Security
44 articles in this topic.
Advance-fee and fake loan offer scams
Advance-fee fraud targets businesses looking for finance. A criminal offers an attractive loan, then claims you must pay a fee first to release the funds, cover insurance, or unlock a better rate. Once you pay, the loan never arrives and the fraudster disappears.
How to recognise it
- You are asked to pay something before any money is advanced to your company.
- The offer arrives out of the blue, often by email, text or social media.
- The terms sound unusually generous or the approval is suspiciously quick with no checks.
- You are pushed to pay by an unusual method or to a personal account.
How we actually work
We lend to UK limited companies and LLPs for business purposes, and we assess each application properly. The cost of borrowing is set out clearly in the offer we make to you, based on the rate and term shown there. Anyone demanding a separate up-front payment to release a Credicorp loan is not us.
If you have been targeted
- Do not make any payment.
- Keep the message and any account details you were given.
- Report it to Action Fraud and let us know through a verified channel so we can warn others.
See also: Can my company make a partial payment if it cannot pay in full?, Can my company pay ahead to build a buffer? and Protecting your business from social media and messaging scams.
Choosing a strong password for your business account
Your password protects access to your company's loan information, statements and account details. A weak or reused password is one of the easiest ways for a fraudster to get in, so it is worth getting right.
What makes a strong password
- Length matters more than complexity. A long passphrase made of several unrelated words is both strong and easier to remember.
- Avoid anything guessable, such as your company name, a director's name, or the year your business was incorporated.
- Do not reuse a password you already use for email, banking or other services.
Use a password manager
A reputable password manager generates and stores a unique password for every account, so you only need to remember one master password. This removes the temptation to reuse passwords across services and makes it far harder for an attacker to move from one breached account to another.
When to change it
- Immediately, if you suspect anyone else has seen or guessed it.
- If you learn that any service you use has had a data breach.
- When someone who had access to the account leaves your business.
If you think your password has been compromised, change it straight away in the portal and let us know through a verified contact channel so we can review recent activity on your account.
See also: How to apply for a Credicorp loan, step by step, How we protect your account behind the scenes and Will Credicorp ever ask for my password or 2FA code?.
Does Credicorp use two-factor authentication?
Yes. Credicorp supports two-factor authentication (2FA) on business accounts, and we strongly recommend enabling it. 2FA requires a second piece of evidence — typically a one-time code — in addition to your password each time you sign in, so a stolen password alone is not enough to gain access.
How 2FA works on your account
Once enabled, after you enter your password you will be prompted for a time-limited code. This code is generated by an authenticator app on your registered device or delivered by SMS. The code expires within seconds, so an attacker who intercepts it cannot reuse it later.
Which 2FA method should I use?
Authenticator apps (such as those that follow the TOTP standard) are more secure than SMS codes, because they are tied to your physical device rather than your phone number. SMS 2FA is still significantly better than no 2FA, so enable whichever method is available to you and upgrade when you can.
What to do if you lose your 2FA device
If you lose access to your registered device, contact our support team through the official contact details on our website. You will need to verify your identity through alternative means before access is restored. Store your backup recovery codes in a secure location — ideally a password manager or encrypted document — when you first set up 2FA, so that losing a device does not lock you out permanently.
We lend only to UK limited companies and LLPs, and the loan is to the company with no director personal guarantee. As business finance outside the consumer-credit regime, it is not covered by the Financial Ombudsman Service or FSCS.
See also: How do I keep my Credicorp business account secure?, What will Credicorp never ask me for?.
How can directors protect their details from fraud linked to a business loan?
Because Credicorp lends to the company with no director personal guarantee, we do not hold extensive personal financial data on individual directors. Even so, directors should understand that their information is publicly visible at Companies House, and fraudsters exploit that data to impersonate directors or target their businesses.
What is publicly visible and why it matters
Companies House publishes your full name, month and year of birth, nationality, and country of residence. Fraudsters use this information to construct convincing impersonation attacks — for example, calling your finance team and pretending to be you to authorise a payment or request a drawdown.
Steps directors can take
- Apply for a registered address service if you use your home address as a director's service address — this keeps your personal address out of the public register.
