Precautions to take when using digital channels

The use of digital channels to offer retail banking products and services changes the way bank customers access information. Before concluding a contract or purchasing a banking product or service, customers must:

  • Carefully read all the information provided by the institution;

  • Clarify any doubts with the institution;

  • Evaluate in advance the conditions presented by the institution, carefully analysing the respective costs, remuneration and risks involved;

  • Ensure that all pre-contractual and contractual information is provided on a durable medium for consultation at a later date.

Bank customers should pay attention to and adopt the security procedures that are provided by their institution.

Bank customers should pay attention to the institution’s security procedures. In case of doubt, they should not conduct the transaction without first asking their institution for any clarifications deemed necessary.

Precautions to take when conducting banking transactions through digital channels

In addition to the usual care associated with the product or banking service, you must:

  • Protect the equipment with a password that prevents it from being used by third parties;

  • Do not give permission for websites or apps with confidential information to start sessions automatically;

  • Protect your equipment with anti-virus and anti-spyware software and keep these up-to-date;

  • Protect electronic communications, always keeping the firewall active;

  • Avoid public equipment (shared computers and tablets) to conduct banking transactions or payments;

  • Avoid leaving your equipment unattended;

  • Beware of fake tech support calls;

  • Avoid reusing access codes – e.g. you should not use the same code for internet banking apps and to unlock your equipment.


  • Always keep your browser up-to-date;

  • Protect wireless communications (wi-fi) by adopting secure protocols and avoid using public hotspots;

  • Always type in the URL you want instead of using a link or accessing the web history;

  • Check whether the address of the entity you want to access is its official address;

  • Always check that the address of the entity where you are entering your personal and confidential information is ‘https’. The ‘s’ stands for ‘security’, which ensures a secure connection to the entity’s online service. This system is part of the ‘digital certificate’ of the institution’s website, which can be consulted by clicking on the symbols of the closed padlock or the key that should appear in the lower right-hand corner (or upper right-hand corner, depending on the program used) of the internet browser;

  • Check whether the bar with the entity’s address where you are entering your personal and confidential information is green (secure) rather than red (not secure).

  • You can test if the website is safe by using the ‘wrong password trick’. Instead of the usual login, put the wrong password in. If it is accepted, this means that the entity in question is not checking your login (in other words, it may simply be collecting the password for illicit use);

  • If you open an email whose content is suspicious, in particular because you do not know its origin, you should not click on the indicated links, you should not execute the requested actions (do not run suggested programs) and you should not open the attachments;

  • Do not download email attachments from someone you do not recognise or that look suspicious;

  • Do not open suspect emails and delete them immediately. Check the sender’s address (not just their name), the wording used (less careful, dubious expressions), the language and graphic presentation of the emails received, as false messages often adopt less formal and less correct language.

  • Only install trustworthy apps through official app stores. Not all apps are safe and may contain malicious software;

  • Carefully analyse the apps’ reviews. Many reviews are fake and deliberately created to lure users into installing the app;

  • Check the data access permissions required by the apps. Do not download apps that require apparently excessive permission requirements;

  • Check the security and the permissions required by the apps that came with your mobile phone.

  • Do not give out passwords to third parties. Passwords are personal and non-transferable;

  • Do not choose passwords that are too obvious (e.g. 123456, ABCDEF, QWERTY) or associated with easily obtainable personal information (birthdays, children’s or spouses’ names, mobile phone numbers);

  • Use different passwords for different accounts;

  • Do not write passwords or other confidential information on paper, or keep them in emails or on your phone;

  • Do not send your IBAN, personal data (identification number, tax number, date of birth, full name, etc.), confidential codes and other sensitive elements by email or mobile phone messages;

  • Do not put confidential data and other information, such as your mobile phone number, into websites whose authenticity is not ensured;

  • Do not share personal or confidential information on social networks.

  • Observe the security procedures that are transmitted to you by the institution, including whenever you conduct banking transactions through digital channels;

  • Contact your institution immediately if you detect unauthorised or unrecognised movements, keeping frequent and careful control of your accounts;

  • Notify the financial institution of any suspected fraud before proceeding with the banking transaction;

  • Remember that the institution should never ask for your data to access the internet banking service through any means other than over the counter.


