We take security seriously and we do everything we can to keep your money, investments and information safe.
We are constantly reviewing our physical, electronic and procedural security controls in view of new and emerging threats in an effort to keep us all better protected. You must also help to keep yourself protected by taking reasonable precautions and staying alert to understand what a potential or actual attack may look like.
This short security guide aims to explain the following topics:
- Encryption
- Fraud Prevention
- Protecting Your Identity
- Common Attack Types and Tips to Help Protect You
- Fraud Protection Links and Resources
- Keep Us Updated
- Who to Contact for Help
Please Note: While we make every effort to present reliable and accurate security information neither we nor any third parties involved in the management or maintenance of our websites provide any warranty or guarantee as to the accuracy, completeness or suitability of the information on our websites for any particular purpose. You acknowledge that such information may contain inaccuracies or errors and we expressly exclude liability for any such inaccuracies or errors to the fullest extent permitted by law.
Your use of any security information on our websites is entirely at your own risk, for which we shall not be liable. It shall be your own responsibility to ensure that any information available through our websites meets your requirements and personal circumstances.
Encryption
We use SSL (Secure Sockets Layer) Certificates, the most widely deployed security protocol in use today, to help protect data while you are visiting our websites. This security technology establishes an encrypted link between the website server and the browser to decrease the risk that data passed between the two can be intercepted or tampered with. Almost all modern browsers support SSL Certificates.
The SSL Certificates we use are a minimum of 2048 bits which is the size of the key used to encrypt and decrypt files – and this size is considered by today’s computing standards to be sufficient to protect data in transit.
A Padlock or Green Bar at the top of your internet browser indicates that an SSL Certificate is protecting the link. Note: If the Padlock is Open or you receive a Warning, the connection is not secure.
Both our main website (https://www.pilling.co.uk/) and Client Web Access (CWA) (https://www.pillingcwa.co.uk/) are protected by SSL Certificates so you know you are on the genuine site with an encrypted link between the website server and the browser. We use an Extended Validation (EV) SSL Certificate on CWA to provide extra assurance you are visiting our authentic site. Examples of what this may look like in your browser are as follows:
Main Website SSL Certificate Examples
CWA Website EV SSL Certificate Examples
Note: Please see your browser documentation to learn how to view SSL Certificate details.
Our https://www.pilling.co.uk/ website uses a Let’s Encrypt Authority X3 Certificate.
Our https://www.pillingcwa.co.uk/ website uses a Symantec Corporation EV SSL Certificate Issued by “Symantec Class 3 EV SSL CA – G3”.
Our webserver supplier regularly uses security scanning tools to proactively monitor for new attacks and block them automatically.
Fraud Prevention
Fraudsters may use the telephone (mobile or landline), text messages, emails, social media or the postal system to try and obtain your information in order to mount an attack on you or your finances. Sometimes fraudsters may even pretend to represent us, the police or other agencies. At the start of this section we give you some Tips to help you be more secure and give ideas on how you can help Protect Your Identity. We then outline the most Common Types of Attack and offer Tips you can use to Protect Yourself along with examples of Common Scams. In the final part of this section we outline how Security Updates and Security Products can help offer you some protection.
Tips – Passwords
- Never reveal security details or passwords to anyone – no matter who they pretend to be, act or sound.
- Always use a strong and long password (this should incorporate numbers, uppercase and lowercase letters, symbols and be at least 8 characters in length).
- Always use a unique password for each service or website you use which is not easily guessed or follows an obvious pattern – this reduces the overall impact if one password is compromised.
- Always change your password regularly – don’t use something that is easy to guess or associated to you.
- Always make sure you are visiting an authentic site, shown by the SSL / SSL EV Certificate, before using security details or your password to access a service.
Tips – Storage of Security Information
- Always try to memorise security details and passwords – making sure you destroy any paper or electronic copies. If you can’t remember all your security details or passwords store those which you can’t in physically secure places only known and accessible by yourself – but only store them in a coded form that you understand so if they are uncovered by someone else they are not understood.
- Always protect your security information and passwords as you would a valuable item.
- Always keep valuable documents (including all copies of them) electronic, paper or otherwise physically locked away where only you can access them.
- You should only carry documents or information you really need to in order to prevent unnecessary loss or theft.