- Suppress your home address through Companies House's address suppression process if it was submitted historically.
- Establish internal controls so that no payment or account change can be authorised by a single voice instruction alone; require a written confirmation via a second channel.
- Monitor your credit profile through a commercial credit reference service so you receive alerts if new credit applications are made in your company's name.
Internal verification protocols
Brief your finance and operations staff on impersonation fraud. A simple rule — call back any payment instruction on a known number before executing it — catches most attempts.
We lend only to UK limited companies and LLPs, and the loan is to the company with no director personal guarantee. As business finance outside the consumer-credit regime, it is not covered by the Financial Ombudsman Service or FSCS.
See also: What will Credicorp never ask me for?, What are the safe ways to make repayments to Credicorp?.
How can I tell a genuine Credicorp email from a fake one?
Email is one of the easiest things for a fraudster to fake, so it pays to know what a genuine message from us looks like and what we would never do. No single sign is foolproof, so use these checks together.
Check the sender carefully
- Look at the full email address, not just the display name. Fraudsters often use a name that reads correctly but an address that is subtly wrong.
- Be wary of addresses that add extra words, use a different domain, or swap letters and numbers.
What we would never do by email
- Ask you for your portal password or your two-factor code.
- Demand an urgent payment to a new account.
- Pressure you to act within minutes or threaten immediate consequences.
Treat links and attachments with care
Rather than clicking a link in an email, go to your portal directly by typing the address yourself or using a saved bookmark. Be especially cautious with unexpected attachments, as these can carry malware.
When in doubt
If anything feels off, do not reply or click. Contact us through the verified details on our official website or in your portal, and we will confirm whether the message was really from us.
See also: How do I spot a scam pretending to be from Credicorp?, How to spot a fake firm using the Credicorp name and Changing your communication preferences.
How Credicorp will — and won't — contact you
One of the simplest ways to stay safe is to know how a genuine message from us looks — and what we will never ask for. If a message crosses any of the lines below, it is not from us.
What we will never do
- Ask for your full card number, PIN or CVV by phone, text or email.
- Ask for your online-banking password or a one-time security code.
- Tell you to move money to a "safe account" — there is no such thing; this is a hallmark of a scam.
- Pressure you to act immediately or keep a payment secret.
- Send you to a website that is not on our list of genuine group domains.
What we will do
- Show a genuine request to pay inside your portal, after you have signed in yourself.
- Contact you about your account by the channels you have agreed, without ever needing your password or a code.
- Be happy for you to hang up and call us back through the official site if you want to check a call is real — a genuine caller never minds.
If anything feels off, do not act on the message. Go to credicorp.co.uk yourself (type it in), sign in, and check your account — or contact us through the official site. A real request will still be there; a scam falls apart the moment you check.
For the tell-tale signs of a fake message, see recognising phishing and smishing, and if something has already happened, see what to do if you think you have been scammed.
See also: Advance-fee and fake loan offer scams, Choosing a strong password for your business account, How do I spot a scam pretending to be from Credicorp?.
How do I keep my Credicorp business account secure?
The most effective account security combines strong credentials, access controls, and alert habits. Credicorp accounts hold sensitive financial data about your company, so a few deliberate steps go a long way.
Use a strong, unique password
Choose a password that is at least 14 characters and is not reused on any other service. A password manager makes this straightforward. Avoid anything derived from your company name, director names, or easy keyboard sequences. Change your password immediately if you suspect it has been exposed.
Control who has access
Only grant portal access to individuals who genuinely need it. Review your authorised users periodically and remove accounts for staff who have left the business. If your account supports named users or role permissions, use them rather than sharing a single set of credentials across the team.
Stay alert to session and device security
Always log out after each session, particularly on shared or public devices. Avoid accessing your account over public Wi-Fi without a VPN. Keep the operating system and browser on any device you use for finance up to date; many breaches exploit known vulnerabilities in outdated software.
Monitor account activity
Review your account dashboard and any email notifications regularly. If you see a transaction, login, or change you do not recognise, contact us immediately through the details on our official website.
We lend only to UK limited companies and LLPs, and the loan is to the company with no director personal guarantee. As business finance outside the consumer-credit regime, it is not covered by the Financial Ombudsman Service or FSCS.
