Secure banking

How to protect your money from fraudsters?

Never give your User ID, PIN-codes or card info to anyone (even if they claim to be bank employees).
Don’t confirm transactions or login attempts in internet bank or app, which are not initiated by you.
Avoid transferring money if you have any doubts.

Types of bank fraud

Fraudsters use various methods and channels to try to trick you out of your money. Take a look at how the most common scams work and how you can protect your money.

1. Internet bank fraud

2. Investment fraud

3. Credit fraud

4. Lottery and inheritance frauds

5. Romance fraud

6. Work-related frauds

1. Internet bank fraud

How it works?

It looks like you are contacted by Swedbank via phone call, e-mail, or SMS.
Reason for contacting is usually something urgent related to your account, for example to block some wrong transfer.
Through an e-mail or SMS you are directed to a site that looks like the internet bank login screen. In a call you are asked for your internet bank User ID, PIN-codes or card numbers.
After you have provided the information or entered your login details, your account is hacked, and all your money is transferred to the fraudster’s account.

How to avoid?

Never share your bank details (User ID, card information or PIN-codes) anywhere. The bank will never ask you for those!
Do not download any attachments from e-mails. Check that e-mails from the bank end with @swedbank.ee.

2. Investment fraud

How it works?

You will see an advertisement for a risk-free investing opportunity with high growth rate.
This ad leads you to a website that appears to be legitimate or a well-written investment article, where you can read more or subscribe.
Then you can log in to the investing platform where you can deposit a small amount (100, 250 or 500€). After deposit you will see a very good, but fake growth numbers that trick you to deposit even more.
You might also receive a sales call offering you an opportunity to invest bigger amounts. They might talk to you about recent news that created a good opportunity for you to invest now.
Problems arise when you want to withdraw your investments. They charge you extra fees for withdrawal, but even if you pay, you cannot get your money back.
Bear in mind, that afterwards fraudsters keep contacting you for years and keep offering you ways to get your money back with interest if you pay more fees.

How to avoid?

Do not transfer and deposit money if you have any suspicion!
Investment opportunities are likely to be fake when they are risk-free and offer fast and big returns with the condition that you act quickly.
Background checks won’t probably work because fraudsters mimic real companies.
Do not give anyone access to your computer or allow to download any program (AnyDesk or TeamViewer) that would allow them to take over your computer remotely.

3. Credit fraud

How it works?

You will see a loan offer with a very good interest rate on the Internet and social media.
You are asked to pay various fees to apply for a loan:, contract fees, loan insurance fee etc.
You are asked to transfer money to a bank account in another country. Often to a person, not a company.

How to avoid?

Be especially careful about loan offers that require you to make payments to the borrower before you can get a loan. Check the background of the service provider and use the services of a transparent company. If the trader is unknown and rushes you, and if the offer seems too good to be true, it is probably a fraud.

4. Lottery and inheritance frauds

How it works?

You receive an e-mail from an unknown address claiming that you have won a lottery or inherited a large amount of money.
They want to transfer you a large sum of money (for example 1 000 000 EUR or more).
To receive that money, you need to pay some fees: notary fee, a fee for opening an account in a foreign bank, a fee for a bank card, card shipping costs, etc.

How to avoid it?

If you haven’t bought a lottery ticket or don’t know the person whose inheritance you’re supposedly receiving, then it’s probably a scam.
If you need to pay any fees before you receive your inheritance or lottery win, then it is fake. Do not transfer any money!

5. Romance fraud

How it works?

You meet a foreigner online. Usually, the person will introduce themself as a US soldier or a ship captain.
You start writing to each other frequently. At some point, the other party asks you for some money for an emergency situation or for a plane ticket because they want to meet you or to send you a package etc.

How to avoid?

Do not transfer any money for any purposes like buying a plane ticket, for investment or emergency.
Refuse any suspicious requests for money and if the person asking for funds refuses to accept your response or gets irritated, it is probably a fraud.

6. Work-related frauds

What are they?

BEC fraud – you receive an e-mail from your company’s email address asking you to transfer money to some account. Probably your company e-mail server has been hacked and e-mail is actually from fraudsters.
CEO fraud – your manager asks you to pay some bills or transfer company’s money to some account. This fraud is typically directed at accountants.

How to avoid?

Ask your employer or colleague via call or in person if they really asked you to make a transfer.

you have noticed any suspicious actions in your account
you suspect that third persons have received access to your Internet Bank
you have faced fraudulent actions aimed at obtaining your login data or misappropriate your funds

We will block your card or access to your Internet Bank account immediately and no one else will be able to access money in your bank accounts.

