Tips on safe use of the Internet

We work diligently to keep all your transactions safe. To make sure everything runs smoothly, however, you should also look after your own safety when shopping, making payments and doing other things online.

What is phishing?

Phishing (spoofing) is a fraud method in which a criminal impersonates another person or institution in order to obtain confidential information (e.g. login credentials or credit card details).

What will a consultant never ask for?

  1. Your password – no PayU employee will ever ask for your password; it remains known only to you.
  2. Your full credit card number, the CVV2/CVC2 security code (the three digits printed on the back of your credit card), or the additional password that some cards require for the authentication process known as 3D Secure.

How to recognize the genuine login page?

  1. The page always opens over a secure connection (HTTPS).
  2. Communication between your computer and PayU is secured with a certificate issued for the secure.payu.com website to MIH PAYU B.V.
  3. Before logging in, check the website address you are connected to (check that both the domain and the certificate are correct). Any difference may indicate that you are on a planted/fake website.
  4. Criminals frequently clone websites so well that an average user who lands on the prepared copy notices no difference, logs in and hands over his/her data. Remember to always check the website address shown in the browser window before you log in, check the website's tabs and make sure the website is consistent and coherent.

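The domain-and-certificate check from point 3, written out as an added Python example (this is not PayU's own code). It takes a certificate in the dictionary form that Python's ssl module returns from getpeercert() and verifies that the site you intended to visit is among the certificate's DNS names, that the subject organisation is the one named above, and that the certificate has not expired. Both sample certificates are constructed for illustration; the second stands for a lookalike site on the reserved .example domain and is not a real address.

```python
"""Added example (not PayU code): verify that a server certificate belongs to the
site you intended to visit and to the organisation you expect.

The certificate is taken in the dictionary form that Python's ssl module returns
from SSLSocket.getpeercert(); the two sample certificates below are constructed
for illustration and are not real PayU certificates."""
import ssl
import time

# What this page says the genuine PayU login page presents.
EXPECTED_HOST = "secure.payu.com"
EXPECTED_ORG = "MIH PAYU B.V."


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match a DNS name from the certificate against the intended hostname.

    Exact match, or a single leading wildcard label ('*.payu.com' covers
    'secure.payu.com' but neither 'payu.com' nor 'a.b.payu.com')."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        pattern_labels = pattern.split(".")[1:]
        host_labels = hostname.split(".")
        return len(host_labels) == len(pattern_labels) + 1 and host_labels[1:] == pattern_labels
    return False


def subject_field(cert: dict, field: str):
    """Pull one attribute (e.g. 'organizationName') out of the nested subject tuple."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None


def check_certificate(cert: dict, intended_host: str, expected_org: str, now_ts=None) -> list:
    """Return a list of problems; an empty list means the certificate is the one you expect.

    now_ts is a POSIX timestamp (defaults to the current time) so the expiry check is testable."""
    problems = []
    san_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(name, intended_host) for name in san_names):
        problems.append(f"not issued for {intended_host} (certificate names: {san_names})")
    org = subject_field(cert, "organizationName")
    if org != expected_org:
        problems.append(f"issued to {org!r}, expected {expected_org!r}")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if (time.time() if now_ts is None else now_ts) > not_after:
        problems.append("certificate has expired")
    return problems


# Constructed sample: what a genuine certificate for the login page would look like.
GENUINE_CERT = {
    "subject": ((("countryName", "NL"),),
                (("organizationName", "MIH PAYU B.V."),),
                (("commonName", "secure.payu.com"),)),
    "subjectAltName": (("DNS", "secure.payu.com"), ("DNS", "www.payu.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

# Constructed sample: a perfectly valid certificate for a lookalike name (reserved .example TLD).
# A browser shows a padlock for it too, which is why the address itself must be checked.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "secure-payu.example"),),),
    "subjectAltName": (("DNS", "secure-payu.example"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE_CERT), ("lookalike", LOOKALIKE_CERT)):
        print(label, check_certificate(cert, EXPECTED_HOST, EXPECTED_ORG) or "OK")
```

In a real check the certificate would come from a socket wrapped with ssl.create_default_context(), which already validates the chain and the hostname; this function adds only the question the page asks, namely whether the site is the one you meant to visit and belongs to the organisation you expect. The organisation check only works for certificates that carry an organizationName, which is what the page says the PayU certificate does.
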
How to recognize whether an e-mail or SMS is an attempt at fraud?

  1. PayU does not send e-mail or SMS messages asking its users to provide any confidential information.
  2. PayU does not send SMS messages with links to payments or notifications about an additional payment being required.
  3. If you have received an e-mail that meets at least one of the criteria below, you are probably the target of a phishing attempt:
    • the e-mail asks you to send an SMS message to a given number,
    • the e-mail asks you to provide your login or other sensitive data (date of birth, PESEL number, mother’s maiden name, credit card details),
    • the e-mail contains grammar or spelling errors.
  4. Messages sent by PayU never contain attachments with software (e.g. .exe files). If you receive an e-mail with instructions on what to do with your PayU account, the safest course is to open your Internet browser, type in the www.payu.pl address manually, go to the login window and enter your details only there. Then verify the activities described in the e-mail. Never click on a link in a message that requires you to state your personal data, or that looks dubious to you.

How to report a phishing attempt?

When you receive a suspicious e-mail message:

  1. Forward the whole message (with headers, sender address etc.) to phishing@payu.com.
  2. After verifying its contents and the address it was sent from, we will reply to you whether it is genuine or not. This will help us protect other users.

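A first triage of a forwarded message against the red flags listed in the two sections above (an SMS request, a request for sensitive data, an executable attachment), as an added Python example that is not PayU's own tooling. It parses the raw e-mail, headers included, with the standard library's email package and returns the flags it finds. Both sample messages are constructed for illustration and use reserved example domains; the list of executable extensions beyond .exe is an assumption of this example.

```python
"""Added example (not PayU code): a first triage of a forwarded e-mail against the
red flags listed on this page, using only the standard library.

Both sample messages are constructed for illustration; the addresses use reserved
example domains."""
import email
import re
from email import policy

# Terms whose presence suggests the mail is fishing for credentials or identity data.
SENSITIVE_TERMS = (
    "password", "login", "pesel", "date of birth", "mother's maiden name",
    "card number", "cvv", "cvc", "3d secure",
)
# Attachment types PayU mail never carries: the page names .exe; the rest are other
# common executable formats, added here as an assumption of this example.
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".msi")
# "send ... SMS ... to/number", plus a run of digits somewhere in the text.
SMS_REQUEST = re.compile(r"\bsend\b.{0,40}\bsms\b.{0,40}\b(?:to|number)\b", re.I | re.S)
DIGIT_RUN = re.compile(r"\d{4,}")


def body_text(msg) -> str:
    """Join the readable parts of the message, stripping HTML tags."""
    chunks = []
    for part in msg.walk():
        if part.get_filename():
            continue  # attachments are handled separately
        if part.get_content_type() in ("text/plain", "text/html"):
            text = part.get_content()
            if part.get_content_type() == "text/html":
                text = re.sub(r"<[^>]+>", " ", text)
            chunks.append(text)
    return "\n".join(chunks)


def attachment_names(msg) -> list:
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def phishing_indicators(raw_message: str) -> list:
    """Return the red flags found in a raw (headers included) e-mail; empty means none found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    text = body_text(msg)
    lowered = text.lower()
    findings = []
    if SMS_REQUEST.search(text) and DIGIT_RUN.search(text):
        findings.append("asks you to send an SMS to a number")
    asked = [term for term in SENSITIVE_TERMS if term in lowered]
    if asked:
        findings.append("asks for sensitive data: " + ", ".join(asked))
    for name in attachment_names(msg):
        if name.lower().endswith(EXECUTABLE_EXTENSIONS):
            findings.append(f"carries an executable attachment: {name}")
    return findings


# Constructed sample of a phishing mail (the attachment is the base64 of "placeholder").
SAMPLE_PHISHING = """\
From: "PayU Support" <support@payu-notice.example>
To: customer@example.org
Subject: Your payment needs verification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear customer, your payment is on hold. Please send an SMS with the word PAY
to the number 7272 and reply with your login, password and CVV code.

--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--b1--
"""

# Constructed sample of an ordinary shipping notice.
SAMPLE_BENIGN = """\
From: shop@example.org
To: customer@example.org
Subject: Your order has shipped
Content-Type: text/plain; charset="utf-8"

Hello, your order 10042 was handed to the courier today. Track it at the
carrier's site using the reference in your account. No action is needed.
"""

if __name__ == "__main__":
    print("phishing sample:", phishing_indicators(SAMPLE_PHISHING))
    print("benign sample:", phishing_indicators(SAMPLE_BENIGN))
```

These are keyword heuristics, so a message that scores zero is not proven safe and a hit is not proof of fraud; the grammar criterion from the list is left to a human reader. The function works on the full raw message, which is why the reporting instructions ask for the mail to be forwarded with its headers.
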
What is identity theft?

Identity theft occurs when someone unlawfully takes possession of your personal data. The most frequently stolen details are the first name and surname, the address of permanent residence, the PESEL identification number and the credit card number. Using someone else’s data, Internet criminals can, for example, fraudulently take out loans or shop online.

How can you protect your online identity?

  • Protect the privacy of your data, both on the Internet and in the real world.
  • Pay safely: use the PayU online payment system.
  • Never respond to e-mail messages asking you to provide your private data (e.g. the login details for your account).
  • Be vigilant: regularly check the transaction history in your account to spot any suspicious operations.
  • Never close the browser window without properly logging out of transaction sites or your online account.

How to make sure your PayU Account password is safe?

  • Your password should be at least 8 characters long.
  • Use a combination of uppercase and lowercase letters, numbers and special characters.
  • Do not use your first name, surname or e-mail address.
  • Do not use sequences that are easy to guess (such as 1234 or qwerty).

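The four rules above turned into a checker, as an added Python example (not PayU's code). It reads the second rule as requiring all four character classes, which is an assumption; the first name, surname and e-mail address passed in are the user's own details that the password must not contain, and every sample input is constructed.

```python
"""Added example (not PayU code): check a candidate password against the four
rules on this page. Sample inputs are constructed; nothing here is a real account."""
import re

# Keyboard walks and number runs that the page calls "easy to guess" (1234, qwerty
# are the page's examples; the rest are added here as an assumption).
COMMON_SEQUENCES = ("1234", "12345", "123456", "qwerty", "asdf", "abcd", "password", "0000")


def is_run(s: str) -> bool:
    """True for strictly ascending or descending runs such as 'abcd' or '4321'."""
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(s) >= 4 and diffs in ({1}, {-1})


def password_problems(password: str, first_name: str = "", surname: str = "", email: str = "") -> list:
    """Return the rules the password breaks; an empty list means it passes all four."""
    lowered = password.lower()
    problems = []

    # Rule 1: length.
    if len(password) < 8:
        problems.append("shorter than 8 characters")

    # Rule 2: character classes (all four required; an assumption of this example).
    classes = [re.search(r"[a-z]", password), re.search(r"[A-Z]", password),
               re.search(r"\d", password), re.search(r"[^A-Za-z0-9]", password)]
    if not all(classes):
        problems.append("does not mix upper case, lower case, digits and special characters")

    # Rule 3: personal data, including the local part of the e-mail address.
    personal = [x.lower() for x in (first_name, surname, email, email.split("@")[0]) if len(x) >= 3]
    if any(x in lowered for x in personal):
        problems.append("contains your name or e-mail address")

    # Rule 4: known sequences, plus any 4-character ascending/descending run.
    has_run = any(is_run(lowered[i:i + 4]) for i in range(len(lowered) - 3))
    if any(seq in lowered for seq in COMMON_SEQUENCES) or has_run:
        problems.append("contains an easy-to-guess sequence")

    return problems


if __name__ == "__main__":
    for candidate, details in (("jan1234", {"first_name": "Jan"}),
                               ("Qwerty!2024", {}),
                               ("Tr0ub4dor&3", {})):
        print(candidate, "->", password_problems(candidate, **details) or "OK")
```
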
What should you pay attention to when making a payment?

  1. SSL certificate: your browser will indicate that you are using a secure connection, encrypted with a certificate. Another sign is a website address starting with https://.
  2. Quality of the online store: do not buy from stores you do not know, stores with an unclear history, or stores that do not inspire trust. Check whether the store provides the following information on its website:
  • the seller’s contact details,
  • the store rules (including the rules for returns and complaints),
  • a contact phone number (call and have a short conversation about what you intend to buy; the seller should know the goods on offer well),
  • information on whether the store and its clearing agent meet the PCI DSS standard (the security standard for card payments) and support 3DS authentication; the PCI DSS, Verified by Visa and MasterCard SecureCode symbols should be displayed on the website.

What is the Nigerian scam?

The Nigerian scam (or 419 scam, after the article of the Nigerian Penal Code that describes this offence) is a fraud initiated by contacting the victim via e-mail. It draws the victim (previously chosen at random, nowadays selected more carefully) into a psychological game built around a fictional transfer of a huge sum of money (frequently an exorbitant one, even several million British pounds or US dollars) out of an African country (most often Nigeria, although now it can be practically any country; Great Britain and Spain are used more and more often). The purpose of the game is to extract money from the victim.

E-mails with links to invoices

E-mail messages containing links to “invoices” that turn out to be malware are one of the oldest phishing scams. They are sent from various e-mail addresses, and the crooks impersonate well-known companies operating in Poland: stores, courier companies or telecommunications companies. The message asks the recipient to click on a link to download an invoice; this usually results in downloading a file infected with a computer virus or other malware. Such a file may steal your online banking data during the login process or during online transactions.

SMS messages requesting extra payment for a package

An increasingly frequent phishing scam is a request to pay a small amount for a package. In one version, users receive an SMS message informing them that they need to make a small additional payment, for example PLN 1.00, to receive their package. The link to the payment leads to a fake website of an e-payment agent. A person who enters his/her bank login details on such a website will be robbed and could lose all his/her savings.

A real payment at a false store

In this scam, the e-consumer shops at an online store that has a good reputation among users and offers products at exceptionally attractive prices. When finalizing the order and choosing payment via PayU, the user sees a message on the screen saying: “You are being redirected to the website of payment operator, please be patient, as we have a large number of orders this can take a few minutes”. Next, the consumer either receives a new link to the payment site from the store’s consultant via the company chat, or after a few minutes is redirected to the genuine website of the payment operator, which raises no doubts about the safety of the payment. However, some details may be wrong, such as the name of the store where the item is being bought, or the amount to be paid. In this type of fraud, while the consumer waits for a new link to the payment site, the crook creates a new order in another, legitimately operating store serviced by the same payment operator. The cheated user then makes a payment that benefits the cyber-crook who attacked him/her, instead of paying for his/her own order.

BLIK frauds

This is a new type of fraud tied to payments made by mobile phone. The fraud consists in swindling the victim out of a mobile payment code in order to rob his/her bank account. The crooks hack Facebook accounts, impersonate their owners and, using Messenger, ask people on the friends list for a loan. They explain that they have suddenly found themselves in a difficult situation, and the explanation seems plausible. The victim gives them a BLIK code and then approves the payment in his/her banking application. We remind you never to give anyone your bank account details.

How to secure your computer?

The basis of safe Internet use is legitimate software that still receives security support. When making payment transactions, it is worth remembering to use:

  • anti-virus software,
  • a firewall (network security system),
  • up-to-date software.

Anti-virus software should protect against viruses, Trojans and other malware that can harm your computer. There are many potential sources of infection, such as e-mails with infected attachments or infected software downloaded from the Internet. Anti-virus software should by definition protect against such threats. For the best protection, we recommend professional anti-virus software: unlike free versions, commercial ones offer more effective protection and better support. Many manufacturers let you test their software during a trial period, which usually lasts 30 days. If you do not have anti-virus software, or if you suspect that you have fallen victim to a cyber-attack, install a trial version today! You can buy the full license later, e.g. at Allegro.

The firewall protects your computer against unauthorized access attempts. Imagine that you are in a popular fast-food restaurant, surfing the Internet over the free Wi-Fi the restaurant provides. Without proper firewall settings, a third party can attempt to connect to your computer. A firewall should protect your computer against such unauthorized access. We recommend purchasing the firewall together with the anti-virus software: such a combination offers highly effective protection, and products of this type are frequently marketed under the name “Internet Security”.

Up-to-date software is the basis of security. Many people think that an up-to-date operating system is sufficient protection. Unfortunately this is not the case: for full protection, you should also regularly update all installed software.

How to secure your mobile phone?

Android

The basic steps:

  1. Remember to regularly update the operating system.
  2. Do not escalate user rights to the level of device root (so-called Android rooting).
  3. Do not install any applications from third-party app stores on your device.
  4. Turn on device encryption.
  5. Turn off “Developer options”.
  6. Use applications/services (built-in or additional ones) that provide remote deletion of data from the device.
  7. Turn on the Android Device Manager (https://www.google.com/android/devicemanager).
  8. Before taking the device for repair or recycling, clear all data from it.

Authentication security:

  1. Set up a PIN code and automatic locking of the device when it is idle for a certain time.
  2. Set up an alphanumeric password.
  3. Set up a time limit for the automatic lock.
  4. Turn off the “make passwords visible” function.
  5. Set up automatic data deletion after the wrong access code (password or PIN) is entered several times.

Network safety

  1. Turn off Bluetooth if you are not using it.
  2. Turn off Network Notification.
  3. Select “forget Wi-Fi networks” to prevent automatic network connection.

For Apple iOS

The configuration described here covers the iPhone 3GS and later, all iPads, and the iPod touch 3rd generation and later, running iOS 4 or higher. Some settings and security options may be unavailable on older devices. Some settings require iOS 8.

Configuration profiles

Configuration profiles can be viewed and edited (https://support.apple.com/apple-configurator).
Apple also provides a configurator (available from the App Store: https://apps.apple.com/pl/app/apple-configurator-2/id1037126344?mt=12), which can be used for mass configuration and management of a larger number of iOS devices.

The basic steps:

  1. Update your operating system to the latest version.
  2. Do not obtain elevated privileges in the device’s operating system via unknown applications (jailbreak).
  3. Turn on automatic download of application updates.
  4. Turn on the remote data destruction function.
  5. Turn on the “Find my iPhone” function.
  6. Encrypt the backups of your device made with iTunes.
  7. Before taking the device for repair or recycling, clear all data from it.

Authentication security:

  1. Require a PIN or password.
  2. Turn on Touch ID together with a complex password.
  3. Set up a time limit for the automatic lock.
  4. Disable the screen-lock delay.
  5. Set up data deletion after the wrong access code is entered several times.
  6. Turn on Data Protection.

Browser safety

  1. Turn on the Safari Fraud Warning.
  2. Disable AutoFill of confidential information.
  3. Turn on blocking of third-party cookies.
  4. Turn on Do Not Track.

Network safety:

  1. Turn on “Ask to Join Networks”.
  2. Turn off AirDrop when you are not using it.
  3. Turn off Bluetooth when you are not using it.
  4. Turn off Personal Hotspot when you are not using it.
  5. Select “forget Wi-Fi networks” to prevent automatic network connection.

Origin of your software

For your computers and mobile devices, avoid downloading software from untrusted sources. This creates a risk of infecting your hardware.

Illegal software is the perfect environment for malware. Usually, to activate pirated software, you need to download a so-called crack. This is the perfect opportunity to infect your device; what other benefit is there for the author of the crack? We recommend using only software obtained from legal sources.

For mobile devices, install applications only from official sources, such as Google Play or iStore. Please report other cases of fraud or security incidents related to the operation of PayU to help@payu.pl.