Phishing is a common type of internet fraud. Phishing emails are designed to appear as though they are from a legitimate source, but intend to steal personal information that can be used to access your account.
Do not respond to any email that asks for any information in relation to your internet banking log in details. If you have received a suspicious email, do not respond and call us if you need any further information.
Our Contact Team are available from 8am-6pm Monday-Friday, and 10am-4pm on weekends for fraud-related enquiries only. Outside of these hours you can request a call back using our automated system. Our Contact Team will call you back as close to the time you request as is operational possible. Alternatively please email us at firstname.lastname@example.org from the registered email address we hold for you and mark it urgent in the subject line.
Was this helpful?
Money mules are people used to help launder money, often without realising that’s what they’re doing. They help move illegitimate funds (money gained illegally) between accounts so that the money then appears to be legitimate. They may be asked to receive money into their account, then withdraw it and put it into another account, sometimes in another country. Sometimes the money mules are offered compensation or commission.
Even if money mules don’t know the money they’re transferring is fraudulent, they are still committing fraud and money laundering, and could be sentenced to time in prison or to pay a fine.
Money mules are often recruited into this activity through false job adverts, or social media posts that promote quick money-making opportunities. Sometimes they are duped by fake social media profiles that pretend to want a romantic relationship with the victim to gain their trust and affection before asking this favour or blackmailing them. This is also known as romance fraud.
Never move money between accounts you don’t know and trust, especially because someone else has asked you to, or if you don’t know where that money has come from. If you are suspicious of money laundering, call us immediately on 0330 355 0355.
Was this helpful?
Vishing is where a fraudster uses voice messages or phone calls to try to steal identities, and financial information like your PIN, card details and Digipass code.
The term comes from the combination of ‘phishing’ and ‘voice’. Phishing is where fraudsters use email, regular phone calls and fake websites to dupe people into giving them personal details and financial information.
Vishing is specifically the use of a VOIP service (Voice Over Internet Protocol, or an internet phone service), which enables fraudsters to communicate with their potential victims via automated voice messages and the phone keypad.
Vishers can create fake caller ID profiles so that their phone number seems legitimate, and vishing requests sound urgent, to panic the victim into acting without thinking.
Examples of vishing:
- Your bank account has been compromised
You receive call from what appears to be Triodos Bank’s phone number. When you answer, you hear a recording pretending to be from Triodos, saying that your bank account has been compromised, and you need to call a freephone number to reset your security details. Calling this number, you would hear another automated message asking for your bank account number, Digipass code or other personal details via the phone keypad.
- You’re eligible for a loan
You are offered loan or credit terms too good to be true (they probably are), and to receive the money, you just need to pay an upfront fee or provide your security details.
- You’re due a refund
You receive a message that says you are due a refund. This is usually someone claiming to be from a trusted organisation. If you opt in – usually by pressing a number on your telephone - you will be redirected to a call centre agent who will attempt to defraud you or steal your information.
- Don’t miss this investment opportunity
An automated voice message tells you about an investment opportunity too good to turn down. You’ll be encouraged to transfer money to invest in a company or service that doesn’t exist.
- You’ve won a prize
Victims hear an automated voice message about a free offer or prize, and just need to pay postage, redemption or admin fees to claim. There’s often a deadline to hurry people into handing over their card details.
What you can do
If you receive an unexpected phone call with an automated response, hang up, search for the company’s genuine contact details online and check whether the call was legitimate. If it was, the company will be able to help you, and if it was a vishing attempt, letting the company know enables them to take action, and you will have protected yourself from fraud.
How to report a vishing scam
If you think you have been a victim of a vishing attack, call us immediately on 0330 355 0355. Then report to the FCA using their reporting form.
If you have lost money to suspected investment fraud, report it to Action Fraud on 0300 123 2040.
Was this helpful?
Bank impersonation fraud is when a fraudster impersonates someone from the bank in order to trick a victim into making payments to a fraudulent account.
What a fraudster might do:
- A fraudster usually calls their victim, though may use email or another contact method. It’s likely they already know information about the victim, including their name and who they bank with.
- While impersonating the bank staff member, the fraudster might tell the victim their account is under threat and they need to make payments to a “safe account” or set up payments in order to “block the funds”.
- The fraudster might ask for details from the Digipass so they can access the account and make payments to the fraudulent account themselves.
- The fraudster might ask the victim to download screen sharing software so they can view or control the victim’s computer. This can make it easier to take control of the account.
- In any scenario, the fraudster will foster a feeling of panic in order to get the victim to comply with their requests as quickly as possible.
- Fraudsters might also impersonate other well-known, trusted companies such as Microsoft, Apple, BT or HMRC.
What Triodos Bank will never do
- We’ll never call you to tell you to log into internet banking or to make a payment to a “safe account”. If we believe your account to be under threat, we can block the account ourselves and do not need you to do anything from your end.
- We’ll never ask you for your full Digipass number or your Digipass PIN.
- We’ll never ask you to download any software onto your PC or mobile phone.
