I’ve never felt unsafe using online banking or mobile banking apps, despite many years spent researching threats.
Headlines about criminals using AI to create shockingly convincing impersonation scams or bypass ID checks make for sombre reading, but don’t forget banks have this technology at their disposal, too.
The shifting nature of cybercrime means the financial industry can never rest on its laurels, and our investigations repeatedly suggest there’s more than a little room for improvement. But it’s been exciting to see anti-fraud tools launched by the likes of Monzo and Santander to keep customers safe.
Criminals will always try to exploit multiple channels, such as social media, online ads, phone calls and texts to get at your money. We want companies in different sectors to share intelligence to better understand how they operate and prevent scams reaching consumers.
You can do your bit too, by staying alert to phishing attempts, keeping software updated and making use of any security features offered by your bank or built in to your device.
For ultimate security, bank at home on a secure private network, on a dedicated up-to-date browser used only for finances, and use antivirus on your computer.
The biggest threat to banking security comes from using a compromised device. And this applies whether you're using a computer or a smartphone.
Although phones are more easily lost or stolen, you can mitigate the risk by registering for Google 'Find My Device' or Apple 'Find My iPhone' so that the phone can be located, locked and even wiped of data remotely if it's lost or stolen.
It's difficult to plant a keylogger (software that records every key you press and can be used to steal usernames and passwords) on an Android or iOS device.
But mobile banking isn't risk-free – fakes can turn up in app stores and malware does exist that specifically targets mobile phones. Always download apps from the official app stores as these are vetted by Apple and Google, and check the reviews carefully.
Keep your software updated as manufacturers and app developers will usually release software updates which contain security patches and new security features.
Make use of any security features offered by your bank or built into your mobile phone:
Protect your mobile: Add a unique Pin to your Sim card; register for Google’s Find My Device or Apple’s Find My iPhone; and disable preview notifications, which flash up messages even when your phone is locked.
Instant card freezing: All of the banks we tested, except The Co-operative Bank, let you temporarily block your card in-app without having to call or visit a branch.
Block remote payments: If you bank with Barclays, Chase, Lloyds Banking Group, NatWest, Santander, Starling or TSB, you can also block remote purchases made online, over the phone and by mail order. Many also let you freeze gambling and international transactions.
Real-time notifications: These make it much easier and quicker to spot fraudulent transactions. High-street banks have followed the digital challenger banks in offering them, though some are still some way behind.
Caller verification: Barclays, Monzo and Starling currently offer security features designed to help you spot phone scammers. If someone calls claiming to be from Barclays, you can ask them to send a secure notification to your Barclays app via 'app ID'. If you're a Monzo or Starling customer, look for 'call status' warnings to see whether someone from the bank is genuinely on the phone to you (Monzo shows this under its security settings, Starling within the payment screen).
What is Strong Customer Authentication?
When you log into online banking, or use your card to pay online, you may notice more checks from your bank.
Strong Customer Authentication (SCA) involves multiple ID checks such as providing a password plus a single-use passcode generated on a card reader or sent via text message to your mobile phone.
We want banks to phase out using text messages to send sensitive data as it can open the door to Sim-swap fraudsters.
Banks must identify every customer using at least two of these independent factors:
something only you know (a password or Pin)
something only you possess (a card reader or registered mobile device) and
something only you are (a digital fingerprint or voice pattern).
Some banks offer a physical device to generate unique one-time passcodes (OTPs) that serve as evidence of 'possession'. Card readers require you to insert your debit card to generate the OTP; other devices generate codes when you enter a Pin.
Most banks also let you authenticate yourself at login via the mobile banking app (you can usually simply use fingerprint or face ID to let them know it's you logging in).
Another option is OTPs sent via text message (SMS) to a mobile phone but we want providers to phase these out as SMS is vulnerable to Sim-swap attacks, where criminals intercept messages.
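To show what the 'possession' factor looks like in practice, here is an added example (not code from this article, nor from any bank or device maker) of HOTP, the RFC 4226 counter-based one-time passcode construction on which many hardware token devices are based. The article does not say which algorithm any bank's card reader uses, so treating them as HOTP is an assumption; the secret and counter values are the RFC's own published test vectors, not real credentials. The verifier also shows the bank's side of the check: a small look-ahead window tolerates a token that was pressed without the code being used, and any code at or before the last accepted counter is refused, so a code that was intercepted in transit cannot be replayed later.

```python
"""HOTP (RFC 4226) counter-based one-time passcodes.

Added example, not code from the original article or from any bank. The
shared secret and counters are the RFC 4226 Appendix D test vectors.
"""
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Return the HOTP code for a shared secret and a moving counter."""
    # The counter is encoded as an 8-byte big-endian integer (RFC 4226 s5.2).
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    # Dynamic truncation: the low 4 bits of the last byte select a 4-byte
    # window of the HMAC, read as a 31-bit big-endian integer.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_hotp(secret: bytes, submitted: str, last_counter: int,
                look_ahead: int = 3, digits: int = 6):
    """Server-side check of a code submitted by the customer.

    Accepts codes for counters strictly after the last accepted one, within a
    small look-ahead window (token pressed but code not used). Returns the new
    counter to store on success, or None. A code at or before last_counter is
    rejected, so a captured code cannot be replayed.
    """
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c
    return None


RFC_SECRET = b"12345678901234567890"  # RFC 4226 Appendix D test secret

if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC_SECRET, c))            # 755224, 287082, 359152
    # Token pressed three times, code from the third press submitted: accepted.
    print(verify_hotp(RFC_SECRET, hotp(RFC_SECRET, 3), last_counter=0))  # 3
    # Replay of the already-used counter-0 code: rejected.
    print(verify_hotp(RFC_SECRET, hotp(RFC_SECRET, 0), last_counter=0))  # None
```

The look-ahead window is a trade-off: wide enough that a few accidental button presses do not lock the customer out, narrow enough that guessing is no easier than the six digits already allow.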
Which? has previously raised concerns that banks could exclude some customers because they don't own a mobile phone or have decent signal.
It's up to each bank and card issuer which methods they use; however, the Financial Conduct Authority (FCA) has said that customers without phones or mobile reception should not be excluded.
Your bank must make it clear that they offer alternative ways to authenticate yourself.
If you are struggling to receive codes sent by your bank via SMS due to bad reception, some networks offer Wi-Fi Calling which lets you connect via your wireless broadband.
A number of providers – Lloyds and TSB – ask if you want to 'trust' your device to avoid extra security checks at login. Others do the 'trusting' without you realising.
Banks should still monitor your accounts for unusual activity and make regular security checks in case your device has been compromised; for example, Lloyds asks you to reconfirm trusted status when you use a new browser or clear your browser history.
Many providers now let you instantly 'distrust' or deregister a mobile phone, in case it is mislaid or stolen, though this still isn't offered by Lloyds Banking Group, Santander, or The Co-operative Bank.
Chase doesn't offer this feature either, but you can only log in to your Chase app via one registered device.
None of the banks tested currently let customers instantly revoke trust for laptops or desktop computers, though Barclays users can click profile > device history to see the devices which have been used to log on to online banking and follow instructions if they don’t recognise a device. Barclays says you wouldn’t see registered app devices on the web channel and vice versa, though it is currently working on enhancements that will allow you to see everything in one place.
What is Confirmation of Payee?
A name-checking system called Confirmation of Payee (CoP) prevents payments being made to the wrong bank accounts and helps combat fraud.
It checks the name of the payee against the account details provided and alerts you if they don't match.
Not all banks offer it: while the six largest banking groups were forced to introduce this new system in 2020, others have been gradually introducing it.
Since then, over 300 financial firms have adopted it, meaning 99% of all transactions made through Faster Payments and CHAPS are covered.
Previously, all banks processed online transfers using the account details only and took no notice of the name entered.
This flaw causes misdirected payments if people accidentally enter the wrong digits and can be abused by criminals who impersonate trusted organisations to trick people into transferring money directly into accounts they control.
If CoP is in place, your bank checks if the full name matches the details held by the recipient's bank. If the name entered doesn't match - or only partially matches - the account details, you'll know something is wrong.
You can still choose to ignore these warnings and authorise the payment regardless, though banks make a point of stating that you do so at your own risk.
There are four possible CoP messages, though not all banks use identical wording:
Yes, exact match - the details match and you can proceed with the payment.
Partial or close match - some of the details are incorrect so look for spelling mistakes or typos.
No match - the details don't match, so cancel the payment until you've made further checks.
No name check - it has not been possible to check the name, e.g. because the receiving bank doesn't offer CoP.
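The four outcomes above come from a name comparison run by the receiving bank. The following is an added example, not code from this article or from the CoP service itself, that models where each outcome comes from. The normalisation rules and the 0.8 similarity threshold are assumptions chosen for illustration; the real scheme's matching rules are not described on the page, and every account record below is constructed. The example also covers the 'Limited' versus 'Ltd' variation that the article later warns fraudsters exploit when they ask you to ignore a warning.

```python
"""Confirmation of Payee-style name check: match, close match, no match,
no name check.

Added example, not code from the original article or from the CoP scheme.
Account data, participating sort codes and the threshold are constructed.
"""
import re
from difflib import SequenceMatcher

# Constructed stand-in for the receiving banks' records:
# (sort code, account number) -> registered account holder name.
CONSTRUCTED_ACCOUNTS = {
    ("12-34-56", "12345678"): "Jane A Smith",
    ("12-34-56", "87654321"): "Acme Widgets Ltd",
    ("99-88-77", "11112222"): "Peter Jones",
}
# Sort codes whose bank answers CoP requests (constructed). A payment to any
# other sort code gets "no name check": nobody is there to answer the query.
PARTICIPATING_SORT_CODES = {"12-34-56"}


def normalise(name: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace, so 'Jane A. Smith'
    and 'jane a smith' compare equal. Deliberately does not expand 'Ltd'."""
    name = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    return " ".join(name.split())


def check_payee(sort_code: str, account_number: str, entered_name: str,
                close_threshold: float = 0.8):
    """Return (outcome, registered_name_or_None).

    The registered name is disclosed only on a close match, so the payer can
    see the typo. It is never returned on a no match: doing so would let
    anyone probe account numbers to learn who holds them.
    """
    if sort_code not in PARTICIPATING_SORT_CODES:
        return "no_check", None
    registered = CONSTRUCTED_ACCOUNTS.get((sort_code, account_number))
    if registered is None:
        return "no_match", None  # unknown account, treated as no match here
    entered, held = normalise(entered_name), normalise(registered)
    if entered == held:
        return "match", None
    # Similarity ratio in [0, 1]; 0.8 is an assumed threshold, not the scheme's.
    if SequenceMatcher(None, entered, held).ratio() >= close_threshold:
        return "close_match", registered
    return "no_match", None


if __name__ == "__main__":
    for args in [("12-34-56", "12345678", "Jane A. Smith"),
                 ("12-34-56", "12345678", "Jane Smith"),
                 ("12-34-56", "87654321", "ACME Widgets Limited"),
                 ("12-34-56", "12345678", "Peter Jones"),
                 ("99-88-77", "11112222", "Peter Jones")]:
        print(args[2], "->", check_payee(*args))
```

Note that 'ACME Widgets Limited' against a registered 'Acme Widgets Ltd' comes back as a close match rather than no match, which is exactly the situation where the payer, not the bank, has to decide whether the difference is innocent.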
CoP checks payments made using the Faster Payments system (including standing orders) and CHAPS (high-value payments), whether they are made online, via your mobile banking app or in a branch.
It doesn't apply to payments that are not in pounds sterling, or to BACS payments (including direct debits).
The most obvious benefit to CoP is that it significantly reduces the risk of you making a bank transfer to the wrong account.
Our most recent current account survey of the general public, in September 2020, found that 12% of people paid into the wrong account by accident in the past 12 months. We hope to see this figure drop when we ask again next year.
If your own bank or the receiving bank doesn't yet have CoP in place, be extra vigilant when adding payment details, particularly for large transfers.
Banks and building societies that offer Faster Payments must follow the credit payment recovery process if you do make a mistake, contacting the receiving bank on your behalf within two days of you reporting the error.
As long as the recipient of the misdirected payment does not dispute your claim, you'll be refunded within 20 working days of notifying your bank.
However, there are no guarantees you'll recover the misdirected money - if the recipient claims the money is rightfully theirs, you should seek legal advice and may need to take court action against them.
It is hoped that CoP will also protect people from losing money to bank transfer fraud, also known as authorised push payment (APP) fraud.
A common tactic used by impersonation scammers is to trick victims into moving money to a 'safe' account. CoP can help 'break the spell' by highlighting when the name entered isn't as expected.
Fraudsters will try to convince targets to ignore these warnings, for example, by claiming that a business name is different because it's a related trading name, or they could set up a new business with a name that's deceptively similar to a legitimate one.
But banks will never ask you to disregard CoP warnings so it's important that customers take these messages seriously.
The payments regulator told the six biggest UK banking groups to implement CoP: Barclays, Lloyds Banking Group, NatWest Group (including RBS), Santander, HSBC (including First Direct) and Nationwide Building Society.
Monzo and Starling were the first banks to sign up for CoP voluntarily. Revolut, an e-money firm, started offering CoP checks in January 2021. Later in 2021, we saw The Co-operative Bank (April) and TSB (June) follow suit.
We expect banks to follow Starling's lead and reimburse any customers who lose money as a result of CoP failures.
How can you protect yourself against bank fraud?
Criminals are constantly inventing new ways to try to get their hands on your money.
Stay one step ahead by learning how to spot a scam and following these ten tips to keep the cash in your bank account safe:
1. Take your time
Treat unsolicited phone calls, letters, emails and texts with caution. Fraudsters use pressure tactics to persuade you to share personal and financial details so don't let anyone rush you and never share your Pin or online passwords (your bank will never ask for these in full).
2. Use a phone number you trust
If you're in any doubt as to who's calling, hang up. Make sure the line is clear, and then call the organisation on a phone number you trust, such as the one on the back of your payment card.
3. Use antivirus software and keep your devices up to date
Make sure your computer or laptop is protected with a good security program and antivirus software. Keep all devices, apps and browsers up to date. Updates contain security patches for new vulnerabilities. Visit our guide to choosing antivirus software so you can find the best package to keep you safe.
4. Create strong passwords
It's tempting to use the same password for lots of different websites and accounts, but this is a bad move: passwords get stolen in data breaches and sold to other hackers, who use software to try them on lots of websites in what's called a password stuffing (or credential stuffing) attack.
Don't write your passwords down in full or share them with anyone. Consider using a password manager such as LastPass or Dashlane to generate unique passwords.
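From the website's side, the password stuffing attack described above has a recognisable shape: one source tries many different usernames in a short time, and almost all of the attempts fail. The following is an added example, not code from this article or from any bank, of that detection logic run over a handful of constructed login-log lines. The log format, the addresses and usernames, and the thresholds are all constructed or assumed for the example; a real deployment would tune them to its own traffic.

```python
"""Detecting a password (credential) stuffing run in authentication logs.

Added example, not code from the original article. The log format, sample
lines, addresses, usernames and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "timestamp ip username result".
# 198.51.100.7 works through a list of leaked usernames; 203.0.113.5 is one
# person mistyping their own password twice.
SAMPLE_LOG = """\
2024-03-01T09:00:01 198.51.100.7 alice FAIL
2024-03-01T09:00:02 198.51.100.7 bob FAIL
2024-03-01T09:00:02 198.51.100.7 carol FAIL
2024-03-01T09:00:03 198.51.100.7 dave FAIL
2024-03-01T09:00:04 198.51.100.7 erin OK
2024-03-01T09:00:05 198.51.100.7 frank FAIL
2024-03-01T09:00:05 198.51.100.7 grace FAIL
2024-03-01T09:00:06 198.51.100.7 heidi FAIL
2024-03-01T09:00:10 203.0.113.5 alice FAIL
2024-03-01T09:00:20 203.0.113.5 alice FAIL
2024-03-01T09:00:40 203.0.113.5 alice OK
2024-03-01T09:05:00 192.0.2.9 bob OK
"""


def parse(log_text: str):
    """Return a list of (timestamp, ip, username, success) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.2):
    """Flag source IPs that, within `window`, try at least `min_users` distinct
    usernames with a success rate at or below `max_success_rate`.

    Returns {ip: (distinct_users, attempts, successes)} for the widest
    qualifying window seen per IP. One user failing repeatedly is not flagged;
    that is a forgotten password, not a stuffing run.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits within `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_users and successes / len(chunk) <= max_success_rate:
                flagged[ip] = (len(users), len(chunk), successes)
    return flagged


def compromised_accounts(events, flagged):
    """Usernames that logged in successfully from a flagged source: their
    reused password was valid here, so these accounts need a reset."""
    return {user for _, ip, user, ok in events if ok and ip in flagged}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    hits = find_stuffing_sources(evs)
    print(hits)                               # {'198.51.100.7': (8, 8, 1)}
    print(compromised_accounts(evs, hits))    # {'erin'}
```

The single successful login inside the flagged run is the important result: it is the account whose reused password has just been confirmed, and the one that needs a forced reset and a second factor, not just a blocked IP.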
5. Secure your connection
If you have a wireless network at home, activate the security settings on your router and replace the default password so no one else can access it.
Avoid logging in to your bank account from a public computer or unsecured wireless network. If you do use a public computer, never leave it unattended and always log out when you’ve finished.
6. Be wary of links
Avoid clicking links and downloading attachments from emails and texts.
Phishing emails are sent by criminals posing as genuine companies such as a bank or HMRC. Clicking on a link takes you to a fake website where fraudsters steal financial or personal details.
Or, the link might install malware on your computer as another means to capture details. Thieves can steal your password by tricking you into installing a program on your computer that secretly records your password when you type.
Type web addresses into the address bar of your browser manually instead.
7. Browse safely
Look for a padlock symbol in or next to the address bar in your browser, and check that the web address starts with 'https' rather than 'http'. This shows the connection is encrypted, but it isn't a guarantee that the site is genuine, as fraudulent sites can use https too.
Some sites have an extended validation (EV) certificate, shown as a padlock alongside the company name. Again, it's not perfect, but it requires the company to undergo more rigorous checks.
8. Remove personal info from social media
Don't leave your email address, date of birth, or phone number on sites such as Instagram, Facebook and Twitter – it increases your risk of identity theft.
Only accept friend requests from people you know. Someone posing as an interesting person asking to become your friend may actually be an ID thief.
Check your privacy settings carefully and make sure only people you trust can view your profile.
9. Scan your statements
Regularly check your bank account and credit card statements for suspicious transactions.
If you spot something unfamiliar, report it to your bank or card provider as soon as you can.
10. Use ATMs inside the bank
Try to shield your Pin in case criminals have fitted a camera above the keypad. Or stick to in-branch machines, which are less likely to have been tampered with than those on the high street.
What to do if you're a victim of bank fraud
Check your account online regularly to spot any irregularities and contact your bank as soon as possible if you think you've been a victim of fraud.
Also contact Report Fraud (formerly Action Fraud) on 0300 123 2040, or Police Scotland on 101.
Your bank is legally required to refund unauthorised transactions and restore your account to the state it would have been in had the transaction not been made, unless it can prove that you've acted fraudulently or been grossly negligent.
They can't refuse to refund you based on a hunch – they must investigate properly – but banks don't always get this right.
If you're unhappy with the way your bank has dealt with your complaint, you can refer the matter to the Financial Ombudsman Service (FOS).