Security tips

Please be informed that the “Al Hilal” Islamic Bank” JSC provides banking services only through branches of the Bank without involving mediators (legal entities and individuals).
We draw your attention to the fact that the Bank does not finance individuals and individual entrepreneurs for commercial purposes.

We ask you to be vigilant and careful.

All the Bank's services are provided only through the Bank's branches located at the following addresses without mediators:
• Almaty, 77/7 Al-Farabi Avenue, "Esentai Tower" BC; 
• Astana, block B13, "Green Quarter" RC, building 17P, Syganak Street;
• Shymkent, 48B, Madeli Koja Street.

Double check before double clicking

Internet fraudsters create and distribute emails which appear to be legitimate bank requests to supply your personal banking details. Please be aware that Al Hilal Bank will NEVER send you an email asking you to share confidential information such as your account number, your internet banking username or passwords.

Do

• Be cautious with any email that requests urgent personal or financial information
• Access Personal Internet Banking by typing https://alhilalonline.kz in the address bar of your browser
• Use only secure websites with a secure browsing mechanism (HTTPS) and a closed padlock icon on the status bar to enter sensitive information, such as card numbers, and avoid using computers or Wi-Fi networks located in public places, such as internet cafes or airport lounges, to access internet or mobile banking
• Ensure that you keep your browser and all anti-virus software updated

Don’t

• Click on links within a suspicious email

• Reply to phishing emails that urge an immediate response and promise lucrative offers
• Assume that an email is authentic, even if it is personalized
• Send personal information to the Bank by email

Please report any suspected privacy abuses or other related security issues to 2330 (short mobile number) or +7 727 233 00 00 (landline number).

Avoid sharing sensitive information over the phone

Vishing is a type of phone fraud in which a criminal claims to be calling from a legitimate organization to verify your personal details for official records or to offer rewards. Criminals may also fake their caller-identification details, making it appear even more likely that the call is legitimate.

Do

• Ask the caller for authentication by verifying a recent transaction you have made
• Contact Al Hilal Bank’s Contact Centre on 2330 (short mobile number) or +7 727 233 00 00 (landline number)  if you have any suspicions

Don’t

• Give out your bank card number, password, CVC (the three-digit number on the back of your card), PIN or account information through unsolicited calls
• Respond to a voice mail or calls that ask you to go to a website or call a phone number to resolve an account problem

Make sure it is safe to type your password

Key logging is used by internet fraudsters to capture your password, PIN or other sensitive information you type into the computer. Software programs or small hardware devices can be programmed to record which keys you type. Once the fraudsters collect your security details, they might try to use them for their own financial gain.

Do

• Install anti-virus software with the latest security patches and anti-virus signatures on your home computers
• Monitor your transactions regularly
• Report any irregularities in your statements immediately to the Al Hilal Bank Contact Centre on 2330 (short mobile number) or +7 727 233 00 00 (landline number)

      Don’t

• Use computers or Wi-Fi network located in public places, such as internet cafes or airport lounges, to access internet or mobile banking
• Visit suspicious websites or follow any of suspicious instructions
• Postpone reviewing your credit card and other account statements
• Respond to suspicious or spam emails

Please report any suspected privacy abuses or other related security issues to 2330 (short mobile number) or +7 727 233 00 00 (landline number).

Do not accept suspicious transfers to your bank account

In advance fee frauds, criminals will seek your permission to transfer funds to your account from an apparent wealthy benefactor. You may be approached through a letter, fax, email or telephone call from someone claiming to be a senior bank official. Victims are repeatedly urged to part with sums of money in order to facilitate the transfer process and, as the fraud progresses, a considerable amount of money is lost. The promised transfer, of course, never happens.

Do

• Always be wary of unsolicited emails or other communications offering large sums of money
• Inform suspicious activities to our Contact Centre on 2330 (short mobile number) or +7 727 233 00 00 (landline number)

Don’t

• Give out your bank card number, PIN or account information through unsolicited emails or other communications
• Transfer money as instructed in these emails or other communications
• Respond to suspicious emails or other communications

What is identity theft?

In this type of criminal activity, fraudsters will attempt to obtain important personal information, such as your date of birth, passport number and ID details, to gain access to your bank account and then carry out fraudulent transactions.

Step 1 A scammer will try to trick you into sharing personal information, such as your mother’s maiden name, date of birth, ID details or One Time Passcode (OTP), either over the phone or in person, by impersonating a bank representative.

Step 2 Upon receiving this information, the scammer will misuse it to apply fraudulently to open new accounts or to carry out transactions through banking channels, such as the transfer of funds.

