Banking online safely

When you’re managing your bank account it's important that you keep yourself safe and secure online.

Learn how to spot a scam, what to do if you are contacted unexpectedly, and advice on how to stay safe online.

Suspicious calls

Fraudsters phone people pretending to be Bank of Scotland, the police, or other well-known companies. They do it to get you to send money, let them access your bank account or take control of your device to steal your personal data. Stop and think – is this call genuine?

Telephone fraudsters sound convincing and professional. Here are a few tips on how you can protect yourself and tell a genuine phone call from a scam.

Spotting a phone scam

Do you really know who’s calling? - If the call is unexpected, then they might not be who they say they are. If you’re not sure, say you’ll call back. Always use a trusted number (not the number the caller is using or asks you to use), and don’t assume a caller is from Bank of Scotland even if your caller ID says that it is. For Bank of Scotland, use the number on the back of your card. If the caller says they are from the Police you can call back on 101.

Is the caller putting pressure on you? - Fraudsters want to create a sense of urgency to force you to make quick decisions. The scammer might also ask you to “keep it quiet” and not tell anyone about the call. Don’t trust anyone trying to silence you or hurry you up.

Never let a caller trick you into transferring your money - Never transfer money if a caller says you must do this for “security purposes” to a “safe/secure/holding account”. Fraudsters might also say they’re from Bank of Scotland telling you that you are due a refund, or that you must complete a test transaction. We’ll never ask you to do this so hang up the phone!

It’s very rare for the Police or Scotland Yard to call people unexpectedly. If they do, they’ll never ask you to move your money. And they’ll always follow up with a visit from a Police Officer with photo ID and a warrant number.

The Police will never ask you to transfer money to a new account, and neither will we.

Don’t log in to your computer for a caller - If an unexpected caller claims there is something wrong with your computer or asks you to download something, this is almost certainly a con. The caller might claim to be from a broadband provider or trusted software company (even the one you use). But unless you asked for this phone call, it is likely to be a fraud.

If a caller asks you to log in to your computer, tell them you’ll make your own arrangements and hang up. Never tell a caller what you can see on your screen or allow anyone remote access (control of your machine) unless it's a company that you called first. Be very wary if the caller claims they have accidentally sent you money and asks you to send it back. If in doubt, put the phone down.

Suspicious messages

Find out how to protect yourself, and tell a scam email or text message from a real one.

Suspicious emails

Is the email asking for financial and personal info? - Fraudsters pretend to be well-known companies like Bank of Scotland: be wary even if you think you recognise the sender. Genuine companies never ask for Internet Banking login details or card details in an email. Don’t reply, and don’t click on any links or attachments.

Do you know who really sent the email? - If in doubt, phone the company on a trusted number or visit their website by typing their web address directly into the address bar. Don't click on a link or copy and paste from the email itself. 

Is the email trying to scare you into action? - Emails from reputable companies should sound reasonable and calm. Phishing emails often contain threats of account suspension or immediate risk of fraud. If you’re not sure about an email that looks like it’s from Bank of Scotland you can always phone us on the number on the back of your card.

How to tell a suspicious email from a real one

  • We always greet you by title and surname, as in “Dear Mrs Smith”. We always include part of your main account number, or part of your postcode if you don't yet have an account number.
  • We never ask you to confirm personal or financial information in an email.
  • We do not scare you with urgent warning messages and we never use email to warn you of suspicious activity on your account.
  • Scam emails often look odd, with a messy layout and spelling mistakes.
  • Our email addresses always end with bankofscotland.co.uk. All genuine emails come from bankofscotland.co.uk. There should never be another word between bankofscotland and .co.uk (for example, name@mail.bankofscotland.co.uk is correct but name@bankofscotland.mail.co.uk is wrong). If you share a suspicious email with our email scams mailbox, the automatic reply will come from bankofscotland.co.uk.
  • We never link directly to our Internet Banking login page, or a page that asks for security or personal details.
  • We never ask you to carry out a test payment online or move money to a new sort code and account number, even if it’s described as a “secure”, “safe” or “holding” account.
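
The sender-address rule in the list above can be checked mechanically. The sketch below is an added example, not Bank of Scotland code: the function names and the sample From headers are constructed for illustration, and the only value taken from this page is the domain bankofscotland.co.uk.

```python
from email.utils import parseaddr

# The only domain this page names as genuine.
TRUSTED_DOMAIN = "bankofscotland.co.uk"


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of a From header, or "" if it has none."""
    # parseaddr separates the display name ("Bank of Scotland") from the
    # address; the display name is free text and is never trusted.
    _display_name, address = parseaddr(from_header)
    _local, at, domain = address.rpartition("@")
    if not at:
        return ""
    return domain.strip().rstrip(".").lower()


def is_trusted_sender(from_header: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only if the domain is the trusted one or a subdomain of it."""
    domain = sender_domain(from_header)
    if not domain:
        return False
    # Match on whole labels from the right-hand end: "mail.<trusted>" passes,
    # while "bankofscotland.mail.co.uk", "<trusted>.example.net" and
    # "notbankofscotland.co.uk" all fail.
    return domain == trusted or domain.endswith("." + trusted)


# Constructed sample headers (hypothetical, not taken from real emails).
SAMPLES = [
    "name@mail.bankofscotland.co.uk",
    "name@bankofscotland.mail.co.uk",
    "Bank of Scotland <alerts@bankofscotland.co.uk.example.net>",
    "help@notbankofscotland.co.uk",
    "NAME@BankOfScotland.co.uk",
]


def classify(samples=SAMPLES) -> dict:
    """Map each sample header to the result of the domain check."""
    return {header: is_trusted_sender(header) for header in samples}


if __name__ == "__main__":
    # A pass only means the address looks right. The From line can itself be
    # forged, so the other checks in the list above still apply.
    for header, ok in classify().items():
        print(f"{'looks genuine' if ok else 'SUSPICIOUS':13}  {header}")
```
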

Suspicious text messages

Is the text message asking for financial and personal info? - Fraudsters pretend to be well-known companies: be wary even if you think you recognise the sender. Genuine companies never ask for Internet Banking login details or card details in a text. Don’t reply, and don’t click on any links or attachments.

Do you know who really sent the text message? - If in doubt, phone the company on a trusted number or visit their website by typing their web address directly into the address bar. Don't click on a link or copy and paste from the message itself.

Is the text message trying to scare you into action? - Does it sound reasonable and calm, like a message from a reputable company? Phishing text messages often contain threats of account suspension or immediate risk of fraud. If you’re not sure about a message that looks like it’s from Bank of Scotland, you can always phone us on the number on the back of your card.

How to tell a suspicious text message from a real one

  • We never ask you to confirm personal or financial information.
  • We never link to our Internet Banking login page, or a page that asks for security or personal details.
  • We never ask you to carry out a test payment online.
  • We never ask you to move money to a new sort code and account number, even if it’s described as a “secure”, “safe” or “holding” account.

Protecting your devices

There are threats that can harm your devices even if you’re not aware that anything is wrong. But there are simple steps you can take to protect yourself.

Remember - always log out from your Internet Banking and lock your device with a PIN or password. Never leave it unlocked and unattended, and safeguard your device.

You can keep most viruses out if you:

  • Keep up to date. Always keep your operating system (like Windows or iOS), your internet browser (like Internet Explorer) and software up-to-date. See ‘Update regularly’ for more information.
  • Use anti-virus software. Install it on your computer, keep it up-to-date and make sure it scans at least once a week. Act when prompted. Don’t keep putting it off – it’s there to protect you.
  • Listen to your anti-virus software. It should tell you when a site is unsafe to visit or a file is unsafe to open.
  • Download carefully. Never download files and programs unless you are absolutely certain they are genuine and come from a source you trust. Always download mobile apps from an official store such as the App Store or Google Play.
  • Never switch off your firewall - unless you’re a computer expert and know what you’re doing.
  • Never use the password that came with your Wi-Fi router or hub - Change it to a strong password; something that no one can guess or use without your permission.
  • Only connect to secure Wi-Fi - if you use Wi-Fi on the go, make sure you’re using a genuine, secure connection. Fraudsters can set up hotspots in cafes and other public areas. You should avoid logging into online accounts that store any payment or banking info (like Internet Banking, Paypal or online shopping sites) if you’re using public or free Wi-Fi.

Protect your information online

Protect yourself by using security settings, PINs and passwords wherever you can. Think carefully about what you post in tweets, on Facebook, Instagram and other social media.

Think about what information you should not share online and how you can keep your account as safe as possible.

Passwords are key to online security on your Internet Banking, computer, tablet and smartphone. Choose secure passwords, don’t share them and change them often.

Make your password as secure as possible:

  • Never let anyone else use your Internet Banking. Not even if you share a joint account. And never let anyone know your password or 2nd password (your 'memorable information').
  • Use a different password for every website. If your data is stolen from any of the sites you use and your passwords are the same, criminals will try them on other accounts (like bank accounts). This is often referred to as a “hack” or a “data breach” in the news.
  • Don’t use anything obvious. Choose carefully; don’t make it too short or easy. Don’t use your child or pet’s name, birthdays or anything else that can easily be guessed.
  • Create a strong password. An easy way to create a strong password is to combine three completely unrelated words. For example: Radio, Marmalade and Sunny together make Radiomarmaladesunny. (But obviously, don’t use this specific example).
  • Try not to write passwords down. If you have to – avoid writing them down in full, keep them in a safe place and don’t mention what they are for.
  • Don’t recycle passwords, like going from password2 to password3.
  • Make it harder for criminals to access your computer, tablet and smartphone by protecting them with PINs and passwords. Use a different PIN and password for every device or for every site you visit.

If you think anyone else knows your Internet Banking password, report it immediately.

Social media security

Follow these simple tips to stay safe online:

  • Always think twice before sharing information online. Could a criminal use the information to guess your passwords or commit identity theft?
  • Set your account to private on social media. Don’t forget to check your privacy settings on websites like Facebook and Twitter regularly.
  • Only connect on social media with people you know in real life. Remember that your friends’ real accounts might be ‘cloned’ by a fraudster. If you’re not sure, contact your friend directly.
  • Check a person’s identity if you get a strange request on social media or by email. Remember that your friends’ real accounts might be ‘hacked’ by a fraudster. Don’t respond if you’re unsure who you’re talking to. Don’t send money or share your account details.
  • Be cautious when you register on other websites and forums. Personal information like your date of birth, mobile number, address and information about your family can be used for identity theft and to hack your account.

Our security systems

Real-time fraud detection systems - When you are using Internet Banking, we use real-time fraud detection systems to decide whether it's really you or a fraudster. We use your data strictly according to the terms and conditions and your data privacy rights. If we see activity on your account that may be suspicious, we'll ask you to call our Fraud Department to confirm it's really you. If it's really you making the payment it will take you a few extra minutes, but this means that we are able to stop most fraud attempts and protect your account. We’ll also send you a text message and display a message in your Internet Banking account overview to confirm recent requests that might be suspicious.

Biometric analysis - We use behavioural analysis to help make sure it’s really you giving us instructions in your Internet Banking account. This technology builds a detailed profile of how you use Internet Banking (i.e. what’s ‘normal’ for you) which is very difficult for a fraudster to mimic. This data is used strictly in compliance with our Internet Banking terms and conditions, to protect your privacy and information about you.

DDOS protection - We aim to provide you with fast, accessible Internet and Mobile Banking, 24 hours a day. That's why we use state of the art DDOS (Distributed Denial of Service attack) protection, to stop hackers from blocking your access to your accounts online.

Bank name display - When you set up a new payment, we may display which bank account brand you’re sending money to, e.g. Barclays, HSBC, Tesco. By displaying this, we give you the opportunity to recognise if the new payment may be going to the wrong place, for instance if you were expecting to pay another Bank of Scotland account but it shows up as Lloyds Bank.

Helpful hints - You’ll see tiles and banners on the login page and throughout your Internet and Mobile Banking sessions once you’ve logged in, which will give you useful hints and tips on protecting yourself online.

Security checks

For certain instructions you give us in your Internet Banking, such as setting up a payment to a new account, we need to make sure it’s really you to prevent fraud. You can choose to do this via our secure App, or you can receive an automated phone call and enter the 4 digits shown on your device screen.

Phone calls

Always make sure the explanation is the one you’re expecting.

Telephone Authentication is the recorded call where you’re asked to enter 4 digits from your computer screen to complete an Internet Banking action such as payment to a new beneficiary, new products or registrations.

If someone tells you to ignore this explanation (for instance, if they say it's just a test transaction), or if you don’t recognise the action described in the automated call, then you are speaking to a fraudster.

You will never be asked to complete this call to receive money into your account.

AppSign

This is where you have chosen to log in to your Bank of Scotland Mobile Banking App to authorise an action you’ve made on your computer or tablet such as payment to a new beneficiary, new products or registrations.

Read the explanation on screen carefully. If someone tells you to ignore this (for instance, if they say it's just a test transaction), or if you have not yourself requested the above actions, then you are speaking to a fraudster.

If we suspect fraudulent activity on your account we may contact you via telephone to confirm that you carried out the activity. We will confirm your identity by asking you questions from your credit file or details from your passport or driving licence. We will never ask you for your login details.

Report it to us:

  • If someone knows your Internet Banking passwords or has used your Internet Banking account without your permission
  • If money has fraudulently left your Bank of Scotland Internet Banking account
  • If you or someone you know has used a Bank of Scotland account to move someone else’s money

0345 600 7727 (lines are open 24 hours a day), or +44 1132 888 408 from outside the UK.

If you have a hearing or speech impairment, you can contact us 24/7 using the Next Generation Text (NGT) Service. If you’re Deaf and a BSL user, you can use the SignVideo service.

For any other issues that you think may be related to fraud please call Action Fraud:

0300 123 2040
Lines are open Monday to Friday 9am-6pm. Text phone users can ring 0300 123 2050.

They’ll be able to log the incident and provide you with a Crime Reference number if needed. Action Fraud collects data from across the UK to help banks and other businesses combat fraud.

Bank of Scotland will never ask you to:

  • share Internet Banking account details (like username, password and memorable information)
  • tell us your Personal Security Number (PSN) for Telephone Banking
  • tell us your PIN code, expiry date, CVV number (the last 3 digits of the security code on the back)
  • move money to a so-called secure account (or safe or holding account)
  • move your money or transfer funds to a new sort code and account number that we provide.

We guarantee to refund your money (including charges and interest that you’ve paid or not received as a result) in the unlikely event that you experience fraud with our Internet Banking service. We will take steps to protect you 24/7, using technology and safeguards that meet or exceed industry standards, but you must also use our Internet Banking services carefully.

Being careful when you use our services includes, for example, that you:

  • Do all that you reasonably can to keep your Security Details (such as online and mobile username, password, and memorable information) secure, and you log out after each Internet Banking session.
  • Don’t let anyone else have access to your account or Security Details, or transact using them, even if they share a joint account with you through our Internet Banking services.
  • Tell us as soon as you can if you think your Security Details have been lost, stolen, damaged or are being misused, or if you think someone may be accessing your accounts without your authority or has discovered your Security Details.
  • Carry out regular virus checks on your devices.

If you've been grossly negligent, we will not refund any money taken from your account before you have told us your Security Details have been lost, stolen or could be misused.

We won't give you a refund if you have acted fraudulently.

For further guidance on using our online banking services, see our Internet Banking terms and conditions.