- Never keep account details / security details and passwords together in the same place in case they are all accessed by an unauthorised person / system.
Tips – Connections
- Always use secure or trusted connections to access the internet or email with your internet access device – it is recommended that you only use connections that you have direct control over – be extra vigilant using wireless hotspots as there is an increased risk of your details being intercepted. Change your password immediately and inform relevant parties if you suspect your information may have been intercepted.
- Always log out when you have finished on CWA and close your browser window – we may automatically log you out of your CWA account after a period of inactivity to prevent someone else from using your account.
Tips – Internet Access Devices
- Always protect all your devices from unauthorised access at all times – it is recommended that you only use devices that you have direct control over.
- Always protect your email account and phone from unauthorised access at all times.
- Always utilise all security features available on your device to help protect you – such as locks, passcodes, PINs, passwords, encryption etc.
- Never allow your device to store your account details / security details or password in case the device itself is compromised – especially if someone else may have access to your device.
- Never leave your device unattended while logged on CWA or allow anyone, or anything e.g. CCTV cameras, to monitor you while using the service.
- Never use shared computers such as those in internet cafes – they may contain devices to record all of your activity and keystrokes which may include your account / security details and password.
Tips – Disposal
- Always destroy documents with your name, address or other personal or financial information on it using a cross-cut shredder machine – to ensure they cannot fall into the wrong hands and be used against you.
- Always permanently erase all your data from any device you are destroying, selling or giving away – you must follow the manufacturer instructions to permanently remove all your data from a device to prevent it being recovered.
Tips – Social Media
- Never display any personal data on social media which could aid an attacker to compromise your account or identity – also be cautious of what friends and family display about you such as your birthday or address and always remove anything you believe inappropriate.
Tips – Security Tools
- Always utilise all security features available on your device to help protect you – such as locks, passcodes, PINs, passwords, encryption etc.
- Where possible install and use antimalware, antivirus and firewall tools etc. to enhance your device protection.
Tips – Email
- Always treat all emails with caution no matter how convincing the content of an email may appear.
- Always let us know if your email has been compromised in case your CWA account has been compromised too – telephone us immediately so we can protect your accounts.
- Never open attachments or click on links you are not expecting – if you receive something unexpected or unusual from someone you know, such as an attachment or link, as a minimum contact them by telephone to verify the authenticity and content of the email first.
- Never send sensitive information, especially personal information, account details / security details or passwords by email in case they are intercepted or your email account is accessed by an unauthorised entity.
Tips – If you are Contacted
- Always be wary of unsolicited or unexpected contact, especially requesting information.
- Always call and ask us if you are unsure about anything you receive where you suspect a scam or fraud involving your account.
- Always be suspicious of anyone who contacts you unexpectedly even if they claim to be from us, the police or other agencies – as a minimum always call the organisation back using their official contact number to verify the original call was genuine.
- Never respond to scams or suspected scams no matter how tempting or convincing, and if you do so by mistake change your passwords and let us know immediately.
Security Updates
Updates, or ‘patches’ as they are sometimes called, are pieces of software designed to update a computer program or its supporting data once installed to fix or improve it. These updates very often include security vulnerability fixes too. Since these updates are designed to improve usability, performance and security, it is recommended that you always perform all vendor updates. Devices that are not regularly updated are especially vulnerable to malicious attack.
Device / Operating System / Browser Security
- Always keep your device / operating system / browser updated with all vendor updates, especially those that relate to security.
- If possible you should set your device / operating system / browser to automatically perform updates so you don’t have to remember – although you should still regularly review the status of updates to ensure the automatic system is working correctly.
- If your device / operating system / browser cannot automatically perform updates then you should regularly find out if the vendor recommends any security updates.
Security Products
Fraudsters and hackers can attack your computer through various means whether you are connected to the internet / network or not. Malware can spread not only through infected internet downloads but also through removable media (e.g. CD, DVD, Memory Stick, USB Drive etc.). You should always utilise the basic device / operating system / browser security features offered by vendors but you can also install additional security products that can enhance security. Some of these types of products are:
- Antivirus / Antimalware
- Personal Firewall
- Anti-Spyware
- Identity Theft Protection
- Encryption
- Backup
In summary the following tips should ensure you get the most out of any additional security products you use:
- Always choose reputable products.
