As you'd expect from a bank, we take security very seriously - here are some things we do to keep you safe. To help you spot fraud, we’d also like you to know the things we’d never do.

What we do

• Provide around the clock debit card transaction monitoring.
• Provide 24/7 phone support to answer your questions about your debit card.
• Give you the ability to block your card in the Triodos App or Internet Banking.
• Temporarily block accounts and debit cards if fraudulent activity is suspected.
• Automatically log you out of Internet Banking and the app after a period of inactivity.
• Keep you up to date with fraud protection advice.
• Send text alerts when online or card transactions are made.
• Temporarily suspend your Internet Banking if left dormant for a long time.
• Monitor payments to assess whether the payment you are making is likely to have been made as part of a scam.

What we’ll never do

We will never contact you out of the blue to ask you:

• For your mobile app passcode.
• For your digipass PIN.
• For your card number or PIN.
• To transfer money out of your account.
• To click a link in an email to our Internet Banking.
• To download any software onto your PC or mobile phone.
• To authorise or cancel card payments through the app, or approve “refunds”.

If in doubt, call us on the number on our website, or delete the email without opening it.

Learn more about how to stay safe online or visit the action fraud website.

If the text is from a sender you know, or from a shortcode (five to eight digits long):

• Reply ‘STOP’. You shouldn’t be charged for this, and it will let the sender know you don’t want to receive their text messages.
• If you’re unhappy about receiving the text or continue to receive them after asking the sender to stop, you can complain to the Information Commissioners Office (ICO) on 0303 123 1113 or online.

If the spoof text message (sometimes known as smishing) is from an unknown sender, or from an organisation you’re not familiar with:

• Do not reply or click on a link in the text. Responding confirms your number is active and could result in you receiving more messages or calls.
• Report the spam text to your network operator. Simply forward the text to 7726. An easy way to remember ‘7726’ is that they’re the numbers on your phone keypad that spell out the word ‘SPAM’. You may get an automated response thanking you for the report and giving you further instructions if needed, like forwarding on the number the spam text message was sent from. You won’t be charged for forwarding spam texts to 7726.
  

Investment fraud comes in many forms, but is typically when someone poses as an investment service provider, Financial Advisor or fund manager to convince you to transfer large sums of money into a company or service that doesn’t actually exist.

They can create convincing-looking websites and adverts, and send you emails, texts and automated voice messages offering investments that sound too good to be true. They often are.

Before you transfer any money:

• Always check the FCA's ScamSmart webpage for advice on being a ScamSmart investor
• Always check the FCA register to see if the investor is regulated and what they are regulated to do
• Always confirm the company exists by checking Companies House
• Always call the company on the number on their FCA register listing to confirm the correct payment details.

Genuine financial services will never:

• Cold call you
• Put pressure on you to invest
• Ask you to transfer immediately to lock in a deal or take advantage of a time-limited offer or special discount

As a general rule, if it sounds to good to be true, it probably is. Beware of promises of high returns and guaranteed returns with no risk.

>More fraud advice

Useful resources

• Money Advice Service - advice for choosing a financial advisor
• Age UK – Investment Scams

This is when fraudsters send fake invoices claiming to be from a real business you work with. Sometimes they hack the emails of your supplier to send the invoice, so the email address is genuine, but the payment details are changed to those owned by the fraudster. It’s sensible to call your suppliers on the number on their website to verify their payment details before you pay new account details for the first time.

Steps you can take to protect against invoice fraud:

• Check invoices carefully
  All staff who process supplier invoices and have the authority to change bank details should check supplier names, addresses, invoice amount and bank details to ensure they’re correct.
• Verify payment changes
  If a supplier asks to update their payment details, always verify it with them by calling the number on their website.
• Follow up invoice payments
  When you pay a supplier invoice, let the supplier know the payment has been made, confirming the amount and bank details paid into.
• Check bank statements carefully
  Report all suspicious debits to your bank immediately.
• Call suppliers back
  If you are suspicious about a phone request, say you’ll call the supplier back. Use the number published on their website or saved to your phone so you know it’s the genuine number you’re calling.
• Review public information about your suppliers
  Fraudsters often thoroughly research suppliers of organisations so that they can convincingly impersonate them. It may be a good idea to remove any information about your suppliers from your website and other public materials.

If you receive a call from Triodos, we’ll be happy for you to question who we are and call us back on the number published on our website, just to make sure. If you can, call us back from a different phone, as an extra safety precaution. Fraudsters can clone numbers, so it may look like the number we use to call you.

We will never call you to ask you to transfer money or for your Digipass codes, and we will never ask you to download software onto your device. If someone calls pretending to be from Triodos, and they ask you to do these things, hang up immediately and report it to us on 0330 355 0355.

