Guidance

Online banking, with its convenience and ease of access, has become an essential part of our financial lives. As financial transactions increasingly shift to digital platforms, ensuring the security of your financial information has never been more important.  

Financial information is a prime target for cyber criminals. Therefore, it is important that you are aware of the cyber threats and the best protective measures that can be taken against them in the world of online banking.

Online Banking Threats

Phishing Scams 

Phishing is one of the most common types of cyber attacks. Cyber criminals craft fraudulent emails or messages posing as legitimate organisations or people, enticing recipients to click on malicious links or provide sensitive information such as login credentials, account numbers, or personal identification details. 

Always verify the authenticity of emails or messages before clicking on any links or providing any personal information. Check out the guidance from NCSC to learn more about phishing scams. 
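The checks below are an added example and are not part of the original guidance. They show what "verify a link before clicking" means in practice: the destination a browser actually connects to is not always the name shown in the link. Python's `urlsplit` is used to recover the real host, then the link is tested for the usual tricks: a bank name placed before an `@` (which makes it a username, not the site), a bare IP address, plain HTTP, the bank's name used as a prefix of an unrelated domain, and lookalike names built from Cyrillic letters that render like Latin ones. `examplebank.co.uk` is a hypothetical bank domain standing in for the real allow list a checker would load, and the sample links are constructed.

```python
from typing import List
from urllib.parse import urlsplit
import ipaddress

# Hypothetical allow list: the one domain this example treats as the bank's.
# A real checker would take the bank's published hostnames instead.
TRUSTED_DOMAIN = "examplebank.co.uk"
BRAND = "examplebank"

# Sample of Cyrillic letters that render like Latin ones; lookalike domains
# are built from these so the address bar appears to show the bank's name.
HOMOGLYPHS = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                            "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0445": "x"})


def real_host(url: str) -> str:
    """Hostname the browser will actually contact, as sent on the wire:
    lower-case, trailing dot removed, non-ASCII labels converted to punycode."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not a web link")
    # 'user:pass@' is legal URL syntax and urlsplit assigns it to .username,
    # so a bank name placed before '@' never reaches .hostname.
    return parts.hostname.encode("idna").decode("ascii").rstrip(".")


def check_link(url: str) -> List[str]:
    """Reasons not to trust the link, each as 'CODE: explanation'.
    An empty list means HTTPS to the trusted domain with no tricks found."""
    try:
        host = real_host(url)
    except ValueError:
        return ["NOT_WEB: scheme is not http or https"]
    parts = urlsplit(url.strip())
    findings: List[str] = []

    if parts.scheme == "http":
        findings.append("HTTP: plain HTTP, the page can be read or altered in transit")
    if parts.username is not None:
        findings.append(f"USERINFO: text before '@' is a username, not the site; real host is {host}")
    try:
        ipaddress.ip_address(host)
        findings.append("IP_HOST: bare IP address instead of a domain name")
    except ValueError:
        pass  # a normal domain name, which is the usual case

    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        return findings  # genuine host, possibly with weaknesses noted above

    shown = parts.hostname  # what the reader sees, before IDNA conversion
    latin = shown.translate(HOMOGLYPHS)
    if latin != shown and (latin == TRUSTED_DOMAIN or latin.endswith("." + TRUSTED_DOMAIN)):
        findings.append(f"LOOKALIKE: non-Latin letters imitate the bank's name; sent as {host}")
    elif any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"PUNYCODE: internationalised hostname {host}, check it carefully")
    if BRAND in host:
        findings.append(f"BRAND_ABUSE: bank's name inside an unrelated domain: {host}")
    findings.append(f"UNTRUSTED: {host} is not the bank's domain")
    return findings


def codes(url: str) -> List[str]:
    """Just the finding codes, for quick comparison or logging."""
    return [f.split(":", 1)[0] for f in check_link(url)]


# Constructed sample links, the kind that arrive in phishing messages.
SAMPLE_LINKS = [
    "https://online.examplebank.co.uk/login",
    "http://online.examplebank.co.uk/login",
    "https://online.examplebank.co.uk@secure-login.example/",
    "https://examplebank.co.uk.verify-account.example/",
    "https://exampleb\u0430nk.co.uk/",       # the second 'a' is Cyrillic U+0430
    "https://192.0.2.10/examplebank/login",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link)
        for finding in check_link(link) or ["OK: trusted domain over HTTPS"]:
            print("   ", finding)
```

The `USERINFO` case is the one people most often get wrong by eye: `https://online.examplebank.co.uk@secure-login.example/` starts with the bank's name, but everything before the `@` is discarded by the browser and the connection goes to `secure-login.example`. The same logic applies when hovering over a link in an email client: what matters is the hostname after `://` and before the first `/`, `@` handling included.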

Malware Attacks 

Malware is malicious software that can be installed on a user’s computer without their knowledge. A device may be infected through various means, such as downloading malicious attachments, visiting compromised websites, or clicking on malicious ads. Once installed on a device, malware can cause harm in many ways such as stealing personal information, or gaining unauthorised access to online banking accounts. 

Ransomware is a type of malware that encrypts a user’s files, making them inaccessible, and the attackers then demand a ransom payment in exchange for decrypting them. See the NCSC’s mitigating malware guidance for advice on defending your organisation.

Identity Theft 

Identity theft remains a pervasive threat in the world of online banking. Cyber criminals steal personal information, and use the stolen identity for fraudulent purposes. With this information, cyber criminals can open fraudulent accounts, make unauthorised purchases, or conduct illicit financial transactions in the victim’s name.  

It’s important to practice good cyber security and exercise caution with your personal information online to reduce the chances of becoming a victim of identity theft. 

Account Takeover 

Account takeover (ATO) attacks occur when cyber criminals gain unauthorised access to an online account, for example through phishing campaigns or by trying credentials stolen from hacked sites and databases against other services (credential stuffing), which works wherever the same password has been reused. Once in control of an account, cyber criminals can engage in fraudulent activity such as stealing money, transferring funds to other accounts, or making fraudulent purchases.

Read the NCSC guidance on recovering a hacked account to learn more. 

Remote Access

Remote access allows users to access a device or a network from another location. While there are genuine use cases for remote access, there has been an increase in these types of tools being exploited by fraudsters.

Typically, you get a phone call from someone impersonating a known organisation, such as an internet provider or a bank, in which they try to convince you to grant them access to your device in order to fix a problem. They may direct you to download remote access software or simply click on a link. Once granted access, scammers can view your screen, capture personal information such as your bank details, and potentially install malware for further exploitation.

If you receive an unsolicited call asking for remote access or personal banking details, hang up immediately. No genuine company will make an unsolicited call to request remote access to your computer.

Man-in-the-Middle (MitM) Attacks

A MitM attack occurs when a cyber criminal intercepts the communication between two parties, such as a user’s computer and a bank’s website. If the connection is not properly encrypted, the cyber criminal can read or alter the traffic and steal the user’s sensitive information, such as login credentials or financial data. MitM attacks are most practical on networks the attacker controls or shares with you, such as public Wi-Fi, where a malicious operator or another user can position themselves between your device and the internet.

To protect against MitM attacks, only use your bank’s website over HTTPS (check for the padlock and that the address is the bank’s own domain) or its official app, never click past a certificate or security warning, keep your devices updated, and avoid banking on public Wi-Fi networks where you can.

Authorised Push Payment (APP) 

This involves a victim being manipulated into making a payment directly to a fraudster, generally through social engineering tactics involving impersonation. Typically, the payment is made through online banking or a mobile app. To help protect against APP scams, many banks have signed up to the CRM Code (Contingent Reimbursement Model). Under the code, banks are required to protect customers and reimburse those who aren’t to blame for the scam. However, the CRM Code is not a guarantee that you will get your money back in every circumstance if you have been scammed, so you still need to be careful not to fall victim to scams.

Examples of Authorised Push Payment related scams to be aware of include:

  • Purchase Scams: This kind of scam happens when someone is tricked into sending money via bank transfer to buy goods or services that don’t exist. The scammer may create an ad on social media, websites that you frequent, or even fake online marketplaces. Ticket fraud is a common source of purchase scams. Lloyds Bank recently issued a warning specifically about Taylor Swift Eras tour tickets in which they report that UK fans are estimated to have lost over £1 million since those tickets went on sale. The report also noted that 90% of the reported concert ticket scams started on Facebook, showing the importance of buying from a trusted vendor. For purchase scam related tips check out the NCSC guidance on shopping online securely. 
  • Investment Scams: An investment scam is a deceptive practice that entices investors to make purchases based on false information. These scams often target individuals who are seeking to grow their wealth or secure their financial future. Online, cryptocurrency scams have become more prominent, with scammers offering get-rich-quick opportunities through investment. It’s especially important to be careful in this space, since most cryptocurrencies aren’t regulated by the Financial Conduct Authority (FCA), which means they are not protected by the UK’s Financial Services Compensation Scheme. The FBI’s Internet Crime Report 2023 noted that in America “investment fraud was the costliest crime category”, with losses rising 38% from the previous year to $4.57 billion. Crypto-related investment scams accounted for most of this, jumping 53% to nearly $4 billion. 
  • Overpayment Scams: If you provide services or sell products online, you could fall victim to an overpayment scam. The fraudster overpays for an item, then asks for the excess to be refunded. The original payment later fails or is reversed, because it was made from a stolen card, a fraudulent cheque or a compromised account, leaving the seller without the item and out of pocket for the refund. This often involves a cheque payment but can also involve online transactions. Read the Royal Bank of Scotland’s overpayment fraud guidance to learn more. 
  • Romance Fraud: In romance fraud, victims are convinced to make a payment to a person they have met, generally online through dating apps or social media, with whom they believe they are in a relationship. Fake profiles are used to trick victims into trusting the scammer, who will then find a way to ask for money. It’s important to be vigilant when communicating with people online that you haven’t met in person, and never to send money to someone you have not met.

Further Cyber Secure Banking guidance:

Cyber Secure Banking: Best practice for individuals

Cyber Secure Banking: Best practice for organisations
