Security Centre
Protecting you against fraud is our priority. We work tirelessly to keep your money and identity safe and to help you spot anything suspicious.
If you suspect fraud or have any concerns, call our Fraud team any time 24 hours a day on 0151 372 0388. You can also speak to your Firco adviser.
If you receive a fraudulent or suspicious email, please forward it to info@FircoGroup.co.uk. If you have responded or clicked any links call us immediately.
If you receive a suspicious text message, please forward it to info@FircoGroup.co.uk. Again, if you have responded or clicked any links, call us straight away.
The Basics
- Never disclose your PIN or online security codes to anyone. Your bank will never, ever ask you for them by phone, text or email
- Be wary of clicking on links or attachments in emails, particularly if you are not expecting to receive it
- Install anti-virus/firewall software on all of your devices (eg computers, tablets, phones, etc) and update it regularly
- Remember that caller display cannot always be trusted and callers may not be who they say they are. If in doubt, hang up and call us back on a number you recognise from a different phone
- Choose strong passwords and do not use the same PIN and password for everything
- Keep your us and your bank updated with any new contact details
- Check your statements and report anything you do not recognise
- Securely store financial and other valuable documents, such as your passport
- Ensure you dispose of documents diligently (for example, use a cross cut shredder to destroy statements when no longer required)
Protect Your Payments From Scams
Please read our advice before proceeding with any payments.
I’ve been asked to transfer money unexpectedly
Who has asked you to transfer money?
Fraudsters may contact you pretending to be from the Bank, the Police or other organisations you trust and ask you to transfer money to another account.
Remember: A bank or genuine organisation will never contact you out of the blue asking you to move your money to keep it safe.
If this sounds familiar, do not make the payment and end contact with the individual immediately.
I’m making an investment
Before you make the payment, consider whether this opportunity is genuine.
Scammers will do their homework and make it their business to know as much about you as possible, this doesn’t mean the offer is genuine.
Always seek independent advice before you commit to an investment. You can get more guidance on investment scams and check if an organisation is authorised by the Financial Conduct Authority at fca.org.uk. If they’re not authorised, it’s likely to be a scam.
I’m paying for a service or making a purchase
Always double check the bank details of the person you’re paying by contacting them on a number you can trust.
Fraudsters can intercept emails and invoices and change payment details. If you send money to a different account than the one you intended it can be very difficult for us to recover it and you may lose your money.
When buying goods or services from someone you don’t know consider using your debit card or credit card, or a payment method which offers additional protection against scams, like PayPal or Google Pay. Only pay for goods and services via bank transfer if you know the person you’re paying or are satisfied the business is genuine.
I’m sending money to someone I’ve never met
Always ask yourself how well you truly know the person and how reliable they are.
Dating and romance scams can have a serious financial and emotional effect on victims. The scammer will build a relationship with you before asking you to transfer money due to a personal emergency or to cover travel expenses. Remember, never send money to someone you haven’t met in person.
Are you amending payment details?
Fraudsters may contact you and ask you to change details of a saved payee.
Only change the details if you know the person or business and they have proof that their bank details have recently changed. A simple phone call to the person on a number you trust could protect you from losing your money.
Further information and support
Never be pressured into transferring money. If you’re unsure, we suggest you take a day or two to think about what’s being asked and talk it through with someone you can really trust.
If you think you’re the victim of a scam, contact us immediately. If you want more information use the menu above to review further advice about how to stay safe online.
Online fraud is becoming increasingly sophisticated, with malware and phishing allowing cyber criminals to access computers, account numbers and other personal information. Antivirus software is vital for your security, but criminals are constantly seeking new and smarter ways to steal your identity and take money from your bank account.
- Installing Antivirus – helps to stop threats by scanning your device and looking for suspicious files. Install anti-virus software on all of your devices (eg computers, tablets and phones) and update it regularly
- Installing a Firewall – hides your computer from attackers and helps stop criminals getting data in and out of your computer
Common Scams
Card Scam
Often this will start with an unexpected phone call from an individual who claims to be from the Bank’s fraud department or law enforcement. The caller will advise that they have identified fraudulent transactions on your account and that your card has been compromised.
To gain your trust, the caller will prompt you to verify the call by phoning the telephone number printed on the back of your card or providing you with an unverified telephone number. However, fraudsters often use techniques to hold your phone line open, so that when you try to dial out they can intercept and re-answer the call.