Identity theft is when someone steals your personal details. They might go through your post or rubbish to find bank and credit card statements. Or they might use social media sites, forums and other online platforms to steal your personal information.

Identity fraud is when someone uses your stolen identity to buy products or services, like credit cards, loans or mobile phone contracts.

You might not know your identity has been stolen until you get a bill, invoice or delivery for something you didn’t buy. Or until you receive a letter from debt collectors for debts that aren’t yours.

There are ways you can protect yourself, however. Read our How-to guide on how to protect yourself from identity theft and identity fraud.

Fraudsters often look for data on people that they can use to impersonate or defraud them.

They may research you or your colleagues, so we advise that you educate your staff about protecting their data and ensure they are fraud aware too.

What kind of data might a fraudster steal?

• Personal details, such as your name, address, date of birth and National Insurance number.
• Contact details like your mobile phone, landline, work number and email address(es).
• Memorable information used for security and passwords, such as mother’s maiden name, schools or university attended, pet names, car makes and names of family members.
• Your bank account number, sort code and card details.
• PINs, passwords, Digipass number or other login details.

Ways fraudsters might get hold of your data:

• Social media and online forums – LinkedIn, Facebook, Twitter, Instagram, Reddit – all public platforms could hold a wealth of information about you, your employees, your business and your customers.
• Your company website – if your business has a website, consider what information you include. We advise you not to put your bank details on your website, as fraudsters can use this to impersonate you or your bank.
• Competitions and quizzes – particularly those found on social media websites.
• Calling you and pretending to be a trusted organisation.
• Companies who sell your email address or phone number - always read terms and conditions when signing up for a product or service.
• Bank statements, post and paper documents. Always lock away documents that hold sensitive information and destroy them when no longer required.
• Hacking into email accounts. Ensure your IT systems are secure and be wary of using shared internet connections outside of work. Consider that your suppliers, customers and partners can also have their emails hacked. We recommend that you do not share sensitive data via email – if you need to, encrypt the information with a password.
  

Social media fraud can be many things. It could look like:

• An unusual message from a friend, colleague or family member on Facebook, Twitter, LinkedIn or other social media platform. Fraudsters sometimes hack social media accounts to scam people into sending them money or personal data. If you get an unusual request like this, call your friend on a number you trust to make sure the message is real.
• A request to connect with you or a message from an account you don’t know. Often these have lots of spelling mistakes or a messy layout, but not always. It’s best not to accept a request to connect with someone or give consent for them to message you unless you know who they are and trust them.
• Competitions and quizzes. If you have to give personal details to enter a competition or quiz, make sure you trust the owner of the quiz or competition and that they are a genuine company. Quizzes and competitions are often created to capture participants’ personal information, which they can later sell or use against you.
  

No-one wants to imagine that one of their employees would commit fraud, but sometimes this happens. There are a few things you can do to protect your organisation:

• Never share your Digipass or PIN
  Digipasses are unique to each account operator, so if you allow someone else to use your Digipass it will be recorded as a payment authorised by you. If you have new staff or need to change an account operator, download the Business Banking change of account operator form and post it to Freepost TRIODOS BANK. We can set up each new staff member with their own Digipass and internet banking access. If you remove an account operator, please send the Digipass back to us.
  
• Employee checks
  Review your recruitment procedures and ensure you’ve got appropriate checks and references in place for candidates hoping to join your organisation, such as criminal record checks and references from previous employers. See the ACAS website for advice.
  
• Be aware of who has access to sensitive information
  Regularly check who can access important data and systems, such as customer or membership data, or financial information. When employees leave your organisation their access should be stopped. Access should only be given to employees who really need access to these systems or data.
• Create a whistleblowing policy
  This can support your employees to anonymously report suspicious activity they see in the organisation. Promote the policy so all staff feel confident and safe in reporting suspicious activity. For more advice on whistleblowing, see the gov.uk website.
  

Business (or corporate) identity theft is a type of fraud that involves a criminal stealing a company’s identity and using it to buy goods and services by establishing lines of credit with banks or retailers.

Organisations are often targeted because:

• They have bigger account balances
• They have higher credit limits
• Making large payments regularly isn’t suspicious
• Information is often freely available on their website or on the internet

How to protect yourself:

1. Protect company information
   Don’t share anything about your business online or publicly that could put your organisation at risk. Write a policy for your staff that includes guidance around social media use. Educate your employees about business identity theft so that they know what to look out for, how to help avoid identity theft, how to spot it and how to report it to minimise the impact.
2. Regularly review accounts
   Regularly review all account statements, credit reports, and business registration information.
3. Install security or anti-fraud software
   Invest in software that can assess risks and help identify fraud or suspicious activity.

