New versions of malware are appearing on the Internet, that – installed on the computer of the user logging into the internet service of PKO Bank Polski – can be used by criminals to execute unauthorised transactions from the accounts of customers of the bank.

Devices with which users connect to the Internet are usually infected as a result of opening attachments to fraudulent e-mails in which hackers impersonate companies providing telecommunications services and other and inform about the necessity of alleged payments, payment for an invoice for the phone or for awaiting courier delivery. Using the trust of the message recipient to the commonly known company and their concern with the necessity to make payment, criminals induce them to open an attachment to the message containing allegedly details of the overdue payment.

However, in reality opening of the attachment infects the computer on which the attachment is being opened with a dangerous virus, allowing the theft of confidential customer data (data to log into the www service), and above all displaying messages issued by criminals when logging into the electronic banking. As a result, the customer may yield to requests to enter codes from a one-time codes card, SMS code or code of the token, unknowingly authorising in this way criminal transfer from their own account.

In the same way attachments to fraudulent e-mails operate, informing about the alleged non-delivery of an e-mail to the recipient.

In the case of using the internet service of the bank from the virus-infected computer, immediately after logging in, i.e. after entering the customer number and access password, the user can be requested to provide a one-time code from the authorisation tool, although in a given moment they do not submit any instruction from their account.  The entered code can then be used by criminals (in a manner invisible to the customer) to execute a transfer or define a new payee template to a specified target account. On the basis of such created payment template criminals may order transfers without the necessity to provide subsequent authorisation codes.

A computer or phone can also be infected as a result of installing the software from unknown sources on the device.

Examples of fraudulent/criminal messages that may appear to the users logging into the internet service from infected workstations:
Be careful of fraudulent messages, inducing to install additional software on a mobile phone.
Be careful of a new threat on the Internet – smishing
Be careful of fraudulent e-mails and text messages!
Example e-mail messages sent by criminals to steal confidential data of the customers: enia poufnych danych klientów:
Example text messages sent by criminals to infect the mobile phone of the user and steal data
Be careful of the Firefox add-on - it contains malware
Be careful of a new threat – virus attacking mobile phones with Android
Be careful of new malware for smartphones with Android operation system
New ways of phishing data from mobile browsers – GMBot
Example e-mail message sent by criminals to steal confidential data
New harmful software – PACCA – changing SSL certificates


Never share your password and account number with third parties and do not enter them on unencrypted pages. If the incorrect password is entered three times, the service in which it is used is blocked. In such case contact a consultant by phone at one of the following numbers 800 302 302 (no fees for domestic numbers in Poland; in other cases – fee according to the operator’s price list), or +48 81 535 60 60 (for foreign calls and mobile phones calls; fee according to the operator’s price list). The access password may be changed to a new one at any time. If you use Token iPKO, logging into the website can be strengthened by the necessity to complete an additional field: “Password of the token”.

Customer number

First logging into the iPKO internet service is done through the use of an individual 8-digit Customer number, received in a branch or delivered by courier. At any time you may establish your own login which will facilitate your logging into the internet service. You do it on your own after logging into the service, selecting subsequently: “Settings” [“Ustawienia], “Access Channels” ["Kanały dostępu”] and “define login” ["zdefiniuj login”].

Your new login:

  • should contain from 8 to 50 characters, including at least one letter,
  • may contain letters, digits and special characters ” `!@#$%^&*()_+-={}[]:;',.<>?”; it cannot contain typically Polish letters, e.g. „ł”, „ś” etc.;
  • must be unique (the system will inform you if the login you propose has already been in the Bank’s data),
  • must be different from your logging password.

If you are the customer of the acquired bank, from 20 April 2015 your new electronic banking service is iPKO, for the first and subsequent logging in you will use data described in the manual of logging into new iPKO for the current users of iPKONET.

Additionally, please remember that:

  • the system does not differentiate between lower case letters and upper case letters, thus “login” means the same as “LOGIN”
  • with the set login you can log into the iPKO internet service and mobile service,
  • after setting the login, you can log into the account both with it and your 8-digit Customer number,
  • at any time you can change the defined login to another one or remove it and log into the service exclusively with 8-digit Customer number received at the Branch of PKO Bank Polski.

The change of login to your friendly login will require confirmation by a one-time code of the authorisation tool.

Security image - New logging into iPKO
Safe TLS connection
Security certificate
Change of the password
If you lose or forget the password...

Protection of the privacy of the users of PKO Bank Polski’s information website ( is of paramount importance to us. Below you will find explanations concerning what data we collect and what rules of processing and use of the data we follow. We limit the use and collection of information about the users of the website to the necessary minimum required to provide top quality services.