Tips to protect yourself

• Never respond to emails that ask for your personal and confidential information, such as date of birth, last name, mother’s maiden name, user ID, OTP, ATM PIN, CVC, card details or ID. Al Hilal Bank already has the aforementioned information in its database and will never request it from you.
• Should someone approach you in the capacity of an Al Hilal Bank representative, please ask to see relevant proof of his or her identity. Similarly, be aware of anyone claiming to be a bank representative over a phone call.
• Should you accidentally have divulged any information that has led to your phone number being deactivated without your consent, get in touch with us immediately.
• Avoid storing unused copies of your private documents. Shred them once their purpose has been served.
• Never share your official documents containing details such as your passport or ID number with unknown people over any digital channels like WhatsApp, email or SMS.

What is SIM swap fraud?

This type of account takeover fraud, also known as a ‘port-out scam’ or SIM splitting, generally targets a weakness in the two-factor authentication (2FA) process wherein the second factor is an SMS or call placed to the fraudster’s mobile number.

How do scammers do it?

• Step 1 A scammer gathers a customer’s personal information through practices such as phishing, vishing or smishing (via SMS) and then uses these details to get a new SIM card issued in the customer’s name.
• Step 2 Using this SIM card, the scammer will get all the sensitive information they need, including OTPs, to conduct fraudulent transactions from the customer’s bank accounts.

Tips to protect yourself

• Do not share your personal and confidential details with unknown people calling from unverified numbers or respond to emails or text messages from suspicious addresses.
• If your phone number remains inactive for a long time, get in touch with your mobile operator immediately.
• Never share the digit number at the back of your SIM card.
• Avoid sharing your phone number on social media or websites.
• Check your bank account alert messages and statements regularly and report any inconsistent transaction or activity immediately.

What is a money mule scam?

In money mule scams, victims (the money mules) are tricked by fraudsters into laundering stolen/illegally gained money through their bank account/s. Fraudsters contact customers through emails, chat rooms, job websites or blogs and convince them to accept fund transfers into their bank accounts in exchange for attractive commissions. If successful, the criminal will then transfer the illegal money into the account of the money mule, who will be directed to transfer the funds into the account of another money mule. This creates a chain in which the money is ultimately transferred into the fraudster’s account.

How do scammers do it?

• Step 1 The scammers contact customers via messages, emails and chat rooms, and attempt to lure them with attractive commissions. They coerce these customers into sharing their bank details and other confidential information.
• Step 2 After receiving the requisite information, the scammers then use it to transfer illegally gained money into the account of a customer (money mule) or that of an innocent person who has no awareness of the scheme.
• Step 3 The money mule is then directed to transfer the money into the account of another money mule, starting a chain of fraud.

If the money mule fraud is reported, it is always the money mules who are arrested and not the criminal masterminds, who usually cannot be traced.

Tips to protect yourself

• Do not respond to messages that promise lucrative opportunities in the form of jobs, commissions or lottery prize winnings. More often than not, these are all scams, so think logically and don’t respond in your excitement.
• Be cautious of any message claiming that you have won a lottery or offering you commission for helping to repatriate funds from an international account. More often than not, these are scammers who are trying to lure you to commit fraud.

What is juice jacking?

Juice jacking is a type of cyberattack involving a public charging port. While these public chargers are indeed a big help when the battery of your mobile device is drained, such ports may also be designed to steal your data or to automatically install malware in your device.

How it happens

• Step 1 Scammers install malware into a specially modified charging port.
• Step 2 When you plug your mobile phone or other device into this modified charging port, the malware is installed on your device. The malware allows the hackers to access sensitive data via your phone — including contact details, emails, messages, photos, private videos and sensitive financial credentials.

How to prevent juice jacking

• Carry a power bank, as this is the safest and most convenient solution.
• Avoid USB charging in public places. Rather search for an electrical outlet, as data such as malware cannot be transferred in this way.
• Should you have no choice but to charge your device with a public charging USB port, first power off the device and then plug it in. Powering off the smartphone will prevent the transfer of data.
• Try to use a cable that can only be used for charging and not for data transfer.

What is social media fraud?

In this type of fraud, scammers gather personal information from social media feeds and networking websites to impersonate their victims through identity theft.

How it happens

• Step 1 Fraudsters use fake identities on social media websites and lure victims into sharing personal and financial information.
• Step 2 Using this stolen information, they look for opportunities to defraud when the user is not socially active.

