Vishing is where a fraudster uses voice messages or phone calls to try to steal identities, and financial information like your PIN, card details and Digipass code.

The term comes from the combination of ‘phishing’ and ‘voice’. Phishing is where fraudsters use email, regular phone calls and fake websites to dupe people into giving them personal details and financial information.

Vishing is specifically the use of a VOIP service (Voice Over Internet Protocol, or an internet phone service), which enables fraudsters to communicate with their potential victims via automated voice messages and the phone keypad.

Vishers can create fake caller ID profiles so that their phone number seems legitimate, and vishing requests sound urgent, to panic the victim into acting without thinking.

Examples of vishing:

• Your bank account has been compromised
  You receive call from what appears to be Triodos Bank’s phone number. When you answer, you hear a recording pretending to be from Triodos, saying that your bank account has been compromised, and you need to call a freephone number to reset your security details. Calling this number, you would hear another automated message asking for your bank account number, Digipass code or other personal details via the phone keypad.
• You’re eligible for a loan
  You are offered loan or credit terms too good to be true (they probably are), and to receive the money, you just need to pay an upfront fee or provide your security details.
• You’re due a refund
  You receive a message that says you are due a refund. This is usually someone claiming to be from a trusted organisation. If you opt in – usually by pressing a number on your telephone - you will be redirected to a call centre agent who will attempt to defraud you or steal your information.
• Don’t miss this investment opportunity
  An automated voice message tells you about an investment opportunity too good to turn down. You’ll be encouraged to transfer money to invest in a company or service that doesn’t exist.
• You’ve won a prize
  Victims hear an automated voice message about a free offer or prize, and just need to pay postage, redemption or admin fees to claim. There’s often a deadline to hurry people into handing over their card details.

What you can do

If you receive an unexpected phone call with an automated response, hang up, search for the company’s genuine contact details online and check whether the call was legitimate. If it was, the company will be able to help you, and if it was a vishing attempt, letting the company know enables them to take action, and you will have protected yourself from fraud.

If the call relates to an investment opportunity, check the FCA register to see if the investor is regulated, and confirm the company exists by checking Companies House.

How to report a vishing scam

If you think you have been a victim of a vishing attack, call us immediately on 0330 355 0355. Then report to the FCA using their reporting form.

If you have lost money to suspected investment fraud, report it to Action Fraud on 0300 123 2040.

Phishing is a common type of internet fraud. Phishing emails are designed to appear as though they are from a legitimate source, but intend to steal personal information that can be used to access your account.

Do not respond to any email that asks for any information in relation to your internet banking log in details. If you have received a suspicious email, do not respond and call us if you need any further information.

Our opening hours are published on our help and support page. 

It can be very difficult to spot a fraudulent call. The best thing you can do if you get an unexpected call – especially if the person is asking you to make a payment or move funds, or rushing you to make a decision – is to call the organisation back on the number published on their website.

Fraudsters may call you or someone in your team and pretend to be a well-known business like BT, the bank, HMRC, the police, a supplier or even another person in your business.

Examples of what a fraudster might ask you to do:

• Move your money to a safe, secure holding account
  Fraudsters often call businesses pretending to be from their bank. They may ask you to move your money to a safe account because of suspected fraud or risk to your account. In reality, this ‘safe’ account is controlled by the fraudster. Hang up and report it to Action Fraud UK and your bank.
  
• Change the payment details of one of your suppliers
  Fraudsters often impersonate suppliers and ask businesses to pay into a new account – controlled by the fraudster. Check the caller is genuinely your supplier by calling back on the number on their website or, better still, by calling your direct contact at the company.
• Download something – software, a programme, app or other online tool
  Fraudsters may tell you there’s something wrong with your computer and it’s not secure. By downloading some software, they’ll be able to fix it for you. They might even offer you compensation or a refund for this inconvenience. In reality, the downloaded software could give them access to your computer. They may ask you to log in to your internet banking so they can issue your refund, when really they’re asking you to authorise payments into their own account. Triodos will never call you out of the blue and ask you to transfer money into another account, or download something onto your device.
• Tell them your Digipass codes
  Your Digipass codes give permission for money to leave your account. Never give these codes, no matter what they tell you. We will never ask you for these codes.
  