See also: Does Credicorp use two-factor authentication?, What will Credicorp never ask me for?.
How do I report a suspicious message claiming to be Credicorp?
If you receive a message — by email, SMS, phone call, or any other channel — that claims to be from Credicorp but feels wrong, report it promptly. Early reporting helps protect other businesses and can prevent fraud from progressing.
Report to Credicorp directly
Forward suspicious emails to our security inbox at security@credicorp.co.uk. Include the original email as an attachment where possible, as this preserves header data that helps our team investigate. For suspicious calls or texts, note the number and contact us through the official number or live chat on our website — do not use any contact details provided in the suspicious message itself.
Report to Action Fraud
Action Fraud is the UK's national reporting centre for fraud and cybercrime. You can file a report online at actionfraud.police.uk or by calling 0300 123 2040. If your company has already suffered a financial loss, also contact your bank immediately, as they may be able to recall a payment under the Faster Payments recall process.
What information to keep
- The full email including headers (use 'Show original' or 'View source' in your email client)
- Any phone numbers, web addresses, or account numbers mentioned
- The date and time of the contact
- Screenshots of any web pages you were directed to (without entering any information)
We lend only to UK limited companies and LLPs, and the loan is to the company with no director personal guarantee. As business finance outside the consumer-credit regime, it is not covered by the Financial Ombudsman Service or FSCS.
See also: What will Credicorp never ask me for?, How do I spot a phishing email pretending to be Credicorp?.
How do I report suspected fraud or a suspicious message?
If you receive a message, call or request that you think is a scam, or you believe someone has tried to access your account, please tell us. Even if nothing has gone wrong, reporting it helps us spot patterns and protect other businesses.
What to do first
- Do not click any links, open attachments, or reply to the suspicious contact.
- If you can, keep the message so we can see the details, including the sender address or phone number.
- Do not share any passwords or codes with the person who contacted you.
How to reach us
Contact us through the verified details shown in your business portal or on our official website. Do not use a phone number or link given to you in the suspicious message itself, as that may simply put you back in touch with the fraudster.
If money or access is already involved
- If a payment has been made, contact your bank immediately.
- If you shared login details, change your password and let us know so we can review your account.
- Report the fraud to Action Fraud, the UK's national reporting centre, or to Police Scotland if you are in Scotland.
The sooner you report, the more we can do to help protect your company.
If you are deciding what happened, read how to spot a scam pretending to be from Credicorp, what to do if you clicked a suspicious link and recognising fake Credicorp phone calls.
See also: Advance-fee and fake loan offer scams, Choosing a strong password for your business account, How Credicorp will — and won't — contact you.
How do I set up two-factor authentication on my account?
Two-factor authentication (2FA) means that even if someone learns your password, they still cannot get into your account without a second code that only you can access. We strongly recommend every authorised user on your company's account turns it on.
Turning it on
Sign in to your business portal, open your profile or account settings, and look for the security section. Choose to enable two-factor authentication and follow the on-screen steps. You will usually link an authenticator app or confirm a mobile number that receives a one-time code.
What to expect when you sign in
- You enter your email and password as normal.
- You are then asked for a short code from your app or message.
- The code changes regularly, so an old one will not work.
Good practice
- Use an authenticator app where possible rather than text messages, as it is harder to intercept.
- Keep your recovery codes somewhere safe and offline.
- If more than one director or finance team member uses the account, each person should set up their own 2FA on their own login.
If you ever lose access to your second factor, contact us through the verified channels listed in your portal so we can help you regain access safely.
See also: Will Credicorp ever ask for my password or 2FA code?, What happens after you sign the Business Loan Agreement, How to read a Key Information Sheet.
How do I spot a phishing email pretending to be Credicorp?
Phishing emails impersonating financial services firms are common. Fraudsters mimic branding, tone, and urgency to trick recipients into clicking malicious links or surrendering credentials. Knowing the tell-tale signs protects your business.
Common warning signs
- The sender address does not end in our official domain — look at the full address, not just the display name.
- The email creates artificial urgency: threats to suspend your account, demands for immediate payment, or very short deadlines.