• Use a different, strong password for every social media account you have – ideally with special characters, numbers and lower and upper case letters.
• Don’t create passwords that contain personal information - fraudsters scan social media accounts for personal details and try to guess passwords and steal identities.
• Some fake accounts are created to capture personal information, so don’t give personal information to anyone you don’t know and trust.
• Don’t click on links if they’re not from a trusted website - some links can put a virus on your device.
• Always log off to prevent someone else accessing your account.
• Be mindful of what you share and post on company social media channels whose services you use. Social media is great for contacting companies directly to solve problems or give feedback. If you mention or message your bank, phone network or utility provider on social media, be aware that this information is public and fraudsters can use it to convince you they’re calling from these companies.
  
  

For card related fraud, block your card in the Triodos Mobile Banking App or in Internet Banking. Then, please call us on 0330 355 0355 (or +44 (0)1179 739339 if calling from abroad) to speak to our 24/7 card services department.

For other fraud issues and queries, we're available 8am-6pm Mon-Fri (9am-6pm Thu), and 10am-4pm weekends.

We’ll ask you for all relevant information related to the scam, loss or theft and in some cases may ask you to report this to the police.

We’ll advise you on any next steps, and we may provide you with advice to help keep your account secure whilst we investigate.

Where Fraud is confirmed you should also report it to Action Fraud – the UK’s national fraud and cyber crime reporting centre:

• Call: 0300 123 2040
• Report it online: actionfraud.police.uk

If your card or security details are used to make a payment or transfer without your permission, we will refund the full amount (minus £35 where applicable) of the payment as soon as is operationally possible. This includes repayment of any interest or charges incurred as a result of the payment. However, you must notify us as soon as possible and no later than 13 months after the debit date. After this time we will not be able to issue a refund.

You may have to pay up to £35 if:

• Your card is used after being lost or stolen
• You fail to keep your security details safe

You may be responsible for money taken from your account up until the point you report it to us, if you:

• Don’t keep your card or security details secure
• Don’t tell us as soon as possible that your card is lost or stolen
• Share your card, digipass or security details with a third party
• You were aware that your account had been compromised at the time that the payment was made and you failed to tell us.

You will not be responsible if you’re unable to notify us because our phone lines are unexpectedly unavailable or closed, as long as you call us when our lines open the next day.

Identity fraud happens when someone steals and uses your personal information to buy products or services. They get hold of this information in many ways - taking post from your bin, looking for information about you online, or contacting you directly, pretending to be from a real organisation.

There are several things you can do – offline and online - to protect your personal information. Here are a few tips.

Protect yourself offline:

1. Shred your post
   Shred or cut up your post before putting it in the bin, so your name and address cannot be stolen.
2. Redirect your post
   If you move house, ask Royal Mail to redirect your post for at least a year.
3. Be tidy
   Don’t leave things like bills or personal documents lying around for others to see. Even on your work desk.
4. Know your bank
   This sounds like an odd one, but knowing how your bank will and won’t contact you can help you spot fraudulent emails, texts or calls claiming to be from your bank. If a bank statement or new bank card doesn’t arrive, tell your bank or card company immediately.

Protect yourself online:

1. Create complex passwords
   Create strong passwords and different passwords for every online account you have (email, online banking, social media, retail websites etc). Avoid using personal information in passwords, like names of family, school, pets, cars. This will reduce the likelihood that someone could guess or hack your password and access other platforms you use. You might find a password management tool useful.
2. Use anti-virus software
   Protect your internet-connected devices with up-to-date security software, and make sure you install all official software updates and security fixes on your devices.
3. Connect with those you know
   Don’t accept invitations from people you don’t know on social media sites.
4. Be wifi wise
   Public wifi connections and Hotspots can be hacked and used to see what you’re doing online. Whilst it’s fine to use public wifi for browsing, never use it for buying something, logging in, online banking, filling in forms – or anything else that requires your personal or card data.
5. Be private
   Double-check that your social media profiles are private so that you’re only sharing information with people you know.
6. Think before you post
   Before you post anything on social media, forums or online platforms, make sure you’re not revealing any personal information – even pictures of your car registration can be used to get your address from DVLA records.

It can be very difficult to spot a fraudulent call. The best thing you can do if you get an unexpected call – especially if the person is asking you to make a payment or move funds, or rushing you to make a decision – is to call the organisation back on the number published on their website.

Fraudsters may call you or someone in your team and pretend to be a well-known business like BT, the bank, HMRC, the police, a supplier or even another person in your business.