Block your card - you can block your cards in our app or internet bank. In internet bank log in, go under Cards > My cards > choose a card you wish to block and use slider “Block card”. Via the Swedbank mobile app, under “Cards” by switching the setting from “Active” to “Blocked”.
Order a new card - If you want to remove your card information from the merchant, order a new card instead of replacing it. Replaced card information is automatically updated at some merchants.
Report a security flaw – if you notice anything suspicious that may potentially be a security flaw, report it! How to notify us.

You shouldn’t confirm transactions or logins to internet bank or app, which are not initiated by you under no circumstances.
You shouldn’t ever disclose your personal data or data used for login to internet bank & app to other persons, including family members, friends or bank employees, unless you are calling to the bank.
Do not write down, send by e-mail, SMS, etc. or otherwise save any confidential codes and passwords to unlock the screen of your computer or mobile phone. Create complex passwords, that are difficult to guess, memorise them and change them regularly. When creating PIN codes, be sure to make PIN codes in random number combination. Do not use combinations, such as 1111, 1234, dates of birth other personal details etc.
Remember that your User ID number is as important as your personal code, thus pay a great deal of attention to its security.
Keep in mind that after login you will have access to many services including external ones which do not require additional authentication.

We will also automatically block access to Internet Bank if incorrect login data (User ID or code from the PIN code generator) is entered 5 times in a row.
You can unblock it by calling us at 6310310 / 6132222 (from 8:00 to 20:00 on working days, and from 9:00 to 16:00 on Saturdays). In case of a repeated block, you will have to visit the bank’s branch. You should book a visit in advance. Have you discovered any unauthorised transactions on your account performed prior to the blocking of Internet Bank access? Review your account statement and submit the information to us.

The login session is terminated when no activity happens for 5 minutes. You will be asked to re-enter your login details. Time limits are used for security reasons, to prevent Internet Bank access if a user forgets to log off from his/her account after finishing using the Internet Bank.
Once you finish Internet Bank session, log off (by clicking 'Logoff') and close the browser.

On the computer:

By clicking on the lock sign you should see the correct Swedbank certificate:

On the smart device:

Before entering your login data, make sure that the website domain is “swedbank.ee”.

When accessing internet bank via a laptop or stationary computer, follow these safety measures:

Install antivirus software and configure it to automatic update of the virus definitions database (at least one auto-update per day).
Install the local firewall. It should be configured so that it prevents connections from the Internet to your computer.
Use the latest browser and operating system available.
Turn on automatic updates for all software. If it cannot be updated automatically, regularly check on its ESTest software.
Set your browser to block pop-ups.

Check computer safety.

More information on the ways to secure your device and to safely use other Internet services is available on the following websites:

https://www.ria.ee/en.html

Do not forget to follow safety measures when accessing internet bank via mobile devices:

Download applications only from trusted sources such as the App Store, Google Play or Windows Phone Apps – Microsoft Store.
Do not jailbreak your mobile device to get around limitations set by your mobile network operator or device manufacturer. It will remove protections built into the device to defend against mobile threats.
Always screen lock your smart phone or any of your computers. If several levels of screen lock security are offered, always use the highest security level.
Do not allow other persons to use your phone or tablet where the Swedbank mobile app is installed.
Do not reveal the screen lock codes to other persons and do not allow to unlock your phone with other persons’ biometric data.
Use antivirus software.
Always adhere to the requirements or security alerts of the manufacturer of your phone device.

When shopping online, be cautious with your personal and financial data. Properly assess the threats, which you may encounter on the internet. We recommend ensuring protection of personal devices and always following these safety tips:

Only shop in reliable shops. It is always safe to buy goods and services in well-known Estonian and foreign e-shops with a good reputation. Take a critical approach to unknown sellers and try to find out more information about their activity. Study public internet feedback about a specific online shop. Find out whether the website presents detailed contact data of its administrator (address, phone, email, etc.), and make sure it does not contain various errors in their links (additional words or letters, strange symbols), popup windows, advertisings, a great number of links instead of informative content.
Be cautious about discounts. You have found a high-quality product offered at a particularly low price? Before making a payment order, be sure that the company that offers the product really exists and is trustworthy. Be careful about advertisements in social networks. They may lead you to a fake online shop.
Safe shopping by card. When shopping in foreign e-shops, the most common way of payment is by card. In this case you will have to indicate the details of your payment card. If an online shop participates in international security programmes, special logos such as “MasterCard SecureCode”, are used in this shop. You may be redirected to internet bank to confirm payment transaction by logging in. Learn more about “Safe online shopping” programme here. Before making a payment in an online shop, please evaluate safety of the online shop and study public internet feedback about its activity.
Safe payment via electronic banking system. When shopping in Estonian online shops, usually you will be redirected to Swedbank internet bank account. You will recognise it from the Swedbank logo and internet bank address: https://www.swedbank.ee/banklink. It confirms that payment is made directly through the bank system. After you enter your login details, the website will automatically display the generated payment form.
Third party providers. As of 14/09/2019, when you shop online, you might be offered to use payment initiation service, offered by payment institution (PISP), other than the bank, to pay for goods or services. If you choose to initiate payment from your account, kept with the bank, you might be asked to fill in the payment order form in the PISP’s environment, and give your consent to transfer data, necessary for performance of payment transaction, and later to confirm payment order with the Swedbank internet bank authentication mean. If you have noticed any transaction in the account statement, not authorised by you, inform us immediately by calling 6310310 (for private clients) or 6132222 (for business clients).

