CFDs are complex instruments and come with a high risk of losing money rapidly due to leverage. 75% of retail investor accounts lose money when trading CFDs with XTB Limited. You should consider whether you understand how CFDs work and whether you can afford to take the high risk of losing your money.

Internet Security

Internet fraud is an increasingly frequent threat. Learn about the methods used by cyber criminals, how to protect yourself from them, and how to act if you become the victim of cyber crime.

How not to be scammed/deceived

  • Be careful - Attacks usually start with a fake e-mail that persuades you to click a link or open an attachment. Therefore, always check the sender's address for typos and never log in to the XTB service via a link from an e-mail - enter the address in your browser manually. If you have any doubts, call the hotline to determine whether the e-mail comes from us.
  • Be private - Never share your login information or devices with anyone; use password managers that automatically create strong passwords and enable two-factor authentication where possible. Don’t use the same passwords for more than one account.
  • Be independent - Don't log in via public or third-party devices (e.g., computers in Internet cafes or hotels) to applications or platforms. You never know if there isn't spyware on them that will give scammers access to your accounts.

  • Be on time - Always update your devices and software to the newest version. Remember to use antivirus software.
  • Be aware - To avoid scams, learn more about the methods used by cybercriminals.

Most common fraud/scam methods

Vishing
This method is based on impersonating, over the phone, employees of various investment, service and financial companies, and even the police or other services. Scammers pose as employees of well-known and popular companies and use that authority during the call to try to extort a login, password or debit/credit card data. Often, under the pretext of additional authorization, a data update or a system malfunction, they ask for personal data and try to persuade users to install apps like AnyDesk or TeamViewer, which give the scammers access to the phone or computer and let them steal data or money.

Remember! Never give anyone the password to your investing, financial or any other accounts. Also, do not install any applications that the consultant tries to persuade you to install.

Phishing

Scammers using this method create fake websites or emails that closely resemble those from banks or investing companies. They often use logos and copy the graphic layout of messages. Under the pretext of updating data, authorization or confirming a transfer, the scammers ask you to log in using such fake websites.

Remember! Never open suspicious links and attachments from unknown sources. Enter the address of our site yourself, manually.

Smishing

Cyber criminals using this method send an SMS informing you, for example, of a new transaction on your account that you need to confirm by following a link, which leads to a fake website. After a user logs in to such a fake website, the scammers steal their login and password, which gives them access to the real account. To extort such data, scammers may also give other reasons, like deactivation of a service or IQ tests. Scammers even impersonate government and national institutions, creating fake SMS messages that warn of danger or relate to a vaccination program.

Remember! The sender of an SMS can be faked, so be suspicious of the content of any SMS. Never click on a link sent in this way.


Learn about the methods of scammers impersonating XTB

The callers, who often do not introduce themselves, describe a chance to profit from an investment, citing their partnership with XTB.
Scammers often do not introduce themselves and do not give the name of their company unless they are asked to. Criminals often impersonate XTB by sharing authentic and publicly accessible data. A scammer may also claim to work for an XTB “partner” company. Remember! XTB consultants always introduce themselves at the beginning of the conversation. XTB never uses the services of external companies to contact clients, and XTB employees do not provide investment advisory services. Remember - if you have any doubts, hang up and contact us on {numer here} or {numer here} (those lines are available 24 hours a day, Monday to Friday) or write us an email at {email here}.
The caller impersonating an XTB employee claims that the automatic investing function was turned on for an inactive broker account, which resulted in the accumulation of a certain amount of money (sometimes even cryptocurrencies) that can be withdrawn. To withdraw the money, the scammer asks for login data and other sensitive information.
Remember! XTB employees never make any transactions on clients' accounts, and they do not trade on behalf of our clients. Such claims are meant to grab the victim's attention and make them trust the scammer. If somebody offers you a gain from an investment you never made, it is a fraud aiming to steal your data.
The caller impersonating an XTB consultant claims that in order to withdraw the money, you have to install additional software (AnyDesk, TeamViewer or Quicksupport) or asks for account access data.
Remember! XTB employees never ask you to install any software other than our investing platform, and they never ask for your login data. Installing programs like AnyViewer or Anydesk lets the scammer see everything on your device and control it remotely. That way, scammers will snag your login data, which lets them, for example, steal money straight from your bank account.
I opened the link, which redirected me to a suspicious site closely resembling the XTB website.
One of the most original methods used by scammers is creating clones (identical copies) of the websites of popular service providers like XTB. Such a website often looks identical to the official one, but its only purpose is to deceive victims who, thinking they are visiting the real website, enter their real login data, which the scammers then use. Fraudsters may use variations of the web address, counting on the victim's lack of attention, e.g. XTB-GROUPS.COM, XTBE.COM etc. The addresses can also contain typos, like XTTB.COM. Such a fake website can be recognized by an incorrect URL or the lack of a security certificate. Remember! The XTB website address is https://xtb.com, and other addresses are always based on the main XTB domain, e.g. the Polish site can be found at https://xtb.com/pl. Before entering your access data for xStation or the Investor’s Room, make sure you are on the https://co.xtb.com/ or https://xstation5.xtb.com/ domain. All authentic XTB websites have a security certificate, marked by a padlock sign (in the website address bar), but be aware that the same symbol may appear on a fake website. Therefore, instead of checking for the padlock before the address, first analyze the address. Only this will allow you to check whether you are on the correct site.
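
The address check described above, written out as an added example (it is not XTB's own code). It accepts only hosts on the main xtb.com domain and flags the lookalike patterns the page lists; the one-edit threshold, the result labels and the sample links other than those on the page are assumptions.

```python
from urllib.parse import urlsplit

BRAND = "xtb"                 # brand token taken from the page
OFFICIAL_DOMAIN = "xtb.com"   # the page: real sites are based on this domain

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch XTBE / XTTB style near misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url: str) -> str:
    """Return 'official', 'not-https', 'lookalike', 'unrelated' or 'invalid'."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "invalid"      # relative or malformed link: nothing to trust
    # Only the host counts: xtb.com itself or a subdomain ending in .xtb.com.
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official" if parts.scheme == "https" else "not-https"
    # In "https://xtb.com@evil.example/" the brand is only the user-info part.
    if BRAND in (parts.username or "").lower():
        return "lookalike"
    # Heuristic (assumption): a label or hyphen-separated token that equals
    # the brand, or is one edit away from it, on a foreign domain.
    for label in host.split("."):
        for token in label.split("-"):
            if edit_distance(token, BRAND) <= 1:
                return "lookalike"
    return "unrelated"

# Constructed sample links; the three lookalike hosts are the ones the page lists.
SAMPLES = [
    "https://xtb.com/pl", "https://xstation5.xtb.com/", "http://xtb.com/",
    "https://XTB-GROUPS.COM/login", "https://xtbe.com/", "https://xttb.com/",
    "https://xtb.com.evil.example/", "https://xtb.com@evil.example/",
    "https://play.google.com/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_url(link):10} {link}")
```

With a three-letter brand the one-edit rule will also flag some unrelated short names, so treat 'lookalike' as a prompt to inspect the address, not as a verdict.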
Important questions and answers

Remember to log in exclusively through the https://xtb.com website. You can check the security certificate by clicking the closed padlock sign on the left side of the browser address bar. After clicking on the padlock, you will see a description of the security protocol - look for the fingerprint section in the certificate. The correct value for our certificate is: SHA256: 5D 71 60 2E 5A 8B 36 8F 79 2B C8 EB A3 22 E1 86 79 F6 29 0E 50 EB 6C 48 B1 F1 12 4F 30 68 4A 89
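
The same fingerprint comparison done outside the browser, as an added example (not XTB's own code): the SHA-256 fingerprint is the hash of the certificate's DER encoding. The function names are hypothetical, and the expected value is copied from this page, so it stops matching once the certificate is reissued.

```python
import hashlib
import re
import socket
import ssl

# Fingerprint quoted on this page for the XTB certificate.
PAGE_FINGERPRINT = ("5D 71 60 2E 5A 8B 36 8F 79 2B C8 EB A3 22 E1 86 "
                    "79 F6 29 0E 50 EB 6C 48 B1 F1 12 4F 30 68 4A 89")

def normalize(fp: str) -> str:
    """Drop an optional 'SHA256:' label and space/colon separators."""
    fp = re.sub(r"(?i)^\s*sha-?256\s*[:=]\s*", "", fp)
    hexonly = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexonly):
        raise ValueError("not a SHA-256 fingerprint")
    return hexonly

def der_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as browsers display it."""
    return hashlib.sha256(der).hexdigest()

def matches(der: bytes, expected: str) -> bool:
    """True when the certificate hashes to the expected fingerprint."""
    return der_fingerprint(der) == normalize(expected)

def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server certificate over a normally validated TLS session."""
    ctx = ssl.create_default_context()   # chain and hostname are still checked
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    # Live check; needs network access.
    der = fetch_der("xtb.com")
    print("observed:", der_fingerprint(der))
    print("matches page value:", matches(der, PAGE_FINGERPRINT))
```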

Your password must include at least 8 characters, including one capital letter and one number. The most important thing is to make the password as long as possible. It's best to build it from a few words, but it shouldn't be a well-known quote. For example, "BlackDragonFliesOnWhiteCarpet" is a really strong, but easy to remember password.
The most secure way to generate and store passwords is to use a so-called password manager.

Remember! Never share your login and password with third parties. A good practice is to change your password often, and not use the same password on more than one website.

Although an XTB consultant will verify your data at the beginning of the conversation, he will never ask for:

  • Password to your account
  • Installing the app for authorization or remote control (e.g. Anydesk)
  • Giving your credit card information
  • A transfer of money (in order to confirm the payment) to a number other than the one shown in the Investor's Room.

If you have been asked for any of the above information, absolutely do not provide it, as it may be an attempt at fraud.

There are two verified sources from which you can download the xStation app:

  • Always download the mobile version of the app from the official app stores. For Android smartphones it’s the Play Store, available at https://play.google.com/, and for Apple smartphones it’s the App Store, available at https://www.apple.com/pl/app-store/. After visiting the store, just type XTB in the search bar and download the app.
  • The up-to-date desktop version of the platform can always be found on our site, www.xtb.com

Clients can verify each call by contacting us by phone (numbers here) or by email at (email here).

How do we care for your safety?
Access authorization
The XTB app allows authorization by password, fingerprint or a code - thanks to this, only you have access to your account.

 

Encrypted connections
All connections between XTB servers and the mobile app on your device are fully encrypted, raising the security level.

 

Protection of means/money
Your money can only be transferred to your personal account. Nobody will transfer the money to an account other than that of a client.

 

Multi-factor authentication

For your safety, we confirm key changes or information using different methods of contact (phone, email, sms).

Advanced network infrastructure
XTB constantly develops its infrastructure by investing in the newest technologies to guarantee safety and security to you and your investments.