Bank Security UK 2026 — FSCS Protection, Scam Prevention, Complaints and Your Rights

Safe Online Banking UK — How to Protect Your Money

Complete guide to online banking security in the UK: how to stay safe and avoid fraud, what banks do to protect you, and what to do if things go wrong.

Part of the Bank Security UK 2026 guide.

Online banking is among the safest ways to manage your money — but it requires security awareness. UK banks invest heavily in fraud detection and customer protection; the weak point in almost every successful attack is human behaviour, not the bank’s systems. This guide covers exactly what your bank does to protect you, what you must do yourself, and your rights if something goes wrong.

How Banks Protect You

Security Features

UK banks are required to implement Strong Customer Authentication (SCA) under the Payment Services Regulations 2017 — meaning at least two of three factors must be verified for sensitive operations.

Protection | What It Does
End-to-end encryption | Scrambles all data in transit — the padlock symbol confirms it
Two-factor authentication (2FA) | Second verification step via app, SMS, or card reader
Biometrics | Fingerprint or face recognition — faster and more secure than passwords
Real-time fraud monitoring | Automated systems flag unusual patterns and can block suspicious payments
Automatic session timeout | Logs you out after inactivity — limits exposure if you forget
Secure in-app messaging | Encrypted communication — safer than email for sensitive queries

Authentication Methods

Method | How It Works
Password + memorable information | Something you know
Card reader device | Something you have
Mobile app push notification | Something you have
SMS one-time passcode | Something you have (weaker — can be SIM-swapped)
Biometrics (fingerprint/face) | Something you are — strongest option

Account Protection Features

Feature | What It Prevents
Real-time transaction alerts | Unknown transactions spotted immediately
Instant card freeze via app | Limits damage if card stolen or lost
Spending limits | Caps daily ATM and payment amounts
Trusted payee list | Additional confirmation required for new recipients
Cooling-off periods | Delays large transfers to new payees — gives time to spot scams

Your Security Responsibilities

Strong Passwords

Do | Don’t
Use 12+ characters | Use pet names, birthdays, or addresses
Mix letters, numbers, and symbols | Use the same password on multiple sites
Use a password manager | Write passwords in a notebook or phone note
Make it unique to your bank | Share it with anyone — including family
Change it immediately if you suspect compromise | Tell it to callers claiming to be your bank

Secure Logins

Best Practice | Why It Matters
Type your bank’s URL directly into the address bar | Phishing sites use near-identical URLs
Check for the padlock symbol and correct domain | Confirms you are on the real encrypted site
Use your bank’s official app, downloaded from the App Store or Google Play | Third-party apps may be malicious
Log out fully after each session — don’t just close the tab | Active sessions can be hijacked
Never log in from links in emails or text messages | These are the primary phishing vector

Device Security

Protection | Action Required
Keep your operating system updated | Security patches close vulnerabilities
Use reputable antivirus software | Particularly important on Windows
Lock your phone with a PIN, fingerprint, or face | Prevents access if lost or stolen
Do not root or jailbreak your phone | Removes security protections
Only install apps from official stores | Sideloaded apps may contain malware

Avoiding Common Risks

Phishing — What It Looks Like

Phishing is the most common method used to steal online banking credentials. Fraudsters send emails or texts that appear to be from your bank, creating urgency to make you act without thinking.

Phishing Sign | What to Do
Unexpected email or text from “your bank” | Do not click any links
Urgent message: “Your account has been suspended” | Creates panic — log in directly via the app instead
Link to “verify your details” | Leads to a fake site — check the URL carefully
Generic greeting: “Dear customer” | Your bank uses your full name
Sender address doesn’t match the bank’s domain | Check carefully — fraudsters use slight misspellings

What Banks Will Never Ask For

No genuine UK bank will ever ask you for:

They Will Never Ask | Why It Matters
Your full password | They cannot see it and do not need it
Your PIN | Never, under any circumstances
One-time passcodes to read out to them | You use the code; you do not share it
To transfer money to a “safe account” | There is no such thing — this is always fraud
To allow remote access to your computer | Not for security purposes

Public Wi-Fi

Never access online banking on public Wi-Fi — coffee shops, hotels, airports, and other shared networks can be monitored, and fraudsters sometimes set up fake networks with convincing names. Use your mobile data connection instead. If you must use a shared network, a reputable VPN adds a layer of protection.

Recognising Fraud Attempts

Phone Scams (Vishing)

Vishing — voice phishing — involves callers impersonating your bank’s fraud department. This is one of the most effective scams because callers can be highly convincing. For a comprehensive breakdown of the most common scam types and how to spot them, see our bank scams and fraud guide.

Common Approach | The Red Flag
“We’ve detected fraud on your account” | Banks monitor fraud without needing to verify via cold calls
“Please confirm your security details” | They would not need to ask — they already hold them
“Transfer your money to a safe account for protection” | Classic APP fraud setup — no safe account exists
“Don’t tell other bank staff — this is confidential” | Any instruction to conceal is a scam
They know your name and partial account details | Fraudsters buy personal data — knowledge is not proof of identity

What to do: Hang up. Wait at least 5 minutes (fraudsters can hold the line open). Then call your bank directly using the number on the back of your card, or dial 159 — the Stop Scams UK hotline that connects you to your bank’s fraud team.

Email and Text Scams (Phishing and Smishing)

Warning Sign | Check
Unexpected contact about your account | Did you initiate this?
Urgency — “act within 24 hours” | Pressure to bypass rational thinking
Link to click | Hover over it to see the real URL
Request for personal or financial information | Banks do not ask for this by email or text
Poor spelling or grammar | Often present, though sophisticated scams may not have this
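
The warning signs in the two tables above (sender domain, generic greeting, urgency, and where a link really leads) can also be checked mechanically. The following is an added example, not part of the original guide: the bank domain mybank.example, the 0.8 similarity threshold and the sample message are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the domain the recipient's real bank sends from (placeholder).
BANK_DOMAIN = "mybank.example"
URGENCY = re.compile(r"suspended|act within \d+ hours|verify your details", re.I)
GENERIC = re.compile(r"\bdear (customer|client|user)\b", re.I)

def is_bank(domain):
    """True for the bank's own domain or one of its subdomains."""
    return domain == BANK_DOMAIN or domain.endswith("." + BANK_DOMAIN)

def is_lookalike(domain):
    """True for a domain that is close to, but not, the bank's."""
    return not is_bank(domain) and SequenceMatcher(None, domain, BANK_DOMAIN).ratio() >= 0.8

def phishing_signs(raw_email):
    """Return the warning signs from the tables that one message shows."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    signs = []
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if is_lookalike(sender):
        signs.append("sender domain is a slight misspelling of the bank's")
    elif not is_bank(sender):
        signs.append("sender domain does not match the bank's")
    if GENERIC.search(body):
        signs.append("generic greeting")
    if URGENCY.search(body):
        signs.append("urgent or 'verify your details' wording")
    for href in re.findall(r'href="([^"]+)"', body, re.I):
        host = (urlparse(href).hostname or "").lower()
        if not is_bank(host):  # what hovering over the link would reveal
            signs.append("link really goes to " + host)
    return signs

# Constructed sample message, not a real phishing email.
SAMPLE = """From: My Bank <alerts@my-bank.example>

<p>Dear customer,</p>
<p>Your account has been suspended. Act within 24 hours.</p>
<p><a href="http://mybank.example.secure-login.test/verify">mybank.example</a></p>
"""

if __name__ == "__main__":
    print("\n".join(phishing_signs(SAMPLE)))
```

The link in the sample shows the bank's name as its visible text and even starts with the bank's domain, but the host it actually resolves to ends in a different domain, which is why the check compares the end of the hostname rather than searching for the bank's name anywhere in the URL.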

If Something Goes Wrong

Unauthorised Transactions

Step | Action
1 | Call your bank’s fraud line immediately — use the number on your card or dial 159
2 | Do not use any device you suspect may be compromised
3 | Your bank will freeze affected accounts and issue replacement cards
4 | Report to Action Fraud: 0300 123 2040 or actionfraud.police.uk
5 | Change all passwords from a clean, trusted device

Your Rights

Under the Payment Services Regulations 2017, UK banks must refund unauthorised transactions promptly — typically by the next business day — unless they can prove you acted fraudulently or with gross negligence. “Gross negligence” is a high legal bar: forgetting to log out or being deceived by a sophisticated scam generally does not meet it.

For APP fraud (authorised push payment fraud, where you transferred money under false pretences), the Payment Systems Regulator’s (PSR) mandatory reimbursement rules from October 2024 require your sending bank to reimburse you up to £85,000 in most cases within 5 business days.

Scenario | What Your Bank Must Do
Unauthorised transaction (you didn’t approve it) | Refund promptly — typically next business day
Card fraud | Almost always refunded
Account takeover | Should be refunded unless gross negligence
APP fraud (deceived into transferring money) | Mandatory reimbursement up to £85,000 (PSR rules, Oct 2024)

If Your Bank Refuses to Refund

If your bank denies your refund claim or does not resolve it within 8 weeks, you can escalate to the Financial Ombudsman Service free of charge. The FOS can order your bank to pay compensation and is the most effective route if your bank is being unreasonable.

Step | Action
1 | Request a written explanation of the refusal
2 | Submit a formal complaint to your bank in writing
3 | If unresolved within 8 weeks, escalate to the Financial Ombudsman
4 | The FOS adjudicates free of charge and can order refunds

Safe Online Banking Checklist

One-Time Setup

Action | Done
Enable two-factor authentication |
Set a strong, unique password |
Enable biometric login on the app |
Turn on real-time transaction alerts |
Register your device properly |
Save your bank’s fraud line number |

Regular Habits

Action | Frequency
Check transactions for anything unfamiliar | Weekly
Update your banking app | When available
Review account security settings | Quarterly
Monitor for data breach notifications | When notified

What Never to Do

Never | Why
Share your password or PIN with anyone | Including family — your bank will not ask
Click email or text links to reach your bank | Go direct via the app or type the URL
Bank on public Wi-Fi | Risk of interception — use mobile data
Read out one-time codes to callers | Codes are yours to use, not share
Allow remote access to your computer for “security” | Always a scam

Key Fraud Contacts

Organisation | Contact
Stop Scams UK (any major bank) | 159
Action Fraud | 0300 123 2040 or actionfraud.police.uk
Barclays fraud line | 0800 400 100
HSBC fraud line | 0800 783 8330
Lloyds fraud line | 0800 072 8805
NatWest fraud line | 0800 161 5149
Nationwide fraud line | 0800 030 4057
Santander fraud line | 0800 171 2171

Always use the number on the back of your card or statement — never a number given to you by a caller or found in an email.