How to prevent social media fraud:

• Use a separate email address for your social networking websites. Many such websites use your email address to identify you.
• Do not use the same username and password for your social networking websites as those you use to access your Al Hilal Bank accounts.
• Never share personal information such as user IDs, PINs and account numbers on social media websites.
• Create a screen name that doesn't reveal too much about you.
• Be careful when clicking links. Even if the message appears to come from a friend, contact the sender directly to make sure it's authentic if you are at all suspicious.
• Post only information that you are comfortable for others, including strangers, to see. Regard all information posted on social media websites as public and permanent.
• Use privacy settings to limit access to your information.
• Never post any information that could help thieves steal your identity, such as your address, phone number or even employment information.
• Use a unique password for each of your social networking profiles. Ensure that these do not match the passwords used for banking and other sensitive activities.

Passwords should be your best-kept secrets

Passwords are used to authenticate your identity. A lost or leaked password can result in the misuse of your personal information, bank account information, and social contacts and correspondence.

Do

• Change your passwords regularly.
• If you suspect that your internet or mobile banking password has been compromised, change it immediately and report the incident to Al Hilal Bank.
• Disable Auto Complete or Remember Password options in your internet browser while accessing internet banking systems.
• Always close the internet browser window once you have logged out of the internet banking website.

Don’t

• Disclose your PIN or password to anyone else, including Al Hilal Bank staff. (Note: We will NEVER ask for these details.)
• Use your birth date or name as your PIN or password. Internet passwords should be alpha numeric (including letters and numbers, for example, pencil37).
• Store passwords on your computer.

Please report any suspected privacy abuses or other related security issues to 2330 (short mobile number) or +7 727 233 00 00 (landline number). Please remember that Al Hilal Bank will never ask for personal information such as passwords and PINs.

Mobile banking has eased the way in which we transact in our daily lives, putting convenient banking at our fingertips. While most people are tech savvy, some are still getting accustomed to online banking. There are certain things that must be kept in mind to ensure safety and security while transacting online.

Below are some tips to help you be more vigilant while using mobile banking.

• Never share the MPIN (Mobile banking PIN) of your mobile banking app or OTP with anyone. 
• Do not download mobile applications from unknown sources. Use official application stores such as the Apple Store or Google Play.
• Avoid using public or shared networks for online transactions.
• Do not save confidential information, such as your debit/credit card numbers, CVC numbers or PINs on your mobile phone.
• Do not save pictures of your debit/credit cards (front or back) on your mobile phone.
• Install an effective mobile anti-malware/anti-virus software on your smartphone and keep it updated.
• If you have to share your mobile with anyone else, or need to send it for repair or maintenance, first clear your browsing history, caches and temporary files stored in the memory, as these may contain sensitive information.
• Do not click on any URLs in text messages from non-reliable sources.
• Password-protect your mobile device to protect against unauthorised access.
• Keep your mobile's operating system and applications, including the browser, updated with the latest security patches and upgrades.
• Refrain from downloading any remote accessing apps, like AnyDesk or Team Viewer, on your phone if suggested by a caller. These would allow the caller to view the information displayed on your screen device at his end through screen mirroring.
• Never respond to calls or messages that ask for your personal and confidential information, such as ID number, date of birth, last name, mother’s maiden name, user ID, OTP, ATM PIN, CVC or card details.

Internet banking is fast, convenient and easy to use. However, many people are still hesitant to use this service due to security concerns. Here are some valuable internet banking security tips to avoid the risk of fraudulent attacks.

• Never share your OTP, Password or CVC with anyone, including any person claiming to be an Al Hilal Bank official.
• Before entering personal information, such as your name or email ID, onto a website, read the website’s privacy policy. Also, make sure you understand how your information may be used by the website owner. 
• When logging into Al Hilal for internet banking, always enter the Bank's website address https://alhilalonline.kz in the URL address bar. Never access the bank website from a link provided in emails from non-reliable sources. Be disciplined while clicking anywhere online. This will prevent you from clicking accidentally on malicious websites.
• Look for the padlock symbol on the address bar of your browser before you enter your login ID and password. If you click on this symbol, you can view the digital certificate and other security details related to the website. Proceed only if such verification is available.
• Regularly log into your internet banking accounts and check your bank statements to ensure that all transactions are legitimate.
• Avoid accessing Al Hilal Bank from a public or shared computer. 
• Log out from internet banking after you complete your transaction, every time. Don’t just close your browser.
• Protect your accounts on the computer with strong passwords.
• Never use the browser option to remember passwords (disable the Auto Complete function).
• Go to the Settings option of the browser to clear your browser cache and history after each session, so that your account information is removed. This is especially important if you have used a shared computer.
• Beware of pop-up windows that ask for your account number and password.
• Use licensed software. There is a higher chance that pirated or unauthorised software may infect your device.
• Regularly update your computer with the latest security patches for your operating system, browser and email account.
• Use anti-virus, anti-spyware and personal firewalls to safeguard your computer system at all times.

