Safety announcements - Bank Pekao S.A.

Read the latest announcements regarding cyber threats and actions you should take when such circumstances arise. If you have any questions or doubts, please contact our hotline numbers 801 365 365 or +48 42 683 82 32.

  • Beware of false BLIK code requests

    • Beware of messages from your family and friends sent via social media (mainly Facebook and Messenger). Cybercriminals who manage to take over your friend’s account send messages to his/her most frequent contacts. In these messages they ask you to provide a BLIK code, claiming that they must urgently pay for something and do not have the money at that particular moment, and promising to pay you back as soon as possible.

      Please remember not to give your BLIK code to third parties. If you have well-founded concerns (e.g. you received a non-standard request from someone close to you), contact that person in another way, e.g. by phone. This way you can confirm whether the request actually comes from your friend.
       
  • Warning of the Polish Financial Supervision Authority against phishing attacks in connection with the PSD2 Regulation

    • From 14 September 2019, payment service providers (including banks, Credit and Saving Unions and payment institutions) are subject to the EU Implementing Regulation to the PSD2 Directive regarding strong client authentication as well as open and safe communication standards. The Regulation aims, among other things, to raise the level of security measures used when providing payment services via electronic channels (Internet banking, payment card payments, online payments), and thus to increase clients’ safety in their dealings with payment service providers.

      Electronic transaction safety will be increased through strong client authentication. As a result of the new solutions introduced by payment service providers, the main change is the way clients log in to electronic banking services: in particular, an additional authorisation method will be required in addition to the login and password. The choice of specific solutions is at the discretion of the relevant payment service provider, and further details are available on the providers’ websites. For card payments, the changes concern the authorisation of Internet transactions (those made without physical use of the card) and contactless payments, where confirmation with a PIN will be required more often than in the past, and not only when the amount exceeds PLN 50.


      The Polish Financial Supervision Authority [Urząd Komisji Nadzoru Finansowego] notes that the increased contact between payment service providers and their clients, required by the implementation of the new solutions, may be exploited by cybercriminals to launch phishing attacks and, as a consequence, to steal identities or funds.

      Therefore, the Polish Financial Supervision Authority stresses the need to stay particularly alert and urges clients of financial institutions to follow the communication standards set out by those institutions. Any email, text message or phone call that invokes the introduction of the new solutions and asks the client to provide information, including sensitive data, should raise well-founded suspicion, in particular when it asks for:
      • electronic banking login details;
      • authorisation codes and PIN codes;
      • personal data;
      or informs you about a blocked account, or requires you to:
      • click on a link sent via email or text message;
      • change your password or other login details by means of a link sent online;
      • open a suspicious attachment, or run or install an application you were sent;
      • make a suspicious online payment or transfer.

      If you have any doubts, we advise you to contact the payment service provider directly. We also recommend that you keep your knowledge of the safe use of financial services up to date by visiting the websites of financial institutions, where you will find detailed information and warnings on the safe use of their services.

      The above announcement was published on the UKNF website on 06 September 2019.
       
  • Beware of fake websites pretending to be instant payment intermediaries. Users of Internet and mobile banking who shop online are exposed to such attacks

    • If you suspect that you have fallen victim to Internet fraud, report it to your bank as soon as possible, and then to the Incident Response Team CERT.PL (at https://incydent.cert.pl/) and your nearest police station. These institutions will inform you of the further steps.

      You also have the right to make a complaint to your bank. Please read the entire wording of the announcement of the National Public Prosecutor’s Office, Polish Police Headquarters, Office of Competition and Consumer Protection, European Consumer Centre and FinCERT.pl – Banking Cybersecurity Centre ZBP.

      Remember! Do not log in using the address or link sent via email or through a social network.

      The bank never requests you to provide the full password to the website.

      Never provide your confidential information on imitation websites purporting to be the genuine website of the Bank. If you use SMS codes to authorise operations on the website, always verify that the text message containing the authorisation code matches the operation you are performing. Pay special attention to the account number and the transaction amount.

      Inform the bank immediately about any suspicious situations!

      If you have any doubts, please contact our TelePekao consultant or our hotline number (801 365 365), where you will be advised on further steps.
       
      • Beware of fake text messages from courier companies, including links to log in to Pekao24

        • In connection with the recent increase in the number of online shopping transactions, Bank Pekao S.A. informs you of a threat identified in this area.

          Shortly after making a payment in an online store, you receive a text message saying that the shipment of your goods will cost more and that you have to pay extra, e.g. PLN 1; if you do not pay, your order will be cancelled.

          A well-known courier company (e.g. InPost, DHL or DPD) is shown as the sender of the text message.

          Example text message:
          “The shipment to your address is more expensive. Please pay PLN 1 extra. If you do not pay, your order http:………………….. will be cancelled”.

          The link in the text message redirects you to a fake website of a payment intermediary (e.g. Dotpay), where your login details and transaction authorisation data are phished. These data allow cybercriminals to log in with your client details and make a fraudulent transaction.

          Finally, the victim is asked to enter an SMS code, which in fact confirms the operation initiated by the cybercriminals.

          Given the above, we would like to remind you of the following:
          • Do not log in using an address or link sent via text message, email or a social network.
          • The bank never asks you to provide your full password on the website.
          • Never provide your confidential information on imitation websites purporting to be the genuine website of the Bank.
          • Do not use payment handling services that ask you to provide your client number, password or operation authorisation code.
          • Verify that the login page has the following address: https://www.pekao24.pl/
          • Verify that you can see the padlock icon on the screen, which means that the connection is encrypted (the address then starts with https instead of http).
          • If you use SMS codes to authorise operations on the website, always read the Bank’s text message carefully to verify that the message containing the authorisation code matches the operation you are performing. Pay special attention to the account number and the transaction amount.

          If you notice any non-standard request to provide your sensitive data, please immediately contact the Bank’s hotline consultant (801 365 365 or 42 68 38 232), who will advise you on further steps.
           
      • Beware of malware for mobile devices (tablets, mobile phones), pretending to be the banks’ or other institutions’ applications.

        • We would like to warn you against a new type of malware for mobile devices (tablets, mobile phones). Such malware, pretending to be an application of a bank or another institution, attempts to phish your sensitive data such as login, password, PIN or credit card details. It also makes it possible to intercept text messages and phone calls incoming to the infected phone.


          Please stay alert and pay special attention to the applications you install on your mobile devices. If your phone gets infected, the consequences may be serious, affecting not only bank-related processes (e.g. interception of text messages with authorisation codes) but also your everyday life (e.g. eavesdropping on phone conversations or reading private text messages).

          Pay special attention to applications that originate from links you received via email or text message.
          Currently, installing cryptocurrency-related applications poses the biggest risk of infecting your device.
          Below you can see an example of how the malware works. Once the user has run the bank’s application (e.g. the PekaoToken mobile application), the malware displays “overlays” designed to phish your electronic banking login details.

          We would also like to remind you that the Bank never asks you to provide your full (unmasked) login password during the login procedure.

          Below you can see fake screens from such applications:

          If you notice any non-standard request to provide sensitive data, please immediately contact the Bank’s hotline consultant (801 365 365 or 42 68 38 232), who will advise you on further steps.
           
      We would like to remind you that the basic safety rule is never to disclose your Pekao24 login details to other entities or third parties. Do not use payment handling services that require you to provide your client number, password or operation authorisation code. Providing such information may allow third parties to gain unauthorised access to the Pekao24 service, change your personal data or use them for criminal purposes. Remember also that revealing the data required to log in or to authorise operations is against the Pekao24 Rules and may result in the service being blocked.

      Please read the warning of the Financial Supervision Authority.

      Remember!
      • The bank never asks you to provide your full password on the website.
      • Do not use payment handling solutions that require you to provide your client number, password or operation authorisation code.
      • Never provide your confidential information on imitation websites purporting to be the genuine website of the Bank.
      • Verify that the login page has the following address: https://www.pekao24.pl/
       
  • Beware of dangerous emails including links redirecting you to a fake Pekao24 website


    • Please stay alert and treat with limited trust any emails containing links that redirect you to an imitation website attempting to phish your Pekao24 login and authorisation details. The bank never sends emails containing links to Internet banking systems or requests to log in through such links.

      Such emails are fabricated by cybercriminals to look as if they had been sent by the Bank. If you open the link in such an email, you may be redirected to a website forged by the cybercriminals to resemble the Pekao24 login page.

      The aim of such a phishing attack is to intercept your Pekao24 login and authorisation details as well as your personal data, which cybercriminals may use to make a fraudulent transaction or steal your identity.

      Remember!
      • The bank never asks you to provide your full password on the website.
      • Do not log in using an address or link sent via email.
      • The bank never contacts its Clients by phone to request codes for authorising an operation (from a one-time code list or text messages).
      • Never provide your confidential information on imitation websites purporting to be the genuine website of the Bank.
      • Verify that the login page has the following address: https://www.pekao24.pl/
      • Verify that you can see the padlock icon on the screen, which means that the connection is encrypted (the address then starts with https instead of http).
      • If you see the padlock icon, click on it twice to verify that the displayed certificate is valid and that it has been issued to Bank Pekao S.A. for the address https://www.pekao24.pl/
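The address check in the list above is easy to get wrong if you only look for the words "pekao24.pl" somewhere in the link, because look-alike addresses contain the genuine name as a substring. The following added example (not the Bank's own code) shows the check done properly: the whole host name must be exactly www.pekao24.pl and the scheme must be https. Only the genuine address is taken from the announcement; every other link in the sample list is constructed for this example (using the reserved .test domain) and is not a known phishing site.

```python
# Added example, not Bank Pekao's code: an exact host-name check for a login link.
# Only https://www.pekao24.pl/ is taken from the announcement; every other address
# below is constructed for this example and is not a known phishing site.
from typing import Tuple
from urllib.parse import urlsplit

GENUINE_LOGIN_HOST = "www.pekao24.pl"


def login_url_check(url: str) -> Tuple[bool, str]:
    """Return (ok, reason): ok is True only for an https address on exactly the genuine host.

    The comparison is on the whole host name, so look-alikes such as
    "www.pekao24.pl.example.test" or "pekao24-pl.example.test" are rejected even
    though they contain the genuine name as a substring.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not https: the connection would not be encrypted"
    # urlsplit() separates "user@host" for us, so a link like
    # https://www.pekao24.pl@example.test/ yields hostname "example.test".
    host = (parts.hostname or "").lower().rstrip(".")
    if host != GENUINE_LOGIN_HOST:
        return False, f"host is {host!r}, expected {GENUINE_LOGIN_HOST!r}"
    if parts.username is not None:
        return False, "address contains a user name before the host"
    return True, "address matches the genuine login page"


def classify_links(urls):
    """Run the check over a list of links and return {url: ok} for a quick review."""
    return {u: login_url_check(u)[0] for u in urls}


if __name__ == "__main__":
    # Constructed sample links: one genuine, the rest modelled on typical look-alike patterns.
    samples = [
        "https://www.pekao24.pl/",
        "https://WWW.PEKAO24.PL/login",
        "http://www.pekao24.pl/",
        "https://www.pekao24.pl.example.test/login",
        "https://pekao24-pl.example.test/",
        "https://www.pekao24.pl@example.test/",
    ]
    for url, ok in classify_links(samples).items():
        print(("OK      " if ok else "REJECT  ") + url, "-", login_url_check(url)[1])
```

Note that the padlock and the https prefix only tell you that the connection is encrypted; a forged website can be served over https too. What identifies the genuine site is the exact host name together with the certificate details the announcement tells you to inspect.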

      For more information about Internet banking safety, go here.
       
  • Beware of a Trojan that replaces bank account numbers pasted from the clipboard

    • A new Trojan called Banapter is circulating on the Internet.
      Users of electronic banking who use browsers such as Firefox, Internet Explorer or Opera are particularly exposed to this attack.

      Banapter is distributed by criminals as an attachment to spam emails sent to private mailboxes. The content of the email and the attachment filename (e.g. a notice about an allegedly unpaid VAT invoice) are designed to prompt the victim to open the attachment, which infects the computer.

      Banapter allows cybercriminals to remotely replace a bank account number that the Client has copied to the clipboard, so that a different number is pasted into the transfer form.

      Stay alert and always verify that the recipient’s account number is correct before authorising the transfer.
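A natural question is whether the transfer form could catch a swapped number on its own. The added example below (not the Bank's own code) shows why it cannot rely on the account-number checksum: a Polish account number (NRB) is 26 digits, as an IBAN it is "PL" followed by the NRB, and a substituted number chosen by the criminals passes the standard mod-97 check just as the genuine one does. The only reliable test is the one the announcement recommends, comparing the number in the form with the one the payee actually gave you. The checksum routine is the general ISO 13616 IBAN check, so it goes beyond the Polish case; all account numbers in the example are constructed and belong to nobody.

```python
# Added example, not Bank Pekao's code: why an account-number checksum cannot
# catch a clipboard-swapping Trojan like the one described above, and what does.
# A Polish account number (NRB) is 26 digits; as an IBAN it is "PL" + NRB, and
# both the genuine and the substituted number pass the standard mod-97 check.
# Every account number in this example is constructed and belongs to nobody.
import re


def _normalise(s: str) -> str:
    return re.sub(r"\s+", "", s).upper()


def _to_digits(s: str) -> str:
    # IBAN rule: letters become 10..35 (A=10, B=11, ...), digits stay as they are.
    return "".join(str(ord(c) - 55) if c.isalpha() else c for c in s.upper())


def iban_is_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end; the number mod 97 must be 1."""
    iban = _normalise(iban)
    if not re.fullmatch(r"[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}", iban):
        return False
    return int(_to_digits(iban[4:] + iban[:4])) % 97 == 1


def make_pl_iban(nrb_body: str) -> str:
    """Build a PL IBAN with correct check digits from a 24-digit NRB body (bank/branch + account)."""
    if not re.fullmatch(r"[0-9]{24}", nrb_body):
        raise ValueError("NRB body must be exactly 24 digits")
    check = 98 - int(_to_digits(nrb_body + "PL00")) % 97
    return f"PL{check:02d}{nrb_body}"


def transfer_is_safe(intended_iban: str, form_value: str) -> bool:
    """The defence the announcement recommends: the number in the transfer form must be
    exactly the one the payee gave you (invoice, trusted-recipient list), not merely a
    well-formed one."""
    return iban_is_valid(form_value) and _normalise(form_value) == _normalise(intended_iban)


if __name__ == "__main__":
    # Constructed numbers: the one on the payee's invoice and one a Trojan might substitute.
    genuine = make_pl_iban("109010140000071219812874")
    substituted = make_pl_iban("114020040000300201355387")
    print("genuine     ", genuine, "checksum ok:", iban_is_valid(genuine))
    print("substituted ", substituted, "checksum ok:", iban_is_valid(substituted))
    # A checksum alone lets the swapped number through; comparing with the invoice does not.
    print("safe to authorise (swapped):", transfer_is_safe(genuine, substituted))
    print("safe to authorise (matches):", transfer_is_safe(genuine, genuine))
```

The practical lesson is the one in the announcement: a well-formed number in the form proves nothing, so read the recipient number in the authorisation text message against the invoice digit by digit before entering the code.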

      If you have any doubts, please contact our TelePekao consultant or our hotline number (801 365 365), where you will be advised on further steps.

      Please read the latest announcement of the Polish Banking Association regarding this type of threat.


       
  • Protect the confidential data of your payment cards

    • Remember!

      Stay alert and have limited trust in the emails originating from unknown senders.
      We recommend not replying to such emails, not opening the attachments or links they contain, and not providing confidential information on websites purporting to be the genuine website of the Bank.

      Do not trust the email sender. Scammers know how to fabricate an email so it seems as sent by a person or institution you trust.

      Never send any confidential data regarding your payment card via email. Banks and other financial institutions never request you to send such data via email.

      Cybercriminals create specially fabricated websites, messages, registration forms or emails purporting to be the genuine ones; to an inexperienced Internet user they look authentic. The aim of a phishing attack is to manipulate the victim so that he/she is unaware that the information provided is being sent to cybercriminals instead of the authorised institution. Disclosing confidential data about your payment card to an unauthorised person may result in it being used to make a fraudulent transaction.

      Confidential data of your payment card include:
      • Card number
      • Details of the card holder
      • Card expiration date
      • Card Verification Value 2
      • Card Verification Code 2

      Notice!
      If you have disclosed your card’s details to an unauthorised person, block the card as soon as possible. Immediately call our 24/7 hotline number 801 365 365 or +48 42 68 38 232.

      Inform the bank immediately about any suspicious situations!

      If you have any doubts, please contact our TelePekao consultant or our hotline number (801 365 365), where you will be advised on further steps.