The 5 biggest banking security threats and how to avoid them

Unauthorised mobile banking fraud has hit record levels, as fraudsters look to take advantage of a rise in banking app usage

With more and more of us banking on the go, criminals are using this to their advantage, leading to record levels of unauthorised mobile banking fraud. 

Mobile banking fraud overtook internet banking fraud for the first time in 2023 and continued to rise in the first half of 2024.

Fraud levels were expected to increase in line with usage. There are now almost as many people using banking apps (60%) as online banking (62%), according to UK Finance, and fraudsters generally view customers as the weakest link, regardless of the banking methods we use. 

So, what are the biggest threats to your bank account and how can you combat them? Read on to find out. 


1. Account hacking

Mobile banking fraud occurs when a criminal uses your login details to hijack your account via a banking app downloaded to their device. 

The uptick in cases doesn’t point to any unique weakness of banking apps, but is a reflection of how criminals target customers, using text messages (SMS) to spread mobile malware and mimicking legitimate apps to capture data.

What are banks doing?

Banks must make identity checks when you log in to your account. These multi-factor authentication (MFA) checks must include at least two components, such as a password or Pin (something only you know), a card reader or registered mobile device (something only you possess) or your digital fingerprint (something unique to you). 

Chase, Monzo, NatWest and Starling ask customers to pass face and voice checks (via a ‘selfie video’) to make certain account changes. Weaker checks rely on security codes sent via SMS, which can be intercepted by Sim swap scammers, though the industry is slowly phasing these out. 

We want banks to let you view any devices connected to your account so that you can take action if you spot one you don’t recognise. Most now offer this, although some big names – the Co-operative Bank, Lloyds Banking Group (including Halifax and Bank of Scotland) and Santander – still lag behind. 

The Co-operative Bank and Santander told us this feature is in the works. Lloyds Banking Group said that all devices are automatically distrusted after 30 days of inactivity, so customers don’t need to be notified of new devices. However, such notifications are standard practice for Apple, Google and most email providers.


What can you do?

  • Set long, random and unique passwords for your accounts and use a password manager so you don’t need to remember them. Use MFA on every website that offers it. 
  • Avoid public wi-fi and never download apps from unofficial sources (use the Amazon, Apple or Google Play app stores instead, as these are vetted). Rogue apps still slip through (many reportedly pose as QR code reader and PDF apps), so read reviews before you download anything. 
  • Keep your device operating system and key applications, such as your web browser, up to date and use reputable antivirus software on all devices, scanning regularly for threats. 

2. Stolen card details

Most card fraud is done remotely, for example by using details leaked through third-party data breaches. However, losses were the lowest reported for nine years in 2023 (£361m) thanks to more stringent verification processes when you shop online. 

Card ID theft is a growing problem. This is where stolen cards or details are used to take over an existing account or open a new one. Last year, cases and losses were at the highest level ever recorded.

What are banks doing?

Beyond identity checks, banks can use artificial intelligence (AI) and machine learning to identify unusual patterns and flag potential fraud in real time. Helping customers spot fraud more easily is also essential. 

Digital banks Monzo and Starling led the way for instant push notifications of incoming and outgoing payments, meaning customers can quickly flag transactions they don’t recognise. Most banks now offer this, but not the Co-operative Bank, Nationwide, Santander or TSB.


What can you do?

  • Avoid storing your card details on retailer websites (use wallets such as Apple Pay and Google Pay or PayPal instead). 
  • Review your privacy settings on social media sites and stay vigilant to phishing attempts.
  • Always check web addresses carefully, particularly if you’ve been directed from adverts or QR codes.
  • If your card is lost or stolen, most banks let you freeze it via the app (the Co-operative Bank is a notable exception).

3. Phone theft

Thieves snatching expensive handsets may ‘shoulder-surf’ victims to watch them entering Pins and passwords. 

If you’ve used the same or similar passwords for multiple accounts, a thief could easily pass security checks. If they can’t crack them, they will try to use your Sim in their own device. 

