The recent years have made the Internet one of the major sources of threats. This is partially due to its general availability and the transfer of many everyday activities and economic transactions to the Internet, e.g. financial transactions made via online banking. The infection of ICT infrastructure with malware and attempted frauds may significantly affect the way in which a company operates. In order to make the use of the Internet and online banking safe, it is necessary to become aware of potential threats and take every measure to protect against them.
The systems offered by BGK meet the highest safety requirements. At the same time, one must not forget that the weak link might be the human factor and each ICT environment beyond the control of the Bank. Each Internet User takes care individually for the safety of their own ICT equipment and has an impact on the security of their account in the BGK system. No technical security measure can help if ICT system Users do not observe basic safety rules. A consistent observance of those rules allows to avoid potential threats originating from the Internet.
BGK offers online banking services to institutional clients – including public administration institutions and bodies, local governments, enterprises and banks. You are a group of clients who should follow – with the support of your own internal or external IT departments – restrictive safety rules, at the level required by professional entities.
General ICT safety rules observed by an institutional client should include, among others:
- Regular cybersecurity training, awareness campaigns and activities to inform employees about current threats related to ICT devices, including threats related to using the Internet and operating mobile devices, etc.
- Regular activities to familiarise all BGK System Users, their supervisors and your management staff with current communications regarding safety, published at the bank’s website.
- Using the same level of security for company mobile devices (e.g. smartphones, tablets, laptops) as is applied to desktop computers, including security software to detect and remove malware and spyware as well as secure the confidentiality of data and protect against their theft.
- Entrusting ICT equipment configuration, including networks and network devices, only to IT specialists.
- Ensuring compliance with industry standards, norms and best practices concerning ICT and information security.
- Conducting regular ICT infrastructure security audits.
- Having a procedure in place for ICT security incidents, e.g. an ICT system breach, suspected malware infection, suspected theft of authentication data to the BGK system, etc.
Basic rules for the safe use of BGK systems applicable to You and BGK systems users authorized by You:
- Sign in to the BGK system only from work/company computers.
- Do not leave an account logged on to the BGK system unsupervised.
- After finishing your work, remember to always log out pursuant to the procedure in force at the bank.
- If the BGK system uses an ID card - remove it from the reader immediately after completing the approval of finance orders.
- Secure authentication tools (certificate, token) against unauthorised access.
- Never make login details for the BGK system available to anyone.
- Always use legal software from a trusted source. This applies to the operating system, web browser and any other software used in the ICT system, including mobile devices.
- Use and regularly update an anti-virus software from a reputable developer and security solutions providing protection against malware (e.g. spyware, adware) as well as a firewall. Regularly scan each ICT device using anti-virus software.
- Regularly update all your software, including the operating system and web browser, by installing latest patches published at the websites of relevant software developers.
- Consciously choose your web browser and configure its security parameters on an on-going basis. Use the latest available web browser version. Remember to regularly delete temporary files saved in your web browser’s cache memory to ensure its proper operation. Disable all unnecessary plug-ins in your web browser.
- Before installing any additional software related directly to the BGK system, call the BGK Helpdesk for advice.
- If you suspect that your computer has been infected, immediately notify your IT department. The symptoms indicating that your computer has been infected are usually: significantly slower system operation, changes to the web browser, problems with running some programmes.
- Do not open the website to log in to BGK system from links (e.g. received by e-mail, SMS). Enter the website address manually or sign in via www.bgk.pl.
- Do not copy-and-paste bank account numbers - enter them manually and verify them carefully.
- Do not trust senders of unusual e-mail messages (stating the need to take urgent action, settle a financial obligation, open a password-secured attachment, etc.). Fraudsters are able to draft the message in such a way as to make it seem that it was sent by a trusted person or institution. If you have any suspicions, verify whether it was sent by the actual sender via an independent channel other than the phone number provided in that message.
- Do not open messages (and attachments) received by electronic mail from unknown senders.
- Do not open links/hyperlinks directly from the received e-mail, instant messenger, SMS, etc. Never run computer programmes in this way. Pay attention to the authenticity of communications received by e-mail, as they may contain links to a fake BGK system website; logging in to such a website provides the fraudster access to your login and password.
- Never write down your access login and passwords on paper and never save them in text files – you are putting them at risk of being intercepted.
- Do not use the same password in different systems/services. Passwords used at work must be unique in every system/application, and different from any other password - including those used privately.
- Do not connect to the BGK system via networks other than work/company network, including wireless networks (e.g. accessible at hotels, airports, networks of other counterparties, etc.).
- It is essential that you define IP addresses, so as to restrict the possibility of logging in to the BGK system from other addresses (applicable to bgk24).
