Cybermyth: With my IBAN, address and a copy of my ID card, my online banking account can be hacked

02.03.2023 - In many types of fraud, the attackers demand personal details such as name, address and telephone number. In some cases, they also ask for an IBAN or ask the victim to send a copy of a passport or ID card. A widespread myth is that it is possible to hack an online banking account with this information alone.

Nowadays, everyone should know that we should be very careful when giving out credit card details and passwords. In various fraud attempts, however, fraudsters also demand other information such as IBAN, address, name or even a copy of an ID card or passport. Most of the time, this data is not relevant for the actual fraud, and only serves to build trust with the victims and to reinforce the supposed seriousness of the offer. Even if the fraud is noticed in good time, a queasy feeling remains if such information has already been passed on to the fraudsters. For example, the NCSC receives reports every week from people who are afraid that their online banking account could be hacked or money could be stolen in some other way using such information, or even that the fraudsters are suddenly ringing their doorbell.

No danger for online banking accounts

The good news first: an IBAN and a copy of someone's ID card are not sufficient to withdraw money from an account. Such information has to be provided in many business processes and is not particularly sensitive. For example, you have no doubt handed over your passport many times when checking into a hotel, or given a copy of your ID card during other transactions.

The NCSC is also not aware of a single case where fraudsters have appeared in person at a victim's home. The fraudsters usually operate from abroad and fraud is a mass business: if a victim does not take the bait or notice the fraud, they simply move on to the next person.

Possible fraud using the identities of others

However, any data provided can be used for other scams. In order to make their offers look serious, the fraudsters use such stolen identities and include the name and ID as proof that the offer comes from Switzerland and is genuine.

Is it possible to misuse an IBAN?

Theoretically, it is possible for someone to use your IBAN to make a direct debit payment to an online shop. However, this payment option is not widespread among Swiss online shops, and you can easily make a complaint to your bank about such fraudulent payment orders for up to a year and have them reversed. This option is therefore not lucrative for fraudsters.

Always be sceptical

It is generally important to be sceptical if you receive emails that require action on your part and that carry a threat of consequences (loss of money, criminal charges or criminal proceedings, blocking of an account or card, missed chance, misfortune) if you do not do what is required. Always be cautious about providing personal details.

If you have provided your IBAN or identity details and you are feeling unsure, consider the following:

  • Regularly check your account statements so that you can spot in good time if a direct debit payment has been made that you did not initiate.

  • If you notice any inconsistencies, contact your bank immediately.

  • Do not pay invoices for orders you have not placed. Contact the company concerned as soon as possible if you suspect that someone has made purchases using your name and IBAN.

  • If you have provided your passport or ID card as part of a fraud attempt, we recommend that you report the incident to a police station or directly to an ID centre.

Last modification 02.03.2023

Top of page

https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2023/mythos-iban.html