Security at ING Business

Encrypted internet connection

The communication between your computer and the bank's server is encrypted with the TLS protocol. We use Extender Validation (EV) certificates with a key length of 2048. These certificates:

• are compatible with the latest browsers, e.g. Internet Explorer 11, Mozilla Firefox (last 3 versions), Google Chrome (last 3 versions)
• guarantee safe data encryption, keeping it safe from the external changes and authenticating the computers which communicate with each other.
• are issued only to trusted institutions. Obtaining them is associated with a very thorough verification of the applying company.

ING Business offers 2 alternative methods of logging in and authorizing orders:

Method based on login, password and SMS codes

• When logging in, you must enter your login and password.
• Our system assesses whether logging in (or another activity in the system) requires confirmation with a one-time authorization code.
• If so, an SMS will be sent before performing the operation – pay attention to the dates and details of the operation presented in it. If the data is correct, enter the authorization code into the browser.
• SMS codes are sent to the mobile phone number provided in the system for your user.
• The transmitted information is encrypted with the RSA algorithm.

Certificate based method

• To log in you use a password and a token with an uploaded certificate.
• When logging in and using the system, the token must be placed in the USB port.
• The transmitted information is encrypted with the RSA algorithm.

Facilities for mobile app users

Mobile app users (and log in to the system using the login, password and SMS), can log in to the system via ING Business mobile app. You initiate logging in as usual, entering the login in the browser, but instead of entering the masked password characters, you can complete the process in the app: by entering the PIN, applying a fingerprint or using Face ID.

Advanced permission system

Create the security policy tailored to the needs of your company:

• You add and remove users.
• You adjust the rights in the system to the role of employees in the company.
• If you want users to use the system only at their workplace, you can specify the IP addresses from which they will be able to log in.
• If you would like users to use the system only during business hours, you can specify specific days and hours when the system can be used.
• In case of the absence of one of the users, you can grant his rights to another person.
• You decide who can sign and accept online applications and orders – use the multi-signature function.
• Selected applications and instructions may also be signed by other authorized users – this is a great help in case of the absence of the company’s representatives.

Most applications for changes of access and authorization rights take place fully online, in real time.

If you use a token to log in, remember to follow the basic security rules:

• connect it to the computer only when you use ING Business. After logging out, disconnect the token and store it in a safe place
• use anti-virus software and a firewall
• always use the latest version of your browser and update your operating system regularly

Login data

• Never disclose your login, password, application PIN or authorization codes to third parties.
• Do not provide this data on websites other than the bank's.

DO you log in with biometrics?

Remember that if you add a fingerprint or facial recognition of third party to your device, you will allow them to access your bank account. This will happen if you log into the application and the phone with biometrics.

SMSes

Do not click on links in SMS. Beware of payment requests – even for small amounts. Links from these SMSes may lead to fake pages.

Suspicious emails and text messages

Do not open emails from unknown senders, especially files and links attached to suspicious emails. Attachments may contain malware.

SMS from the bank

• Our system assesses whether the activity you want to perform requires confirmation with a one-time authorization code. If so, we will send you an SMS before performing the operation – pay attention to the dates and details of the operation presented in it. If the data is correct, enter the authorization code into the browser.
• We send SMS codes to the mobile phone number provided in the ING Business system for your user.

Remember about the safety rules

• We do not send SMSes, e-mails asking to log in or provide private data.
• Our employees never ask for a banking password. The only place you enter it is the ING Business login page. This also applies to the SMS code. The exception is when you call the bank - then we may ask you for the authentication code.
• Read carefully the text of the SMS you receive from the bank. Pay attention to the unusual forms of the address of our website.
• We never ask you to change, nor send you new login details without informing you about it in ING Business in advance.

How fraudsters work

Fraudsters call our customers and pretend to be a bank employee. They claim that after the last bank failure, access to the system must be secured. They send an SMS with a link that leads to a fake website, very similar to the ING website. 

Installing the software

Do not install software from untrusted sources on your computer or phone.

Such applications may, a.o., steal your login details and authorization texts. How is this done? When you log into the bank, the malicious application displays a fake login screen. The criminals thus acquire your login and password.

Login page

Stay vigilant – you may fall victim to login phishing and risk losing money. Before entering your login and password, make sure you are on the ING Business login page.

How can you recognize that you are on the secure ING Business login page?

Check that the address shown in the bar in the browser window is:

• https://start.ingbusiness.pl for the login and password method
• https://login.ingbusiness.pl for the eToken / card method

It is best to log in via our website ing.pl and use the Log in option in the upper right corner of the screen.

How can you find a fake website?

Fraudsters can direct you to a fake bank website from various places, e.g. from a link in an SMS. When you provide login details on a fake website, the fraudsters log into banking with this data. They change the phone number to authorize the transaction or set a trusted recipient. You authorize such an order – by entering the SMS code on the fake website. Moments later, the thieves steal the money from your account.

We never do the following:

• We do not ask you to change your password or PIN to the application, nor do we send you new login details without informing you about it in ING Business in advance.
• We do not send e-mails asking you to log in or provide private data, such as a phone number for transaction authorization.

Antiviruses

• Use up-to-date anti-virus software on your computer and phone.
• Choose programs that are versatile, e.g. those that protect your identity, Internet transactions, detect malware hidden in files and websites, and much more.

Security on the phone

Remember about the safety rules:

• Protect application PIN Moreover, set a fingerprint – the access to the phone will be difficult.
• Beware of false security certificates.
• Remember that we do not require installing any additional software or applications.
• If you lose your phone, remove it from the list of trusted devices in ING Business.
• You can download the ING Business application from authorized Google Play and AppStore stores.