A growing number of cybersecurity experts are calling on UK financial institutions to make multi-factor authentication (MFA) mandatory after a case in which an 84-year-old woman lost approximately £23,000 from her bank accounts. The thieves gained access by exploiting reused passwords from a previous data breach, then set up spam filters in her Gmail account to block bank alerts about the fraudulent transfers.
The victim's bank initially refused to reimburse the stolen funds, with fraud investigators reportedly asking whether a family member could have been responsible. The money was eventually returned after weeks of pressure, but experts warn that not all victims are so fortunate. Under UK rules, banks must refund unauthorised transactions unless they can prove the customer acted with 'gross negligence' — a standard that can be difficult to meet for older or less tech-savvy users.
Gregory Shein, CEO of Nomadic Soft, a SaaS company serving fintech clients, said: 'Many consumers assume every bank requires two-factor authentication, but that's not the reality. Some financial institutions still treat it as optional because they're balancing security against friction. Every extra login step can reduce conversions and frustrate less technical customers.' Major US banks including Bank of America, Chase, Capital One, and Citibank leave MFA optional, and several UK high-street banks still allow customers to disable it.
The UK's Information Commissioner's Office (ICO) has previously urged organisations to adopt 'robust authentication' under the Data Protection Act, while the EU's AI Act — which will affect UK firms operating in Europe — is expected to mandate stronger identity verification for high-risk financial systems. For UK businesses, the cost of implementing mandatory MFA is relatively low, but the reputational and regulatory risk of failing to do so is mounting. The Financial Conduct Authority (FCA) is currently reviewing whether to tighten rules on authentication after a surge in authorised push payment (APP) fraud, which reached £460 million in 2025.
For UK consumers, the lesson is clear: enable MFA on every financial account — including email — even if the bank does not require it. Criminals are increasingly targeting email accounts as a gateway to reset passwords and intercept security codes. 'The weakest link is often not the bank's security, but the customer's password hygiene and the lack of a second factor,' said cybersecurity researcher Dr. Amara Singh of the University of Bristol.