Security for your online banking

Whenever you connect to a Commerzbank online application, the Commerzbank system automatically identifies itself via a certificate issued by an independent authority. Your device will not send data to the Commerzbank system until the authenticity of this certificate has been verified. The certificate guarantees that you are connected to the legitimate Commerzbank online system.

You have to log in to use the online applications. This means that you must enter your user ID or username together with your PIN code or password. This serves to verify your user identity; no one else can gain access to your data. If incorrect access data is entered three times in a row, access to the online account is automatically blocked.

Data exchange between your device and the Commerzbank online applications is fully encrypted. The encryption keys used for this are known only to your device and the Commerzbank system. For data spies, an encrypted message is merely a meaningless string of characters.

Encryption prevents third parties from changing the transmitted messages. And thanks to the Transport Layer Security (TLS) protocol used in the online banking system, the risk of manipulation by means of arbitrary tampering with characters is effectively eliminated.

Every single transaction must be authorised, i.e. approved, by you. In terms of Commerzbank’s online applications, you authorise transactions using the photoTAN app on your smartphone and/or the photoTAN reader.

Our security concept ensures that only one session at a time can be opened with your user ID. If there is no activity for an extended period during your session, it will be automatically terminated. The same applies if an error occurs for any reason whilst your device is connected to the application, in which case the session is ended automatically.

Data exchange between your device and the Commerzbank server is based on the Transport Layer Security (TLS) protocol. The level of encryption largely depends on the length of the keys. To ensure maximum security, Commerzbank encrypts the entire data exchange with at least 128 bits.

E-mails are the most commonly used form of business communication today. However, they also pose a high security risk and must therefore be effectively encrypted.

Securing e-mail communication with powerful encryption procedures has therefore become a must. The following methods have become standard procedures:

TLS is the minimum standard in Germany, as defined by the German Federal Office for Information Security (BSI). TLS-encrypted communication requires both the sender’s and recipient’s servers to be TLS-compliant. Commerzbank has been using this procedure for several years.

If none of these procedures are available to the recipient of a Commerzbank e-mail, Secure Mail offers another safe alternative for individual cases: the e-mail is sent as an encrypted PDF file that can be opened with a one-time password. The recipient receives this password by text message on their mobile phone.

How the fraud works:

A fake, seemingly internal e-mail instructs an employee to carry out a transaction. In most cases the instruction comes from management, e.g. indicating that the employee will receive a phone call from an entrusted lawyer. One of many familiar scenarios, intended to trick an employee, is an upcoming merger, which is strictly confidential due to the company’s stock market listing. The caller usually contacts the employee several times, giving them multiple orders. We are also aware of simulated telephone and video conferences. The payment recipients are often based in other European countries, in Russia, Southeast Asia or China.

What you can do to protect yourself:

• If you receive a suspicious e-mail, get in touch with your management by telephone immediately.
• Be aware of the information you and your employees publish about your company.
• Introduce clear absence regulations and unambiguous rules, e.g. for substitutes.
• Inform your employees about fraud scenarios.

What to do if you are affected:

Recall the transfer immediately via the account-keeping bank, including notification to the recipient bank. Amounts that have already been credited are usually very difficult to recover. Report the case to the police.

How the fraud works:

Potential victims receive an e-mail with the message “We have changed our bank account details,” along with a request to transfer the invoice amount to the fraudsters’ account. The payment recipient’s servers have been compromised beforehand and data, e.g. about e-mail correspondence, has been obtained. The fraudsters can use this information to send e-mails in the name of the payment recipient to provide false bank details.

What you can do to protect yourself:

• If you receive a suspicious e-mail, get in touch with your known contacts by telephone immediately. Under no circumstances should you use any telephone numbers provided in the e-mail. Use only the contact details you already have.
• Verify the bank account details once more by phone with your contact. Make sure to document this conversation for your records.
  

What to do if you are affected:
in the event of an incorrect transfer, recall the transfer immediately via your account-holding bank, including notification to the recipient bank. Amounts that have already been credited are usually very difficult to recover. Report the case to the police.

How the fraud works:

Fraud using remote maintenance software (remote access tools) is effective and very dangerous. For instance, internet fraudsters may claim to be IT technicians from Microsoft and alarm the victim by claiming that their computer has been infected with a virus. The victim is then pressured to install a remote access tool – against payment – supposedly to remove the virus.

