Guidelines for safe online banking
There are a few simple but important rules to remember when using online banking safely. Here’s what you should do to keep your data safe and avoid falling victim to fraudsters.
Security principles
Ensure the protection of your personal computer and devices
Personal computer protection
The fundamentals:
• Install the manufacturer’s updates, which will protect you from known vulnerabilities
• Make backup copies of your data. This will protect you from losing the data you are storing and allow you to restore it
• Use screensavers when you’re not at your computer
• Install antivirus software on your computer
Ensuring that your computer has sufficient antivirus protection is very important. Although Windows 10, for example, already has built-in antivirus software (Windows Defender), it’s a good idea to supplement it with specialised tools from other companies.
There is a good selection of antivirus software available, both free and premium.
Here are a few free options to choose from:
Mobile device protection
Mobile devices are also prone to attack and must be protected:
• Do not use the Internet Bank or Mobile Digipass on devices:
- that have been jailbroken (a term for hacking your device in order to install unsupported or pirated software);
- that have been used to run any hacked games or apps.
• We recommend antivirus protection for mobile devices. There are plenty of products available, including free solutions such as Avira, Bitdefender, G Data, Kaspersky, McAfee, NortonLifeLock, Sophos, Trend Micro etc. These can be downloaded from the AppStore for iPhones and from Google Play for Android phones.
• Protect your devices with a PIN, password or biometric data (such as a fingerprint).
• Install the device manufacturer’s updates to protect against known vulnerabilities.
• Make backup copies of your data. This will protect you from losing the data you held on the device and allow you to restore it to any of your devices.
Guidelines for safe online banking
Enter your Internet Bank account credentials only on the official BluOr Internet Bank website. The browser address line must start with https://ib.bluorbank.lv.
When you make purchases online or log in to portals such as latvija.lv, you will also be redirected to https://ib.bluorbank.lv.
You can also access the Internet Bank from the bank’s website at https://www.bluorbank.lv/lv. In the top right corner, click “Log in”, then select “Log in to Internet Banking”.
Do not follow links sent to you via email or SMS – fraudsters can spoof bank email addresses or phone numbers and send links to scam websites that look genuine (except for the address line – https://ib.bluorbank.lv). Instead, use a search engine (Google, Yandex, etc.) to access the Internet Bank:
Wherever possible, avoid using public computers (in hotels, cafés, etc.). After finishing your work in the Internet Bank, always press the Exit button in the top right corner instead of simply closing the browser window.
Secure Customer Authentication (SCA) is used for access to the Internet Bank and for making any payments. To ensure this, BluOr Bank offers its customers secure and modern authentication tools: physical and mobile (logical) Digipass.
We recommend the Mobile Digipass as it is a more user-friendly and secure solution.
Mobile Digipass
The Mobile Digipass can be downloaded to your mobile device from the App Store / Google Play, as well as from the Internet Bank gateway (https://ib.bluorbank.lv).
A description can be found at https://www.bluorbank.lv/en/mobile-bank.
Physical Digipass
The Physical Digipass can be purchased at the Bank’s branch (Riga, Jēkaba iela 2). A description and instructions can be downloaded at https://ib.bluorbank.lv.
When creating a Digipass PIN, avoid easy-to-remember number combinations such as 0000 or 1111.
Set payment limits
To reduce the risk of fraud and potential losses, maximum payment limits have been set for each type of connection.
To control the volume of outgoing payments, you can change them yourself using the Daily Payment Limits. You can find more details in the Internet Bank manual (available for download at the bottom of the Internet Bank login page).
Review user activities
We recommend that you regularly review your account statements, especially outgoing payment operations.
You can see the date and time of the previous login on each page of Internet Bank (bottom). In case of suspicion, you can check the details of all Internet Bank activities from your account under Information – Activity Log.
If you ever have any suspicions about the above, please contact the bank by calling +371 67 031 333
For extra security, use SMS notifications about transactions
To keep track of all money movements on your accounts and cards, you can subscribe to SMS notifications on all card payments, as well as transactions made on any of your Payment Card Accounts or Current Accounts.
Suspicious payment confirmation prompt
As part of our commitment to your financial security, BluOr Bank has implemented a specialized payment and Internet banking analysis tool that allows you to detect suspicious payments and Internet Bank activities.
In suspicious cases, a bank employee will:
contact you by calling the registered contact number and check for verbal consent to the suspicious payment, or ask you to file a request via the Internet Bank after the call is over;
send you an email with the payment made and stopped and a request to send additional documents via Internet Bank. The Bank will never ask you to send your access or card details.
