Four in 10 leading banks failing on email fraud protection

One-third of leading UK challenger banks have failed to implement a vital email protocol that protects consumers from email fraud, while 8% of traditional banking institutions have also neglected this fundamental defence system.

This is the finding of an analysis of the email security defences of the top 10 traditional and challenger banks by data-driven cyber security firm Red Sift, despite increased cyber attacks targeting financial institutions and increased competition in the sector.

The domain-based message authentication, reporting and conformance (Dmarc) protocol is the only sure-fire way to prevent email spoofing, which for too long has been blamed on the user being duped by social engineering, the security firm said.

Red Sift believes that implementing Dmarc is a strong indicator of an organisation’s overall willingness to adopt adequate cyber security measures to protect its consumers.

While 67% of traditional banks have implemented Dmarc and configured it to reject all spoof email, the study found that 25% have implemented the government-endorsed tool but have not configured it for full protection.

And although two-thirds of challenger banks have implemented Dmarc, only 25% have configured it to reject all spoof email.

Randal Pinto, COO at Red Sift, said: “As challenger banks continue to disrupt the sector with digital banking service innovations, we wanted to assess the cyber security health of the whole sector to understand whether new entrants into the market were factoring in the likely threat impact as part of the product innovation process and if this was driving traditional providers to up their security game.

“However, the results are not encouraging. Only a quarter of challenger banks, and 67% of established banking institutions, have deployed the highest level of email fraud protection to prevent fake emails reaching customers’ inboxes.”

The traditional banking sector has struggled to keep pace with an ever-changing cyber threat landscape, said Pinto. “Reliance on ageing computer systems to maintain vast global banking empires is causing all manner of problems when it comes to ensuring organisation security,” he said.

“We have recently seen UK retail banks, including Santander, Royal Bank of Scotland, Barclays and Tesco Bank, having to limit or shut down their systems due to attack. Analysis of these types of attack shows it is basic systems such as email that are being duped, accounting for significant losses, mainly via phishing.

“We saw £354m of UK money lost to authorised push payment scams last year alone, so we are calling for both long-established and new challenger banks to implement basic email security defences in order to safeguard customer data, finances and loyalty.”

In March 2019, another study revealed that email security in UK government organisations is lagging far behind that of central government, with less than one-third implementing Dmarc.

The study showed that only 28% of gov.uk domains have been proactive in implementing the Dmarc protocol. However, this finding is in sharp contrast to central government departments, where 89% have implemented Dmarc, according to the National Cyber Security Centre (NCSC).

Attackers sending fake emails purporting to be from the government has been one of the biggest problems in UK cyber security, according to the NCSC. But much of it is preventable by adopting the Dmarc protocol, which helps to authenticate an organisation’s communications as genuine by blocking emails pretending to be from government.

Dmarc is also an effective tool for preventing domain impersonation attacks, which are the most common and most harmful kind of phishing attacks.

Government departments with Dmarc that are using Mail Check are blocking 35% more spoofed emails than those not using Mail Check, achieving a more secure Dmarc configuration, according to an NCSC blog post.