Bank security flaws putting customers at risk, warns Which?

Security flaws in the websites of banks are putting customers at increased risk of falling victim to fraud, according to an investigation from Which?.

Tests conducted by Which? found that some banks were failing to log users out of systems after periods of inactivity, were not adequately blocking weak passwords, or were sending sensitive information via SMS.

The consumer body also discovered that some banks allowed access to accounts from multiple web browsers or IP addresses at the same time, without flagging this as a potential cyber attack.

Other banks were sending customer notifications which included a phone number or a weblink. Which? said that these can be a gift to scammers, who often replicate texts and emails to trick people into calling them or entering their details on a fake website.

Virgin Money ranked the lowest in the investigation, with Which? saying the bank did not adequately block insecure passwords or remove phone numbers from notifications.

Virgin Money also lacked the necessary security checks to pay someone new, change an email address or edit the details of a payee, it said.

A spokesperson for Virgin Money said: “The safety and security of our banking services is our top priority, and we are continually monitoring, assessing and improving our security controls. A number of the points raised in this research relate to decisions we’ve taken to enhance the digital user experience while ensuring our robust, multi-layered controls remain in place to protect customers’ accounts.”

Over 29,100 cases of remote banking fraud were reported to UK Finance in the first half of 2022. This included scammers gaining access to customers’ bank accounts and making an unauthorised transfer of money from the account.

Commenting on the news, Sam Richardson, Which? Money deputy editor, said: “Banks should not be leaving these open doors for scammers to exploit and must up their game to protect their customers properly.”

He added: “By making improvements, such as blocking weak passwords, banks can take an important step in preventing unscrupulous fraudsters from attempting to steal money and personal data from consumers.”