- Links in the email lead to a domain that resembles ours but is slightly different — for example, an extra hyphen, a misspelling, or a different top-level domain.
- Attachments you were not expecting, particularly compressed files or macros-enabled documents.
- Poor grammar or inconsistent formatting, though sophisticated attacks may look polished.
What to do if you receive a suspicious email
Do not click any links or download any attachments. Do not reply to the email or call any number given within it. If you want to check whether a message is genuine, navigate directly to our website by typing the address into your browser, or call us on the number listed there. You can report the suspicious email to us and to Action Fraud (actionfraud.police.uk).
Hovering over links before clicking
On desktop, hovering your cursor over a link shows the actual destination URL in your browser's status bar. On mobile, press and hold the link to preview the address. If the URL looks unfamiliar or does not match our official domain, do not proceed.
We lend only to UK limited companies and LLPs, and the loan is to the company with no director personal guarantee. As business finance outside the consumer-credit regime, it is not covered by the Financial Ombudsman Service or FSCS.
See also: How do I report a suspicious message claiming to be Credicorp?, What will Credicorp never ask me for?.
How do I spot a scam pretending to be from Credicorp?
Scams that copy real lender brands are unfortunately common. We take this seriously and want every customer to feel confident about telling our messages apart from a fake. Here is what to look for.
Things a genuine Credicorp Limited message will do
- It will be signed from Credicorp Limited and use an email address ending
@credicorp.co.uk. - It will reference your real account or reference number, not a generic "Dear Customer".
- It will direct you to credicorp.co.uk or to your own bank — never to an unfamiliar third-party domain.
- It will give you time to act. If a payment is due, we will tell you when, but we will not pressure you to act in the next five minutes.
Things a scam often does
- Uses a slightly-wrong domain —
credi-corp.co.uk,credicorp-pay.com, anything that is not the realcredicorp.co.uk. - Creates urgency: "your account will be suspended in one hour", "final notice", "act now".
- Asks you to pay to a new bank account that you have not seen on any previous statement.
- Asks for your full card number, your online-banking password, or a one-time security code (your bank will never ask for these either, and neither will we).
- Sends a link asking you to "log in to verify" — we do not operate a customer log-in like this and we will not ask you to.
If something looks wrong
Do not click links and do not call any phone number in the suspicious message itself. Instead:
- Open this site directly. Type credicorp.co.uk into your browser — do not click any link in the suspicious message
- Contact us to verify. Use the phone number or email address on the Contact Us page to ask us about the message you received
- Act fast if money has moved. Contact your bank straight away and ask them to attempt a recall
- Report the message. You can also report to Action Fraud (the UK's national reporting centre for fraud and cybercrime) at actionfraud.police.uk, or forward suspicious texts to 7726
How we will handle a reported scam
If you tell us about a message that is impersonating Credicorp, we will look into it, take it seriously, and treat any disclosure carefully. We will not blame you — scams are designed to be convincing, and reporting one helps us protect other customers. Our Audio Recording and Privacy notices explain how the information you share with us is handled.
For more checks, see how to tell a genuine Credicorp email, advance-fee and fake loan offer scams and what information we will and will not ask you to confirm.
See also: Choosing a strong password for your business account, How Credicorp will — and won't — contact you, How do you keep my information secure?.
How do you keep my information secure?
Looking after your information is one of our most important responsibilities. Below are the practical measures behind that, with the formal detail set out in our Privacy Policy.
The basics
- Encryption in transit. The connection to this website, our online forms and our payment page is encrypted using TLS. You should see
https://in the address bar — if you do not, please contact us before sending personal information. - Access controls. Access to customer records is limited to colleagues who need it for their role, logged centrally, and reviewed regularly.
- UK-based processing. Customer information is held on systems located in the United Kingdom. Where we use third-party processors, they are listed in our Privacy Policy and contracted under UK data-protection terms.
- Retention with purpose. We keep your information only for as long as we need it for the original purpose — for example, to administer your account, meet our regulatory record-keeping obligations, or defend against a future complaint or claim.
Calls and recordings
Calls to and from Credicorp Limited are recorded — see our Audio Recording page for the full detail. Recordings are stored on the same secure systems as the rest of the customer record and are subject to the same access controls and retention rules.
