How secure is online banking?
Online banking has come a long way since it was first launched in the early days of the internet. These days it is generally very safe - the banks have a lot to lose if they get it wrong!
There are still certainly risks to be aware of, but as long as we (as customers) aren't negligent in how we use it, then even if something does happen our banks will often ensure that we're not out of pocket.
The main threats come from our logon details being stolen by viruses and fake websites, as well as scams that persuade us to send money to the wrong recipient. But with a few basic steps we can easily protect ourselves against most of these - keep your computer updated, use antivirus, and learn about phishing emails & scams. This is all pretty easy to do - read on to find out more!
Keep your computer secure
One of the biggest threats to online banking are viruses that capture your password as you type. These viruses, known as 'keyloggers', are often sent out in phishing emails, although they can spread by other means too.
Whilst banks do have some defences against these, the best thing you can do is to protect your computer by following a few simple tips:
- Don't open unexpected email attachments: This is a common way for criminals to spread viruses.
- Keep your computer software updated: Viruses work by finding weaknesses in your computer's software. Developers regularly push out software updates so make sure your computer is set to install these automatically.
- Install good antivirus software: Some banks even provide antivirus programs for free; ask in branch or check your bank's website.
- Follow your bank's advice: Some banks also offer a free program called "Rapport" by Trusteer. This little program sits in your browser and detects if any other program (such as a virus) is listening for and sending away your bank details.
It's also advisable to avoid doing online banking from a public computer too; you never know how up-to-date the antivirus or the computer software is. Logging in from your own PC, or one from your place of work, is much safer.
Watch for fake websites and phishing
An example of a phishing email - not all are as obvious as this one!
Another popular trick amongst criminals is to fool us into simply giving them our banking login details.
How often do you receive emails claiming to be a security alert from your bank? These emails - a type of 'phishing' - try to scare you into taking action, often asking you to log in and confirm your details.
The links provided in these emails though take you to a spoofed version of your bank's website - one which the criminals control - where they can record everything you type. They then simply re-use your password and log in to your real account.
To avoid becoming a victim it helps to remember the following (we also have several pages dedicated to how to spot a phishing email):
- Never trust an email or text message just because it claims to be from your bank. That may sound obvious, but with our busy lives it can be easy to let our guard down. Whilst these emails are sent at random, every so often you'll receive one that by chance will look to have come from your bank.
- Be alert to scare tactics. These emails will often have a sense of urgency to scare you into acting quickly, before you have time to properly think.
- Check where any links in an email takes you. Hover your mouse over a link to see the address it points to. If it looks suspicious don't click it.
- Double check the address of the website. Banks will use their name - and their name alone - as their web address, for example www.hsbc.com. Be suspicious of any variations you see such as www.hsbc-online.com or www.hsbc-securityalert.com.
Whenever you receive one of these emails simply delete it - genuine banks will never ask you to follow a link in an email to login. If you're ever in doubt contact your bank; call the phone number on the back of your bank card or on your statement (don't rely on any contact details in the email).
See our Phishing pages for more tips & examples, and see if you can spot the fakes yourself!
How else do hackers get my login details?
Most banks these days also use a form of 2 Step Verification (2SV) or 2 Factor Authentication (2FA) as an extra layer of security when logging in. This may sound complex, but basically all it means is that your bank send you a security code to enter in addition to your password.
The methods by which banks send you this code varies - it could be an app on your phone, from a physical device they give you in advance, or sent by text message. The first 2 of these methods (app & physical device) are pretty secure; the third (text message) is not.
Some hackers who are specifically targetting an individual can perform a type of hack known as a "sim swap". This is where they convince your phone provider that you've changed your phone, meaning that any text messages are sent to them instead. The hackers will now receive the security code from your bank, and not you.
This type of attack takes effort to do and (thankfully) is still fairly rare. But that's not to say it doesn't happen - Metro Bank in the UK suffered this, as did the food blogger Jack Monroe. If your bank sends security codes via text message then consider changing banks; it's a sign they don't take security as seriously as they should.
If you ever receive communication from your phone operator that your number is being transferred (when you didn't request it) then contact them, and your bank, immediately.
Be aware of money transfer scams
Another type of email scam involves fraudsters trying to trick you into transferring your money directly to them.
This could be by impersonating your CEO, hacking the email of the solicitor dealing with your house purchase, or phoning you up and claiming to be from the bank's fraud team.
Check out our guide to common money transfer scams, and always verify who it is that you're sending any money to.
Keep your connection private
All banks try to keep the communication between your computer and their website private by scrambling up any data passing between you and them; this is known as 'encryption'.
If you're using a web browser on a PC (as opposed to a dedicated banking app on your phone) then always check the connection is secure by looking for https:// at the start of the web address (the 's' stands for 'secure'), as well as a padlock symbol in the address bar.
Look for the padlock symbol and 'https' in the address bar. This example screenshot was taken whilst using the Chrome browser, but you'll see similar details on all web browsers.
If you're using a mobile phone (where there's not the screen width available to display everything) then note that some browsers may not always show the "https". Do however always make sure that a padlock is showing!
How secure websites appear on mobile browsers
Using public wifi
Letting your browser protect your web traffic is secure. Or at least, it normally is.
In practice, https (which scrambles your data) is not perfect, and in some circumstances it can be silently broken - and your data read - by people with the right tools and know-how.
This can only be done by someone sharing the same internet connection as you, and so for this reason - where possible - you should avoid doing online banking on any public wifi connection such as in a coffee shop or hotel. The vast majority of the time you will be fine, so go ahead and use it if you absolutely need to, but if you can wait until you get home then it's certainly advisable to do so.
If you know how, and are in a position to do so, then using your phone as a mobile hotspot is generally more secure than using public wifi.
If you use public wifi a lot then you might want to consider installing some software called a 'VPN' (Virtual Private Network). This wraps a strong tunnel around your connection, preventing any nearby hackers from intercepting and reading your data.
We have a full page of other advice too for using public wifi securely.
Using a mobile phone or tablet?
Banking from your phone or a tablet is becoming common these days, with most banks offering dedicated apps. These can be more convenient than using a simple web browser, and are theoretically more secure too. But again there's a few top tips to help you stay safe:
- Only install genuine apps from the official app store. For iPhones use Apple's App Store, or if your phone is an Android use the Google Play store. Ensure you only install the official app from your bank - follow links from their website, or ask for help in branch.
- Keep your phone software up to date. Just as with your PC, your phone manufacturer will occasionally send out software updates to fix any known issues. Try to keep your phone as up to date as possible.
- Don't use "rooted" phones. The act of "rooting" a phone can give a user more control over their phone, but removes many inbuilt security protections. Never heard of "rooting"? That's a good thing - there's no need to worry about this issue in that case. If your phone was rooted you'd almost certainly know.