In this section, you will find information about: the P3P protocol, the tools we use to ensure the greatest possible convenience of using the site (cookies, system logs, the rules of collection of e-mail addresses) and about data collected by third-party advertising agencies.

We protect private data of our users and so before you enter the website of PKO Bank Polski, your internet browser will tell you via the P3P protocol what data is collected and on what pages.

By means of the cookie technology, we only collect anonymous statistical data about the users in order to enhance their experience of the use of the services: the information one at and the transactional one at, to enhance the security of the transactional service and to minimise the nuisance caused by advertisements. We do not collect or store any financial data nor personal data whereby the users of the services can be identified.

Comfort takes precedence

We do our utmost to make sure the website is comfortable to use. In order to boost performance, we have employed the anonymous cookie technology and we collect statistics of the phrases most often searched in a search engine and thanks to this we update the site navigation on an ongoing basis so that the search for content is comfortable and intuitive.

System logs

These contain such data as the IP address from which a given sub-page was entered and the time of connection. System logs are only used for statistical purposes and they are not meant to identify the service users. The analysis of such logs enables us to align the contents of the page with the interests of the users. This information is by no means associated with the personal details of the customers of PKO Bank Polski.

Links to other web pages

We disclaim any responsibility for the privacy protection rules applied by the owners of the pages the links to which are published on PKO Bank Polski’s website. We encourage the users to read the privacy statements published on the partner sites, especially where they collect personal details.


Some pages on our site use the Floodlight technology, which serves the purpose of compilation of aggregate statistics concerning the use of the site. Floodlight is an electronic one-pixel (1x1) or transparent picture.

Floodlight tags may recognise certain information on your computer, such as cookie number, the date and time of visit on the website and the description of the site on which Floodlight is placed.

Third-party advertising agencies

When you are visiting an internet site on which an advertisement for PKO Bank Polski is displayed, our internet advertising agency may send cookie or floodlight files to your computer. This will enable it to recognise your computer on another visit or to measure the user’s reaction to the advertisement. Naturally, these are only anonymous statistic unrelated to your personal data or databases of customers of PKO Bank Polski.

Changes in the privacy policy of PKO Bank Polski’s website

What may influence changes in the privacy policy of PKO Bank Polski’s website is the development of internet technology, potential changes in the legislation concerning personal data protection and the development of our website. You will be advised of all such changes via our website.

What is the P3P protocol?

The Platform for Privacy Preferences (P3P protocol) is a new privacy protection technology created by the World Wide Web Consortium (W3C). The technology enables you to make conscious decisions regarding which of your personal details may be collected by a website. PKO Bank Polski cares about the personal details of ts customers and so it has implemented the P3P protocol on its website (

Browsers with the P3P technology implemented are able to automatically decide which cookies do not infringe on the user’s privacy preferences.

Cookies - what are those?

They are small text files sent by websites and saved by your internet browser. Cookies can be divided into temporary ones - “remembered” until the browser is shut down and cookies with a specified expiry date, which are saved by the browser for a longer time.

The act of sending of cookies to the browser can by no means violate your privacy. Information included in the cookies can only be used by the website which sent them. If you disable cookies in the browser you use, it may cause difficulties in the operation of certain functionalities of the website or they may not operate at all.

What cookies do we use?

On our website, we use cookies which are saved to the hard drive of your device in order to facilitate navigation and align the site to your preferences.

It is possible to block the saving of cookies to the end device or delete them after the proper configuration of the web browser. If you disable cookies in the browser you use, it may cause difficulties in the operation of certain functionalities of the website or they may not operate at all.

If your mobile device runs the iOS operating system, in order to enjoy the full version of the website, you need to enable cookies. If you agree to the saving of cookies, change the settings of your browser.

We have employed two anonymous cookies on website. Both are solely meant for operation with our site.

A browser with the P3P protocol implemented distinguishes the following cookies:

  • sessiontemporary cookies - which are not saved to the hard drive but which are necessary to maintain the context of your session. They are very often used by various sites owing to the nature of the HTTP protocol by means of which web pages are transmitted.
  • permanent cookies - which are not deleted when the browser is closed and which may be used by the website in future. These include:
    - cookies within a given domain (first party cookies) - the site configures the cookies only to satisfy its own needs,
    - cookies within an external domain (third party cookies) - the site places the cookie so that it can be used by other sites.

Enabling/deleting/blocking cookies

We use cookies in compliance with the settings of your browser installed on the device you use. See if you have allowed us to use cookies or not.

Many browsers have cookies enabled by default. You can change the settings or disable cookies in your browser at any time. Yet disabling cookies may cause the site to operate incorrectly. Using the internet service with cookies enabled in the browser means that cookies will be stored in the memory of your device.

To find out more about cookies, see “Help” in your browser’s menu.