Sharing your information
We share information only where there is a clear lawful basis to do so. The most common cases are:
- credit reference agencies — see our article on credit-file impact;
- our regulators and government bodies, where the law requires us to;
- service providers operating on our behalf under contract;
- related group companies (for example CM Beyer Limited in the UK and Credicorp Pty Limited in Australia) only where a specific shared service applies and a lawful basis exists.
You have rights over the information we hold — to see it, to correct it and, in some cases, to ask for it to be deleted. Those rights are set out in the Privacy Policy, and the quickest way to exercise them is the General Support Enquiry form (mark it as a data request) or by emailing our privacy team. To strengthen your account security with a passkey, see setting up a passkey for your Credicorp account.
See also: Advance-fee and fake loan offer scams, Choosing a strong password for your business account, How Credicorp will — and won't — contact you.
How do you verify it is really me on the phone?
If you call us or we call you about your account, we need to confirm we are actually speaking to you before discussing any account-specific information. This protects you from impersonation and protects us from disclosing your details to anyone else.
What we will normally ask
- Your full name as it appears on the account.
- Your date of birth.
- The address we hold for you (or the previous address, if you have moved recently).
- A small set of digits from your Credicorp account or reference number — never the whole thing back to us, just enough to confirm.
- One or two security questions if these have been agreed with you previously.
What we will never ask
To be completely clear: we will never ask for any of the following, on any call, in any email, or via any text message:
- your online-banking password or PIN;
- the full long number on the front of your debit card;
- a one-time security code that has been sent to you (these codes are for you to use, never to be read out to anyone else);
- remote access to your computer.
If anyone calling claims to be from Credicorp and asks for any of the above, end the call. The genuine Credicorp Limited will not be upset that you hung up — quite the opposite — and you are welcome to call us back on the number listed on our Contact Us page to confirm whether the original call was real.
Outbound calls from us
When we call you we will tell you who we are and why we are calling. If you would like to verify it is really us before discussing anything sensitive, please feel free to ask for our name and call us back on the published contact number. We would much rather you took an extra minute to verify than push on with a call that did not feel right.
Special arrangements
If a regular phone conversation is difficult — because of a hearing impairment, a language need, a health condition, or because someone else needs to be on the call with you — please use the Additional Support Needs form. We will note the requirements on your account so they are respected on every call.
Our wider approach to security is covered in How do you keep my information secure? and How do I spot a scam pretending to be from Credicorp?.
See also: Advance-fee and fake loan offer scams, Choosing a strong password for your business account, How Credicorp will — and won't — contact you.
How passkeys work on Credicorp sign-in
A passkey is a secure sign-in method stored by your phone, computer, password manager or security key. Instead of typing a password, you approve the sign-in with the same method you use to unlock that device, such as a fingerprint, face check, PIN or hardware security key.
Where passkeys are used
Passkeys are part of Credicorp SSO. When passkeys are available for your account, the sign-in screen may show a Sign in with a passkey option. Customer journeys start from clients.credicorp.co.uk/login; staff journeys may start from an internal app or sso.credicorp.co.uk.
Why passkeys are safer than passwords
- They are tied to the genuine site. A passkey created for Credicorp will not work on a fake look-alike domain.
- There is no password to type or reuse. That removes a common route for phishing and credential stuffing.
- Your device proves possession. The sign-in needs the device, password manager or security key that holds the passkey.
- Credicorp does not receive your fingerprint, face data or device PIN. Those stay with your device or passkey provider.
Setting up a passkey
- Sign in through the normal Credicorp sign-in route. Use the customer portal or staff SSO link you normally use.
- Open the security or passkeys area if it is available to you. Follow the on-screen prompt to add a passkey.
- Approve the device prompt. Your browser, password manager or security key will ask you to confirm with your device unlock method.
- Name the passkey clearly if asked. Use a label that will make sense later, such as "Work laptop" or "YubiKey".
- Keep a recovery route. Do not remove your last usable sign-in or recovery method unless you have set up a replacement.
For a detailed walk-through including registering multiple passkeys and what to do if you lose a device, see setting up a passkey for your Credicorp account.
