- Secure passwords
- Phishing and Smishing
- Cards and e-commerce
- Computer attacks
- PSD2 for you
BBVA offers you all the means at its disposal to guarantee secure operations through a secure password system.
The PIN of your BBVA card and the PIN for accessing BBVA.pt are private codes that must be kept secure. They are stored in an irreversible encrypted format in our internal systems so that no one at BBVA can learn them.
BBVA will never ask for your BBVA.pt credentials or any other personal or banking information by email or SMS. If you receive a message of this type, please do not provide this information through these channels.
Browsers allow you to store user codes and passwords for the websites you access. BBVA recommends never storing your login passwords for our Distance Banking service on a computer or tablet. These devices can be subject to computer attacks and your passwords could be exposed.
- Use complex passwords that are difficult to guess, containing upper and lower case letters interspersed with numbers and symbols.
- Passwords are secret, so do not share them with anyone and change them regularly.
- Do not write down passwords on post-its or notepads. Memorize them or use specialized password managers.
- When using computers that are shared or connected to public Wi-Fi networks, do not enter your access credentials or provide personal data, such as your postal address, telephone, etc.
- Whenever possible, we recommend that you enable two-step authentication for services that allow it. These are systems in which, in addition to the login password, another type of identification is required (e.g. a code sent to the cell phone). This system adds another layer of security to your accounts.
- If you receive a confirmation via SMS for an operation you did not perform, immediately contact your Adviser or the BBVA Net and Card Helpline on 800 208 208 (+351 21 391 14 11 from abroad).
What is Phishing and Smishing?
Phishing is an email attack in which someone sends you an email impersonating an entity in an attempt to trick you into providing your passwords.
Smishing is similar but through SMS or WhatsApp: all you have to do is reply in order for them to access your data.
How do I avoid these attacks?
BBVA will never ask you for your bank details through any channel other than the BBVA Mobile website or app.
- Check if the subject or body has spelling mistakes and always look to see if the sender's email address contains bbva.com or bbva.pt.
- Keep in mind that a secure website always begins with https:// and be wary if the URL is misspelled or has strange symbols, e.g. www.bb-va.informac%o.com.
- Remember that if you have any doubts, before clicking on any link or downloading any file, it is best to contact your Adviser or the BBVA Net and Card Helpline on 800 208 208 (+351 21 391 14 11 from abroad).
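The sender and link checks from the list above, written out as code. This is an added example, not BBVA's own code: the function names are hypothetical and the only trusted domains assumed are the two the page names. It compares the complete host name instead of searching for a trusted name somewhere in the text, because an address can contain "bbva.com" and still belong to another domain.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains the page names as legitimate for sender addresses.
TRUSTED_DOMAINS = ("bbva.com", "bbva.pt")


def is_trusted_host(host: str) -> bool:
    """True only for a trusted domain itself or one of its subdomains."""
    host = host.strip().rstrip(".").lower()
    try:
        # Internationalised look-alike letters become xn-- labels and fail the match.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return False
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_sender(header_value: str) -> bool:
    """Judge the real address domain, not the display name or a substring."""
    _display, address = parseaddr(header_value)
    local, sep, domain = address.rpartition("@")
    return bool(local and sep) and is_trusted_host(domain)


def check_link(url: str) -> list:
    """Return the reasons a link fails the checks; an empty list means it passes."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname or ""
        has_userinfo = parts.username is not None
    except ValueError:
        return ["URL cannot be parsed"]
    problems = []
    if parts.scheme != "https":
        problems.append("does not begin with https://")
    if not host or "%" in host:
        problems.append("missing host name or strange symbols in it")
    elif not is_trusted_host(host):
        problems.append("host is not bbva.com or bbva.pt")
    if has_userinfo:
        problems.append("text before '@' disguises the real host")
    return problems
```

A link that passes these checks is only not obviously forged; the advice to call the helpline when in doubt still applies.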
BBVA offers you all the means at its disposal to guarantee security in your operations with your BBVA Cards.
BBVA cards can be activated on BBVA.pt or through the BBVA Helpline on 707 256 256 (+351 21 391 14 16 from abroad), available Monday to Friday from 7 am to 9 pm and Saturdays from 9 am to 9 pm.
BBVA cards can be cancelled through the Digital Channels, BBVA.pt and the BBVA Mobile app, or through the BBVA Net and Card Helpline on 800 208 208 (+351 213 911 411 from abroad), 24 hours a day, 7 days a week.
- Do not use any personal details for your card's PIN, such as your date of birth or your car's license plate number, and do not share it with anyone.
- Report a lost or misplaced card immediately by calling the BBVA Net and Card Helpline on 800 208 208 (+351 213 911 411 from abroad). The speed at which you call is fundamental.
- When making a
In addition to the security measures established by BBVA, you should take precautions when browsing the internet to increase the security of your daily activity and avoid becoming a victim of cyberattacks.
Currently, some of the
- The operating system and applications must always be
What is the PSD2?
The second European Directive on Digital Payment Services (Payment Service Directive 2) was implemented in November 2015 by the European Commission for the benefit of consumers. How? By improving security in electronic payments, promoting innovation and competition between countries and suppliers, and contributing to the development of a more integrated and efficient payment market across Europe.
In addition, PSD2 establishes certain Regulatory Technical Standards (RTS) to improve customer authentication. These began to be implemented on September 14, 2019.
What is SCA?
Among the most important items introduced by PSD2 is enhanced customer authentication, known as SCA (Strong Customer Authentication). This is a compulsory procedure used to authenticate customers using two factors belonging to any of the following categories:
- Something that only the customer knows, like a PIN or password.
- Something that only the customer possesses, like his or her cell phone.
- Something that only the customer is, like a fingerprint.
This two-factor authentication procedure is mandatory each time the customer:
- Logs in to his or her online accounts (on the website and app).
- Initiates electronic payment transactions (transfers, e-commerce payments, etc.).
- And/or takes some action through remote third-party channels that were not used until now.
It is important to highlight that there are cases in which it will not be necessary to apply SCA, e.g. for payments with a gift card or purchases of low value. Nevertheless, cardholders must be aware that this additional security validation needs to be carried out more often than before.
What does this regulation imply?
All parties involved in an e-commerce process in Europe, including banks, payment service providers with Visa or Mastercard, businesses, etc., must implement additional measures to ensure that they comply with the regulatory requirements of PSD2.
Customers may encounter different ways of accessing their accounts through remote channels (app or website) or different ways of making electronic payments such as bank transfers, online purchases, or physical payments with contactless cards in Europe.
What does this mean for me as a BBVA customer?
At BBVA we have been working for a long time to adapt our high security standards to the new requirements of this directive, always with the goal of maintaining a great user experience for our customers.
Therefore, whenever the regulations allow and our security measures, which are “invisible” to customers, guarantee that the transaction is carried out by the customer, we will avoid using the two-factor authentication process. This will make transactions more convenient. When required by law, we will request two-factor authentication.
Here are some simple examples to help you understand how these developments, which work to ensure the safety of your money, will affect you.
1. A customer paying on an online store with a card:
- They access the payment page of the online store as usual.
- They are asked to enter their card details.
- To complete the transaction, they will be asked for additional security information (what is called “credentials” and which may be a one-time key). This information may be requested on the same page or via an application on the mobile phone.
- When the credentials are authenticated, the usual transaction confirmation page will then be displayed.
2. A customer paying in a physical store with a Contactless card:
- They pay by placing the contactless card near the payment terminal.
- It is possible that they will be asked to enter their PIN more often than usual: when making more than 5 Contactless payments of less than €20 or when the sum of the Contactless payments exceeds €100.
3. A customer wants to access their accounts via the website or the app:
- Beginning in September, when the customer first enters the app or online banking website, two-factor authentication is requested.
- Every 90 days or when accessing information older than 90 days, they will be asked again for enhanced authentication, as required by the regulations.
- Once authenticated, they can access their accounts as usual.
Do I have to do anything?
Yes. It is important that BBVA has your updated and certified cell phone number, as we will use it as an authentication factor with a One Time Password (OTP) which you will receive on your cell phone to authenticate access to accounts and conduct electronic transactions.
If your cell phone is not certified, meaning we are not sure that the person receiving the unique access code is you, you will not be able to access your accounts via the website or the app or make payments online.
To certify your cell phone, speak with your Adviser as soon as possible.
For more information call the BBVA Helpline on 707 256 256 (+351 21 391 14 16 from abroad) available Monday through Friday from 7 am to 9 pm and on Saturdays from 9 am to 9 pm or talk to your account manager.