- Always ensure products are regularly updated and where necessary they update their definition or signature files as often as possible e.g. Antivirus updates.
- Always perform full scans of your device / operating system regularly.
- Always review the product selections, settings and understand the product features – don’t rely on just installing the product for a level of protection.
- Always store backups of important information separately from your device and this should be offline i.e. not connected to the internet / network.
Keeping Updated
- Always stay updated on threats, scams and vulnerabilities so you know what to look out for to help protect yourself.
Contact Us
- Always contact us immediately if you have a chequebook stolen or suspect someone has copied or fraudulently used a cheque.
- Always contact us if something you were expecting hasn’t arrived such as a statement or summary.
- Always contact us immediately if you suspect any security details or passwords have been compromised.
- Always contact us if you think any email appearing from us is not genuine.
- Always keep your details with us up to date if you move address, change phone number or email address.
Please Note:
- Never send security related information or account details using our website Enquiry or Feedback Forms – please use the secure message facility in CWA or contact us by phone.
- We will never discuss account details unless we can verify we are speaking to the account holder or authorised and nominated account representative.
- We will never ask for your security details or passwords, or direct you to a webpage or phone number which requests this information.
- We may lock your CWA account if you enter your password incorrectly too many times – this is to prevent an attacker from gaining access to your account by trying lots of different combinations. We can unlock your account after verifying your identity if you do accidentally lock your account.
- If we send you an email that bounces back, we will where possible try to resend it but we cannot be held responsible for missing or incomplete emails as we have no control over them once they are sent.
- You will be held responsible if you act fraudulently or allow unauthorised access to CWA or your account(s) using your details.
Protecting Your Identity
Your identity and personal information are valuable. Fraudsters and criminals can use your identity to open bank accounts, acquire credit cards and loans etc. The following topics in addition to the Tips in the previous section will help explain what Identity Theft is and what you can do to protect your identity and prevent it from being stolen.
What is Identity Theft
Identity Theft is typically where a fraudster takes your personal information and uses it without your knowledge.
Why is Identity Theft Important
Identity Theft is a huge issue and can affect you in many ways including your credit rating. Fraudsters can open bank accounts and acquire credit cards and loans for example – all pretending to be you.
Top Tips to Prevent Identity Theft
- Passwords – see Tips
- Storage of Security Information – see Tips
- Connections – see Tips
- Internet Access Devices – see Tips
- Disposal – see Tips
- Social Media – see Tips
- Security Tools – see Tips
- Email – see Tips
- If you are Contacted – see Tips
- Always immediately report a loss, misplacement or theft of important identity documents to the relevant authority e.g. driving licence / passport.
- Always check your statements as soon as they are available to make sure all entries are correct, and report anything you don’t understand or that may be incorrect – no matter how small.
- Always regularly check your credit score and question any changes you are unsure about.
- Always inform all organisations which have your postal address if you move house and get all your mail redirected to your new address for at least a year.
- Always be extra cautious on holiday or when abroad as to where you store personal information to prevent unauthorised access – make use of a sealed, signed envelope in a hotel safe / deposit box if necessary.
- It is recommended that you use an antispyware product on your internet access devices to help protect your identity.
- Never reveal security details or password information to anyone that contacts you – always telephone the organisation using their official contact number to let them know you have been contacted.
- Never reveal any information to anyone that contacts you if you regard it as suspicious – always telephone the organisation using their official contact number to let them know you have been contacted and they can discuss with you if the contact was genuine.
- Never follow instructions from a supposed ISP, IT or software company purporting to be updating or fixing your computer – they are typically after your personal information.
Possible Signs of Identity Theft
- Items on statements you don’t recognise.
- Invoices / Bills for things you haven’t ordered.
- Items or paperwork you have ordered / requested which you don’t receive.
- Paperwork you have been sent which doesn’t make sense.
- Receipt of demand letters for payment of debts you don’t recognise.
- You are the victim of a burglary or theft.
- If you have been refused credit.
If you Suspect Identity Theft
- Always report a suspected identity theft to the police immediately and get a Crime Reference Number (CRN).
- Always contact us and all relevant financial institutions to inform them you may have been a victim of identity theft.