Fraudsters try getting money from organisations by sending fake emails and texts to gain access to their internet banking details. It can be difficult to spot a fraudulent email, but there are things you can check for clues it’s a fraudulent email.

• Check the sender email address
  Always check the sender’s email address to make sure it’s from the person you think. Fraudsters can change the ‘From’ name so it can look like it’s come from your bank, or a person’s name. If you hover over the name, the sender’s email address should be displayed. If it’s a company email address, an online search of the email address will often tell you if it’s a genuine address.
• Call the sender
  If you get an unusual request from someone you know, asking you to transfer money or download something onto your computer, and the email address looks genuine, there’s a possibility their email account was hacked. To be safe, it’s best to call them to make sure they sent the email and really made the request.
• Look for spelling mistakes
  Scam emails can often look odd, with a messy layout and spelling mistakes.

Common email and text scams to look out for:

• CEO fraud
  Fraudsters email employees pretending to be the owner or CEO of the organisation, asking them to make a payment or transfer.
• Supplier fraud
  Fraudsters pretend to be your supplier letting you know their payment details have changed.
• Invoice fraud
  Fraudsters send fake invoices claiming to be from a real business you work with. Sometimes they hack the emails of your supplier to send the invoice, so the email address is genuine, but the payment details are changed to those owned by the fraudster. It’s sensible to call your suppliers on the number on their website to verify their payment details before you pay new account details for the first time.
• Pretending to be a business
  In these messages, texts or emails, you might be asked to click a link that takes you to a fake website – for example, the website might claim to be the Triodos Bank website (See ‘How to check that a website is genuine’). On this site you could be asked to give your internet banking details. We will never send you a link to the login pages of internet banking.
• Spyware in links
  Some scam emails ask you to download something onto your computer or network – this could be a link to a website or an attachment. This tool could spy on your computer or lock you out until you pay a ransom or reveal your bank security details.
• Smishing (fraudulent text messages)
  These are text messages that appear to be from well-known businesses, claiming you need to click the link to update your details. Often the links are disguised with short links – like bitly links, e.g. https://bit.ly/2kwosxu. Tempting as it is to use the link, contact the company using the details on their website to verify that they sent the text, and that it’s safe to click on the link. Fraudsters will impersonate these companies to obtain your valuable information.
  

Business (or corporate) identity theft is a type of fraud that involves a criminal stealing a company’s identity and using it to buy goods and services by establishing lines of credit with banks or retailers.

Organisations are often targeted because:

• They have bigger account balances
• They have higher credit limits
• Making large payments regularly isn’t suspicious
• Information is often freely available on their website or on the internet

How to protect yourself:

1. Protect company information
   Don’t share anything about your business online or publicly that could put your organisation at risk. Write a policy for your staff that includes guidance around social media use. Educate your employees about business identity theft so that they know what to look out for, how to help avoid identity theft, how to spot it and how to report it to minimise the impact.
2. Regularly review accounts
   Regularly review all account statements, credit reports, and business registration information.
3. Install security or anti-fraud software
   Invest in software that can assess risks and help identify fraud or suspicious activity.

Do not respond to any email that asks you for information about your internet banking log in details. If you have received a suspicious email, do not respond and call our Contact Team as soon as you can during our opening hours on 0330 355 0355 to check if it is a genuine email.

Our opening hours are published on our help and support page.

If the text is from a sender you know, or from a shortcode (five to eight digits long):

• Reply ‘STOP’. You shouldn’t be charged for this, and it will let the sender know you don’t want to receive their text messages.
• If you’re unhappy about receiving the text or continue to receive them after asking the sender to stop, you can complain to the Information Commissioners Office (ICO) on 0303 123 1113 or online.