The fraudster will advise that your bank card(s) must be collected in order to protect your card and/or account and assist with any investigation. They will normally ask you to put your card into an envelope and then ask you to either key your PIN via the phone keypad or to write it down and insert it into the envelope with the card.
The fraudster will then arrange for a courier or someone dressed as a law enforcement officer, to come to your home and collect the card and provide you with a fake reference number. Once the fraudster obtains your card(s) and PIN(s), they can gain access to your account and carry out fraudulent transactions.
Please note that from time to time the bank may genuinely call you for fraud prevention purposes to verify whether a transaction is genuine. However, we and your bank will NEVER ask to collect your card as part of a fraud investigation or ask you to disclose your PIN, card details or any online banking credentials.
Phishing
Phishing can also involve sending malicious attachments or website links in an effort to infect computers or mobile devices (this is known as malware – malicious software). Very often these appear to be authentic communications from legitimate organisations. Embedded links within the message can direct you to a hoax website where your login or personal details may be requested. You may also run the risk of your computer or smartphone being infected by viruses.
Once your personal details have been accessed, criminals can then record this information and use it to commit fraud crimes such as identity theft and bank fraud.
Phishing messages generally try to convince the recipient that they are from a trusted source.
Spear-phishing
This technique is used by criminals to use personal information to earn trust and lower the intended victim’s defences increasing the chances they may open attachments or embedded links.
Reporting suspicious emails
If you have received a fraudulent or suspicious email, and not responded to it please forward the email to info@FircoGroup.co.uk
However, if you have responded to the e-mail, and/or you suspect that any of your accounts with us have been accessed online by someone other than yourself, please contact our dedicated fraud team immediately on 0151 327 0388.
Overpayment Fraud
The business reimburses the fraudster with the excess amount of money that was apparently paid to it in error, before the cheque gets returned unpaid.
Not only does the business not get paid for the goods or services, but also loses further money because of the ‘excess payment’ it paid the fraudster.
Cheque overpayment fraud is often a method used in employment opportunity scams or transactions for goods and services sold through classified adverts.
Protecting Yourself From Fraud
Card Fraud
- Always shield your PIN when using a cash machine or while making purchases.
- Try to use cash machines inside bank branches where possible.
- If your card is taken by a cash machine call your bank straight away. Your card may have been taken by a cash machine due to a fault but occasionally fraudsters will attach card trapping devices to cash machines. Once you leave the machine the fraudster will remove the card from the slot. Your bank will cancel your card straight away, order your new card and endeavour to ensure that you have access to cash if needed.
- When purchasing online only use secure websites – those with an address beginning with ‘https://’ where the padlock symbol is displayed. Also be careful if the product is being offered at a huge discount.
- If you are experiencing any issue with your card call your bank straight away. It may be that your card has been damaged or there is another reason why your card is not working as expected.
Online Verification
One of the main benefits of Internet shopping is the extra time it gives you to enjoy life offline.
Most banks have introduced additional layers of security for your cards that will make online shopping less obtrusive but no less safe. The new service will also be easier to use as there is no need to register or remember a password.
Online Verification uses the latest technology to help protect you against fraud and confirm it is really you making an online payment with your debit or credit cards. For more details on how this service works, please ask your bank.
Cheque Fraud
- Don’t accept cheques from anyone unless you know and trust them, especially when of a high-value. Consider alternative means of accepting payment for high-value items – electronic payments are ideal.
- Be especially wary if the buyer is unwilling to pay or split the relatively small cost involved involved in sending electronic payments are ideal.
- Before releasing any goods ensure you are fully aware of the cheque clearing timescales and if you are in any doubt about whether a cheque has cleared then call your bank.
- Keep your cheque book in a safe place and report any missing cheques immediately.
- If posting cheques consider confirming receipt with the beneficiary or send by secure post.
Scams Involving Cheques
Counterfeit cheques are manufactured or printed on non-bank paper to look exactly like genuine cheques. Usually the bank details quoted are correct. Fraudsters may send the cheque to you, or directly to the bank requesting that it be credited to your account without you ever seeing the physical cheque.
A common method used by fraudsters is known as ‘overpayment’. This is when you are paid for more than the agreed value using a fraudulent cheque. The fraudster will likely provide an excuse for the additional amount and request that the difference is sent back to them before the cheque has cleared, leaving you potentially out of pocket. This type of scam has targeted business and individuals, especially those who buy and sell items online.
