Online banks have been attacked for offloading the responsibility to avoid phishing scams to their customers.

Heise Security claims that four online banks have failed to secure their sites despite its warnings of serious security issues a month ago.

The company told U.K. banking sites they were taking insufficient steps to protect customers from phishing scams on September 20th, demonstrating how the sites could be easily used by scammers.

Heise inserted a fake page on to several online banks’ websites, and claimed users would have almost no chance of detecting the spoof. The security firm said the test still worked on the Cahoot, Bank of Scotland and First Direct websites this morning. Natwest has taken some steps to plug the hole, while the Bank of Ireland had fixed its site.

The security firm said banks should do more to protect their customers, quoting recent research from Apacs (the Association of Payment Clearing Services) which warned that users were still unaware of basic security measures when banking online.

Apacs, a trade association for the U.K. payments market, also reported that the number of phishing attacks has surged by 800 percent over the past year.

"It is a pity that the report does not also ask if the banks themselves are aware of the most basic security measures that could make their customers safer when online," said Heise. "Perhaps the banking industry should set its own house properly and promptly in order before blaming its customers."