Some banks could be doing more to protect their customers from spoof communications which try to steal their personal information, according to Which?
The consumer group said not all banks are using the full technology available to them, potentially leaving security system weaknesses that scammers could exploit.
Phishing scams may spoof banks’ genuine email addresses or domains to trick people into divulging sensitive information, such as bank account details, usernames or passwords.
Which? said banks should be implementing a system that protects web addresses they own or use, known as domain-based message authentication, reporting and conformance (DMARC), to prevent spoofing attacks.
Banks can use DMARC to tell email providers how to handle the unauthorised use of their domains.
The process of introducing DMARC is frequently done gradually – with an initial monitoring phase followed by a quarantine phase which moves emails to spam if they fail checks and then, ultimately, a policy of reject which blocks emails failing the checks.
But Which? said when it asked…
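The three rollout phases described above correspond to the `p=` tag of the DMARC TXT record a domain publishes at `_dmarc.<domain>`. The following is an added example, not part of the original article or of the Which? research: a small checker that classifies a record by phase and flags settings that weaken it. The function names and the sample records (on placeholder `example` domains) are constructed for illustration.

```python
# Added example: classify a DMARC TXT record by rollout phase (tags per RFC 7489).
PHASES = {"none": "monitoring", "quarantine": "quarantine", "reject": "reject"}
STRENGTH = ["none", "quarantine", "reject"]  # weakest to strongest

def parse_dmarc(txt):
    """Split a TXT record into a {tag: value} dict; None if it is not DMARC."""
    pairs = [part.split("=", 1) for part in txt.split(";") if "=" in part]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    # The version tag must come first and must be exactly DMARC1.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)

def rollout_phase(txt):
    """Return (phase, notes) for one published record."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "no-dmarc", ["not a valid v=DMARC1 record"]
    policy = tags.get("p", "").lower()
    if policy not in PHASES:
        return "invalid", ["p= tag missing or unrecognised"]
    notes = []
    # pct= applies the policy to a sample of failing mail (default 100).
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # an unparsable pct= is ignored
    if policy != "none" and pct < 100:
        notes.append(f"policy applied to {pct}% of failing mail only")
    # sp= overrides the policy for subdomains; weaker means less protection there.
    sp = tags.get("sp", policy).lower()
    if sp in STRENGTH and STRENGTH.index(sp) < STRENGTH.index(policy):
        notes.append(f"subdomains held at weaker policy sp={sp}")
    if "rua" not in tags:
        notes.append("no rua= address, so aggregate reports are not collected")
    return PHASES[policy], notes

# Constructed sample records, one per situation the checker distinguishes.
SAMPLES = {
    "bank-a.example": "v=DMARC1; p=none; rua=mailto:dmarc@bank-a.example",
    "bank-b.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@bank-b.example",
    "bank-c.example": "v=DMARC1; p=reject; sp=none",
    "bank-d.example": "v=spf1 include:_spf.bank-d.example ~all",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        phase, notes = rollout_phase(record)
        print(f"{domain}: {phase}", *notes, sep="\n    ")
```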