Alternatively, a person claiming to be a Commerzbank employee calls under the pretext that they need to provide a vital update. The software package they mention is actually a remote access tool. As a means of distraction, the affected individual could be sent to various computers during the setup.

What you can do to protect yourself:

• Do not grant any unknown person access to your PC and do not install any remote maintenance software.
• Exercise caution when dealing with fee-based services offered over the telephone!
• Do not reveal any confidential financial information to strangers.
• Regularly update your antivirus software, preferably in conjunction with the firewall. Always install every security update for your virus scanner.

How the fraud works:

The term “social engineering” refers to a tactic where fraudsters use specific psychological tricks to manipulate social media users. The aim is to extract confidential information from the employees.

Employees use social networks not only for personal purposes but also professionally, with profiles for trusted business partners, colleagues, as well as consultants and headhunters. Fraudsters send contact requests to link the profiles and access the victim’s data as well as that of the people networked with them. That allows supposed headhunters to easily spy on names, the professional positions of third parties and their business relationships. Mobile phone numbers and e-mail accounts (both personal and business) can be misused to make contact. For example, you might be contacted under a false identity that you may recognise from your professional network. It may not be apparent to you that criminals could be hiding behind many of these profiles.

What you can do to protect yourself:

• If you receive a contact request, carefully check whether you know the person or the person who recommended them.
• Configure your social media account to ensure that professional contacts are not visible to everyone.
• Check the profiles from which you have received a contact request in advance for qualified contents and discrepancies.
• If you are contacted by headhunters, check whether their company exists.

What to do if you are affected:

Open the social media profile (e.g. on Xing or LinkedIn) that looks suspicious to you. Then click on “More” on the top right and then on “Report profile”.

How the fraud works:

Internet users receive an e-mail or letter that appears to be from their bank. Under a pretext, the users are asked to click on a link in the e-mail or by scanning a QR code in the letter to log in to the online banking site.

However, this link leads to a fake website that closely resembles the real one. Users are prompted to enter their login and authorisation data, which is then misused for illegal purposes by the fraudsters.

What you can do to protect yourself:

• Firstly, you can be certain that Commerzbank will never ask you to update your personal details by e-mail or letter or ask you to log in online for any other purposes.
• That alone means that you can safely ignore such messages. Never click on the links in such e-mails. In case of doubt, contact our Customer Service.

Furthermore, we recommend the following procedure for logging in:

• Type the address manually into the relevant line of your browser, or use a bookmark previously saved in the “Favourites” menu.
• Do not use any links sent in e-mails or QR-Codes in letters, even if the message seems to come from a trusted sender.
• Do not complete any electronic forms in e-mails that include a request to disclose login data.
• Always use an up-to-date browser. Get regular security updates from the developer of your computer’s operating system – e.g. for Windows on https://windowsupdate.microsoft.com.

Features of a phishing mail or phishing letter:

• E-mail or postal address does not match the company mentioned.
• Threat of blocking the account or threat of fees if a deadline is not met.
• Alleged security review in the form of prompts to follow a link or scan a QR code and enter credentials or personal information.
• Invoices with attachments without an order being placed, prompting you to open an attachment.
• Reminders / threats with criminal complaint or similar.

What to do if you are affected:

If you suspect that you have fallen victim to a “phishing” message and fraudsters have obtained your credentials, please take the following steps:

• If you have revealed your login data, immediately deactivate the access in the dropdown menu (Online banking > Administration) and contact us.

How the fraud works:

Trojans (derived from the term “Trojan horse”) are disguised as a useful software but run damaging programmes, known as malware, in the background. For example, a renowned company sends alleged invoice e-mails to potential victims. This e-mail typically constructs a scenario designed to instil fear. The recipient is told they will find the reason for a high invoice amount via a link in the attachment, attempting to induce the recipient to click on the link or open the attachment. As soon as they do so, the malware is installed on their computer and spreads throughout the corporate network which ultimately leads to data theft or encryption, along with ransom demands for decryption.

What you can do to protect yourself:

• Do not let yourself be caught off guard; do not open attachments or links in e-mails if you are unsure of their origin.
• Be careful with add-ins/plug-ins from unknown developers.
• Regularly update your software and operating systems.
• Adjust your operating systems so your e-mails are always checked.
• Regularly scan all drives on your computer for malware.
• Use a firewall that monitors network traffic.
• Always use an up-to-date virus protection software and configure it to ensure that your e-mails are always scanned.