The best and worst banks for online safety

Picking a bank that offers protection from scammers is just as important as an account that delivers interest, cashback or overdrafts

Businesswoman using laptop and mobile phone logging in online banking account
(Image credit: Getty images)

Online security should be a crucial consideration for all of us when picking a bank account.

Most of us tend to focus on the individual features offered by the bank account when choosing where to keep our money. It might be that it pays a leading rate of interest on in-credit balances, or cashback on your household bills

Alternatively, we might prioritise banks that offer a fee-free overdraft, or even a welcome bonus that can be worth hundreds of pounds.

However, just as important when selecting a bank is how well it can protect you from scammers and fraudsters. And a new study from Which? highlights some of the best and worst banks for online security. 

What makes a secure bank?

Which? teamed up with the security experts at Red Maple Technologies to assess more than a dozen banks and how secure their customer-facing features are. 

Banks were scored in four categories for their online banking security and app security:

  • Log-in
  • Navigation and logout
  • Account management
  • Encryption

Issues which would result in a score being marked down included failing to block weak passwords, sending passcodes or other sensitive information in text messages (which it argued were the least secure method) and leaving customers logged in even after five minutes of inactivity.

Other reasons for dropping points included allowing access to accounts from multiple web browsers at the same time, and sending notifications to customers that include a phone number or weblink. Which? argued that these can open the door to scammers, since they can be replicated easily by scammers and con people into sharing their details.

The best banks for online safety

According to Which?, the standout bank when it comes to online safety is Starling Bank.

Starling is an online-only bank ‒ you aren’t going to find a Starling branch on your local high street, for example. However, the fact that it is online-focused evidently means that it knows what it’s doing when it comes to protecting customers.

The Which? study gave Starling a score of 82% for online banking security, and 80% for its app. The app is useful for all customers, in that it is used to authorise online logins, while it also provides alerts whenever there is any sensitive activity. The bank scored five stars in virtually every category of the Which? tests.

It was followed by HSBC, which was the top performer in last year’s version of these tests. It scored 80% for online banking, and actually outperformed Starling in the app tests, managing 82% ‒ the highest of any bank assessed.

The worst banks for online safety

At the other end of the scale, Virgin Money was the worst performer on online safety of all of the banks tested by Which? and Red Maple Technologies.

On online banking, it scored a paltry 52%. Issues pinpointed included the navigation and logout, as well as its account management, where it got just two stars out of five. It scored 54%, which was partly down to the poor score of two stars for its encryption.

According to the investigation, Virgin Money was using six web applications which were potentially vulnerable to scammers. Issues include failing to block insecure passwords, and including phone numbers in notifications, while the bank was also criticised for not carrying out security checks when users want to pay someone new, adapt an email address, or edit the details of a payee.

Another bank that came out poorly in the tests was TSB. It managed a score of just 57% for its app, which was the second lowest in the investigation, though it received a more respectable 66% for its online banking.

It was criticised for issues including asking basic security questions to recover login details, as well as its poor password requirements ‒ only six characters were needed, while TSB was found to fail to block insecure passwords.

The bank also lost points for failing to send alerts when sensitive changes were made to accounts, while phone numbers were included in new-payee notifications.

Keeping yourself safe online

Checking studies like this are a good idea when opening a new bank account, so that you can be confident that your money will be protected from scammers.

However, there are measures you can take too which will also keep fraudsters at bay. Examples of steps you can follow to keep safe when banking online include:

  • Don’t click on links you receive in unsolicited messages
  • Use up-to-date security software
  • Improve your phone’s security, such as by turning on the auto-lock after a period of inactivity
  • Remove any personal information, such as your date of birth or email address, from your social media profiles
  • Change the password on your home router from the default password.
John Fitzsimons
Contributing editor

John Fitzsimons has been writing about finance since 2007, and is a former editor of Mortgage Solutions and loveMONEY. Since going freelance in 2016 he has written for publications including The Sunday Times, The Mirror, The Sun, The Daily Mail and Forbes, and is committed to helping readers make more informed decisions about their money.