What you can do to protect yourself
- Never give out your personal details to someone who has called you unexpectedly.
- Never download any software onto your PC or mobile phone when asked by someone over the phone or by email – even if you think you are speaking to a trusted organisation.
- Never give anyone your Digipass number or your Digipass PIN. Triodos will never ask for this information.
- Do not let someone else use your Digipass – even a colleague or family member. Your Digipass is assigned to you as an individual and must only be used by yourself. If you leave your place of work, please let us know and we can arrange for your Digipass to be cancelled.
- If you are unsure about someone who has called you claiming to be from the bank or another company, hang up and call back on the company’s published telephone number.
Was this helpful?
CEO Fraud is when cyber criminals hack into company email accounts to impersonate the CEO, Managing Director or senior staff and ask an employee to make payments to an account managed by the fraudster. They’ll typically target a company's finance department, but may also target other employees who have authority to make payments.
Usually the request sounds urgent, to panic the employee into acting without thinking and going through the usual checks and balances. The kinds of payments they’ll ask you to make are invoices for a supplier, utility or service, or products the company needs.
Was this helpful?
No-one wants to imagine that one of their employees would commit fraud, but sometimes this happens. There are a few things you can do to protect your organisation:
- Never share your Digipass or PIN
Digipasses are unique to each account operator, so if you allow someone else to use your Digipass it will be recorded as a payment authorised by you. If you have new staff or need to change an account operator, download the Business Banking change of account operator form and post it to Freepost TRIODOS BANK. We can set up each new staff member with their own Digipass and internet banking access. If you remove an account operator, please send the Digipass back to us.
- Employee checks
Review your recruitment procedures and ensure you’ve got appropriate checks and references in place for candidates hoping to join your organisation, such as criminal record checks and references from previous employers. See the ACAS website for advice.
- Be aware of who has access to sensitive information
Regularly check who can access important data and systems, such as customer or membership data, or financial information. When employees leave your organisation their access should be stopped. Access should only be given to employees who really need access to these systems or data.
- Create a whistleblowing policy
This can support your employees to anonymously report suspicious activity they see in the organisation. Promote the policy so all staff feel confident and safe in reporting suspicious activity. For more advice on whistleblowing, see the gov.uk website.
Was this helpful?
Business (or corporate) identity theft is a type of fraud that involves a criminal stealing a company’s identity and using it to buy goods and services by establishing lines of credit with banks or retailers.
Organisations are often targeted because:
- They have bigger account balances
- They have higher credit limits
- Making large payments regularly isn’t suspicious
- Information is often freely available on their website or on the internet
How to protect yourself:
- Protect company information
Don’t share anything about your business online or publicly that could put your organisation at risk. Write a policy for your staff that includes guidance around social media use. Educate your employees about business identity theft so that they know what to look out for, how to help avoid identity theft, how to spot it and how to report it to minimise the impact.
- Regularly review accounts
Regularly review all account statements, credit reports, and business registration information.
- Install security or anti-fraud software
Invest in software that can assess risks and help identify fraud or suspicious activity.
Was this helpful?
Social media fraud can be many things. It could look like:
- An unusual message from a friend, colleague or family member on Facebook, Twitter, LinkedIn or other social media platform. Fraudsters sometimes hack social media accounts to scam people into sending them money or personal data. If you get an unusual request like this, call your friend on a number you trust to make sure the message is real.
- A request to connect with you or a message from an account you don’t know. Often these have lots of spelling mistakes or a messy layout, but not always. It’s best not to accept a request to connect with someone or give consent for them to message you unless you know who they are and trust them.
- Competitions and quizzes. If you have to give personal details to enter a competition or quiz, make sure you trust the owner of the quiz or competition and that they are a genuine company. Quizzes and competitions are often created to capture participants’ personal information, which they can later sell or use against you.
Was this helpful?
This is when fraudsters send fake invoices claiming to be from a real business you work with. Sometimes they hack the emails of your supplier to send the invoice, so the email address is genuine, but the payment details are changed to those owned by the fraudster. It’s sensible to call your suppliers on the number on their website to verify their payment details before you pay new account details for the first time.
Steps you can take to protect against invoice fraud:
- Check invoices carefully
All staff who process supplier invoices and have the authority to change bank details should check supplier names, addresses, invoice amount and bank details to ensure they’re correct.
- Verify payment changes
If a supplier asks to update their payment details, always verify it with them by calling the number on their website.
- Follow up invoice payments
When you pay a supplier invoice, let the supplier know the payment has been made, confirming the amount and bank details paid into.
- Check bank statements carefully
Report all suspicious debits to your bank immediately.
- Call suppliers back
If you are suspicious about a phone request, say you’ll call the supplier back. Use the number published on their website or saved to your phone so you know it’s the genuine number you’re calling.
- Review public information about your suppliers
Fraudsters often thoroughly research suppliers of organisations so that they can convincingly impersonate them. It may be a good idea to remove any information about your suppliers from your website and other public materials.