Examples of what a fraudster might ask you to do:

• Move your money to a safe, secure holding account
  Fraudsters often call businesses pretending to be from their bank. They may ask you to move your money to a safe account because of suspected fraud or risk to your account. In reality, this ‘safe’ account is controlled by the fraudster. Hang up and report it to Action Fraud UK and your bank.
  
• Change the payment details of one of your suppliers
  Fraudsters often impersonate suppliers and ask businesses to pay into a new account – controlled by the fraudster. Check the caller is genuinely your supplier by calling back on the number on their website or, better still, by calling your direct contact at the company.
• Download something – software, a programme, app or other online tool
  Fraudsters may tell you there’s something wrong with your computer and it’s not secure. By downloading some software, they’ll be able to fix it for you. They might even offer you compensation or a refund for this inconvenience. In reality, the downloaded software could give them access to your computer. They may ask you to log in to your internet banking so they can issue your refund, when really they’re asking you to authorise payments into their own account. Triodos will never call you out of the blue and ask you to transfer money into another account, or download something onto your device.
• Tell them your Digipass codes
  Your Digipass codes give permission for money to leave your account. Never give these codes, no matter what they tell you. We will never ask you for these codes.
  

CEO Fraud is when cyber criminals hack into company email accounts, or set up a fake personal email account, to impersonate the CEO, Managing Director or senior staff and ask an employee to make payments to an account managed by the fraudster. They’ll typically target a company's finance department, but may also target other employees who have authority to make payments.

Usually the request sounds urgent, to panic the employee into acting without thinking and going through the usual checks and balances. The kinds of payments they’ll ask you to make are invoices for a supplier, utility or service, or products the company needs.

Fraudsters try getting money from organisations by sending fake emails and texts to gain access to their internet banking details. It can be difficult to spot a fraudulent email, but there are things you can check for clues it’s a fraudulent email.

• Check the sender email address
  Always check the sender’s email address to make sure it’s from the person you think. Fraudsters can change the ‘From’ name so it can look like it’s come from your bank, or a person’s name. If you hover over the name, the sender’s email address should be displayed. If it’s a company email address, an online search of the email address will often tell you if it’s a genuine address.
• Call the sender
  If you get an unusual request from someone you know, asking you to transfer money or download something onto your computer, and the email address looks genuine, there’s a possibility their email account was hacked. To be safe, it’s best to call them to make sure they sent the email and really made the request.
• Look for spelling mistakes
  Scam emails can often look odd, with a messy layout and spelling mistakes.

Common email and text scams to look out for:

• CEO fraud
  Fraudsters email employees pretending to be the owner or CEO of the organisation, asking them to make a payment or transfer.
• Supplier fraud
  Fraudsters pretend to be your supplier letting you know their payment details have changed.
• Invoice fraud
  Fraudsters send fake invoices claiming to be from a real business you work with. Sometimes they hack the emails of your supplier to send the invoice, so the email address is genuine, but the payment details are changed to those owned by the fraudster. It’s sensible to call your suppliers on the number on their website to verify their payment details before you pay new account details for the first time.
• Pretending to be a business
  In these messages, texts or emails, you might be asked to click a link that takes you to a fake website – for example, the website might claim to be the Triodos Bank website (See ‘How to check that a website is genuine’). On this site you could be asked to give your internet banking details. We will never send you a link to the login pages of internet banking.
• Spyware in links
  Some scam emails ask you to download something onto your computer or network – this could be a link to a website or an attachment. This tool could spy on your computer or lock you out until you pay a ransom or reveal your bank security details.
• Smishing (fraudulent text messages)
  These are text messages that appear to be from well-known businesses, claiming you need to click the link to update your details. Often the links are disguised with short links – like bitly links, e.g. https://bit.ly/2kwosxu. Tempting as it is to use the link, contact the company using the details on their website to verify that they sent the text, and that it’s safe to click on the link. Fraudsters will impersonate these companies to obtain your valuable information.
  

Fraud can affect anyone, and you can help protect your friends, family and neighbours by telling them about different types of scams to help them be savvy about fraud.

You can also help by looking out for signs that could mean they are being targeted by fraudsters:

• lots of junk mail – postal or email
• unexpected or suspicious calls, texts or emails
• visits from strangers
• lots of deliveries for things they don’t seem to need
• an unexpected change in financial circumstances, or money troubles
• uncomfortable talking about money
• unnecessary work to their house or garden
• a new friendship that seems out of place somehow

Our card department provides 24 hour transaction monitoring on the Triodos Debit Card and will block a transaction or a card if required. In this event we will send a text message asking you to call us. We will not ask for the card PIN, three-digit CVV code on the back of the card or any information regarding your digipass.