It is important for us at Swedbank that our customers can feel safe and secure when managing their monetary affairs with our electronic channels. Therefore, we seek to ensure the highest security level in IT systems. Despite this, an error may slip by. If you have found a security flaw, we would like to hear more about it to be able to correct the problem as soon as possible.

How do you report?

Send an email to us in your local language at responsible-disclosure@swedbank.com. Optionally, you can use our public PGP key to protect the information you send over. Make sure to have included the following information:

Detailed description of the vulnerability containing such info as URL and type of vulnerability.
The necessary information that we need to resolve the problem.
If applicable, a screenshot of the vulnerability you have found.
Contact information, name and surname, email, phone number, and your public PGP key (if you have one).

This personal data submitted by you will be processed by Swedbank in order to inform you about the analysis of IT security flaws noticed by you and their correction, and, if necessary, to contact you regarding the revision of the information submitted by you. More information about Swedbank’s data processing procedure is available in the Swedbank Principles of Processing Personal Data.

What can you report?

You can report security flaws that you have found in any of our services. Examples of security flaws are cross-site scripting, flaws in encryption or flaws with security implications in logic controls. The reporting service is not designated for other logical errors, errors in texts, questions about our services, questions about the security of our services or similar.

What can you expect from Swedbank?

We will confirm that we have received your description, continuously keep you updated while we process the issue, and inform you when the issue is fixed. Claims for compensation as a condition for sending in a vulnerability are not accepted.

What is required from you?

It is important for both us and our clients that you follow good practice, i.e. that:

You do not use the vulnerability to access or attempt to access information that does not belong to you.
You do not use the vulnerability to remove or modify information.
You do not affect the availability of our services.
You give us an opportunity to fix the reported vulnerability before going public with it.

Can you file a report anonymously?

Yes, but we won’t be able to respond and keep you updated on the status.

PGP key

Use this PGP key if you want to send us an encrypted e-mail. But using it is not required.

Key ID: 0x0AD6CCAF

Control code: 2D14 4030 6D4B 68C3 F286 3AC6 333B E8E4 0AD6 CCAF

We encourage you to update your browser and operating system version as soon as an update is released. These updates can be set up automatically for better security and experience in our digital channels. We officially support these browser versions:

Google Chrome 85 and later;
Microsoft Edge 85 and later;
Mozilla Firefox 80 and later;
Safari 14 and later.

Do not share your personal authentication means. If you want to give your family members or your employees rights to manage funds on your accounts, please, request the Bank to grant them respective rights. They will be able to use company’s accounts on behalf of their own and by using their own personal authentication means. You can revoke these rights at any time. It is also possible to order a supplementary card linked to your account for a family member to use. Sharing the same authentication mean between the employees or family members is strictly forbidden.
Remember, that security of all your data (User ID, PIN codes, mobile phone number provided to the bank, personal number, etc.) is the key for protecting an access to your money.
If you’re using a public computer, avoid entering personal information as there might be malware that records your details.
Do not keep User ID number together with authentication means and their confidential codes.
Never send authentication data by email.
Never disclose your login information, unless you are initiating the call with the bank. No one has the right to request you to provide your personal number and authentication mean by phone. If you receive a call from a person stating he is an employee of the bank, end the conversation immediately.
Your Smart-ID or PIN code generator PINs should not coincide with any part of your phone number or the sequence of numbers.
Always compare control number and read “see what you sign” if available.
By entering PIN2 of Smart-ID you are usually confirming a payment or an agreement. Be extra careful when doing it.
You will get an SMS when new Smart ID account is created. Contact bank immediately if it wasn’t you who created Smart ID.

How to stay safe? Read more on our blog.