Under no circumstances will a Bank employee ask you to provide your Digipass PIN or login code, password or any other information that may be used to log in to your Internet Bank.
The password must meet all of the following requirements:
- contain at least one uppercase Latin letter;
- contain at least one lowercase Latin letter;
- contain at least one digit (0–9);
- be at least 8 characters long;The password must be different from other passwords you use for email, social networks, etc.
It is not recommended to use the following when creating passwords:
- meaningful numbers, such as a year, date of birth, or phone number;
- words related to you (commonly used), names of family members or pets, vehicle registration numbers;
- a single, logically understandable word in any language;
- three (3) or more adjacent keyboard characters in sequence (e.g. “qwe” or “123”);
- alphabetical sequences (e.g. “abcdefg”)
Examples of insecure passwords: Marts2021, 2021Pavasaris, Liene2000, Vesna2021, etc.
Password Creation Examples
Using a phrase:
First (second / last) letters of a phrase + digits:
- “Seši mazi bundzinieki, Jāj pa ceļu bungodam’. Visiem sešiem sirmi zirgi, Visiem caunu cepurīt's” → 6SmbJpcbVsszVcc
- “Teci, teci, līčupīte, Sijādama, rotādama: Sijādama zeltu nes, Rotādama sidrabiņu” → TtlSrSznRs04
- “Эх, дубинушка, ухнем, Эх, зеленая, сама пойдет, Подернем, подернем, да ухнем” → 11EduEzspPpduFull phrase:
- 2LjotidroshaIBparole
When entering your password, make sure that no one can see it. Do not allow browsers to remember your Internet Bank, email, or other passwords.
You can apply to open an account via the “Online Cabinet”. The easiest way to do this is by clicking “Log in” in the top right corner, then selecting “Client Cabinet”.
Website authenticity check
The browser’s address bar must start with: https://online.bluorbank.lv/login/user As an authentication method, we recommend using “eParaksts mobile” or “Smart-ID”. If this is not possible, you may use email, which is a less secure and less convenient means of communication.
Using “eParaksts mobile” or “Smart-ID”
The application will display a message indicating that your code will be used to log in to BluOr Bank.
Using email
Use a “Strong” or “Very strong” password (see the “Password strength” parameter). Tips for creating a password can be found in the subsection “Principles of creating secure passwords”. Do not use links from emails or SMS messages, as nowadays fraudsters can spoof bank email addresses or phone numbers and send links to fraudulent websites that look similar to bank websites (except for the address bar – https://online.bluorbank.lv/). Instead, use search engines (Google, Microsoft Bing, etc.).
Some online merchants use BluOr Bank’s payment initiation services. In such cases, you may be redirected to the Bank’s gateway at https://gateway.bluorbank.lv (see “1” in the image). The company that initiated the payment can be seen in position “2”.
At the bottom of the form, you can click the link “4” to receive more detailed information about the payment initiation service. After selecting a payment operator and clicking the “Continue to pay…” button (see “3”), you will be redirected to the authentication website of the payer’s institution (for example, Internet Banking). You can verify the authenticity of the payer’s institution’s authentication page in the same way as described in the subsection “Internet Banking website authenticity”.
Further verification (certificate)
For extra protection, you can always check the website’s security certificate to make sure it is genuine, i.e. no third party is intercepting your connection.
How to avoid scammers’ traps
Do not disclose your Internet Bank login credentials (Digipass PIN, display code, passwords, etc.).
If the Mobile Digipass app asks you to enter a payment confirmation code from your smartphone – always review the name and amount of the beneficiary (and the exact amount you want to transfer to them).
Never disclose your payment card details, i.e. Any combination of PIN (4 digits), full card number (PAN) and/or CVV2.
If somebody says they are calling you on behalf of the bank but asks you to disclose information that would allow them to log in to your Internet Bank (code displayed on your Digipass, etc.) – find out the name and job title of the caller, hang up the phone and call the bank’s hotline: +371 67 031 333.
Malicious actors routinely send fake emails on behalf of banks, partners or other organisations in order to gain access to online banking solutions, payment card data or other sensitive information, to extort money by falsifying business invoices, by promising big profits or by threatening trouble.
How to recognise fake emails:
Forged sender address – Malicious actors often spoof the sender of an email.
What to do:. The domain must match the organisation (e.g. emails from BluOr Bank should always end in @bluorbank.lv).Changing partners’ bank details – one of the “textbook” ways of defrauding companies. Fraudsters try to hack into partners’ mailboxes, intercept or forge emails from partners in order to spoof an invoice the payer expects to receive. As a result, a fake invoice may be delivered to your providing the fraudsters’ bank details (usually requesting a transfer to another bank in another country). This is usually explained away by mentioning problems with the partner’s bank, an ongoing audit, cash flow issues or some urgent need.
