May 13, 2025
Banking

5 things I would never do as a banking and scams expert


A moment’s distraction, such as an urgent phone call from ‘your bank’ on a busy day, is all it takes to fall into a fraudster’s trap, but there are many simple ways to protect your financial accounts.

I’ve spent more than a decade researching threats and battling to get bank fraud victims their money back, yet I’ve never felt unsafe using online or mobile banking. Staying alert to phishing attempts, keeping software updated and making use of your bank’s and mobile phone’s security features will stop most bank scammers in their tracks. 

Read on for my top five tips to keep your bank accounts secure. 


1. I’d never use an unsupported device for banking 

If your PC, tablet or mobile phone is no longer receiving security updates, don’t use it for banking. 

Windows 10, for example, is ending security support in October 2025, which means it won’t get security updates or fixes after this date. Your PC won’t become riddled with viruses overnight (so don’t panic), but it may become more vulnerable over time.

Unsupported devices are more prone to malware and other cyberattacks because criminals deliberately target known weaknesses that will never be patched on them. All apps and software should be kept up to date to protect you from the latest threats, though you might be surprised to learn that some brands only supply these vital security patches for as little as two years after a device goes on sale.

Most banks won’t let you install their apps on a mobile or tablet running a very old operating system, though they may allow existing customers to carry on using an app that is already installed. The safest option is to update or replace unsupported devices, whatever your bank allows.

2. I’d never download an app outside of an official app store

If you want to install a new app, stick to your phone’s official app store, e.g. Apple’s App Store or Google Play, as they vet apps and remove rogue developers. Installing an app from other sources (‘sideloading’) puts you at much greater risk of malware and privacy violations.

Malicious apps still slip through the vetting of official stores (many reportedly pose as QR code readers and PDF apps), so it’s sensible to read any negative reviews carefully and check the permissions the app requests, both at install time and afterwards in your phone’s settings. One red flag is an app asking for access to your contacts without a clear reason why it needs them.

3. I’d never give remote access to an unsolicited caller

Tools such as AnyDesk, LogMeIn and TeamViewer (or its QuickSupport app) are legitimately used by IT professionals to fix problems from afar, including Which? Tech Support – but scammers abuse these to get into bank accounts. 

They may pretend to be from your bank, broadband provider or even a retailer such as Amazon, perhaps claiming they can help you ‘secure your account’ or offer ‘technical support’. 

Some use stolen branding to convince you they’re legitimate. For example, the image below shows how criminals used Revolut’s logo to make an AnyDesk account look like a genuine IT helpdesk for the e-money firm. This enabled them to take remote control of victims’ devices and drain their business accounts in minutes.

Fake Revolut AnyDesk session

If a cold caller wants you to share your screen or give them access to your device, this should be an immediate red flag. 

Never share bank security codes (the one-time codes used to log in to online accounts and authorise payments) either. Your real bank will never ask you to read these out over the phone or send them in a message. Only enter a security code online when you know exactly what you are authorising, and check that the payment details shown with it match what you intended. And only a scammer will tell you that you need to move your money to a ‘safe account’.

4. I’d never trust Caller ID 

Number-spoofing technology means scammers can start to convince you even before you pick up the phone. 

That call or text may appear to be from ‘Barclays’, but there’s no guarantee it isn’t a scammer using software to mimic an official phone number or Sender ID. Because your phone groups messages by the displayed sender, a spoofed text can even appear in the same thread as genuine ones, making the two almost impossible to tell apart.

A common tactic is to refer to unauthorised transactions or another security breach to create panic. The same scammers may combine texts and calls. For example, I’ve previously warned about fake delivery texts being followed up by bank impersonation scams over the phone. This can be extremely effective, as they only need to refer to the earlier bogus text to establish trust.

Industry and regulators are working to stop spoofing. Ofcom told phone providers that from January 2025 they must identify and block calls from abroad that falsely display a UK landline number. This crackdown is long overdue, but you’ll need to remain cautious of Caller ID as it won’t wipe out spoofing entirely.

Call your network immediately if you receive an unexpected message about your Sim being ported or a PAC (Porting Authorisation Code, used to move your number to another network) being requested, or if you unexpectedly lose phone service. A criminal who takes control of your number will receive any security codes your bank sends you by text.

  • Stay safe: Don’t give out sensitive information on an incoming call. Hang up, wait for 15 minutes (so the line has definitely cleared) and either call the firm on a trusted number (such as the one on the back of your debit card or on its official website) or dial 159 to connect to your bank’s fraud team. Barclays, Monzo and Starling also offer caller verification within their apps, so you can check in the app whether the bank is really calling you.

5. I’d never use the same Pin or password twice

Two-factor authentication, or 2fa, is usually the first thing I tell people to put in place to secure their online accounts, as it means that even if a scammer steals or guesses your username and password, they will need to pass an additional security check to get in. You can find a list of companies and services that offer it at 2fa.directory/gb

Even with 2fa, don’t be tempted to use the same Pin or password twice, as this is still your first line of defence. If an attacker has got hold of your login details for one online account, perhaps following a data breach or stolen through a phishing message, they will use automated software to try the same email address and password across many other sites (a technique known as ‘credential stuffing’). Every account that shares that password falls with the first one.

The same goes for your mobile too, as we’ve reported on cases where fraud victims were ‘shoulder-surfed’ by thieves who carefully watched them entering Pins to unlock their phones and then tried the same, or very similar, combinations to access their banking apps.

  • Stay safe: Pick strong, unique passwords. Combining three random words, such as ‘checktwistapple’, is considered ‘long enough and strong enough’ by the National Cyber Security Centre (NCSC). You can use a password manager such as Bitwarden or Dashlane so that you don’t need to remember them.