What are banks doing?

Some banks make it extremely difficult for thieves to reset your login details or register the app on a new device (Chase, Monzo and Starling ask for photo ID or a selfie video, for example). 

However, in early 2023, a spate of phone thefts – many of which involved gym lockers being raided – led Which? to expose holes in some banks’ defences. A few required only basic information to reset app login details. For example, Halifax and MBNA only asked for credit card details and a security passcode sent via SMS to the same phone. We think this is too weak, although SMS is slowly being phased out.

Banks have other tools such as transaction monitoring and behavioural biometrics, which detect subtle deviations in the way a device is used. Most also use geolocation data to verify the physical location of customers during transactions and identify unusual activity. Santander is the only current account provider we surveyed that doesn’t use either.


What can you do?

  • Add a unique Pin to your Sim (under 'Settings', look for ‘Sim Pin’ or ‘Lock Sim’) to prevent it being used in another phone. Disable preview notifications (‘Lock screen’ or ‘Notifications’), as these messages can flash up on your phone screen even when your phone is locked, meaning a thief could view text messages or emails sent by your bank. 
  • Register for a tracking app such as Apple’s 'Find My' or Google’s 'Find My Device', so you can quickly mark your device as stolen and remotely wipe its data if needed. Check if your phone manufacturer offers any tools too, such as Apple Stolen Device Protection and Android Theft Protection. 
  • Finally, avoid keeping your debit and credit cards in your phone case.
 


4. Hijacking your phone number

Criminals can trick your mobile network into transferring your phone number to a Sim card in their possession – a scam known as Sim swapping.

They can then redirect calls and texts to a new device, to intercept security codes and hijack your bank accounts or payment wallets such as Apple Pay and Google Pay. 

What are banks doing?

Mobile networks bear most of the responsibility for preventing this scam, although many banks use Sim-swap detection (flagging recently swapped Sims as high risk). 

The likes of Chase, Monzo and Starling have no need, as they never use SMS to authenticate customers at login. But we were disappointed to learn that Lloyds Banking Group and Nationwide are yet to adopt these measures, as both still use SMS-based identity checks. 


What can you do?

  • Ask your network provider about additional security. For example, you may be able to set up a unique Pin or password which must be provided to approve account changes in-store or over the phone. 
  • Call your provider immediately if you receive unsolicited texts or emails about your Sim being ported, a PAC request, or you unexpectedly lose phone service. 
  • Use MFA that doesn’t require SMS where possible – for example, apps such as Microsoft Authenticator are tied to a physical device, not your phone number.

5. Impersonation scams

Scammers often contact potential victims posing as banks, law enforcement and telecoms providers to trick them into sending money or divulging security codes that they can use to authorise payments. 

What are banks doing?

Banks can block attempts to spoof their phone numbers in calls and texts, by adding them to something called the Do Not Originate (DNO) list (a database of helplines that can only receive calls, never make them). 

When you send money to new accounts, detailed fraud warnings and Confirmation of Payee are now the norm, helping to prevent you sending money to a scammer. If the name of the account doesn’t match the name of the person or business you intend to pay, your bank will alert you to this. 


What can you do?

  • Stay cautious when receiving unsolicited calls, emails and texts. Avoid clicking on links and double-check any ‘urgent’ notifications supposedly from banks or other businesses. 
  • Contact from unknown numbers is a red flag, but even if the number appears legitimate, contact the company using a trusted method such as the phone number on your debit card. 
  • Never share your password, Pin or security codes – anyone asking for these is a scammer – and don’t download screen sharing or remote-access software, as this enables scammers to take full control of your device.
  • Pay attention to fraud warnings from your bank, as these are designed to protect you. Never lie to your bank about the reason for a payment, as fraudsters are known to coach victims into bypassing security checks. 
  • If the worst happens, report any losses immediately so the banks can freeze accounts and try to recover your money. 

First in Which? Money magazine

This story first appeared in Which? Money magazine.