If the spoof text message (sometimes known as smishing) is from an unknown sender, or from an organisation you’re not familiar with:

• Do not reply or click on a link in the text. Responding confirms your number is active and could result in you receiving more messages or calls.
• Report the spam text to your network operator. Simply forward the text to 7726. An easy way to remember ‘7726’ is that they’re the numbers on your phone keypad that spell out the word ‘SPAM’. You may get an automated response thanking you for the report and giving you further instructions if needed, like forwarding on the number the spam text message was sent from. You won’t be charged for forwarding spam texts to 7726.
  

If you receive a call from Triodos, we’ll be happy for you to question who we are and call us back on the number published on our website, just to make sure. If you can, call us back from a different phone, as an extra safety precaution. Fraudsters can clone numbers, so it may look like the number we use to call you.

We will never call you to ask you to transfer money or for your Digipass codes, and we will never ask you to download software onto your device. If someone calls pretending to be from Triodos, and they ask you to do these things, hang up immediately and report it to us on 0330 355 0355.

CEO Fraud is when cyber criminals hack into company email accounts, or set up a fake personal email account, to impersonate the CEO, Managing Director or senior staff and ask an employee to make payments to an account managed by the fraudster. They’ll typically target a company's finance department, but may also target other employees who have authority to make payments.

Usually the request sounds urgent, to panic the employee into acting without thinking and going through the usual checks and balances. The kinds of payments they’ll ask you to make are invoices for a supplier, utility or service, or products the company needs.

Contact us immediately on 0330 355 0355 (or if abroad on +44 (0)1179 739339) if:

• You’ve lost any of your security details or think they have been stolen
• You think someone else may be able to use your security details

For fraud related queries, we're available 8am-6pm Mon-Fri (9am-6pm Thu), and 10am-4pm weekends.

Once you've contacted us we'll ask you for all information you have about the loss or theft and may require you to report it to the police

We also advise you to report it to Action Fraud – the UK’s national fraud and cyber crime reporting centre:

• Call: 0300 123 2040
• Report it online: actionfraud.police.uk

Criminals are experts at impersonating people, organisations, and the police. They spend hours researching you for their scams, hoping you’ll let your guard down for just a moment. Stop and think. It could protect you and your business’ money. Before making a payment, follow the advice fromTake Five to Stop Fraud:

• Take a moment to stop and think before parting with your money or personal information. It could keep you safe.
• Ask yourself, could it be fake? It’s ok to reject, refuse or ignore any requests. Only criminals will try to rush or panic you.
• Do your research and be suspicious of any too-good-to-be-true offers or prices.
• Remember, your bank or the police will never ask you to transfer money to a safe account.

When you are making a payment:

• Always follow any advice or warnings from your bank or payment service provider.
• Your bank might ask you extra questions about a payment. This is to help keep you safe. Always answer these questions truthfully. If someone is asking you to lie or telling you what to say to your bank, then it’s very likely to be a scam.
• It might take slightly longer for a payment to leave your account. This is so we time to do extra checks to keep you safe from fraud.
  

Social media fraud can be many things. It could look like:

• An unusual message from a friend, colleague or family member on Facebook, Twitter, LinkedIn or other social media platform. Fraudsters sometimes hack social media accounts to scam people into sending them money or personal data. If you get an unusual request like this, call your friend on a number you trust to make sure the message is real.
• A request to connect with you or a message from an account you don’t know. Often these have lots of spelling mistakes or a messy layout, but not always. It’s best not to accept a request to connect with someone or give consent for them to message you unless you know who they are and trust them.
• Competitions and quizzes. If you have to give personal details to enter a competition or quiz, make sure you trust the owner of the quiz or competition and that they are a genuine company. Quizzes and competitions are often created to capture participants’ personal information, which they can later sell or use against you.
  

Rules in place from 07 October 2024 mean that banks must reimburse Authorised Push Payment (APP) scam claims which meet the below criteria. If you have authorised a payment which does not meet the below criteria, please still contact us as soon as possible on 0330 355 0355 (or +44 (0)1179 739339 if calling from abroad) to report this.

Covered

⦁ Payments made within the UK. You are not covered for a payment sent overseas.
⦁ Payments made using Faster Payments (a quick way of sending money between bank accounts).
⦁ Payments made using CHAPS.
⦁ Payments from personal accounts if they are not being used for trade or business.
⦁ Payments made by micro-enterprises and certain charities.

