Dos:

Keep your Digipass to yourself

Digipasses are unique to each account operator, so if you allow someone else to use your Digipass it will be recorded as a payment authorised by you. If you have new staff or need to change an account operator, download our change of account operator form and post it to Freepost TRIODOS BANK. We can set up each new staff member with their own Digipass, access and security details.

Be suspicious of unexpected emails

Even if you think you recognise the sender, don’t click on any links or attachments unless you are sure they are genuine.  Spelling mistakes can often indicate a fraudulent email.

Confirm new supplier/customer bank details over the phone

If you receive an invoice by email, consider that your emails or the sender’s emails could have been hacked by a fraudster. If anyone asks you or your employees to change a supplier’s payment details, always call that supplier back separately on the number published on their website to verify the request.

Use anti-virus software to protect your devices

There’s plenty of software that you can use to help you assess risks and detect fraud, including alerts for risky activity on a corporate device.

Review who can authorise payments and how much

Review your internet banking payment limits and authorisation. How many people have access to your internet banking and have their own Digipass? What levels of authorisation do they need? Decide if you need two people to authorise a payment to ensure each payment is double checked.

Introduce a fraud policy and train your staff

Make a policy that’s clear how employees can use their work devices, and ensure they understand it and follow it carefully. They should also be sensitive about what they share on social media and what they email to their personal email addresses from their work account.

Carry out employee checks

Review your recruitment procedures and ensure you’ve got appropriate checks in place for candidates hoping to join your organisation, such as criminal record check, and references from past employers.

Be aware of who has access to sensitive information

Regularly check who can access important data and systems, such as customer or membership data, or financial information. When employees leave your organisation their access should be stopped. Access should only be given to employees who really need access to those systems or data, and data should be deleted as soon as it’s no longer in use.

Create a whistleblowing policy

Support staff to anonymously report suspicious activity they see in the organisation. This gives staff the confidence to speak up, which can help you identify and address fraudulent activity early on.

Don’ts

Don’t share your Digipass or security details

Don’t share your Digipass with another colleague. Don’t share your full Digipass number and PIN or internet banking passwords with anyone. We will never ask you for your Digipass number and PIN - even to reverse or cancel a ‘fraudulent’ payment. Fraudsters can use these codes to take money from your accounts. If you’re unsure, end the call and call us on the number on our website to check.

Don’t login to internet banking because a caller asks you to

Don’t login to your computer or internet banking just because a caller asks you to. If the call is unexpected, then the caller might not be who they say they are. If you’re not sure, hang up and call back using a trusted number (not the number the caller is using or asks you to use).  

Don’t assume a cold caller is genuine

Don’t assume a caller is from the business they claim they are from, even if your caller ID says that they are, because phone numbers can be cloned. Call the organisation back on the number on their website to check.

Don’t move money to a ‘safe account’

Never move money if a caller says to do this for “security purposes” to a “safe, secure, holding account”.

Don’t be pressured

Fraudsters want to worry you to force you to do something quickly.

Don’t download software to your device

Don’t download software, or other tools to your device if asked to do so in an email or call from someone unexpected. Don’t or give control of your computer to an unexpected caller.

Don’t login to internet banking through a link in an email or text

Always type the address into your browser or use a bookmark you have saved through visiting our genuine site.

Don’t put your bank details online

We advise you not to put your bank details online - that includes on your website and PDFs you may have uploaded. Fraudsters can find these and use them to convince you that they are calling from Triodos, for example.