- Always check all your statements immediately and identify any fraudulent or potentially fraudulent activity.
- Always change security details and passwords for any account which may have been affected.
- Always get a credit report from a credit reference agency and ask them for help.
- Always check to make sure fraudulent postal mail and / or email redirects have not been set up.
Common Attack Types and Tips to Help Protect You
In this section we outline the most Common Types of Attack and offer Tips you can use to Protect Yourself.
Email Security and ‘Phishing’
What is ‘Phishing’
‘Phishing’ is the term used to describe bogus emails used by fraudsters to trick you into giving away your personal information or other details which help them to launch an attack on you or your accounts.
Tips to spot ‘Phishing’
- The sender may appear to come from a friend, banking or financial institution, social media, or someone you regularly do business with.
- The sender may appear to be from a contact in your address book or someone that you know, perhaps even looking like it came from us.
- The email may request you to do something, often with a sense of urgency or panic. E.g. click on a link, make a phone call or send details – any of which are likely to request you to reveal some personal information (e.g. name, address, date of birth, account details, username, password etc.)
- The To and From email addresses may not look legitimate.
- The email may contain graphics, logos and links that look genuine.
- The email may contain some personal information such as your name to make it appear legitimate.
- The email may contain attachments or links you are not expecting.
- The email may contain spelling, punctuation or grammar mistakes.
Preventing Phishing
- Always ensure that the sender’s real email address and any links in the email are of the company’s domain name (matching the exact spelling, symbols and domain type) – be aware of spoofed domains which look similar e.g. p1lling.com is not the same as pilling.com and never trust the sender’s ‘name’ which can easily be spoofed.
- Never open attachments or click / visit links you are not expecting.
- Never reveal personal information (or anything you are unsure about) to anyone or anything you are unsure about – no matter who or what they pretend to be.
- If you receive something unexpected or unusual from someone you know, such as an attachment or link, contact them by telephone to verify the authenticity and content of the email first.
- There are methods that fraudsters can use to make the link shown in the email differ from its real destination, so always properly verify the links using whatever method is supported by your email client – often you can hover over a link (without clicking) to reveal the real destination.
General Guidance
We can help you identify fraudulent emails by explaining how we may contact you and the content of our emails:
- We will never ask you to reveal security details, passwords or personal information by email.
- We will never ask you to send money to anyone other than ourselves.
- We will never give you a link to any login page other than for our own websites (https://www.pilling.co.uk/ and https://www.pillingcwa.co.uk/).
- We will never send you an attachment which contains executable content – we will where possible link to documents on our websites or CWA where you can view / download the information.
- We will only ever send email to you from our main domain (@pilling.co.uk) – no third party email addresses or domains will be used.
Phone Security and ‘Vishing’
What is ‘Vishing’
Voice Phishing or ‘Vishing’ is the fraudulent practice where a fraudster makes phone calls or leaves voicemail messages purporting to be from a reputable company / individual in an effort to gain personal, security or financial information from a victim when they respond – sometimes sophisticated fraudsters spoof the Caller Line Identity too.
Tips to spot ‘Vishing’
- Always be suspicious of all unknown callers or voicemails requesting information of any kind.
Preventing Vishing
- Always ask questions if you do find yourself speaking to someone who is trying to sell you something or asking for personal, financial or security related information – ask them to identify their name and who they work for then, preferably using a different phone line, telephone the organisation using their official contact number to let them know you have been contacted and they can discuss with you if the contact was genuine.
- Register with the Telephone Preference Service to reduce the number of cold calls you receive – however be mindful that criminals and fraudsters will ignore this service so being registered will not offer complete vishing protection.
- Never reveal personal information (or any other information you are unsure about) to anyone you are unsure about – no matter who they pretend to be or how they contact you.
- Never completely trust calling line identity in case it has been spoofed.
- Never trust numbers / information left in voicemails.
General Guidance
We can help you identify fraudulent phone calls by explaining how we may contact you by phone:
- We will never ask you to reveal security details, passwords or personal information.
- We will never ask you to send money to anyone other than ourselves.
- We will never tell you to visit any login page other than for our own websites (https://www.pilling.co.uk/ and https://www.pillingcwa.co.uk/).
