Online Banking Safety — A UK Guide
Online banking fraud costs UK consumers and businesses hundreds of millions of pounds each year. Most successful attacks rely not on hacking your bank — which is extremely difficult — but on tricking you into handing over credentials or authorising fraudulent payments yourself. Understanding what your bank will and will not do is the most effective protection.
What Your Bank Will Never Do
Memorise this list. Any communication that does any of the following is fraud — regardless of how convincing the caller, email, or text appears:
- Ask for your full password, PIN, or online banking password over the phone or by email
- Ask you to move money to a "safe account" to protect it from fraud
- Send a courier to collect your bank card
- Ask you to confirm a transaction by providing your card details over the phone
- Send you a link to log in to online banking via email or text
- Ask you to download remote access software to help investigate fraud
Six Safe Banking Habits
Type the address directly
Never click a link to online banking from an email or text. Type your bank's address directly into the browser address bar.
Check the domain carefully
Criminals use domains like barclays-secure.co.uk or hsbc-support.com. Your bank's real domain is simple: barclays.co.uk, hsbc.co.uk. Check the full address every time.
Enable transaction alerts
Most UK banks offer free text or app notifications for all transactions. Enable these so any unauthorised payment is flagged to you immediately.
Use your bank's official app
The official app (from the App Store or Google Play) is more secure than browser-based banking on most devices. Keep it updated.
Never bank on public Wi-Fi
Public Wi-Fi in cafes, hotels, and airports is potentially monitored. Use mobile data or a VPN if you must bank away from home.
Enable 2FA on your banking app
Most UK banks now require 2FA by default. If your bank does not, check your settings — it may be available as an option.
What to Do If Something Goes Wrong
1. Call your bank immediately — use the number on the back of your card, not any number from a message
2. Tell them exactly what happened — banks have specialist fraud teams available 24 hours
3. Report to Action Fraud at actionfraud.police.uk or 0300 123 2040
4. Keep records of everything — screenshots, emails, bank statements
5. Under the UK Contingent Reimbursement Model, banks are often required to refund victims of authorised push payment fraud — push for this if applicable
Frequently asked questions
How do I know if an online banking site is genuine?
Type your bank's web address directly into the browser address bar — never click a link from an email or text. Look for the padlock icon in the address bar, which confirms the connection is encrypted. Check the domain exactly: barclays.co.uk is genuine; barclays-secure.com is not. If in doubt, go to a branch or call the number on the back of your card.
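The domain check described in this answer and under "Check the domain carefully" can be written as a strict comparison. The following is an added example, not part of the original guide: the `classify` function, the two-entry `GENUINE` list and the example.net sample addresses are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Genuine domains named in this guide. Assumption: in real use this list
# comes from the address printed on your card or statements.
GENUINE = ("barclays.co.uk", "hsbc.co.uk")
BRANDS = tuple(d.split(".")[0] for d in GENUINE)  # "barclays", "hsbc"


def classify(address: str) -> str:
    """Return 'genuine', 'insecure', 'lookalike' or 'unrelated'."""
    address = address.strip()
    if "://" not in address:
        address = "https://" + address  # address typed without a scheme
    parts = urlsplit(address)
    # .hostname lowercases and drops any "user@" prefix and ":port" suffix
    host = (parts.hostname or "").rstrip(".")
    # Genuine only if the host IS the bank's domain or a subdomain of it.
    # The leading dot matters: without it, any host that merely ends in
    # the bank's name would pass.
    if any(host == d or host.endswith("." + d) for d in GENUINE):
        return "genuine" if parts.scheme == "https" else "insecure"
    # The bank's name anywhere else in the address is a lookalike
    if any(b in parts.netloc.lower() for b in BRANDS):
        return "lookalike"
    return "unrelated"


# Constructed sample addresses. The lookalike names in the first group are
# the ones quoted in this guide; example.net is a reserved documentation domain.
SAMPLES = [
    "barclays.co.uk",
    "https://www.hsbc.co.uk/login",
    "http://barclays.co.uk/",
    "https://barclays-secure.co.uk/",
    "https://hsbc-support.com/",
    "https://barclays-secure.com/",
    "https://barclays.co.uk.example.net/login",  # bank name used as a subdomain
    "https://barclays.co.uk@example.net/",       # bank name before an "@"
    "https://example.net/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):10} {sample}")
```

The last two lookalike samples show why the full address has to be read to the end: the part that decides where you are connecting is what comes immediately before the first single slash, after any "@".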
What do I do if I think I have been a victim of bank fraud?
Call your bank immediately using the number on the back of your card. Do not use any contact details from the suspicious message. Your bank has a 24-hour fraud line. Also report to Action Fraud at actionfraud.police.uk or 0300 123 2040. Under the UK Contingent Reimbursement Model (2024), banks are often required to refund victims of authorised push payment fraud.
Is mobile banking safe?
Yes, when done correctly. Use your bank's official app (downloaded from the App Store or Google Play, not from a link). Keep the app updated. Use biometric login (fingerprint or face). Never access banking on public Wi-Fi without a VPN. Avoid jailbroken or rooted devices for banking.