Identity Theft
- Never write down or divulge your security identification answers or passwords to anyone, unless you are certain that you are talking to a banks member of staff.
- If in doubt hang up and call your bank back on a known telephone number.
- If you provide your bank with new contact details, you will usually receive a call from the security team to validate the details.
- If you provide your bank with a payment instruction you may receive a security call back.
- Always securely store your banking, financial and valuable personal documents, such as your passport.
- Shred all financial documents before you throw them away, ideally with a cross cut shredder.
- Be aware what personal information you share on social networking sites, for example, date of birth.
- A variety of ‘harmless’ communications in different formats can be used together to steal your identity or commit fraud.
If you are concerned about someone using your identity, here are some useful links.
Checking your credit file
Fraud Prevention Service
Social Media
- Be aware what personal information you share on social networking sites, for example, date of birth.
- Children can be targets who unwittingly reveal personal information, such as birthdays, schools, holidays and pet names to ‘friends’.
- Media and press interviews can be used to quickly build up a picture of an individual, when taken with information available through social media.
- Don’t let your audience know if you’re going away on business or holiday.
- Be aware of what friends post about you and your family’s activities.
- Be aware that sites such as Instagram, Pinterest and YouTube can carry the same risks as Facebook and Twitter.
- Understand your security settings and who you’re sharing your information with.
A variety of ‘harmless’ communications in different formats can be used together to steal your identity or commit fraud.
If you are concerned about someone using your identity, here are some useful links.
Checking your credit file
Fraud Prevention Service
Telephony Fraud And Vishing
Often a fraudster will call the victim and claim to be from the bank or a police official and ask for bank account details, card details, three-digit security numbers, PINs, online banking passcodes or telephone banking security passwords.
- Don’t assume anyone who has called you or left you a voicemail message is who they say they are.
- Never disclose online passcodes, security codes, PINs or card details to anyone who phones you. Your bank will never, ever ask you for them by phone, text or email.
- Remember that caller display cannot always be trusted and callers may not be who they say they are. If in doubt, hang up and call the bank back on a number you recognise from a different phone.
- If you receive a call about your bank account or a transaction and have any doubts about the person’s true identity, hang up and call the bank back on a known telephone number from a different phone.
General Online Fraud Advice
- Ensure that your operating system and software are kept up to date.
- Anti-malware application/software are able to assist recovery of your device or remotely wipe its data.
- Always enable PINs or password to access your device in the event that it is lost or stolen.
- When purchasing online only use secure websites – those with an address beginning with https:// where the padlock symbol is displayed.
- Be wary of clicking on links or attachments in emails, particularly if you are not expecting to receive it.
- Not all phishing e-mails are sent to large groups of random people.
- Spear-phishing is a term used when fraudsters target a specific individual with an email and attachment that the target is more likely to open as it will typically contain something of interest. For example, an email purporting to be from your gym with changing opening times, or a parcel that could not be delivered to you.
- Never provide your personal details, including your card details, online username or passcodes in response to an email or telephone call.
Useful Links
The UK’s national fraud and internet crime reporting centre, Action Fraud provides a central point of contact for information about fraud and financially motivated internet crime. Should you become a victim of fraud, incidents reported to Action Fraud will be designated a police crime reference number.
Visit action fraud >>
Take Five to Stop Fraud
Take Five is a national campaign that offers straight-forward and impartial advice to help everyone protect themselves from preventable financial fraud. This includes email deception and phone-based scams as well as online fraud – particularly where criminals impersonate trusted organisations. Led by Financial Fraud Action UK Ltd. (FFA UK), it is being delivered with and through a range of partners in the UK payments industry, financial services firms, law enforcement agencies, telecommunication providers, commercial, public and third sector.
Visit Take Five to Stop Fraud >>
Get Safe Online
Get Safe Online is the UK’s leading source of unbiased, factual and easy-to-understand information on online safety.
Friends Against Scams
Friends Against Scams is a National Trading Standards (NTS) Scams Team initiative, which aims to protect and prevent people from becoming victims of scams by empowering communities to “Take a Stand Against Scams”.
Visit Friends Against Scams >>
Bank Safe Online
The UK banking industry group serves as a good source of information about phishing, money mules and trojans.