Not covered

There are some situations where you won’t be able to get your money back. This includes if:
⦁ you haven’t taken the steps needed to meet the Consumer Standard of Caution.
⦁ you paid using cash, a cheque, or a credit, debit, or prepaid card.
⦁ it’s a civil dispute: for example, if you've paid a genuine retailer or business but you aren’t satisfied with the product or service you’ve received.
⦁ you have acted fraudulently yourself – including if you have lied or misrepresented your circumstances for financial gain.
⦁ it’s a payment you have made to another account that you control.
⦁ the payment you made is unlawful: for example, if the payment was for an illegal item.
⦁ it is a payment to and from an account with a credit union, municipal bank, or a national savings bank.

If a payment is taken from your account by someone else without your permission it is called unauthorised fraud. For example, if your bank card is stolen and used to buy something in a shop or online. There are separate rules that cover this type of fraud. Contact us immediately if you spot any transactions that you do not recognise.

• Use a different, strong password for every social media account you have – ideally with special characters, numbers and lower and upper case letters.
• Don’t create passwords that contain personal information - fraudsters scan social media accounts for personal details and try to guess passwords and steal identities.
• Some fake accounts are created to capture personal information, so don’t give personal information to anyone you don’t know and trust.
• Don’t click on links if they’re not from a trusted website - some links can put a virus on your device.
• Always log off to prevent someone else accessing your account.
• Be mindful of what you share and post on company social media channels whose services you use. Social media is great for contacting companies directly to solve problems or give feedback. If you mention or message your bank, phone network or utility provider on social media, be aware that this information is public and fraudsters can use it to convince you they’re calling from these companies.
  
  

We take all incidents of fraud or suspected fraud seriously and understand it can be very worrying for our customers. We have systems in place to help monitor and protect against fraud but in some instances you may be concerned about a transaction. If so please contact us as soon as possible. For further information on safeguarding yourself against fraud please see the Take 5 campaign information.

Authorised push payment (APP) fraud happens when you are tricked by a criminal into sending money by bank payment to an account that they control and which you do not.

New rules effective from 07 October 2024 introduce requirements for all banks to reimburse victims of APP fraud.

Every claim will be assessed on a case-by-case basis. As part of the process we will consider the evidence presented by you, any service providers involved and – where relevant – a third party, such as the police. For more information about what is covered for reimbursement and what is not please see ‘When is a fraudulent authorised push payment (APP) payment covered?’.

We may not reimburse money lost in an APP fraud if you have not taken certain steps before and after you make the payment. These steps are known as the Consumer Standard of Caution, and are as follows:

• You need to follow any warnings from us, such as an alert that the payment you are making is fraud or could be fraud. You also need to follow any instructions from the police or the National Crime Agency.
• You must report the fraud as soon as you can, and no more than 13 months after the last fraudulent payment was made.
• We may ask you for additional information about your claim. You need to make sure you respond to these requests.
• Once you have made a claim, we may ask you to report the details of the fraud to the police.

If someone accesses your business account without your authorisation, we’ll refund the full amount of money taken from your account, as long as you:

• have not given someone else your security details (including your digipass PIN)
• have used reasonable care when using internet banking (e.g. logging out at the end of each internet banking session and not leaving your computer unattended while logged in)
• inform us as soon as possible of any security breach or potential breach
• have not acted fraudulently
• have taken all reasonable precautions to safeguard your personal and financial details. Read our terms and conditions below for more

• Every claim will be assessed on a case-by-case basis. As part of the process we will consider the evidence presented by you, any service providers involved and – where relevant – a third party, such as the police.
• If your claim is valid, in most cases your business account should be reimbursed within five business days of making a claim. Business days are Monday to Friday and exclude all UK bank holidays and includes additional holidays in Northern Ireland and Scotland.
• In some case it can take up to 35 days to be reimbursed. This is when we need extra time to gather information from you, the bank that received the payment, or a statutory body (such as the Financial Conduct Authority) to inform their assessment of the case.