Important Security Tips
How to protect against online crime and tricksters
Essential Security Tips
Online fraud attempts frequently start with "phishing”. Phishing is a practice that involves cybercriminals attempting to trick their victims into giving them their personal or confidential data. Such data may include access credentials you use for internet banking, credit card numbers and codes, email addresses, date of birth or telephone numbers.
Once a fraudster has obtained this information, they often call their victims on the phone and pretend to be an employee of your bank. During the phone call, they may try to talk you into telling them your login credentials, to approve money transfers or they may ask you to authorise additional devices for George ID by telling you various "reasons" why you should give them your data. So please always remain vigilant, especially if you are contacted by someone unexpectedly who claims to be a bank employee and wants to talk about your finances: it could well be a fraudster who is calling you!
Fortunately, without your prior authorisation in George a fraudster will not able to log in to your internet banking or to make a transfer. So always double-check the information displayed on your signing screen and do not authorise any transaction that you have not started yourself.
Basic precautions
- Never enter your user number, alias or other confidential financial information on websites that you don’t know or that you feel are suspicious in any way.
- Carefully check each transaction in detail before giving your authorisation and never authorise transactions that were not started by yourself.
- The decisive factor is not what someone claims on the phone or in a chat, but what your app (George) displays on the signing screen!
- We will never ask you to authorise a login or a money transfer via phone or e-mail!
- Be especially vigilant if you are contacted unexpectedly or if a caller puts you under pressure to act quickly. This is one of the typical tricks used by fraudsters.
- If you have any doubts, simply leave the conversation and give us a call - our team at George Helpdesk is happy to assist you..
Our Top 10 Security Tips
Never disclose your confidential financial data, such as your user number or security codes, to anyone. Also, do not enter such sensitive information on websites that you don’t know. If someone is asking you to disclose this kind of information "out of the blue", you may be dealing with a phishing attempt, which is often the first step in an attempted fraud.
Do not enter sensitive data in apps or on websites that do not belong to Erste Bank or Sparkassen. You can identify legitimate websites of Erste Bank and Sparkassen by confirming that the URL used is *.sparkasse.at and that the SSL certificate matches this URL. Our original apps are issued by "Erste Bank der oesterreichischen Sparkassen AG" and are only available from the official stores of Apple and Google, and Huawei.
Only use trustworthy devices for your internet banking to ensure that no one else can access or manipulate your data. Computers in public areas (such as in internet cafés) that can be used by everyone are especially vulnerable to infections with malware (such as "Trojans") and cannot be considered secure. Such malware is used by scammers to manipulate your inputs on such a computer or to obtain your secret passwords or access codes.
Also exercise special precaution when you are using open/unencrypted Wi-Fi networks in spaces such as airports and other public places. If in doubt, take care of your banking transactions in a secure place or access your internet banking via a cellular network instead of a public Wi-Fi.
Would you let strangers "help" you when you withdraw money from an ATM? Probably not. Likewise, you should never let strangers "help" you with your internet banking if they contact you out of the blue, even if they claim they work for Erste Bank und Sparkassen or another well-known company. In reality, it is usually fraudsters who try to make transfers from your account via this access to your devices.
Therefore, never allow strangers to access any of your devices via remote desktop software (such as AnyDesk or TeamViewer ). On the phone, criminals often pretend to be part of a "support team" of a notable company and offer you “assistance”. This is a typical fraud scheme used to gain access to your devices and subsequently, to your internet banking.
You no longer need a password for George since via browser you log in using your alias/user number and authorise this login via your app. Nevertheless, please do not use easy-to-guess codes, such as your birth date or that of your children, for George.
Also, using strong passwords in applications other than George is essential for protecting your data online. Remember: if you use the same password on more than one website and hackers attack only one of them, they could gain access to all your online accounts at once. Once they have obtained your confidential/personal data, it is easy for them to launch convincing scam attempts via phone calls, e-mails or text messages, frequently causing financial damage for their victims.
Fraudsters regularly call or text their victims and pretend to be employees of Erste Bank und Sparkassen or employees of authorities such as the police or tax office. In many cases, the phone number shown on your display is “spoofed” to mimic a number of a known entity. The scammers often put pressure on you to trick you into transferring money without questioning their legitimacy. If you are in doubt, simply end such calls and contact our Service Center directly. This way you can be sure that you are really speaking to an authentic employee of Erste Bank und Sparkassen.
Fraudsters can justify their contact with various invented "stories":
- "Your internet banking access is about to expire and needs to be renewed."
- You sell something online and are asked (off the platform) to "verify" your account or your identity
- “You need to perform an update for which we need your approval, or we must make a test transfer together.”
- "Suspicious transactions were detected, your savings need to be moved to a safe place or your authorisation is needed to undo fraudulent transactions."
- Someone claiming they are your “child” contacts you from an unknown phone number and claims that their phone is broken or lost and then asks you to urgently transfer money to them.