- Never send any personal data, passwords, logins, credit card numbers, etc. via e-mail or text message.
- Remember that the Bank does not verify the accuracy of your authentication data by e-mail or text messages on a mobile phone, therefore never respond to such e-mails and text messages.
- The Bank will never ask you to provide authentication data: a password, a PIN code or a single-use code.
- When using multiple websites at the same time, always check whether any of the websites (tabs in the web browser) has been replaced with a different website. Failure to notice that a website has been replaced with the fraudster’s website may contribute to the unintentional logon to the fake substituted BGK system website and provide the fraudster access to your login details.
- Before sending/authorising a transfer, make sure that the entered account number of the recipient was not substituted by malware. Check the account number against the source document.
- Monitor the account and operations history on an on-going basis.
- Regularly check to make sure that account numbers assigned to defined counterparties were not substituted.
- Immediately report any suspicious and unusual behaviour of the BGK system, suspected computer infection and unauthorised change of data in the BGK system (transfers, counterparties) to the Bank.
Check if your browser settings are compliant with the guideline below.
- Browser cache memory - In Tools menu select: Internet options / Advanced / in the Security section select: "Do not save encoded websites to the (hard) drive".
- Handling TLS protocol - In the Tools menu select: Internet options / Advanced / in the Security section select: "Use TLS 1.0 encoding", "Use TLS 1.1 encoding", "Use TLS 1.2 encoding".
- Temporary internet files (cache memory) - In Tools menu select: Internet options / General / in Browsing history section / Delete, select: "Delete files". In Tools menu select: Internet options / General / in Browsing history section / Settings select: "Check for newer versions of stored websites: every time I visit the website".
- Anti-phishing protection - In Tools menu select: Filter phishing pages, select: "Activate checking the Web automatically".
- Browser cache memory - In the menu select: Options / Advanced / Network, and in the "Cache memory content" select: "Clear now". You can also limit the use of cache memory or deactivate it altogether.
- Handling TLS protocol - In the menu select: Options / Advanced / Encoding, select "Activate TLS 1.0 support".
- Temporary internet files (cache memory) - In the menu select: "Clear browsing history" - select "Cookies" and "Cache memory" and click "Clear now". You can also define the period, from which the cache memory will be deleted.
- Anti-phishing protection - In the menu select: Options / Security select: "Block pages reported as posing threats" and "Block pages reported as attempts at internet fraud".
- Browser cache memory - In the menu select: Settings / Show advanced settings / in Privacy section choose "Content settings..." and select: "Allow for storing data locally".
- Handling TLS protocol - In the menu select: Settings / Show advanced settings / in HTTPS/SSL section choose "Verify server's certificate expiration date"
- Temporary internet files (cache memory) - In the menu select: Tools and command "Clear browsing data". In the opened popup window, you can choose the types of information and time scope, from which you want to delete data.
- Anti-phishing protection - In the menu select: Settings / Show advanced settings / in Privacy section choose "Activate protection against phishing and malware".
- Browser cache memory - In the menu select: Settings and in the Privacy and security tab, in the Cookies section, select the option "Enable establishing local data".
- Handling TLS protocol - In the menu select: Settings / Preferences / Advanced, and in the Security tab, select the option Security protocols, and select: "Activate TLS 1 support", "Activate TLS 1.1 support" and "Activate TLS 1.2 support".
- Temporary internet files (cache memory) - In the menu select: Settings and the option Clear browsing history, then open the drop-down list Details and select "Delete all cache memory".
- Anti-phishing protection - In the menu select: Settings / Preferences / Advanced and in the Security tab, select: "Activate protection against phishing and malware".
- Browser cache memory - In the menu select: Preferences / Security / in the Accept cookies section, you can choose if and when Safari is supposed to accept cookies from the opened pages.
- Handling TLS protocol - In the menu select: Preferences / Advanced / in the Proxy section, select Change settings. A popup window will open - choose the tab Advanced and select: "Use TLS 1.0", "Use TLS 1.1", "Use TLS 1.2".
- Temporary Internet files (cache memory) - In the menu select: Preferences / Security and Show cookies. You can delete selected or all cookies.
- Anti-phishing protection - In the menu select: Preferences / Protection and select the box "Show warning when visiting a fake page".
Minimum browser versions required for correct support of BGK systems:
- MS Internet Explorer 7;
- Mozilla Firefox 3;
- Opera 11;
- Chrome 12;
- Safari 4.
If a browser is in a different version and the instructions above do not apply, we recommend using the instructions on websites of their respective developers.