- If you have received a vishing scam purporting to be from us, or if you suspect you have been the victim of a vishing scam, report it to us and the relevant authorities immediately – if possible make a copy of any voicemail messages you have received and make a note of the date, time, calling line identity, details of the caller’s voice and details of what was discussed.
Phone Text Security and ‘Smishing’
What is ‘Smishing’
Smishing is a type of attack using mobile phone text messages in which a fraudster tricks a victim into performing an undesirable action from the content of the text message, such as downloading a virus from a link or incurring a large phone bill by responding to the text.
Tips to spot ‘Smishing’
- You may receive a text message from someone you don’t know.
- You may receive a text message with numbers or links within it.
Preventing Smishing
- Never respond to text messages where you cannot verify the sender.
- Never respond to text messages that request security details, passwords or personal information.
- Never click on links or phone numbers within text messages especially where you cannot verify the sender – be aware that attack messages can be spoofed as coming from someone you do know or who is in your contacts.
General Guidance
- We will not send you text messages as part of our products or services offered to you.
Postal Fraud
What is Postal Fraud
Postal Fraud is the generic name given to a scheme or scam whereby the postal service is utilized to facilitate an attack on a victim.
Preventing Postal Fraud
- Be extra careful if you live in flats or a property with a shared entrance / mail facility – this is where your mail could be stolen or tampered with.
- Be aware of mail redirection fraud – where an attacker, often as part of an identity fraud, will redirect your mail to another location so it can be accessed or tampered with – contact the Royal Mail customer enquiry line to determine if you have a fraudulent redirection in place.
General Guidance
- Always let us and other organisations that hold your address know when you are moving address – it is also always good practice to set up a mail redirection facility for at least a year when you leave an address.
- Always inform us immediately if you suspect any postal mail has gone missing that we may have sent you.
Malware including Viruses, Worms, Trojans, Rootkits, Ransomware and Spyware
What is Malware
Malware, which is short for Malicious Software, is the collective term for any software which is designed to affect normal operation of a computing device. The software may disrupt, damage, gain unauthorised access, gather sensitive data or display unwanted messages. Malware can include Viruses, Worms, Trojans, Rootkits, Ransomware, Spyware and other types of malicious code. Malware is often used to assist fraudsters to commit crime or identity theft.
Preventing Malware
- Always utilise all security features available on your device to help protect you.
- Always use software such as antimalware, antivirus and firewalls to help protect you against malicious activity.
- Always keep your device operating system and programs updated.
- Always be careful what you click or visit when using the internet – don’t install anything you are not certain about.
- Never download or open any documents or attachments unless checked and from a trusted and verified source.
General Guidance
- Always back up your device and store a secure offline copy of the data in case malware damages data on your device.
Downloads / Removable Media
What are Downloads / Removable Media
Many frauds and scams rely on a user downloading a malicious file onto their device from a website or email, or being given one on some form of removable media (e.g. memory stick, USB stick, CD, DVD etc.) – it is this malicious file that can then assist fraudsters to commit crime or identity theft.
Preventing Malicious files from Downloads / Removable Media
- Always utilise all security features available on your device to help protect you.
- Always use software such as antimalware, antivirus and firewalls to help protect you against malicious activity.
- Always keep your device operating system and programs / applications updated.
- Never download or open any documents or attachments unless virus checked and from a trusted verified source.
- Never trust any removable media you find or connect it to your device.
- Never trust any removable media even from a friend or colleague until you have scanned the device using up-to-date anti-virus / anti-malware software.
Social Engineering
What is Social Engineering
Social Engineering, often used within any of the previously described scams / frauds, is where an attacker manipulates a victim into divulging information or acting in a way that they would not have otherwise done. This is often part of a wider scam or fraud and often involves tricking the victim by exploiting aspects of their human nature or manipulating their trust.
Preventing Social Engineering
- Always ask questions if you do find yourself speaking to someone who is trying to sell you something or asking for personal, financial, security related information, or if they ask you to do anything – ask them to identify their name and who they work for then, preferably using a different phone line, telephone the organisation using their official contact number to let them know you have been contacted and they can discuss with you if the contact was genuine.
- Never reveal personal information to anyone you are unsure about – no matter who they pretend to be or how they contact you.
