Banking online is very convenient but you must protect your password and personal details to prevent criminals from accessing your account in your name.

The risks

  • You could be tricked by phishing emails or vishing phone calls into disclosing your password and other confidential details.
  • Identity theft caused by viruses or spyware, giving criminals access to your bank account and other personal information stored on your computer.
  • Malware on your computer that sends information to your bank that is different from that which you intended – for example the recipient of a payment. Malware could also introduce false fields such as ‘enter your complete password’ on an otherwise genuine site, by interfering with your browser. This is sometimes called a ‘Man in the browser’ attack.

Safe banking

  • Never disclose passwords or other personal information in response to an email, phone call or letter purporting to be from your bank or other financial institution. Banks will never send you emails asking you to divulge such information. Any communication from banks will use your actual name (not ‘Sir’ or ‘Madam’) and possibly another verification of authenticity such as your postcode or part of your account number. If you are unsure if an email is genuine, contact your bank via other means.
  • Always make sure you are using a secure internet connection to connect to your bank. Never use free public Wi-Fi – however convenient – as this may not be secure and your online banking could be eavesdropped on.
  • Look for ‘https’ at the beginning of the address and the padlock symbol in the browser frame.
  • Only ever visit your bank’s website by entering the address into your browser or using a bookmark you have created using the correct address. If you believe your details may have been compromised in some way, always contact the bank (See Safeguarding Identity).
  • Use strong passwords and PINs.
  • Ensure you have effective and updated antivirus/antispyware software and firewall running before you log in to your bank account.
  • Use a different password and PIN for each website.
  • Do not reveal your passwords or PINs to anybody else or write them down to remember them.
  • Always check your statements, and if you notice any unusual transactions, report them immediately.
  • Switch off paper statements and register for online banking with mobile alerts. Paper statements are easily intercepted and read.
  • Get the latest Windows updates.
  • Be careful when using public computers to access your bank.
  • Be aware of ‘shoulder surfers’ viewing your screen.

Two- and multi-factor authentication

Many banks use two-factor authentication to obtain stronger evidence of who you are than simply using passwords. Two factors are ‘something you know’ (typically your user name and password) and ‘something you have’ which is either your bank card with a card reader, or else a standalone device like HSBC’s SecureKey. The code generated is personal to you, and different each time you log in.
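The following is an added illustration, not taken from this page or from any bank, of why such a code is personal to you and different each time. The page does not say which algorithm a card reader or key device uses; the sketch assumes the public HOTP standard (RFC 4226), and the `BankVerifier` class, customer names and second secret are hypothetical.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code per RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class BankVerifier:
    """Hypothetical server side: one secret and one counter per customer."""

    def __init__(self, look_ahead: int = 3):
        self.look_ahead = look_ahead
        self.accounts = {}  # customer id -> [secret, next expected counter]

    def enrol(self, customer: str, secret: bytes) -> None:
        self.accounts[customer] = [secret, 0]

    def verify(self, customer: str, code: str) -> bool:
        if customer not in self.accounts:
            return False
        secret, expected = self.accounts[customer]
        # Tolerate a few unused button presses, but never look backwards.
        for counter in range(expected, expected + self.look_ahead + 1):
            if hmac.compare_digest(hotp(secret, counter).encode(), code.encode()):
                # Burn this code and every earlier one so a captured code cannot be reused.
                self.accounts[customer][1] = counter + 1
                return True
        return False


# Constructed sample data: the RFC 4226 test secret and a made-up second secret.
ALICE_SECRET = b"12345678901234567890"
BOB_SECRET = b"constructed-secret-2"

if __name__ == "__main__":
    bank = BankVerifier()
    bank.enrol("alice", ALICE_SECRET)
    bank.enrol("bob", BOB_SECRET)
    first = hotp(ALICE_SECRET, 0)
    print("alice's first code:", first, "accepted:", bank.verify("alice", first))
    print("same code replayed:", bank.verify("alice", first))
    print("alice's next code on bob's account:", bank.verify("bob", hotp(ALICE_SECRET, 1)))
```

A code that has been used, or that belongs to another customer's device, is refused, which is what limits the value of a code captured by phishing or shoulder surfing.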

It is expected that more banks and other financial services organisations will increase security levels in the light of mobile- and app-based banking, using up to five-factor authentication which could include using location-based services to prove that the mobile device is in the same place as the account holder, and sophisticated voice recognition.


Some banks offer additional security software specifically designed to protect you during online banking. Rapport software, as it is known, is a free download from these banks and secures financial transactions in addition to normal internet security software.

More information

All banks carry online security information on their websites, including information about known frauds.

Also visit: The Global Anti-phishing Working Group.

Jargon Buster

A Glossary of terms used in this article:


Wi-Fi
A local area network which uses radio signals instead of a wire to transmit data.

PIN
Personal Identification Number.

Phishing
An attempt at identity theft in which criminals lead users to a counterfeit website in the hope that they will disclose private information such as user names or passwords.

Malware
Software used or created by hackers to disrupt computer operation, gather sensitive information, or gain access to private computer systems. Short for ‘malicious software’.