Information and security warnings published at www.bgk.pl/bezpieczenstwo must be monitored on an on-going basis.
Users of the individual BGK system should report security problems and suspicious events in the following forms:
- by telephone:
- by sending an e-mail to the following address:
- by reporting information about the incident via a contact form available at www.bgk.pl.
In each situation raising concern, especially when the anti-virus software has detected malware, there is a suspicion that login details, i.e. login and password, may have been leaked, you should immediately contact the bank. Where there is a need to block the access of Users whose login details have been leaked, it is necessary to file a request to once again grant access to indicated Users.
In the case of detecting malware, receiving information from the bank about suspicious transactions or any occurrences to the IT system or BGK system that raise doubts, it is necessary to immediately conduct an analysis aimed at:
- browsing the order history, verifying all transfers currently visible in the transfers online banking system – both those already executed and those awaiting acceptance – in terms of whether they have been modified by a virus or an unauthorised person, especially the correctness of the banking account of the transfer's beneficiary;
- verifying the details of defined counterparties – in particular whether their account numbers have been modified by a virus or an unauthorised person.
In the case of detecting an unauthorised entry, modification or deletion of a transfer order or modification of the counterparty, it is necessary to immediately notify the bank about such occurrence and not allow the suspicious order to be signed/authorised or not allow the use of modified details of the counterparty in new transfer orders. In the case of detecting the entry of an unauthorised transfer order or unauthorised modification of a transfer order and when the relevant transfer has already been accepted and sent, it is necessary to immediately inform the bank thereabout and report a suspected offence to law enforcement authorities.
If it is suspected that the ICT system has been attacked or there was an attempt to manipulate the BGK system, ICT devices that may have been targeted in the attack must be disconnected from the network (no data should be removed from the infected computer and it should not be scanned; these actions may make it difficult or impossible for law enforcement authorities to investigate the incident). In such case, it is recommended for specialised IT personnel to carry out an in-depth analysis of ICT system’s security.
Bank Gospodarstwa Krajowego is not liable for the actions of a User of a computer used to log in to the BGK system as well as for the consequences of interference in the computer system or the Internet connection by third parties.
The above rules should be treated as basic security guidelines, whereas the threats described below are only examples which the bank indicates for informational purposes – they do not exhaust this extensive area.
It is crucial to realise that each of us is currently exposed to cyber threats. It is also important to realise that criminals do not necessarily have to employ complicated schemes and that what makes most thefts possible is the human factor and failure to observe basic security rules.
Criminals operate in various ways and reports of their endeavours are regularly published in the media. Fraud attempts targeted at the clients of online banking are ultimately aimed to execute payments or withdrawals from the account to the benefit of criminals (e.g. to an account in another bank).
Criminals most commonly use social engineering, understood as a set of methods aimed to induce a specific action, e.g. to obtain information. This technique utilises interpersonal skills and the ability to manipulate people,
in combination with IT knowledge provides a wide spectrum to gain knowledge about Users, their ICT systems, operating methods and data held.
At present, the applied attack methods oftentimes are an interpretation of several known – including those described below – methods of phishing for confidential data (e.g. login, password, single-use authorisation code in the electronic banking system) or manipulation (e.g. fake invoices, impersonating superiors) that, in consequence, enable those who employ such methods to break into the system or divert funds. Below there are several of many forms of fraud that are used.
A form of fraud where a criminal impersonates another person or institution to obtain specific information (e.g. login details, credit card details) or persuade the victim to perform specific actions. It is a type of attack based on social engineering. It may be carried out by persuading the potential victim to enter a fake website or log in to electronic banking – the address or appearance of which may be confusingly similar to the actual login website. Phishing may also consist in an attempt to persuade someone to divulge confidential login details and authorise a transaction via e-mail or by phone.
It is important to always enter the address of the BGK system login website manually or log in via www.bgk.pl (“Login zone” tab). Login shortcuts saved in the web browser or clicking on links received in e-mails, instant messages, text messages, etc. are susceptible to manipulation and used by criminals.
When sending fake e-mails, criminals use various methods based on social engineering to elicit trust, interest or fear, for example:
- sender is a publicly known entity providing mass services (postal operator, energy provider, phone operator, etc.),
- message pertains to a particularly attractive but time-limited offer,
- message informs about an outstanding invoice,
- pertains to an allegedly sent message that was not delivered to the addressee,
- pertains to the need to provide login details to the electronic banking system due to a malfunction of this system, so as to “verify them for security reasons” or “reinforce security measures used in the logon process”, etc. However, it is necessary to remember that the bank never sends such messages!
