Can you tell if an email is genuinely from your bank?

Your comment about the Nationwide (NW) approach to security is very worrying. It is precisely why I raised with NW their approach when their security broke down during the last members’ online AGM voting. At the same time and as part of several exchanges when it took a while for them escalate to someone who understood the issue, I asked, sorry, no I instructed them them, to stop assuming that use of a publicly available piece of information such as a postcode, provides the recipient with assurance in an email about the sender’s bona fides. It does not and should not be used. Indeed it should immediately raise concerns for the recipient about who has sent the communication – it does for me.
I did suggest, as you outline in your last sentence, that they use an identifier but one that is set by the account holder and only known by them and NW. They noted my recommendation for consideration for inclusion in a future systems upgrade but they have so far not even ceased that insecure and very misleading practice as an interim measure.
I think safest is to keep any message very simple with no links. Eg. just direct an account holder to a secure online messaging service. Several of my financial service providers do that – Government ones in particular. A bit inconvenient at times but a safer tactic.

I agree with you. It was good at the time but things have moved from bad to worse since Nationwide introduced their use of a postcode identifier and it is time they upgraded their security procedures to address the current level and sophistication of fraudulent activity. I have to say, however, that nothing they have ever sent me by e-mail has been necessary or confidential; the risk is that they normally contain lnks to the Nationwide website from where it is possible to access internet banking. It would be better if they stopped using links and advised customers to go into the website from scratch by typing the website address into their browser. Organisations appear to have a fear that unless they provide direct links they will lose traffic. I think the prevention of fraud and the gain in security should outweigh those concerns.

I have received two emails from Nationwide to tell me my credit card statement is ready. The first is just text and contains my name and postcode. Although these pieces of personal information are publicly available, the chances are it is legit as most phishing emails are general and sent randomly. It also contains no links to any website. The second one, which came the same day, is more worrying as it is full of fancy graphics and contains a link to the Nationwide online banking website. It also contains my name, post code and the last 4 digits of my card number, so I am sure it came from Nationwide. I notice that the second tip in Nationwide’s top 10 security tips is to never log in from an email link so I don’t know why they are now sending out such emails.

This is a very good point. Banks should never send emails with convenience links in them. Customers need educating to log in from the web address.

Wherever possible, banks should only communicate with customers through secure web forms. The only synchronous communication (telephone or SMS text) should be to alert the customer to log in properly and look at the secure communication on the web site.

The chances are that nearly all Internet illiterate customers will live near a branch, at least at the moment. But as more branches close, alternative methods of “in person” communication need to be developed. A local library or post office where the person can be physically recognised (rather than just by pieces of paper) is a possible solution.

Another worrying trend is people who use a mobile telephone as their only method of Internet access. They probably have got one because they think of it as a telephone not a computer, which gets past their computerphobia. However it is more easily lost or stolen.