Can you tell if an email is genuinely from your bank?

Your comment about the Nationwide (NW) approach to security is very worrying. It is precisely why I raised with NW their approach when their security broke down during the last members’ online AGM voting. At the same time and as part of several exchanges when it took a while for them escalate to someone who understood the issue, I asked, sorry, no I instructed them them, to stop assuming that use of a publicly available piece of information such as a postcode, provides the recipient with assurance in an email about the sender’s bona fides. It does not and should not be used. Indeed it should immediately raise concerns for the recipient about who has sent the communication – it does for me.
I did suggest, as you outline in your last sentence, that they use an identifier but one that is set by the account holder and only known by them and NW. They noted my recommendation for consideration for inclusion in a future systems upgrade but they have so far not even ceased that insecure and very misleading practice as an interim measure.
I think safest is to keep any message very simple with no links. Eg. just direct an account holder to a secure online messaging service. Several of my financial service providers do that – Government ones in particular. A bit inconvenient at times but a safer tactic.

I agree with you. It was good at the time but things have moved from bad to worse since Nationwide introduced their use of a postcode identifier and it is time they upgraded their security procedures to address the current level and sophistication of fraudulent activity. I have to say, however, that nothing they have ever sent me by e-mail has been necessary or confidential; the risk is that they normally contain lnks to the Nationwide website from where it is possible to access internet banking. It would be better if they stopped using links and advised customers to go into the website from scratch by typing the website address into their browser. Organisations appear to have a fear that unless they provide direct links they will lose traffic. I think the prevention of fraud and the gain in security should outweigh those concerns.

I have received two emails from Nationwide to tell me my credit card statement is ready. The first is just text and contains my name and postcode. Although these pieces of personal information are publicly available, the chances are it is legit as most phishing emails are general and sent randomly. It also contains no links to any website. The second one, which came the same day, is more worrying as it is full of fancy graphics and contains a link to the Nationwide online banking website. It also contains my name, post code and the last 4 digits of my card number, so I am sure it came from Nationwide. I notice that the second tip in Nationwide’s top 10 security tips is to never log in from an email link so I don’t know why they are now sending out such emails.

This is a very good point. Banks should never send emails with convenience links in them. Customers need educating to log in from the web address.

Wherever possible, banks should only communicate with customers through secure web forms. The only synchronous communication (telephone or SMS text) should be to alert the customer to log in properly and look at the secure communication on the web site.

The chances are that nearly all Internet illiterate customers will live near a branch, at least at the moment. But as more branches close, alternative methods of “in person” communication need to be developed. A local library or post office where the person can be physically recognised (rather than just by pieces of paper) is a possible solution.

Another worrying trend is people who use a mobile telephone as their only method of Internet access. They probably have got one because they think of it as a telephone not a computer, which gets past their computerphobia. However it is more easily lost or stolen.

What’s even worse is being contacted by a bank with a request to call them urgently, phone them up to find out the reason, and then not be able to answer their security questions (I almost never contact my banks by phone). Nationwide did this to me, and then blocked access to my accounts as a result – remember, they asked me to ring them, they didn’t say why, and I was unprepared for the third degree. What was unforgivable was that the original call was from their marketing department! So not only did I waste my own time calling them so they could try to sell me something I neither asked for nor needed, I ended up considerably inconvenienced. Needless to say, I no longer bank with them.

As for phishing emails, I always check the sender’s email address and the URL, and I never click through on anything financially related or anything I don’t recognise. I agree that it is good practice for senders to include something in their emails that is personal to you. Also, Santander include an image and phrase on their login screens chosen by the customer.

Some phishing emails are laughable, for example, the recent spate purporting to come from courier companies, but I had one the other day that was particularly good. It dressed itself up as the “someone tried to login to your Apple account” warning, but gave itself away with poor spelling (Itunnes!!) and of course the URL it was asking you to follow was completely bizarre and in Hong Kong.

One further thing you can do to avoid the risk of inadvertently triggering any malware in any attachments (besides reading your email on a Linux machine rather than a Windows one) is use “print preview” or its equivalent to look at the contents in a passive way. It won’t show the bogus URLs but you can quickly tell if your next action should be to hit the delete button.

Actually, before deleting fraudulent emails, I routinely report them to the Actions Fraud website. It may not do much to prevent people sending them out in the first place, but it feels better than doing nothing. In fact, I do this so often that it seems like I’ve been single-handedly responsible for a recent report based on Action Fraud’s statistics that highlighted my local area as a hot-spot for email fraud!

I can’t say that I have read anything more appalling than the way this customer was treated by Nationwide. I think the staff responsible should all be sacked without references for bringing the firm into disrepute, but I doubt that it will ever happen.

I agree with a Which? reader who recommended that if anyone phones from a bank to tell them that if they have anything important to say, to communicate through the banks’ secure web site, and then put the phone down.

The Action Fraud’s web site says that you have to use their form to report suspicious emails and it will take half an hour to fill in.
http://www.actionfraud.police.uk/report-a-fraud/how-to-report-a-fraud
It used to be possible to just forward the suspicious email to them, but as whoever runs it (or probably their legal department) doesn’t care a **** about other people’s time, they now require this rigmarole. Unfortunately most suspicious emails probably don’t get reported as a result of this.

I would assume that this was a scam.

phil – I trust you pursued them for a ex-gratia payment

JdR – I am afraid you are absolutely right that this rigmarole will result in under-reporting of attempts.

I wonder if white-listing genuine financial addresses would help or whether it would make people less vigilant. Given the insecurity of browsers even whitelisting would be a potential weakness.

How about they simply send you a letter !!

Your eBay account needs details only if you want to sell something. As others have written, it is always best to use your browser to go anywhere where a credit cars detail is required, not click on an email however genuine it appears. [ ie enter http://www.eBay.co.uk ]

Both are scams;-The Amazon email attempts to obtain your credit card details from your Amazon account, whilst it’s normally Paypal not eBay who holds your payment details.

I have also forward emails to various companies.

I do wonder why I bother when I get an automated condescending reply on how to handle such emails.

I would like to think they followed up on them, get to the source to get them stopped but their replies give no indication they care or have any intention of doing anything about them.

I think it would be impossible to give everyone a human reply. However web site pages giving details of successful prosecutions and even sentences for miscreants would be a very good idea. It could well act as a deterrent. However I doubt whether the legal departments would be that keen.

I also decline phone marketing. When I get a call from the bank I ask them to identify themselves (when I call them I know who I called, the reverse is not true). They usually struggle to do this as they want to “go through security first”. Better to call them back later.

I can never understand the logic of this. If they don’t trust you when you call them, why on Earth should you trust them when they call you. Refuse all unsolicited telephone calls – a very good idea.

Its like restaurants who demand your credit card before you order a meal. If they don’t trust you, why should you trust them with your card for a couple of hours? They could be buying a holiday for themselves and their six kids for a month in Miami for all you know. We will say that we will just have the main course and not stay for sweets and coffee (where there is a big mark up) and pay for it now.

Trust is a two way process.

Send them a section 11 notice (from the 1998 Data Protection Act) by post or email and tell them to stop processing your data for marketing purposes. They have to comply within 28 days by law.