Security for your online banking
In the event of suspected fraud, or theft or loss of cards: blocking online banking access, accounts and cards
Blocking access to the corporate client portal (digital banking)
In the digital banking environment
Log in, click on the “My data” tab and then on “Block access”.
Via the phone
Call the blocking hotline for our corporate client portal at +49 69 5050 2786. We offer support 24/7, all around the world. A Commerzbank employee will carry out the blocking.
Blocking your corporate credit card (only in German)
Blocking your girocard (only in German)
Blocking your photoTAN
You can block your photoTAN yourself in our digital banking environment. The block is effective immediately. For security reasons, we recommend that you block your photoTAN procedure in the following cases: if you have lost or sold your smartphone, or you suspect misuse.
In the digital banking environment
- Log in to access your TAN settings.
- Click on “Manage” in the “photoTAN” line.
- Then click twice on the “Block photoTAN” button to confirm blocking of the photoTAN procedure.
Please note: if you are using several user numbers, carry out the process separately for each user number as described above.
Via the phone
- Get in touch with us. We offer support 24/7, all around the world.
- A Commerzbank employee will block your photoTAN procedure.
What we do for you: security standards & cyber crime
Authentication of online applications
Whenever you connect to a Commerzbank online application, the Commerzbank system automatically identifies itself via a certificate issued by an independent authority. Your device will not send data to the Commerzbank system until the authenticity of this certificate has been verified. The certificate guarantees that you are connected to the legitimate Commerzbank online system.
Access authorisation
You have to log in to use the online applications. This means that you must enter your user ID or username together with your PIN code or password. This serves to verify your user identity; no one else can gain access to your data. If incorrect access data is entered three times in a row, access to the online account is automatically blocked.
Confidentiality of data transfer – data integrity
Data exchange between your device and the Commerzbank online applications is fully encrypted. The encryption keys used for this are known only to your device and the Commerzbank system. For data spies, an encrypted message is merely a meaningless string of characters.
TLS also protects the integrity of the transmitted messages, so third parties cannot change them unnoticed. Thanks to the Transport Layer Security (TLS) protocol used in the online banking system, the risk of manipulation by means of arbitrary tampering with characters is effectively eliminated.
All transactions must be authorised
Every single transaction must be authorised, i.e. approved, by you. In terms of Commerzbank’s online applications, you authorise transactions using the photoTAN app on your smartphone and/or the photoTAN reader.
Only one session
Our security concept ensures that only one session at a time can be opened with your user ID. If there is no activity for an extended period during your session, it will be automatically terminated. The same applies if an error occurs for any reason whilst your device is connected to the application, in which case the session is ended automatically.
Data traffic with 128-bit encryption
Data exchange between your device and the Commerzbank server is based on the Transport Layer Security (TLS) protocol. The level of encryption largely depends on the length of the keys. To ensure maximum security, Commerzbank encrypts the entire data exchange with at least 128 bits.
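As an added illustration of the minimum-strength requirement described above (example code, not Commerzbank's own), the following Python builds a client-side TLS context that refuses anything below TLS 1.2 and any cipher suite with a symmetric key shorter than 128 bits, and reports the properties a reviewer would check. It uses only the standard library; the cipher string and the placeholder hostname are assumptions.

```python
import ssl


def strong_client_context():
    """Client TLS context enforcing a TLS 1.2 floor and >= 128-bit cipher keys.

    Python's default context already verifies the server certificate chain and
    hostname; this adds the protocol floor and a restricted cipher selection.
    """
    ctx = ssl.create_default_context()            # CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rejects SSLv3, TLS 1.0 and TLS 1.1
    # Assumed cipher string: forward-secret AEAD suites only, all with >= 128-bit keys.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5")
    return ctx


def context_summary(ctx):
    """Return the properties to check on a context before trusting it for banking traffic."""
    ciphers = ctx.get_ciphers()  # includes the TLS 1.3 suites on OpenSSL 1.1.1+
    return {
        "min_tls": ctx.minimum_version.name,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname,
        "weakest_cipher_bits": min(c["strength_bits"] for c in ciphers),
        "cipher_count": len(ciphers),
    }


if __name__ == "__main__":
    for key, value in context_summary(strong_client_context()).items():
        print(f"{key}: {value}")
    # For a real connection, wrap a connected socket with the context:
    #   ctx.wrap_socket(sock, server_hostname="banking.example.invalid")  # placeholder host
```

The `weakest_cipher_bits` figure is what the "at least 128 bits" statement translates to in practice: if a context ever reports a value below 128, the cipher string has been relaxed somewhere and should be tightened before use.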
Securing e-mail communication: Commerzbank Secure Mail
E-mails are the most commonly used form of business communication today. However, they also pose a high security risk and must therefore be effectively encrypted.
Securing e-mail communication with strong encryption procedures has become a must. The following methods have become standard:
E-mail encryption at a glance
Security standard | Procedure
Very high | Secure/Multipurpose Internet Mail Extensions (S/MIME)
High | Pretty Good Privacy (PGP)
Normal | Transport Layer Security (TLS)
TLS: minimum standard in Germany
TLS is the minimum standard in Germany, as defined by the German Federal Office for Information Security (BSI). TLS-encrypted communication requires both the sender’s and recipient’s servers to be TLS-compliant. Commerzbank has been using this procedure for several years.
PGP and S/MIME: Certificates and keys ensure your security
If none of these procedures are available to the recipient of a Commerzbank e-mail, Secure Mail offers another safe alternative for individual cases: the e-mail is sent as an encrypted PDF file that can be opened with a one-time password. The recipient receives this password by text message on their mobile phone.
Latest warnings
Currently, we are issuing warnings about:
Fake management e-mail (CEO fraud)
How the fraud works:
A fake, seemingly internal e-mail instructs an employee to carry out a transaction. In most cases the instruction appears to come from management, e.g. announcing that the employee will receive a phone call from a lawyer entrusted with the matter. One of many familiar pretexts used to trick the employee is an upcoming merger that is supposedly strictly confidential because of the company’s stock market listing. The caller usually contacts the employee several times, giving multiple instructions. We are also aware of simulated telephone and video conferences. The payment recipients are often based in other European countries, in Russia, Southeast Asia or China.
What you can do to protect yourself:
- If you receive a suspicious e-mail, get in touch with your management by telephone immediately.
- Be aware of the information you and your employees publish about your company.
- Introduce clear absence regulations and unambiguous rules, e.g. for substitutes.
- Inform your employees about fraud scenarios.
What to do if you are affected:
Recall the transfer immediately via the account-keeping bank, including notification to the recipient bank. Amounts that have already been credited are usually very difficult to recover. Report the case to the police.
Changed bank account after invoicing
How the fraud works:
Potential victims receive an e-mail with the message “We have changed our bank account details,” along with a request to transfer the invoice amount to the fraudsters’ account. The payment recipient’s servers have been compromised beforehand and data, e.g. about e-mail correspondence, has been obtained. The fraudsters can use this information to send e-mails in the name of the payment recipient to provide false bank details.
What you can do to protect yourself:
- If you receive a suspicious e-mail, get in touch with your known contacts by telephone immediately. Under no circumstances should you use any telephone numbers provided in the e-mail. Use only the contact details you already have.
- Verify the bank account details once more by phone with your contact. Make sure to document this conversation for your records.
What to do if you are affected:
In the event of an incorrect transfer, recall the transfer immediately via your account-holding bank, including notification to the recipient bank. Amounts that have already been credited are usually very difficult to recover. Report the case to the police.
Fraud with remote maintenance software
How the fraud works:
Fraud using remote maintenance software (remote access tools) is effective and very dangerous. For instance, internet fraudsters may claim to be IT technicians from Microsoft and alarm the victim by claiming that their computer has been infected with a virus. The victim is then pressured to install a remote access tool – against payment – supposedly to remove the virus.
Alternatively, a person claiming to be a Commerzbank employee calls under the pretext that they need to provide a vital update. The software package they mention is actually a remote access tool. As a distraction, the victim may be sent back and forth between several computers during the setup.
What you can do to protect yourself:
- Do not grant any unknown person access to your PC and do not install any remote maintenance software.
- Exercise caution when dealing with fee-based services offered over the telephone!
- Do not reveal any confidential financial information to strangers.
- Regularly update your antivirus software, preferably in conjunction with the firewall. Always install every security update for your virus scanner.
Social engineering: targeting employees via social media
How the fraud works:
The term “social engineering” refers to a tactic where fraudsters use specific psychological tricks to manipulate social media users. The aim is to extract confidential information from the employees.
Employees use social networks not only privately but also professionally, linking their profiles with trusted business partners and colleagues as well as with consultants and headhunters. Fraudsters send contact requests in order to link profiles and gain access to the victim’s data as well as that of the people networked with them. This allows supposed headhunters to easily spy out names, the professional positions of third parties and their business relationships. Mobile phone numbers and e-mail accounts (both personal and business) can be misused to make contact. For example, you might be contacted under a false identity that you recognise from your professional network. It may not be apparent to you that criminals could be hiding behind many of these profiles.
What you can do to protect yourself:
- If you receive a contact request, carefully check whether you know the person or the person who recommended them.
- Configure your social media account to ensure that professional contacts are not visible to everyone.
- Before accepting, check the profile from which you have received a contact request for credible content and for inconsistencies.
- If you are contacted by headhunters, check whether their company exists.
What to do if you are affected:
Open the social media profile (e.g. on Xing or LinkedIn) that looks suspicious to you. Then click on “More” on the top right and then on “Report profile”.
Phishing
How the fraud works:
Internet users receive an e-mail or letter that appears to be from their bank. Under a pretext, they are asked to log in to the online banking site by clicking on a link in the e-mail or by scanning a QR code in the letter.
However, this link leads to a fake website that closely resembles the real one. Users are prompted to enter their login and authorisation data, which is then misused for illegal purposes by the fraudsters.
What you can do to protect yourself:
- Firstly, you can be certain that Commerzbank will never ask you to update your personal details by e-mail or letter or ask you to log in online for any other purposes.
- That alone means that you can safely ignore such messages. Never click on the links in such e-mails. In case of doubt, contact our Customer Service.
Furthermore, we recommend the following procedure for logging in:
- Type the address manually into the relevant line of your browser, or use a bookmark previously saved in the “Favourites” menu.
- Do not use any links sent in e-mails or QR codes in letters, even if the message seems to come from a trusted sender.
- Do not complete any electronic forms in e-mails that include a request to disclose login data.
- Always use an up-to-date browser. Get regular security updates from the developer of your computer’s operating system – e.g. for Windows on https://windowsupdate.microsoft.com.
Features of a phishing mail or phishing letter:
- E-mail or postal address does not match the company mentioned.
- Threat of blocking the account or threat of fees if a deadline is not met.
- Alleged security review in the form of prompts to follow a link or scan a QR code and enter credentials or personal information.
- Invoices with attachments without an order being placed, prompting you to open an attachment.
- Reminders / threats with criminal complaint or similar.
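The features listed above can be turned into a simple screening rule for incoming mail. The following Python is an added example (not Commerzbank's own tooling) that parses a raw message with the standard `email` library and reports which indicators fire: a sender domain that does not match the organisation, pressure or threat phrases, links over plain http or to a foreign domain, a credential request combined with a link or attachment, and an unsolicited invoice attachment. The legitimate domain, the phrase lists and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the bank actually sends from (constructed for this example).
LEGITIMATE_DOMAINS = {"example-bank.invalid"}

# Constructed phrase lists covering the pressure tactics above: threats of blocking
# or fees, deadlines, alleged security reviews, reminders and legal threats.
PRESSURE_PATTERNS = [
    r"\bwill be (blocked|suspended|closed)\b",
    r"\bwithin \d+ (hours|days)\b",
    r"\b(fee|fees)\b",
    r"\bsecurity (review|check|verification)\b",
    r"\b(final reminder|criminal complaint)\b",
]
CREDENTIAL_PATTERN = r"\b(log ?in|pin|tan|password|credentials)\b"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _plain_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _is_legitimate_host(host):
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def phishing_indicators(raw_message):
    """Return the sorted list of indicator names triggered by a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    body = _plain_text(msg)
    text = (msg.get("Subject", "") + "\n" + body).lower()
    found = set()

    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    if not _is_legitimate_host(sender_domain):
        found.add("sender-domain-mismatch")

    if any(re.search(p, text) for p in PRESSURE_PATTERNS):
        found.add("pressure-or-threat")

    urls = URL_RE.findall(body)
    for url in urls:
        parsed = urlparse(url)
        if parsed.scheme.lower() != "https":
            found.add("plain-http-link")
        if not _is_legitimate_host((parsed.hostname or "").lower()):
            found.add("link-to-foreign-domain")

    has_attachment = any(part.get_filename() for part in msg.walk())
    if re.search(CREDENTIAL_PATTERN, text) and (urls or has_attachment):
        found.add("credential-request")
    if has_attachment and "invoice" in text:
        found.add("unexpected-invoice-attachment")

    return sorted(found)


# Constructed samples; the addresses and domains are placeholders.
PHISHING_SAMPLE = """\
From: "Example Bank Security" <security@example-bank-support.invalid>
To: treasury@customer.invalid
Subject: Final reminder: security review required
Content-Type: text/plain; charset=utf-8

Dear customer,
as part of a mandatory security review your online banking access
will be blocked within 24 hours unless you confirm your login and PIN here:
http://example-bank.secure-update.invalid/login
"""

LEGITIMATE_SAMPLE = """\
From: "Example Bank" <notify@example-bank.invalid>
To: treasury@customer.invalid
Subject: Your monthly statement is available
Content-Type: text/plain; charset=utf-8

Your statement for May is available in the customer portal.
Please log in as usual by typing the address into your browser.
"""

if __name__ == "__main__":
    print("phishing sample:  ", phishing_indicators(PHISHING_SAMPLE))
    print("legitimate sample:", phishing_indicators(LEGITIMATE_SAMPLE))
```

The point of returning indicator names rather than a single verdict is that each one maps back to a feature in the list above, so a reviewer can see why a message was flagged; a message that trips several indicators at once is the typical phishing pattern, while a single weak hit (a credential keyword with no link, as in the legitimate sample) is deliberately not reported.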
What to do if you are affected:
If you suspect that you have fallen victim to a “phishing” message and fraudsters have obtained your credentials, please take the following steps:
- If you have revealed your login data, immediately deactivate the access in the dropdown menu (Online banking > Administration) and contact us.
Extortion Trojans (ransomware)
How the fraud works:
Trojans (the name derives from the “Trojan horse”) are disguised as useful software but run damaging programmes, known as malware, in the background. For example, potential victims are sent e-mails purporting to be invoices from a well-known company. Such an e-mail typically constructs a scenario designed to instil fear: the recipient is told that the reason for a high invoice amount can be found via a link or in the attachment, in order to induce them to click on the link or open the attachment. As soon as they do so, the malware is installed on their computer and spreads throughout the corporate network, which ultimately leads to data theft or encryption, along with ransom demands for decryption.
What you can do to protect yourself:
- Do not let yourself be caught off guard; do not open attachments or links in e-mails if you are unsure of their origin.
- Be careful with add-ins/plug-ins from unknown developers.
- Regularly update your software and operating systems.
- Configure your operating system and e-mail program so that incoming e-mails are always checked.
- Regularly scan all drives on your computer for malware.
- Use a firewall that monitors network traffic.
- Always use an up-to-date virus protection software and configure it to ensure that your e-mails are always scanned.
What you can do to protect yourself
Do not share your PIN or photoTAN QR code with anybody
Anyone who knows your user ID and PIN code can log in under your name. If such individuals also know your photoTAN QR code, they will be able to debit payments from your accounts and dispose of your portfolios. Therefore, please observe a few simple rules:
- Never share your PIN code for online applications with anyone. No Commerzbank employee will ever ask you for your PIN or request you to e-mail this number or other personal data such as your name, address or account number. Do not photograph your photoTAN QR code, nor share it with anyone.
- There has recently been a surge of fraudsters sending e-mails that appear to come from legitimate company addresses, asking recipients to log on to a specific website by clicking on a link in the e-mail. These e-mails usually seem highly plausible, and the websites in question closely resemble the genuine ones. Fraudsters use this scam (called “phishing”, i.e. “password fishing”) to obtain your access data. To be safe, never click on links in e-mails that purportedly lead straight to Commerzbank login pages. Always log in through the Commerzbank homepage, or enter the website address manually.
- Be sure to change your PIN code periodically.
- Do not save your PIN code or your photoTAN QR code on your computer (not even in financial or accounting software) or on your smartphone.
- If you have reason to think that the confidentiality of your access data has been compromised, please disable your access immediately and notify your Commerzbank branch or our Customer Service.
- If you know you will not be using the Commerzbank applications for some time, you might prefer to disable your online access as an additional safeguard against unauthorised use.
Check the internet address
When you launch your online application, always check that you are connected to the right internet address.
The address must begin with the https protocol – not http – and the closed lock icon should appear in the status bar at the bottom of the browser. Never enter confidential data (especially your PIN code and password) without first verifying that the URL is correct (starting with https:) and encryption is activated (locked padlock icon).
Check the internet certificate
You can verify the server certificate by double-clicking on the padlock icon in the status bar of your browser to ensure that you are connected to a Commerzbank server.
Pay special attention to the following security criteria:
- The application’s internet address shown in the browser must match the one in the certificate.
- The server certificate must not have expired.
- The certificate must be issued for Commerzbank AG and be signed by an independent certification authority.
- If one or more of these criteria are not fulfilled, please close the application immediately and report the error to our Customer Service.
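The three criteria above can be checked programmatically against the certificate dictionary that Python's `ssl` module returns from `getpeercert()`. The following is an added example, not Commerzbank's own code: it checks that the address matches a DNS name in the certificate (allowing one left-most wildcard label), that the validity period covers the current time, that the certificate is issued for the expected organisation, and, as a sanity check, that it is not self-signed. The sample certificate, its names, dates and issuer, and the fixed reference clock are constructed; a real dictionary from `getpeercert()` can be passed in the same way.

```python
import ssl
import time

# Constructed sample in the format returned by ssl.SSLSocket.getpeercert();
# the names, dates and issuer are illustrative, not a real certificate.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "DE"),),
        (("organizationName", "Commerzbank AG"),),
        (("commonName", "banking.example.invalid"),),
    ),
    "issuer": (
        (("organizationName", "Example Root CA"),),
        (("commonName", "Example Root CA"),),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2026 GMT",
    "subjectAltName": (("DNS", "banking.example.invalid"), ("DNS", "*.banking.example.invalid")),
}

# Fixed clock so that the checks below are reproducible.
REFERENCE_TIME = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")


def _name_value(name, attribute):
    """Pull one attribute (e.g. organizationName) out of a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attribute:
                return value
    return None


def _hostname_matches(pattern, hostname):
    """DNS-name comparison with a single wildcard allowed in the left-most label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def check_certificate(cert, hostname, expected_org="Commerzbank AG", now=None):
    """Return the list of violated criteria; an empty list means every check passed."""
    now = time.time() if now is None else now
    problems = []
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_hostname_matches(name, hostname) for name in dns_names):
        problems.append("address does not match certificate")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("certificate has expired")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("certificate not yet valid")
    if _name_value(cert["subject"], "organizationName") != expected_org:
        problems.append(f"certificate not issued for {expected_org}")
    # The chain itself is validated by the TLS stack before getpeercert() returns a
    # populated dict; this is only a sanity check that the issuer is not the subject.
    if cert["issuer"] == cert["subject"]:
        problems.append("certificate is self-signed")
    return problems


if __name__ == "__main__":
    print("matching host:", check_certificate(SAMPLE_CERT, "banking.example.invalid", now=REFERENCE_TIME))
    print("look-alike host:", check_certificate(SAMPLE_CERT, "banking.example.invalid.lookalike.test", now=REFERENCE_TIME))
    expired = dict(SAMPLE_CERT, notAfter="Jan  1 00:00:00 2025 GMT")
    print("expired:", check_certificate(expired, "banking.example.invalid", now=REFERENCE_TIME))
```

Passing `now` explicitly keeps the check deterministic for testing; in production leave it unset so the real clock is used. Note that `getpeercert()` only returns a populated dictionary after the TLS stack has already validated the chain, so these checks are a second look at the criteria the page lists, not a replacement for chain validation.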
Always log off
Make it a habit to log off at the end of your session. When you click the logoff button, the browser window is closed.
Browser settings
Always use the latest version of your browser software. Using software that is continuously updated usually ensures enhanced security mechanisms. Always close your browser completely after logging off. For security reasons, you should completely clear the browser cache after using online applications when working outside your own environment. To do so, follow the instructions of your browser software.
Protection against viruses and Trojans
All data on your computer is at risk of encryption, destruction, theft, etc., due to viruses and Trojans (malware). In most instances, your device becomes infected with malware through e-mails containing attachments, during file downloads, or when clicking on malicious websites.
- Only install programmes from trusted sources. Do not install any programmes that are sent to you unsolicited.
- Keep yourself informed about the availability of security updates for your operating system and browser software.
- Only use the internet with a user account that has no administrator rights. For instructions on how to set up such an account, look at your operating system’s documentation.
- Install antivirus software (a virus scanner) and ensure it is always up to date.
- A personal firewall provides additional protection.
Access from third-party environments
When using Commerzbank’s online applications in environments where your privacy isn’t fully protected, it’s important to follow a few additional basic rules:
- Never leave the computer unattended during an active online session. If you do have to leave the PC, first close the application or activate a password-protected screen saver.
- When entering your login data, be sure that your keyboard inputs are not being recorded or observed by others in any way.