Precautions to take in home banking

Regardless of the equipment used (computer, tablet or smartphone), when using the home banking service to conduct financial transactions, you should also observe the following guidelines:

  • You must never access the institution’s home banking service through an existing link in an email, addresses recorded in ‘Favourites’ or ‘History’, or search engine results. Bank customers must always write in full the URL they want in the browser so as to avoid access to software that allows the appropriation of confidential information or to be redirected to a web page that looks the same as the financial institution’s page, but which is fake (‘mirror website’);

  • You must never disclose in full your matrix card coordinates (your financial institution will never ask for them);

  • You should avoid accessing the home banking service through public equipment (shared computers, smartphones or tablets);

  • After using the home banking service, you must end the session and leave the institution’s web page by clicking on the respective icons;

  • You must never use the same password for accessing your institution’s home banking service that you use in connections that require less security (e.g. passwords used in social networks);

  • You must regularly check your bank accounts and check the date and time of the last access to the home banking service;

  • Set up alerts for transfers and debits or other security measures provided by your institution;

  • You must notify the institution, as soon as possible, of the loss, theft or misappropriation of the matrix card or other security item used to conduct financial transactions through the home banking service.


Precautions to take in internet payments

Regardless of the equipment used (computer, tablet or smartphone), when making payments online or through apps, bank customers should also take the following precautions:

  • Find out about the seller:

    • Search the internet for the company name;

    • Be suspicious if you do not find an address or phone number you can ring and the terms and conditions of the sale;

    • Read about the experiences of other customers for a given product or online store, for example in discussion forums;

  • Check the website or app’s security:

    • Check whether the address you wish to access starts with https:// and whether there is a padlock in the navigation bar or at the bottom of the window. This means that the link is secure;

    • Only install trustworthy apps from official app stores.

    • Run your mouse over the quality seals. If these do not have a link or do not redirect you to the official website, the web page may be fake.

  • Adopt habitual security procedures to protect your computer, tablet or phone:

    • Keep your anti-virus and anti-spyware software up-to-date and the firewall active;

    • Don’t connect to public or unknown wi-fi networks;

    • Don’t use public equipment to make payments.

  • Read the terms and conditions:

    • Check the payment methods;

    • Learn about any added costs, such as postage or customs costs, if the store is based outside the European Union;

    • Check the conditions and costs applying to returns or exchanges. Normally in the European Union you have 14 days to return any product bought over the internet.

  • Make sure you only provide the information needed to complete the purchase;

  • Aim to use one of the following payment methods:

    • Multibanco reference. In this case, the merchant sends you an SMS or email with the data you need to make your payment, within a given time period, at an ATM or through home banking;

    • Payment instruments with added security. You should preferably use cards with a low credit limit, a short validity period or additional authentication procedures (procedures that allow strong customer authentication);

    • Virtual cards. A virtual card is an electronically generated card to be used online. Data for the real card are not disclosed at the time of purchase, ensuring a safer transaction. The MB WAY app, for example, allows you to create virtual MB NET cards and carry out the same transactions without ever disclosing the actual data of your payment card.

  • Keep the records of the purchase made, including the information on the merchant and their URL;

  • Regularly check your bank account to see if the debits correspond to the purchases you made;

  • Notify the payment service provider that issued the card, as soon as possible, of the loss, theft or misappropriation of the card, using the contacts made available by the card issuer or disclosed for that purpose on this website.

Security procedures to be adopted by institutions

Institutions should have reliable, resilient and secure systems and adopt the best national and international safety practices.

Institutions should:

  • Implement, monitor and regularly review a security policy for products and services provided through digital channels;

  • Inform customers in advance of the technological requirements and security measures to be adopted;

  • Promote awareness and dissemination campaigns on the security procedures that should be adopted by customers when a specific security threat is identified;

  • Implement robust authentication procedures that allow a more secure verification of the bank customer’s identity, such as strong customer authentication mechanisms, in the case of payments;

  • Adopt appropriate technical or organisational measures to ensure the integrity and confidentiality of their customers’ personal data.

Strong customer authentication

Authentication procedure, at the request of the institution, in which customers use two or more of the following elements:

  • Something only the customer knows – e.g. password, code, PIN;

  • Something only the customer possesses – e.g. authentication device (token), smart card, mobile phone;

  • Something the customer is – e.g. biometric characteristic, such as a fingerprint.

These elements must be independent, i.e. the breach of one must not compromise the reliability of the other(s). In addition, at least one of the elements must be non-reusable and non-replicable (with the exception of the characteristic inherent to the customer) and not capable of being stolen via the internet.

The use of these elements results in an authentication code. In cases where strong customer authentication is legally required, customers must use the authentication code to validate the payment transaction they intend to conduct.

For example, under this more robust authentication mechanism, when making a card purchase via the internet, in addition to indicating the details of their payment card, bank customers are required to enter a unique code that is sent by SMS. In this case, bank customers must have previously associated their mobile phone number with the card.