- Someone pretending to be a “police officer” contacts you and claims that you or a relative have been involved in a crime and that the matter could be settled by paying a considerable amount of money.
- An investment opportunity presents itself, e.g. a cryptocurrency or an interesting fund. To take advantage of the opportunity, you should transfer money to a specific IBAN.
These are just a few of the most common fraud schemes, however, criminals are constantly changing their methods. So, always remain vigilant when being contacted and especially, when asked to transfer money. In the next tip, we have summarised how you can distinguish fake e-mails from genuine e-mails and which features should set off your ”alarm bells”. In our Security Center you can always find warnings about current internet fraud schemes.
Fraudsters often send “phishing” e-mails using our company name with the intention of tricking you into entering your confidential data on fraudulent sites under their control. Please ignore such e-mails and do not follow their instructions when asked to perform "urgent" actions or to enter data on some unknown website. The real purpose of such phishing e-mails is to obtain your confidential data and to use it for fraudulent purposes.
Still, not every email is malicious: Erste Bank und Sparkassen send legitimate e-mails to customers and subscribers of our newsletters. However, we will never ask you this way for your login credentials or your personal data. Also, we will never send you any links to websites where you should enter such data. Confidential written communication between you and your bank advisor is generally not conducted via e-mail, but via s Kontakt, our secure communication channel that is integrated in George. Via e-mail you will only receive a notification informing you that a new s Konktakt message is waiting for you in George.
How can I identify fake websites, fraudulent e-mails, phone calls or texts?
When using websites
Never enter your personal banking data on any website other than https://login.sparkasse.at/ or https://george.sparkasse.at/. You can identify these webpages as being authentic because they:
- belong to the domain sparkasse.at
- include an SSL certificate issued for that domain (*.sparkasse.at)
- always use https-encryption to protect the communication sent between your device and our servers.
Note: instead of the placeholder from above (“*”), we use different subdomains in front of our main domain sparkasse.at: login for our login page, george or george-business for our internet banking or www for our website.
Please always check in your browser’s address bar that you are using our legitimate website before you enter any confidential personal data. You can recognize our authentic website by verifying that you are on our domain *.sparkasse.at.
When using your smartphone or tablet
Please make sure that you only use our official apps from the Apple App Store, Google Play Store, or Huawei App Gallery on your smartphone or tablet. Do not enter sensitive or personal data into dubious apps from unknown sources. This is how you can tell that your George-app is authentic:
- The developer is "Erste Bank und Sparkassen"
- Download numbers are very high
- There are many positive customer reviews.
Always be cautious when installing unknown apps, as they could be malware (see: Protect your devices from malware).
When taking phone calls or getting text messages
Unfortunately, scammers use different techniques and tricks when calling or texting. This may also involve imitating our phone number via “Caller ID spoofing”. Therefore, a call or a text message should not automatically be considered “legit” only because the other side’s phone number looks legit. Instead of only relying on the number you should focus more on the intended purpose of a call or text.
When receiving e-mails:
The easiest way to tell whether an e-mail is authentic is to carefully check the sender. Note: Please do not just pay attention to the displayed “sender name” (e.g. "Sparkasse"), but also to the actual e-mail address that is used. We send our e-mails from one of the following addresses. (the “*” is a placeholder for different parts before the “@” sign):
- *@aviso.sparkasse.at
- *@mail.sparkasse.at
- *@sparkasse.at
- *@ebspk.sparkasse.at
- *@avisomail.sparkasse.at
Be aware that fraudsters may still be able to spoof the sender’s e-mail address. So always remain vigilant and don’t just pay attention to individual features of an e-mail, such as the sender, but also to the content and intent:
- Phishing e-mails frequently try to create a sense of urgency and a threat of negative consequences.
- Phishing e-mails almost always contain a button or a link leading to a fake website that is fully under the attacker’s control.
- Such e-mails are often sent from unusual addresses. This is however often “disguised” with the display of a legitimate-looking sender name.
- So take a close look - because even when a sender's name displays "Erste Bank und Sparkassen" a fraudulent sender address could be used.
- An example of a fake e-mail could look like this: the sender is displayed as "Erste Bank und Sparkassen" while the address used is “service@sparkasse-private.com”. You can identify this as fraudulent because the domain is not “sparkasse.at”, but "sparkasse-private.com".
Please ignore such e-mails or messages with suspicious content and:
- don’t click on any links
- don’t open any attachments
- don’t reply
If you receive a suspicious e-mail, please send it to us at fraud@s-servicecenter.at. Ideally send us the e-mail as an attachment added to a new e-mail (instead of “forwarding” it). This way, all the metadata of the fraudulent e-mail is preserved, which allows us to perform a more accurate analysis.
Keep your operating system, your internet browser and your apps up to date by enabling automatic updates. Since updates usually also close security gaps in the software, this will not only keep your devices up to date, but also increase your overall security level.