Debit cards for your accounts are integral to everyday banking. At Al Hilal Bank, we take the safety and security of our customers’ accounts very seriously. Here are a few ‘DOs and DON’Ts’ to help you avoid debit and credit card fraud. We want you to enjoy a safe and secure banking experience.

Do

• Delivery of cards or card applications from the Bank is carried out in a special corporate envelop with the Bank’s logo and tear tape. If you receive an application or a card not in a corporate envelope or in an envelope with signs of opening, please contact the Bank immediately at 2330 (short mobile number) or +7 727 233 00 00 (landline number).
• Ideally, you should change your PIN every 6 months for complete protection. It is also advisable to change your PIN after an overseas trip.
• Keep your cards somewhere safe. In the case of loss or theft, immediately inform the Bank.
• After receiving a new or upgraded card, discard the old one by destroying the chip and cutting it into small pieces.
• Try and memorise your PIN instead of writing it anywhere.
• Be careful when entering your PIN at an ATM or POS terminal. Cover the PIN pad with your hand before typing the PIN.
• Update your phone number for constant alerts on any card activity. Keep an eye on your transactions and purchases, and report any unusual transactions to the Bank immediately.
• Always check the URL of a website to make sure that it has sufficient security in place before making a payment. You can do a quick check by making sure there is a padlock icon (https://show lock symbol) on your browser. This symbol indicates that the website is using an encryption technology while transmitting sensitive data. If you click on the lock, you can view the digital certificate and other security details related to the website. Proceed only if such verification is available.
• Check to see if the URL of a website displays the IP address or numerical address instead of a domain name. Be wary of such websites as they are more likely to not be genuine.

Don't

• Share details such as a copy of the front and back of your card. Remember that Al Hilal Bank will never ask you for such details.
• Never hand your card to anyone claiming to be a bank representative.
• Never share your card details, like card number, expiry date, CVC, PIN or OTP with anyone, even those claiming to be bank officials.
• Do not save your card details on online merchant websites.
• Never enter your details on emails with input fields asking for your card details, ATM PIN, CVC, etc.
• Avoid using your cards on unauthorised payment gateways, such as those of gaming websites, lottery or gambling websites.
• Never sign a blank application form with the promise that it will be completed later by the bank representative.

Here are a few handy tips to remember when using an ATM.

• Don’t write your PIN anywhere, especially on an obvious place like the card itself. Memorise it if you can.
• Do not share your PIN with anyone. It is best to change your ATM PIN the first time you use it and then try to change the PIN regularly thereafter. It may not be convenient, but it is a good precaution.
• Beware of ‘shoulder surfing’. Use your hands and body to shield your PIN typing.
• Don’t engage in conversations with strangers inside the ATM hub. Do not let your guard down, even for a moment.
• Do not conduct a transaction if you find any unusual device attached to the ATM.
• Before moving away from the ATM, press the ‘Cancel’ key and wait for the Welcome screen to appear.
• Remember to shred your transaction slip immediately after use.
• If your ATM card is lost or stolen, report it to Al Hilal Bank immediately.
• After you deposit a card in the ATM, check the credit entry in your account after a couple of days. Should you find any discrepancy, report it to the Bank immediately.
• Register your mobile number with Al Hilal Bank to receive alerts of your transactions.
• Call the Bank immediately should cash not dispense normally from the ATM or become stuck in the machine.

At “Al Hilal” Islamic Bank” JSC, your financial security is most important to us. We do our best to protect your business against fraud and to ensure the safety of your finance and financial transactions.

Therefore, we want to draw your attention to a method of email fraud known as Business Email Compromise which is gaining popularity and causing substantial losses to commercial enterprises.

• Business Email Compromise (hereinafter – BEC) is when the fraudster infiltrates company communications and manipulate employees into making payments to a bank account under their control.
• The impostors carefully study their targets to gain information about the company’s employees either by way of phishing or by directly hacking the company computer network or email infrastructure.
• The impostor may gain direct access to company email accounts or create an email address that looks very similar to those belonging a company executive such as the CEO or CFO e.g., chiefexecutive@mycompany.com vs chiefexecutive@mycompnay.com. The difference in the fake email address will be very subtle and easy to overlook.
• The fraudster then sends an email either originating or appearing to originate from the company executive to the finance department, instructing them to make payment to a specific beneficiary. Employees may be reluctant to approach senior executives to verify these payments and fall prey to the scam.