
Can you tell if an email is genuinely from your bank?

One sign you're not risking banking scams - a padlock by the site's address bar

To help prevent fraudsters from tricking people into giving away their details in banking scams, the British Bankers’ Association has pledged that banks will never send emails linking to pages that ask for login details.

For some time fraudsters have been sending ‘phishing’ emails to online banking customers. They’re designed to look like official messages, often with an urgent request to make contact.

The emails include a link to a genuine-looking page which invites the victim to enter online banking login details or other sensitive information. The fake page sends the information back to the con artist, who can then use it to steal funds or commit identity theft.

Links to log in to online banking

As the fraudsters become savvier, the most sophisticated of these banking emails can be difficult to tell apart from real ones.

To help prevent fraudsters from tricking people into giving away their online banking details, the British Bankers’ Association (BBA) recently launched a publicity campaign (featured in a guest post on our site too) to remind us that banks will never send emails linking to pages that ask for login details.

I was glad to see the BBA’s advice, but disappointed to find a number of major banks were muddying the waters. We’ve seen genuine emails from Barclays, HSBC, Metro Bank and NatWest which appear to undermine the BBA’s advice. These invite customers to log in to online banking and include a link to their website.

Even following a link from an email to a bank’s homepage, and then through to online banking, can be risky. Fraudsters can easily send emails that appear genuine but lead to a banking scam website.

Banking scams: is that email legitimate?

After a previous Conversation on the subject, Em told us of her strategy for making sure emails from her bank are legitimate:

‘If I have any doubt about the authenticity of an email, I right-click and select ‘View source’. If you know what to look for, you can check the real URLs behind the clickable links and other tell-tale signs of a fake.’

If you’re a techie sort, this is an option. But it shouldn’t be this hard to spot banking scams – and some banks aren’t helping.
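Em’s ‘View source’ check, done programmatically. This is an added example, not code from the original post or from any bank: it pulls every link out of an HTML email and compares where the visible text says it goes with where the href actually points. The trusted-domain list and the sample email are constructed for illustration.

```python
"""List the real targets behind the links in an HTML email and flag the suspicious ones."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed placeholder: the domains of the banks the reader actually uses.
TRUSTED_DOMAINS = {"example-bank.co.uk"}

# Constructed sample email: one lookalike host, one bare IP dressed up as the bank, one genuine link.
SAMPLE_EMAIL = """
<p>Dear Customer, your account has been suspended.</p>
<p>Please <a href="http://example-bank.co.uk.secure-login.example.net/verify">log in</a> to restore access.</p>
<p>Or visit <a href="http://198.51.100.23/bank/">www.example-bank.co.uk</a></p>
<p>Security tips: <a href="https://www.example-bank.co.uk/security">www.example-bank.co.uk/security</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude owner-domain guess: bare IPs stay whole, 'x.co.uk'-style names keep three labels, else two."""
    labels = host.lower().rstrip(".").split(".")
    if all(label.isdigit() for label in labels):
        return host
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"co", "org", "ac", "gov", "net"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _hostname_in_text(text):
    """If the visible link text itself looks like a URL or hostname, return that hostname."""
    if " " in text or "." not in text:
        return None
    candidate = text if "://" in text else "http://" + text
    return urlparse(candidate).hostname


def classify_link(href, text, trusted):
    """Return the reasons a link looks suspicious; an empty list means nothing was found."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    domain = registrable_domain(host) if host else ""
    reasons = []
    if parsed.scheme != "https":
        reasons.append("not https")
    if domain not in trusted:
        reasons.append(f"target domain {domain or '<none>'} is not a trusted bank domain")
    shown = _hostname_in_text(text)
    if shown and registrable_domain(shown) != domain:
        reasons.append(f"visible text shows {shown} but link goes to {host}")
    return reasons


def check_email(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, visible text, reasons)] for every link in the HTML body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, classify_link(href, text, trusted)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, reasons in check_email(SAMPLE_EMAIL):
        verdict = "OK" if not reasons else "SUSPICIOUS: " + "; ".join(reasons)
        print(f"[{text}] -> {href}\n    {verdict}")
```

The domain heuristic is deliberately simple; a real mail client would use the public suffix list, but the mismatch between shown and actual host is the check that catches most of what Em describes.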

To ensure you don’t get conned into visiting a phishing site, our advice is to only access online banking by typing the website address directly, or by using a bookmark.

When we raised our concerns, NatWest said it was ‘actively reviewing’ its approach. Metro Bank has removed links to its website from emails. HSBC and Barclays said they only included links to their homepage or marketing pages. But we don’t think this really addresses the issue.

Longer term, it would be great to see banks and email providers working together on tech fixes to make email more secure. Gmail is testing a feature which displays an icon next to emails that are genuine. But this needs to be widely adopted and understood if it is to make life harder for fraudsters – and easier for us.

What safeguards do you take when banking online? Have you received genuine emails from your bank that have caused you concern?


My current account provider is a mutual building society [the Nationwide] and I think it has a better approach to customer confidence than the retail banks. For some years now it has always included my full postcode in any e-mail as a security precaution together with the advice that they will never ask for any security details on-line; this message is repeated on every e-mail and on appropriate pages within their on-line banking site. I always look for the security features when I open an e-mail and I never follow a link on a financial website.

I have in the past taken issue with certain banks over their casual use of the English language and grammar. It is a vain attempt to seek popular appeal. Unfortunately, it also plays into the hands of fraudsters who, in most cases, commit errors of spelling, punctuation, and syntax. The banks should not pretend to be cool by writing “we’ll” and “they’re” and having catchy headlines like “want a better loan rate?”. High street banks traditionally had stone on the outside and the full mahogany on the inside. I want the on-line equivalent in tone, authority and a sense of responsibility with their communications. And I want to be addressed directly with a unique identifier as the Nationwide does, not with something little better than the ‘valued customer’ moniker used by the scammers.

NW concerned member says:
6 December 2014

Your comment about the Nationwide (NW) approach to security is very worrying. It is precisely why I raised with NW their approach when their security broke down during the last members’ online AGM voting. At the same time and as part of several exchanges when it took a while for them to escalate to someone who understood the issue, I asked, sorry, no I instructed them, to stop assuming that use of a publicly available piece of information such as a postcode, provides the recipient with assurance in an email about the sender’s bona fides. It does not and should not be used. Indeed it should immediately raise concerns for the recipient about who has sent the communication – it does for me.
I did suggest, as you outline in your last sentence, that they use an identifier but one that is set by the account holder and only known by them and NW. They noted my recommendation for consideration for inclusion in a future systems upgrade but they have so far not even ceased that insecure and very misleading practice as an interim measure.
I think safest is to keep any message very simple with no links. Eg. just direct an account holder to a secure online messaging service. Several of my financial service providers do that – Government ones in particular. A bit inconvenient at times but a safer tactic.

I agree with you. It was good at the time but things have moved from bad to worse since Nationwide introduced their use of a postcode identifier and it is time they upgraded their security procedures to address the current level and sophistication of fraudulent activity. I have to say, however, that nothing they have ever sent me by e-mail has been necessary or confidential; the risk is that they normally contain links to the Nationwide website from where it is possible to access internet banking. It would be better if they stopped using links and advised customers to go into the website from scratch by typing the website address into their browser. Organisations appear to have a fear that unless they provide direct links they will lose traffic. I think the prevention of fraud and the gain in security should outweigh those concerns.

I have received two emails from Nationwide to tell me my credit card statement is ready. The first is just text and contains my name and postcode. Although these pieces of personal information are publicly available, the chances are it is legit as most phishing emails are general and sent randomly. It also contains no links to any website. The second one, which came the same day, is more worrying as it is full of fancy graphics and contains a link to the Nationwide online banking website. It also contains my name, post code and the last 4 digits of my card number, so I am sure it came from Nationwide. I notice that the second tip in Nationwide’s top 10 security tips is to never log in from an email link so I don’t know why they are now sending out such emails.

This is a very good point. Banks should never send emails with convenience links in them. Customers need educating to log in from the web address.

Wherever possible, banks should only communicate with customers through secure web forms. The only synchronous communication (telephone or SMS text) should be to alert the customer to log in properly and look at the secure communication on the web site.

The chances are that nearly all Internet illiterate customers will live near a branch, at least at the moment. But as more branches close, alternative methods of “in person” communication need to be developed. A local library or post office where the person can be physically recognised (rather than just by pieces of paper) is a possible solution.

Another worrying trend is people who use a mobile telephone as their only method of Internet access. They probably have got one because they think of it as a telephone not a computer, which gets past their computerphobia. However it is more easily lost or stolen.

I’m a consultant who works in a number of investment banks. The banks often send phishing e-mails from outside the bank to their employees’ work e-mail addresses to test how many employees will fall for phishing scams. These are not phishing e-mails for online banking logins but for other types of sensitive data. No employee ever gets into trouble for falling for it and it’s more for statistical analysis.

Perhaps the retail banks should try a similar test on their customers. They could send phishing e-mails, including deliberate tell-tale spelling mistakes etc, asking their customers to log into a dodgy third party web site that is actually operated secretly and safely by the bank. Customers who fall for it can then be warned by the bank that they are at risk from phishing.

I have never seen a phishing email that looked convincing, though some are better than others. It’s quite instructive to study them and look for clues that they are fake, and to check email headers. Even with emails I am convinced are genuine, I look up websites rather than click links.

Rather amusingly, today’s dodgy email was from Satander. 🙂

Just checked my latest newsletter from First Direct entitled “Be wise this Christmas”

Interestingly this is in the headers:
X-KASFlt-Status: {FROM: real name looks suspicious}

I don’t doubt this is a genuine email but even so, I never click on a link in anything that looks financial.

MikeG says:
6 December 2014

Several times I have been rung by Barclaycard Fraud Dept to query a payment. While I am grateful to them for being vigilant, I am concerned about the manner of contact. An automated message asks me to press 1 on the telephone keypad to be put through to a person. But how am I supposed to know this is not a scam? I think asking people to respond to telephone calls like this is irresponsible, and they should change this practice. I will only contact them through a telephone number published in their literature.

What’s even worse is being contacted by a bank with a request to call them urgently, phone them up to find out the reason, and then not be able to answer their security questions (I almost never contact my banks by phone). Nationwide did this to me, and then blocked access to my accounts as a result – remember, they asked me to ring them, they didn’t say why, and I was unprepared for the third degree. What was unforgivable was that the original call was from their marketing department! So not only did I waste my own time calling them so they could try to sell me something I neither asked for nor needed, I ended up considerably inconvenienced. Needless to say, I no longer bank with them.

As for phishing emails, I always check the sender’s email address and the URL, and I never click through on anything financially related or anything I don’t recognise. I agree that it is good practice for senders to include something in their emails that is personal to you. Also, Santander include an image and phrase on their login screens chosen by the customer.

Some phishing emails are laughable, for example, the recent spate purporting to come from courier companies, but I had one the other day that was particularly good. It dressed itself up as the “someone tried to login to your Apple account” warning, but gave itself away with poor spelling (Itunnes!!) and of course the URL it was asking you to follow was completely bizarre and in Hong Kong.

One further thing you can do to avoid the risk of inadvertently triggering any malware in any attachments (besides reading your email on a Linux machine rather than a Windows one) is use “print preview” or its equivalent to look at the contents in a passive way. It won’t show the bogus URLs but you can quickly tell if your next action should be to hit the delete button.

Actually, before deleting fraudulent emails, I routinely report them to the Action Fraud website. It may not do much to prevent people sending them out in the first place, but it feels better than doing nothing. In fact, I do this so often that it seems like I’ve been single-handedly responsible for a recent report based on Action Fraud’s statistics that highlighted my local area as a hot-spot for email fraud!

I can’t say that I have read anything more appalling than the way this customer was treated by Nationwide. I think the staff responsible should all be sacked without references for bringing the firm into disrepute, but I doubt that it will ever happen.

I agree with a Which? reader who recommended that if anyone phones from a bank to tell them that if they have anything important to say, to communicate through the banks’ secure web site, and then put the phone down.

The Action Fraud’s web site says that you have to use their form to report suspicious emails and it will take half an hour to fill in.
It used to be possible to just forward the suspicious email to them, but as whoever runs it (or probably their legal department) doesn’t care a **** about other people’s time, they now require this rigmarole. Unfortunately most suspicious emails probably don’t get reported as a result of this.

Mary Sabine says:
6 December 2014

I would assume that this was a scam.

phil – I trust you pursued them for an ex-gratia payment

JdR – I am afraid you are absolutely right that this rigmarole will result in under-reporting of attempts.

I wonder if white-listing genuine financial addresses would help or whether it would make people less vigilant. Given the insecurity of browsers even whitelisting would be a potential weakness.

Some financial services, such as PayPal and NatWest, have a very easy system with which customers can report spoofing – simply forward the email as an attachment. Others require laborious form filling on web sites or even require the use of a telephone call centre. I suspect that few people use them. However I am not sure to what extent the legal profession allows the companies or even the police to act on this information. I seem to recall reading somewhere that the Data “Protection” Act can make any investigation difficult.

Personally I think telephone scams are far more dangerous and there seems to be a greater case for banks never telephoning their customers. But this now begs the question as how can banks contact their customers at all if there is a genuine need.

How about they simply send you a letter !!

The Christmas Fairy says:
6 December 2014

Simples – never, ever respond to banks’ emails – just visit your local branch !!!

Now, where is my local branch these days ???

james says:
6 December 2014

It should be possible to arrange a keyword with your bank, to be included in the subject line.
If it is not there, the mail can be treated as suspect.

Another useful tip to check whether an email is genuine or not is to hover the mouse over the link which you’re being asked to click BUT DO NOT CLICK. The site address to which the link goes will appear at the bottom of the browser. If you do not recognise the address, it’s more than likely a scam.

David says:
6 December 2014

It’s not just banks!
Government websites are also affected.
As the owner of a one-person business, I have received quite convincing and vaguely unsettling emails from “HMRC” and “Land Registry” and “Companies House”, with text and graphics lifted from the official sites. Then last week (Nov 2014) I had a phone call from a polite lady purporting to be from HMRC (I subsequently came to realise she was genuine) asking for me by name (as scammers often do). I politely side-stepped this to ask who was calling, and asked for some confirmation that she was from HMRC – she was only able to give information that is readily available from Companies House.
Bearing in mind that many HMRC on-line mandatory processes have hard deadlines with immediate penalties of around £100, this must be a gift for scammers and it’s important that HMRC are at least as squeaky clean as banks.

Nick Bradshaw says:
6 December 2014

Whilst I appreciate that this issue concerns financial institutions, in the last few months I have been asked via email to update my card details by Amazon and eBay on more than one occasion. Don’t know whether the emails were genuine and really don’t care so they were binned. I did check my Amazon account details and in fact they had up to date information. Didn’t check my eBay account – no doubt it will be required if I want to purchase something.

Your eBay account needs details only if you want to sell something. As others have written, it is always best to use your browser to go anywhere where a credit card detail is required, not click on an email however genuine it appears. [ ie enter http://www.eBay.co.uk ]

Both are scams; the Amazon email attempts to obtain your credit card details from your Amazon account, whilst it’s normally Paypal not eBay who holds your payment details.

Frank says:
6 December 2014

Email providers should stop accepting addresses too similar to other addresses.

The law should be made far stricter and really punish people indulging in phishing and hacking. We are just pussyfooting and only getting what we deserve.

My first line of defence is to use a dedicated email address which has only ever been given to the bank. Any email purporting to be from the bank that comes on my regular account is a scam.

Apart from the obvious spelling and grammatical errors, I have had several phishing emails purporting to come from an institution I don’t bank with!

A genuine email should address you by name and include your postal address. ‘Dear Customer’ is an obvious phish.

As for checking the ‘real’ URL in links: viewing source code is all very well, but awkward and only for the technically savvy. It’s far easier simply to place your mouse pointer over the link but *don’t* click on it. The real URL will be shown in the status bar below the browser window – all ‘proper’ browsers like Firefox have always done this, and even IE now does so.

I always forward scam emails to the bank or other institution concerned. Most have an email address to report phishing, which can be found with a quick Google. Then I delete the email without opening any attachments or clicking on any links.

I have also forwarded emails to various companies.

I do wonder why I bother when I get an automated condescending reply on how to handle such emails.

I would like to think they followed up on them, get to the source to get them stopped but their replies give no indication they care or have any intention of doing anything about them.

I think it would be impossible to give everyone a human reply. However web site pages giving details of successful prosecutions and even sentences for miscreants would be a very good idea. It could well act as a deterrent. However I doubt whether the legal departments would be that keen.

Robert C says:
7 December 2014

I have received convincing looking emails from banks I do not have an account with – not hard to spot.
I feel that emails with links are a slippery slope – as proved by the examples above given by Which?. Therefore I decline all marketing from my bank – especially by email and text message. Scammers will just get better at copying the bank’s latest genuine marketing emails, so: until banks confirm we will never get conned and they will take full responsibility, I solve the problem by declining them.

Recently I swapped to a new type of account with my bank, which includes a few fringe benefits (none of which I want) that I opted out of. The bank’s marketing partners somehow send me junk mail that I can’t stop as there is no unsubscribe option. Just shows the banks stop at nothing to send offers.

Robert C says:
7 December 2014

I also decline phone marketing. When I get a call from the bank I ask them to identify themselves (when I call them I know who I called, the reverse is not true). They usually struggle to do this as they want to “go through security first”. Better to call them back later.

I can never understand the logic of this. If they don’t trust you when you call them, why on Earth should you trust them when they call you. Refuse all unsolicited telephone calls – a very good idea.

It’s like restaurants who demand your credit card before you order a meal. If they don’t trust you, why should you trust them with your card for a couple of hours? They could be buying a holiday for themselves and their six kids for a month in Miami for all you know. We will say that we will just have the main course and not stay for sweets and coffee (where there is a big mark up) and pay for it now.

Trust is a two way process.

Send them a section 11 notice (from the 1998 Data Protection Act) by post or email and tell them to stop processing your data for marketing purposes. They have to comply within 28 days by law.

The biggest problem with legit companies sending out emails is the way they try and go about collecting usage data to see how successful their mailshot was. Every link in the email will say it’s going to web address A but in fact they all route thru some 3rd party website B that the 1st company is using to collate this usage data. That process desensitises recipients into being less careful than they should be.

Prime example, to unsubscribe to a which connect email you get routed thru verveengine’s website, who I assume do all which’s marketing emails.

Why companies can’t give access to a subdirectory on their own website for these 3rd party mailshot companies to use I do not know.

As far as fake e-mails go, if you add all genuine traders and partners to a ‘favourites’ list (depending on your e-mail provider AND client) then any e-mails from outside this circle will go wherever your favourites don’t go. This helps a lot in filtering out ‘close but never quite there’ addresses which are otherwise difficult to spot.

MBNA and Barclays Credit Cards have recently sent me emails with links to login pages. Both genuine, as far as I know. Maybe Which should write to them all, and point out the BBA advice. Can I claim from the bank if I fall for one of these scams, when they send out similar themselves? I would hope so.

Perhaps people should realise that they can be compromised remotely and it may not be through an email.

21 Mar 2015
“Security vulns in every one of the big four web browsers were exploited at the Pwn2Own hacking contest on Friday to remotely execute arbitrary code on Windows PCs.
Firefox, Safari, Chrome and Internet Explorer all fell to the skills of the competition entrants, some in less than a second.
All the vulnerabilities exploited will be privately disclosed to the affected software makers so patches can be released. Details are deliberately vague at the moment in the interests of responsible disclosure.”

Unfortunately the crooks do not tell the software makers who appear to belatedly realise that their products are not secure when they are released. Or perhaps they do but as they have never been prosecuted it really does not matter.

Every advance in flashiness and “usability” brings more exploitable complexity.