Bank email scam alert for Santander, Royal Bank of Scotland and HSBC customers: warning and what to do if you’re a victim
Scammers are taking advantage of new security measures being rolled out by banks in order to steal your banking information.
These are the signs to look out for and what to do if you have a dodgy looking email in your inbox.
What to look out for
Banks, card providers and retailers across the EU are asking customers to provide up-to-date contact information in line with their new checks for online card payments, known as strong customer authentication (SCA). Scammers have hijacked these security measures to attempt to steal your banking credentials and personal data.
Imitating the emails being sent out by banks, scammers include links to sites that are set up to steal the victim's personal data, which can then be used to break into their bank account.
The emails state that if you fail to confirm your details then your bank account could be suspended.
Consumer group Which? has reported scammers impersonating emails from Santander, Bank of Scotland and HSBC. They also say that they “expect more of these to surface over the next 18 months during the phased implementation of SCA”.
Which? has compiled a checklist to look at if you’re unsure about the validity of an email. They advise:
- A scam email will usually have a strange email address. Sometimes they’ll try to spoof a genuine sender name, but you can check the email address by right-clicking on the sender name, which will allow you to see the email address behind it. The email addresses being used in this instance are things like “email@example.com” and long strings of random letters, which are obviously not from real banks
- Does the email open by greeting you impersonally - simply using terms like “customer” or your email address rather than your real name?
- Is it asking for personal or bank details? “If an email is asking you to update or re-enter your personal or bank details out of the blue, it is likely going to be a scam,” Which? says
- Check links without clicking on them. If you’re looking at the email on your computer, hover your mouse (without clicking) over the link in order to preview where the link will take you
- Does the email have bad spelling or grammar, or is it laid out poorly? While scammers have gotten more sophisticated, this is still a telltale sign of a scam. In the RBS scam email, it says “5Th/July/2019”, which is unlikely to appear in a legitimate email
Which? says, “More common is to see a real lack of consistency with the presentation of the email, which may include several different font styles, font sizes and a mismatch of logos.”
The bottom line is that if you’re unsure about the email in any way, you should err on the side of caution and get in touch with the organisation to verify that it's real.
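The checks from the Which? list that can be automated (sender address, impersonal greeting, request for details, real link target) are shown here as an added Python example; it is not part of the original article or of Which?'s guidance. The trusted-domain list and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the recipient's bank really sends from (hypothetical allow-list).
TRUSTED_DOMAINS = {"bank.example"}

# Constructed sample message, not a real scam email.
SAMPLE = """\
From: "Your Bank" <xkqjzpwv@mail-update.example>
Content-Type: text/html

<p>Dear customer,</p>
<p>Please confirm your bank details or your account could be suspended.</p>
<p><a href="http://login.verify-update.example/sca">https://www.bank.example/secure</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect every <a href>: the real target that hovering over a link reveals."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def host_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def checklist(raw):
    msg = message_from_string(raw)
    body = msg.get_payload()
    findings = []
    _, addr = parseaddr(msg["From"])  # address behind the display name
    if not host_trusted(addr.rpartition("@")[2].lower()):
        findings.append("sender address not from a trusted domain: " + addr)
    if re.search(r"dear\s+(customer|[\w.+-]+@[\w.-]+)", body, re.I):
        findings.append("impersonal greeting")
    if re.search(r"(confirm|update|re-enter).{0,40}(bank|personal) details", body, re.I):
        findings.append("asks for personal or bank details")
    parser = LinkCollector()
    parser.feed(body)
    for href in parser.hrefs:
        if not host_trusted((urlparse(href).hostname or "").lower()):
            findings.append("link goes to an untrusted host: " + href)
    return findings
```

Spelling, layout and logo consistency are not covered here; those checks still need a human eye.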
What is SCA?
Additional security checks, under the Payment Services Regulations 2017, will become more common for those doing online shopping or banking within the UK or EU.
You might have already been asked for extra details when shopping on a new website (or with a new card) and over the next few months, these checks will become routine for payments over €30 (or the equivalent in GBP).
Your bank or card issuer will use two of three possible methods to check your identity:
- Something you own, such as your mobile phone, which is texted a one-off passcode
- Something you know, such as a password or passphrase
- Something physical, such as a fingerprint authentication, voice pattern or facial recognition
This will be in addition to the usual card details you need when shopping or banking online.
It’s up to the individual banks and card issuers to decide which methods they want to use and they will inform you of the details you might need.
What to do if you’ve clicked a dodgy link
Citizens Advice is a network of 316 independent charities throughout the UK that give free, confidential information and advice regarding the likes of money, legal, consumer and other problems.
They say that if you’ve been a victim of email fraud, you need to:
- Protect yourself from further risks
- Check and see if you can get your money back
- Report the scam
They advise that if you think your account details or PIN have been stolen, you should contact your bank immediately so that they can work on protecting your account.
“After you’ve told your bank about the scam, keep an eye on your bank statements and look out for any unusual transactions,” states Citizens Advice.
You should also change your passwords as soon as possible, for all of your accounts.
As well as reporting the scam to your bank, you should also report it to Action Fraud, the National Fraud and Cyber Crime Reporting Centre.
You can use their online reporting tool or you can call 0300 123 2040, Monday to Friday, 8am to 8pm.
If you’ve been the victim of a scam and have lost money, Which? has created a guide to help you reclaim your money.
The steps you’ll need to take will depend on the method by which your money was stolen, either via:
- Credit card
- Debit card
- Bank transfer
- Money transfer wire service
- Or a payment that you didn’t authorise