Common Scams
There are many different types of scams but by learning about the most common ones you are less likely to become a victim. The following is a summary of the most popular types.
Pension / Pension Liberation
A Pension Scam / Pension Liberation Scheme often involves pension savings being transferred to an arrangement that allows access to the funds, often before the age of 55. These types of arrangements can often be illegal and can be misleading about the consequences of entering into one of these arrangements.
Boiler Room
A Boiler Room scam, often run from so-called ‘boiler rooms’, is where fraudsters typically cold-call potential victims offering them worthless, overpriced or non-existent shares. With promises of high returns, unfortunately those who do invest usually end up losing all of their investment.
Advance Fee
Advance Fee scams are typically where fraudsters will target victims to make advance or upfront payments for goods, services or financial gains that never materialise. Similar named scams include Career Opportunity Scams, Clairvoyant / Psychic Scams and Cheque Overpayment Frauds. Another type of Advance Fee Scam is the ‘419’ scam. Typically with this type of scam a victim is told a convincing story to advance money to a stranger. The victim is led to expect a much larger sum of money will be returned but none is ever received.
Money Mules
Typical Money Mule scams involve a victim transferring stolen money between countries. Often Money Mule victims are recruited unknowingly by criminals to transfer illegally obtained money between different bank accounts.
Courier Scams
Courier Scams involve a fraudster contacting and tricking a victim to hand over documents, cards and/or PINs etc. to a courier who will come to visit the victim. There are many variations of this scam but typically a fraudster will telephone the victim pretending to be from the bank or police to give a sense of urgency to the call and make the victim panic into an action.
Other and Too-Good-To-Be-True Scams
Any of the following circumstances may indicate a potential scam: unsolicited approaches, unrealistic gains or risks, lack of credible evidence, pressure tactics, instructions to keep things quiet, phrases such as free / legal loophole / cash bonus, use of couriers to exchange documents or information, contact by mobile phones with no fixed line contact. Usually if something sounds too good to be true then it probably is.
Fraud Protection Links and Resources
A selection of Fraud Protection Links and Resources to help you better protect yourself is as follows:
- Get Safe Online – UK government security service to help protect computers, mobile phones and other devices from malicious attack
  https://www.getsafeonline.org/
- Cyber Aware – aims to drive behaviour change amongst small businesses and individuals to help protect themselves from cyber criminals
  https://www.cyberaware.gov.uk/
- The Financial Conduct Authority – the conduct regulator for financial services firms and financial markets in the UK
  https://www.fca.org.uk/
- Be a scam smart investor – information for investors
  https://www.fca.org.uk/scamsmart/
- Action Fraud – the UK’s national fraud and cybercrime reporting centre
  http://www.actionfraud.police.uk/
- Mailing Preference Service – if you have suffered a bereavement or just want to stop unsolicited postal mail
  http://www.mpsonline.org.uk/
- Telephone Preference Service – opt-out service enabling you to record your preference on the official register and not receive unsolicited sales or marketing calls
  http://www.tpsonline.org.uk/
- CIFAS – a not-for-profit company working to protect businesses, charities, public bodies and individuals from financial crime
  https://www.cifas.org.uk/
- Royal Mail Redirection – Redirect your postal mail to help protect against identity fraud or check if a redirect has been set up as part of a scam
  https://www.royalmail.com/personal/receiving-mail/redirection/
Please note: we accept no responsibility or liability for the content, accuracy or availability of any external site.
Keep Us Updated
- Always formally keep us updated if you change any of your details such as postal address, phone number or email address so we can update your account details.
- Always contact us immediately if you suspect a security breach of your security details / passwords or you are a victim of fraud or identity theft.
- Always let us know if you notice anything unexpected or unusual on the CWA login page or during your session.
- Always forward any suspected phishing emails to info@pilling.co.uk and if you have already responded to a phishing email let us know immediately by telephone so we can take precautions to protect you and your accounts.
Who to Contact for Help
Always telephone us on our main line – never call back using calling line identification or a number given to you by someone. Be aware that fraudsters sometimes don’t hang up the phone at their end and trick you into speaking to them on your ‘next call’ – so use another line to call us back if possible, or be sure the line is definitely clear before re-dialling.