Microsoft terminates support for Windows XP - take care of secure use of your account online

According to the announcements published by Microsoft on its website, after termination of technical support as of 8 March 2014, Windows XP will continue to operate but the machines running it might be exposed to a greater extent to malware an cybercrime attacks - find out more.

In spite of having the latest antivirus software and firewall installed, the computers running Windows XP OS might be seriously vulnerable to such attack. Such attacks may result in the theft of access credentials (logins and passwords) for online banking services or, for example, the taking of control over the device.

Remember: only regularly updated software and manufacturer’s support for the operating system provides enhanced security. That is why PKO Bank Polski recommends that the users of electronic banking run operating systems covered by full technical support by the manufacturer and that they upgrade their operating system to newer Windows version or replace it with another system which is regularly updated. To find out more, visit Microsoft’s - the Windows producer’s - website.

How to check the browser version?

You can find information about the version of your browser and encryption protocol by selecting from the menu the “Help” option, and then depending on the browser -> “Internet Explorer - information”, “About Firefox”, “About Opera” or “Google Chrome Settings” -> “Google Chrome – information.”

Check whether the settings of your browser are consistent with the below recommendations.

Remember: do not allow the search engine to remember data, because it allows each subsequent user of the computer to log into your account in the internet service.

Delete temporary files from cache

Systematically delete temporary files that are stored in the web browser cache to ensure its proper functioning.

  • Firefox
    “Tools” menu » “Clear browsing history” – select the “Cookies” option and “Cache” and press “Clear now”.  You can also specify the period the cache of which will be deleted.
  • Opera
    “Settings” menu » “Clear browsing history” and select “Delete all cookies”, “Delete pages and password-protected access data”, “Delete entire cache” and then press “Delete”.
  • Internet Explorer
    “Tools” menu » “Internet Options "» “General” tab, part of the “Browsing history”, press “Delete” – select “Delete cookies ...” and “Temporary internet files”
    “Tools” menu »Internet Options” » “General” tab, part of the “Browsing history”, “Settings” button » in the part “Check for newer versions of stored pages” select the “Every time I visit this page” option
  • Google Chrome
    “Google Chrome Settings” menu » “Tools” “Clear browsing data ...” – select “Empty the cache” and “Delete cookies and other site data” and press “Clear browsing data”. You can also specify the period of which cache will be deleted.
  • Safari
    Preferences Menu » Privacy » “Cookie files and other site data” field » Delete all site data

Remembering passwords and forms

For safety reasons, it is recommended to disable the function to remember passwords and forms in a web browser. When the function to remember passwords and forms is enabled, when you log into the iPKO service, the Customer number and password are automatically entered. Disabling this option prevents logging into the service for other persons.

  • Firefox
    “Tools” menu » “Options” » “Safety” » “Passwords” » uncheck the “Remember passwords for sites” field
  • Opera
    “Settings” menu, “Preferences…” tab » “Forms” tab, uncheck the “Turn on password manager” field
  • Internet Explorer
    “Tools” menu » “Internet options” » “Content” tab » “Autocomplete” part » “Settings” - uncheck the “User names and passwords on forms” fields
  • Google Chrome
    “Google Chrome Settings” menu » “Settings” » “Privacy” » “Passwords and forms” – uncheck the “Offer to save your web passwords” field
  • Safari
    Preferences Menu » Forms » “Automatically fill out forms” field, uncheck the field with “user names and passwords”

Remember! Always after finished work, log out of the service (option in the upper right corner), and then close the browser window.

How to enable/delete/block cookies from the web browser?

Internet Explorer 9

New versions of malware are appearing on the Internet, that – installed on the computer or phone of the user logging into the internet service of PKO Bank Polski or the IKO mobile application e.g. as a result of opening a suspicious attachment to a fraudulent e-mail sent by hackers – can be used by criminals to steal confidential data and even to execute unauthorised transactions from the bank account.  That’s why – to protect your data and funds – take care of the safety of your phone when making operations through electronic banking.

  1. Before confirming the execution of transfer by an authorisation code, always carefully check whether the transfer details are consistent with those which have been introduced when submitting an instruction – if virus has been installed on your computer, it can change the transaction details – including the account number and the amount – for another ones.
  2. If you use SMS codes to authorise instructions ordered from the bank account, before the entering of an authorisation code, read carefully the content of the text message with the code and make sure that it relates to the relevant operation (check especially the correctness of the account number of the recipient and the amount of the transaction).
  3. If you receive a text message with the authorisation code in the case that no instruction have been ordered by you or details in the text message are different from the details that have been entered during the submission of instruction – do not enter the one-time code, and immediately contact the Bank.
  4. Check regularly the history of operations made from your account– if you notice any inconsistencies, immediately report them to the Bank.
  5. Read the safety messages of the Bank presented on the websites.