Download and install apps or programs only from the official stores for your operating system such Google Play, App Store, Windows Store, Mac App Store. Don’t install any programs or apps from unofficial sources or dubious origin, as such programs might have been manipulated by a malicious actor. Such malware can potentially encrypt your data (ransomware), display unwanted advertising (adware) or allow unauthorised access to your system or spy on you by eavesdropping on your microphone or keyboard.
Be cautious when apps or browser extensions are requesting extensive access permissions on your device, such as access to your screen, keyboard, contacts, photos, or saved files. Make sure you never give apps more access than needed for their required function.
Only use the unmodified, original operating system and refrain from "rooting" or "jailbreaking" your devices to obtain full system access. Such interventions may also allow malware to gain root access and steal your sensitive data. Therefore, such a device cannot be considered “safe to use” anymore.
Keep the operating system (e.g. Windows, macOS, Linux, iOS, Android), your browser (e.g. Edge, Chrome, Safari, Firefox) and your other apps (e.g. George) up to date on all your devices with automatic updates.
Updates do not only provide new features, they also close known security gaps and protect your system against the latest threats. Regular updates are a prerequisite for the security of your devices and help to minimise the risk of malware. After enabling automatic updates (both for your operating system and your apps), regular updates are carried out without any effort in the background. Please note: some updates require your device to be restarted to take effect.
With just a few measures, you can add a lot of additional security to your Internet Banking:
- Pay heed to the scam warnings in George and our security recommendations offered here.
- You can check your recent George-logins by navigating to your profile in George via browser (click on the gear icon in George on the web).
- In your George settings you can also see which signing devices are currently allowed to authorize transactions. For security reasons, remove devices that you no longer need.
- As a simple security measure, you can set a daily transaction limit - this is a maximum amount for your daily authorisations. Should you one day need to transfer an amount higher than this limit, you can easily adjust the limit anytime in George.
- Activate our Watchdogs: A “watchdog” is a push notification that we send to your mobile phone, for instance when incoming or outgoing transactions exceed a certain threshold or when your credit card is charged.
- In your George settings you can also see whether you have given access to your data in George to any third-party provider (e.g. a payment service provider or another bank). You can review and remove these permissions under "Third-party permissions" in the settings when accessing George via browser.
- Once you are finished using George via the browser, click on the "Logout" button in the top right corner. This way, you are logging out correctly and no one can enter your George without you approving the login.
As recommended in tip no. 1, you should never disclose your confidential financial data to anyone and never enter such data on unknown websites. Even though George's security is not based on the secrecy of your user number, but on the factors "possession" (your device with activated authorisation app) and "knowledge" (PIN code for George ID) or "biometry" (Face ID or Touch ID), you should still protect your user number.
Neither a George-login nor a money transfer can be performed without your authorisation via George ID. For this purpose, on the signing screen we always show you a verification code and full details about what you are about to authorise. Make sure that the verification codes always match up and only authorise actions that you yourself have started.
Our employees will never ask you for an authorisation:
- for a George login, because we do not log into your internet banking to check your data or transactions.
- for the "reception of a payment”, because for receiving a payment only your IBAN and nothing else is required.
- for undoing a "fraudulent transfer” on your account.
- for "updating your app”, for a “test transfer", the “prolongation of your internet banking” or other "technical reasons".
These are just a few examples of common scams which you should not fall for. Make sure to always keep up to date on current fraud schemes in our Security Center
It is a good practice to generally remain vigilant when making financial transactions. This also applies when shopping on the internet. Especially on second-hand platforms, such as eBay or Willhaben, fraudsters may attempt to scam you by selling allegedly inexpensive brand-name products.
Make sure that you are shopping in reputable online stores. If in doubt, check the imprint, contact details or terms and conditions on the merchant’s website. Check a stores’ ratings on online rating portals such as "Trustpilot", to learn about other users' experiences with certain retailers
Stay up-to-date
As technology evolves, also scammers evolve their techniques – so please expect that scammers will come up with new methods and pretexts in the future. To stay ahead make sure to stay up-to-date with our scam warnings and check our updates on samples of phishing emails. If you see a warning message after you log in to George, please read these warnings carefully as this usually means that we are seeing increased fraud attempts using the methods described. Keep in mind that you could be contacted by scammers yourself any time!
Contact us if you suspect fraud
Please contact our help desk at 05 0100 – 50200 if:
- You have been exploited by internet scammers
- You have mistakenly disclosed confidential data or feel that something is wrong
- You want to report suspicious e-mails, newsletters, websites or phone calls to us
Please contact us at 05 0100 – 50333 or block your card immediately online via George or using your George app if:
- You have lost your debit card or credit card, or your card has been stolen
- Unauthorised persons have withdrawn funds or made payments using your card
Learn more about getting help in the event of an emergency.
Help in the Event of an Emergency
Quick help in the event of fraud, loss of card, or theft of data.