When using ICT devices, it is also important to develop a critical approach to any unexpected correspondence (e-mails, text messages, phone calls from unknown numbers, etc.) that raises suspicions or requires its recipient to take urgent action. Never open attachments and click on links included in such messages; never download and launch software from the Internet on your own (this task should be left to IT personnel); never provide login information or any other sensitive data by phone.
By clicking on unverified links, opening attachments to e-mails, launching software downloaded from the Internet, entering suspicious websites, you are putting yourself at significant risk of infecting your computer with malware (computer virus). In the case of some threats, even a reputable and correctly configured anti-virus software will not provide protection against the installation of a virus in the ICT system. Such infection is also possible due to failure to update either the operating system or any other computer programme in use; this is due to the existence of the so-called software exploits that were not eliminated by means of an update. That is why using the latest versions of software is so important.
There are many types of malware, but it is important to realise the consequences of its operation after it has successfully infected the system:
- it may send data saved or entered on the computer device, enabling the execution of payments in electronic banking, to criminals,
- it may substitute the beneficiary’s bank account when using the “copy – paste” method to enter that number in the transfer order,
- it may infect other files upon their launch or creation,
- it may replicate in the infected system,
- it may delete or damage data,
- it may encrypt the contents of a computer device (e.g. to demand ransom in exchange for providing a password to decrypt the device),
- it may slow down the operation of a computer device.
Recently, many infections result in the installation of ransomware/cryptolocker. A computer infected in this way becomes encrypted and to be decrypted, it requires entry of a password that is known only to the criminals responsible. In exchange for providing the password, criminals demand ransom – most often in a cryptocurrency (e.g. bitcoin). Examples of ransomware/cryptolocker type malware include: Cerber, Locky, CryptXXX, CrypMIC, PCrypt, Petya, Mischa, Crypt0L0cker. Such infection may result in the inability to use computers and, if there is no up-to-date backup copy of the system and data, may result in the loss of data.
Criminals are able to easily draft an e-mail message or text message in such way, so as to make it appear to come from the correct address or phone number of the addressee’s superior. Before executing unusual orders given to us in such messages sent by electronic means, always – either personally or via another independent channel – verify whether those orders are accurate. It may be useful to gain more in-depth knowledge on this subject by entering “fake CEO fraud” in the search engine.
Any and all new payments (e.g. the first invoice from the relevant counterparty) or changes to the counterparty’s bank account number must be confirmed via an independent channel. It is important to make sure that the communication does not consist in replying to the address of the sender of the message that contains information about a new bank account of the counterparty; neither should it be a contact made by telephone to the number indicated in such a message. If the message was sent by a fraudster, both the sender’s address and the counterparty’s phone number indicated in that message could be fake.
The Cookies Policy (hereinafter: "the Cookies Policy") has been prepared in accordance with the obligations under the Act of 16 July 2004 (Telecommunications Law) (hereinafter: “Telecommunications Law”).
These obligations are similarly carried out throughout Europe as a result of the implementation of Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users' rights related to electronic communications networks and services, the Directive 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.
In the Cookies Policy, we describe the types of cookies and other technologies used on www.bgk.pl (hereinafter: "Portal"), owned by Bank Gospodarstwa Krajowego (hereinafter: "BGK" or "Bank"). We also explain the purpose of these files.
You may renounce the use of such files at any time by configuring your browser settings.
This Cookies Policy consists of the following parts:
- What are cookies?
- What kind of cookies do we use?
- How long is the data stored in cookies?
- Can I control cookies?
- How to delete cookies?
What are cookies files ?
Cookies are small text files placed in a selected folder of your browser, saved and stored on your computer, tablet or smartphone when you visit various websites on the Internet. While browsing the website, this type of file on the device will send some information to the browser. Cookies are very common and used on almost all websites because they are very useful. They enable the website manager, among others, to determine whether the user has connected to the website from a given computer. A cookie file usually contains the name of the website it comes from, the "lifetime" of the cookie (i.e. its time of existence) and a randomly generated unique number used to identify the browser from which the website is connected. Cookies are used to improve operation of the website and to make it more attractive to the user, and may also be used for advertising purposes (as explained below).
Cookies can also be used to improve the performance of the Portal in your browser, enable correct operation and presentation of multimedia content (video, maps, some Flash animations). Cookies are also necessary for the proper integration of the website with social network services such as Facebook.com or Twitter.com.
What cookies are used by www.bgk.pl?
BGK uses several types of cookies:
Internal cookies - files placed and read from the user's device by the Portal's IT system.
External cookies - files placed and read from the user's device by the ICT systems of external portals.
BGK cooperates with external portals that may place cookies on user's devices. These are, for example, Google Analytics (statistical purposes), Facebook, YouTube (advertising purposes).