Credit Check Agencies
Equifax and Experian
Credit check agencies provide reports which consumers can use to understand, manage and control their credit score.
Visit Equifax >>
Visit Experian >>
OTHER
CIFAS
Provides fraud prevention services to individuals and organisations using the latest technology
Citizens Advice
Offers free, impartial and independent advice relating to fraud and other topics.
Financial Services Register
A public record of all firms, individuals and other bodies that are regulated by the Financial Conduct Authority.
Visit Financial services register >>
Financial Conduct Authority
The FCA regulates the financial industry in the UK.
Visit the Financial Conduct Authority >>
UK Finance
UK Finance shows how financial services firms can help if you are a victim of financial abuse.
Security Disclosure Policy
Security Disclosure – SUBMISSION TERMS
We run an amnesty for security researchers who, in good faith, identify vulnerabilities our online systems.
A Security Disclosure is something you want to tell us about which impacts the confidentiality, integrity, or availability of the company or client data or systems.
If you have identified a potential vulnerability you can email us after reading the Security Disclosure Submission Terms, which contain all the information you need to be aware of before making a submission.
If you discover or submit a vulnerability you should:
- Not break any laws.
- Make the Security Disclosure voluntarily
- Be aged 16 or over, unless you have a Parent or Guardian’s permission.
Staff or their family members should follow the published internal process.
Email us at: info@FircoGroup.co.uk
Important information
Disclosure Scope
We want to hear from you if you discover a site, application or system with a vulnerability on:
Do’s and Dont’s
Do:
- Act in a responsible way
- Provide complete details so we have maximum opportunity to resolve any issues.
- Assume penetration testing experts will be reviewing your submission.
- Report common vulnerabilities but don’t explain the problem and the impact, just point out where it lies.
- Report esoteric or very new issues and fully explain the problem.
- Cite references or sources
Don’t:
- Put any Client or Firco data at risk, degrade any of our system’s performance, or conduct any type of Denial of Service attack.
If our security operations centre identify your actions this will be treated as an attack and not a Security Disclosure submission. We may take action against any attacks, including reporting them to the police.
What to include in your submission
We want to get as much information from you so we can validate and fix any potential vulnerability quickly. Please try to provide as much information as possible, including:
- A description of the vulnerability including the exploitability and impact if not a common attack type.
- Steps required to exploit the vulnerability including: URL(s)/application(s) affected Prior conditions required (for example, logged in, not logged in, previous actions ) and how to demonstrate the problem.
- IPs used when the vulnerability was discovered.
- If post authentication, the user ID used when the vulnerability was discovered.
- A Proof of Concept.
- Names of any files uploaded to our systems.
If you do not include everything in this list, this could delay or prevent us from validating and fixing the vulnerability. Responses to Low/Informational issues will be de-prioritised. Save all your logs as we will ask you to make them available to us.
Submissions we won’t respond to
We won’t respond to or analyse submissions covering:
- Vulnerabilities dependent upon social engineering techniques (e.g. shoulder attack, stealing devices, phishing, fraud, stolen credentials).
- Denial of service (DOS).
- Self-XSS (User defined payload).
- Vulnerabilities which require a jailbroken mobile device.
- Most vulnerabilities within identified test, UAT, lab, bankofapis or staging environments.
- Outdated web browsers: vulnerabilities contingent upon outdated or unpatched browsers, including Internet Explorer versions prior to version 8.
- Vulnerabilities involving active content such as web browser add-ons.
- Disclosure of public information or information that does not present risk to us or our clients (for example, web server type disclosure).
- Vulnerabilities contingent on a client system previously being compromised.
Recognition and thanks
We may highlight anyone who has made a submission which has significantly helped us keep our clients safe and secure. We will always ask for your consent before doing this.
Confidentiality
Information relating to our technology and information security arrangements is confidential. Any information you receive or collect about us or any Firco user as part of your research prior to making a Security Disclosure submission as detailed in this Policy and these Terms must therefore be kept confidential and only used in connection with the Security Disclosure. You may not use, disclose or distribute any such information without our prior written consent. Any such information should be deleted once your submission has been received.
* We may change this Security Disclosure Policy and the Security Disclosure Policy Terms from time to time. We may also cancel them and our Security Disclosure programme at any time. We’ll let you know on this page if we do this.