What to do: if your business partner asks you to change your bank details for payments, call the phone number you know and make sure the details are correct.Referral to an untrustworthy website – when the recipient of an email or SMS clicks on link or attachment icon, they are redirected to a fake website that may attempt to upload malware to their device or spoof a “real” website in order to steal login credentials.
What to do: before clicking on the link in an email, hover over it to see exactly where you will be redirected. For more information, please refer to “Make sure your online banking website is authentic”.A link to a fraudulent website disguised as an attached file icon – bad actors may ask you download a file containing “important” information. The file may run malicious code on your device, or the attachment icon itself may be a link taking you to a fake website.
What to do: install antivirus software on your device. Before you click on an attached file, hover the mouse pointer over it to check that it does not point to a malicious website.Request for confidential information – – fraudsters may ask you to send them payment card details, which will be used in subsequent scams. They may also ask you to send personal details and other information.
What to do: Ignore.scammers often announce fake winnings, askingyou to provide payment card details, internet banking login details or deposit money “for fees” etc. before they can promise to remit your reward. They may say that “your mailbox/account/IP/etc. just won a lottery” and ask for card data – this happens to be one of the most popular techniques used by fraudsters.
What to do: If you didn’t enter their lottery, you most probably haven’t won anything either. Check the sender of the email by hovering your mouse pointer over the - does the domain match the sender’s organisation? (For example, Google should have an email address ending in @google.com) Check online whether the organisation has held the lottery mentioned in the email, and whether it is possible that fraudsters are sending fake emails about prizes on behalf of that organisation.
Other types and examples of fraudulent emails can be found here “Examples of fake emails”.
Fraudsters often call and impersonate bank representatives or government officials. Often, they create tension that a suspicious transfer is being made from your account and your money is at risk. During the conversation, the customer is pressured to give Internet Bank access and confirmation details or to confirm (e.g. on Mobile Digipass) entry to Internet Bank and payment, which is called a “test”, etc.
Fraudsters spoof phone numbers, so the fraudster’s number may appear on your phone as a bank or other trusted number.
How to recognise fake calls:
Requests Internet Bank access data, including a Digipass-generated code, your Internet Bank password and/or SMS confirmation code received from the Bank’s number. If you provide them with such data, the fraudster can log into your account and use it as they please.
What you should know: : a bank employee will never ask you for your Internet Bank access details. If a bank employee needs to contact you, they will ask you for your voice password for authentication – the voice password is used for communication over the phone only, and cannot be used to connect to the Internet Bank.Requires you to verify a “fraudulent cancellation”, “test” payments, or access to the Internet Bank on your smartphone.
What you should know: There are no “test” payments, customers can cancel payments by writing a letter to the bank in Internet Bank. Pending payments are cancelled by the customer, no separate authentication is required (apart from logging in to Internet Bank).Speaks in an intimidating, urgent manner, uses psychological techniques to exploit people’s weaknesses.
What to do: Fraudsters usually insist that you deal with them “here and now”, in which case you should at least insist on calling them back directly on their “personal” phone, justifying it with “remote” work. If you have even the slightest suspicion, ask the caller’s name and title, hang up and call the bank’s information line yourself: +371 67 031 333 (do not use the callback function). The bank’s staff will be happy to answer your call to the number indicated on the bank’s home page.
Fraudsters may also pose as investment brokers or bank employees and offer you extremely lucrative investments in shares, bonds, cryptocurrencies or other assets. They may even simply urge you to transfer funds sham accounts. Fraudsters often create scam websites where their victims can follow the “rising profits” to encourage more and more investment as the victim sees how successfully their “investments” have performed so far. Withdrawing funds will usually be impossible or extremely difficult, fraudsters will try to discourage divestment by promising even better returns down the line.
How to spot an investment fraudster:
Requests your access details to banking, Internet Bank or e-signature tools.
Urges or encourages you to install particular software in order to invest or to “communicate securely”. Such software usually grants the fraudster control of the victim’s computer, e.g. TeamViewer or AnyDesk, and is not something any decent investment provider would ever do or even suggest.
Promises inadequate opportunities, even zero risk and huge profits at the same time.
Aggressively rushes to action using psychological techniques, seeking out weaknesses.
Operates illegally. The state only protects clients who invest in the services of licensed operators. To check a potential partner’s license and contact information, visit the website of the Financial and Capital Market Commission: https://uzraudziba.bank.lv/tirgus-dalibnieki/ieguldijumu-pakalpojumu-sniedzeji/