Session cookies - temporary cookies that remain on your device until you leave the Portal. These are files uploaded and read from the user's device by the Portal or external services during one session of a given device.
Persistent cookies - files that remain on your device for much longer, e.g. until they are manually deleted. These files are not deleted automatically after the end of the device session, unless the configuration of the user's device is set to the "deleting cookies after the end of the device session" mode. How long a cookie will remain on your device depends on the cookie's "lifetime" and your browser settings. Persistent files allow us, for example, to determine a new and returning user, thus enabling us to analyze the statistics of our Portal.
Some websites that you visit may also collect information using pixel tags (also known as clear gifs), which may also be made available to third parties who directly support our promotional campaigns and the development of the Portal. For example, information on the use of the website by visitors to the Portal may be made available to third parties, i.e. advertising agencies, in order to better position web advertising banners on our Portal.
How long is the data stored in cookies?
Session files remain on the user's device until logging out of the website or leaving the Bank's website. Persistent cookies are installed for a different period of time. They can be active for several days, months or years so that information, about e.g. how users have used the website, is not lost.
Can cookies be controlled?
Most web browsers are initially set to automatically enable cookies. You can change the settings so that cookies are blocked or that you are informed that they are being sent to your devices. There are many ways to manage cookies. Detailed information on how to adjust or change browser settings related to cookies can be found in the instructions of each web browser (or by displaying "help" in the browser).
If you block the cookies we use, it may degrade the quality of our Portal, for example, you may not be able to visit certain areas of the Portal or not receive personalized information while browsing. If you use different devices to browse the Portal (e.g. computer, tablet or smartphone), you must make sure that each browser on each device is properly adjusted to your preferences.
You can also delete any cookies saved so far at any time using the browser tools through which you use the Portal.
How to delete cookies?
- In the upper-right corner of the Firefox window, click Open menu (three horizontal lines) and select Options.
- Then select the Privacy tab.
- From the drop-down menu in the History section, select: Firefox: use user settings.
- Check Accept cookies to enable, uncheck to disable cookies.
- Select the storage period of cookies:
Store: until they expire - cookies will be deleted upon reaching the expiry date, which is determined by the website sending the cookie.
Store: until Firefox is closed - cookies stored on your computer will be deleted when Firefox is closed.
Store: ask me every time - each time a site tries to send a cookie, the browser will prompt you to decide whether to store the cookie.
- Close the options window to save the settings.
- Google Chrome:
- In the upper right corner of the Google Chrome address bar, select Customize and control Google Chrome (three horizontal lines).
- Select Settings.
- Scroll to the bottom of the window and click Show Advanced Settings.
- In the Privacy section, click the Content Settings button.
- In the Cookies section you can change the following cookie settings:
Block attempts to put data from websites on your computer.
Block cookies and data from third-party sites: select the Ignore exceptions check box and block the creation of third-party cookies. Remember that this setting prevents most sites that require logging in from working.
- Internet Explorer 9:
- In the browser window, click the Tools button, and then select Internet Options.
- Click the Privacy tab, then under Settings, move the slider to the highest position to block all cookies, or to the lowest position to allow all cookies, and then click OK.
Choose Safari> Preferences, click Privacy, then do any of the following:
Change how you accept cookies and site data: Select one of the options next to Cookies and site data:
Always block: Safari doesn't allow websites, third parties, and advertisers to store cookies and other data on your Mac. This may prevent some websites from working properly.
From the current website only: Safari accepts cookies and website data only from the website you are currently viewing. Websites often contain embedded elements from other sources. Safari does not allow these third parties to store and access cookies and other data.
From websites you visit: Safari accepts cookies and website data only from websites you visit. Safari uses existing cookies to determine if the website has been visited before. Selecting this check box helps prevent your Mac from storing cookies and other data for sites that have embedded material from other sites.
Always allow: Safari allows all websites, third parties, and advertisers to store cookies and other data on your Mac.
Blocking cookies in the Safari browser on iPhone, iPad or iPod touch.
Cookie settings Settings> Preferences> Advanced> Cookies.
The cookie settings allow you to control the way cookies are handled. By default, all cookies are accepted.
The following options are available in Opera:
Accept cookies - all cookies are accepted (option set by default).
Accept cookies only from the website I visit - all cookies from domains other than the domain visited are rejected.
Never accept cookies - All cookies are rejected.
Please be advised that:
The Administrator reserves the right to change this Cookies Policy at any time without informing the users about it.
The changes made to the Cookies Policy will always be published on this subpage of the Portal.
The introduced changes enter into force on the date of publication of the Cookies Policy.