Avoid scams that pose as a financial institution
Text you asking for details to “confirm” it’s you. Your financial institution may well text you – for instance to confirm a transaction made on a PC – but its texts will not, ever, ask you to confirm details or to supply passwords. Financial institutions also won’t update their apps in this way. If you’re suspicious, don’t click links and don’t call any numbers in the text. Instead, call your financial institution on its “normal” number – Google it if you don’t know it – and check whether the text is from them.
Give you a deadline of 24 hours before your financial institution account erases itself. Many legitimate messages from your financial institution will be marked “urgent” – particularly those related to suspected fraud – but any message with a deadline should be treated with extreme suspicion. Cybercriminals have to work fast – their websites may be flagged, blocked or closed down rapidly – and need you to click without thinking. Financial institutions just want you to get in touch – they won’t usually set a deadline.
Send you a link with a “new version” of your banking app. Your financial institution will not distribute apps in this way – instead, download from official app stores, and ensure yours is up to date.
Use shortened URLs in an email. Cybercriminals use a variety of tricks to make a malicious web page appear more “real” in an email that’s supposedly from your financial institution – one of the most basic is URL-shortening services. Don’t ever click a shortened link, whether in an SMS or an email from your financial institution. Go to the financial institution’s website instead (the usual URL you use), or call them on an official number (i.e. not the one in the email).
Send a courier to pick up your “faulty” financial institution card. The courier scam is a new one – your phone rings, it’s your financial institution, and they need to replace a faulty financial institution card. One of the new services they offer is courier replacement – and the financial institution tells you that a courier will arrive shortly to collect the faulty card. A courier turns up, asks for your PIN as “confirmation” – and your money magically vanishes. If your card is faulty, a real financial institution will instruct you to destroy it, and send you a replacement by mail.
Call your landline and “prove” it’s the financial institution by asking you to call back. A common new scam is a phone call from either “the police” or “your financial institution”, saying that fraudulent transactions have been detected on your card. The criminals will then “prove” their identity by “hanging up” and asking you to dial the real financial institution number – but they’ve actually just played a dial tone, and when you dial in, you’re talking to the same gang, who will then ask for credit card details and passwords.
Email you at a new address without warning. If your financial institution suddenly contacts you on your work address. Financial institutions will not add new email addresses without your permission. If you want to be ultra-secure, create a special email address just for your financial institution, don’t publish it anywhere, or use it for anything else – that way, emails that appear to be from your financial institution probably ARE from your financial institution. As ever, stay cautious.
Use an unsecured web page. If you’re on a “real” online banking page, it should display a symbol in your browser’s address bar to show it’s secure, such as a locked padlock or unbroken key symbol. If that symbol’s missing, be very, very wary. This is one reason why it’s best to browse an online banking page from your PC – on a smartphone browser, it can be more difficult to see which pages are secure.
Address you as “Dear customer” or dear “firstname.lastname@example.org”. Financial institutions will usually address you with your name and title – i.e. Mr Smith – and often add another layer of security, such as quoting the last four digits of your account number, to reassure you it’s a real email and not a phish. Any emails addressed to “Dear customer” or “Dear [email address]” are instantly suspicious – often automated spam sent out in vast quantities to snare the unwary.
Send a personal message with a blank address field. If you receive a personal message from your financial institution, it should be addressed to you – not just in the message, but in the email header. Check that it’s addressed to your email address – if it’s blank, or addressed to “Customer List” or similar, be suspicious.
Email you asking for your mother’s maiden name. When financial institutions get in touch – for instance in a case of suspected fraud – they may ask for a password, or a secret number. What they won’t do is ask for a whole lot more information “to be on the safe side”. If you see a form asking for a large amount of information, close the link and phone your financial institution.
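The email warning signs above (a shortened link, a generic greeting, a deadline, a message not addressed to you in the header) can be checked mechanically. The following is an added example, not part of the original article: the function name, the flag wording, the shortener list (illustrative, not exhaustive) and both sample messages are assumptions constructed for the illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from urllib.parse import urlparse

# Illustrative, non-exhaustive list of well-known URL-shortening services.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)
GREETING_RE = re.compile(r"^\s*dear\s+(customer|[\w.+-]+@[\w.-]+)", re.I | re.M)
DEADLINE_RE = re.compile(r"\bwithin\s+\d+\s+(hours?|days?)\b", re.I)

def red_flags(raw, my_address):
    """Return the article's email warning signs found in one plain-text message."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # the samples below are single-part plain text
    flags = []
    # Blank To field, or a list name such as "Customer List" instead of your address.
    recipients = [a.lower() for _, a in getaddresses(msg.get_all("To", [])) if a]
    if my_address.lower() not in recipients:
        flags.append("not addressed to you in the To header")
    # "Dear customer" or "Dear <email address>" rather than name and title.
    if GREETING_RE.search(body):
        flags.append("generic greeting")
    # Any link whose host is a URL-shortening service.
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(body)}
    if hosts & SHORTENERS:
        flags.append("shortened URL")
    # A countdown such as "within 24 hours".
    if DEADLINE_RE.search(body):
        flags.append("deadline")
    return flags

# Constructed sample messages (not real emails).
PHISH = """\
From: Your Bank <security@bank.example>
To: Customer List
Subject: Urgent

Dear customer,
Your account will be erased within 24 hours. Confirm here: http://bit.ly/constructed
"""
LEGIT = """\
From: Your Bank <alerts@bank.example>
To: Mr Smith <me@example.com>
Subject: Statement ready

Dear Mr Smith,
Your statement for the account ending 1234 is ready at https://www.bank.example/
"""
print(red_flags(PHISH, "me@example.com"))
```

An empty result only means none of these four signs was found; the advice to phone the financial institution on its usual number still applies to anything unexpected.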