If your passkey is lost or not working
Use the recovery option shown on the sign-in screen. If you still have access with a password, another passkey, or a recovery route, sign in and remove the lost passkey from your security settings. If you cannot get in, customers should use the General Support Enquiry form or Contact Us; staff should use the internal support route.
If your phone, browser or security key asks you to approve a passkey sign-in that you did not begin, reject it. Then change your password if one is still set and contact support through an official route.
For broader account security, see keeping your portal login secure and setting up two-factor authentication.
See also: Advance-fee and fake loan offer scams, Choosing a strong password for your business account, How Credicorp will — and won't — contact you.
How we protect your account behind the scenes
Keeping your account secure is a shared effort. While much of our other guidance focuses on what you can do, it is fair to ask what we do too. Here is a plain-English overview of the kinds of protections we have in place, without giving away detail that could help an attacker.
Protecting access
- We offer two-factor authentication so that a password alone is not enough to get in.
- We monitor for unusual sign-in activity and can prompt extra checks where something looks off.
- We send notifications about key changes so you can spot anything you did not authorise.
Protecting your information
- Connections to your portal are encrypted in transit.
- Access to your information internally is limited to those who need it to support you.
- We design our communications so that we never need to ask you for your password or codes.
Where you come in
No system can protect an account if login details are shared or a device is left open. The strongest results come from combining our safeguards with good habits on your side, such as strong passwords, switched-on two-factor authentication, and a healthy caution towards unexpected contact.
If you ever spot something that does not look right, contact us through a verified channel and we will look into it with you. For the full picture of how we handle your data, see our privacy policy.
See also: How do you keep my data secure?, What to do if you can't make a payment and Choosing a strong password for your business account.
Keeping your devices secure for business finance
However strong your passwords are, an unprotected device can undo them. The laptop, tablet or phone you use to sign in to your portal and read our emails is part of your security, so it is worth keeping it in good shape.
Keep everything up to date
- Install operating system and browser updates promptly, as they often fix security flaws.
- Keep reputable anti-virus or security software running on company computers.
- Only install apps and software from trusted sources.
Lock and protect each device
- Use a PIN, password or biometric lock so a lost device cannot be opened easily.
- Turn on encryption where your device offers it.
- Set screens to lock automatically after a short period of inactivity.
Be careful where you sign in
Avoid logging in to your account on shared or public computers. If you must use public Wi-Fi, treat it as untrusted and consider a reputable VPN. Always sign out fully when you finish, rather than just closing the window.
If a device is lost or stolen
Change your portal password from another device, remove the lost device's access where you can, and contact us through a verified channel so we can watch for unusual activity on your account.
See also: Keeping your portal login secure, How we protect your account behind the scenes, How do you keep my data secure?.
Keeping your portal login secure
Your online account is where you manage everything, so keeping the login to it secure matters. None of this is complicated — it is a handful of habits that make a real difference.
The basics that matter most
- Use a strong, unique password. Not one you use anywhere else. A few random words together are easy to remember and hard to guess.
- Turn on extra login security if it is offered. Where the portal offers a second step at sign-in, switch it on — it means a password alone is not enough to get in.
- Keep your email secure too. Whoever controls your email can often reset other logins, so protect it just as carefully.
- Sign out on shared devices and avoid saving the password in a browser someone else uses.
A one-time security code is for you to enter, never to read out. We will never phone or message you to ask for a code, your password or your PIN. Anyone who does is trying to take over your account — see how we will and won't contact you.
If you think your login has been compromised
Change your password straight away, and if you can no longer get in, contact us through the official site so we can help secure the account. Tell us if you have shared a code or clicked a suspicious link. For wider safety, see what to do if you think you have been scammed.
We also harden the site itself — secure connections, sensible security headers and identity signals — but the login is a shared responsibility, and these habits are your part of it. For how we protect your information, see how we keep your information secure. For a guide on checking your recent sign-in history for anything out of the ordinary, see reviewing suspicious login activity on your account.
See also: Advance-fee and fake loan offer scams, Choosing a strong password for your business account, How do I spot a scam pretending to be from Credicorp?.
Managing who can access your company account
Because your loan is with your company, more than one person may need to view statements or manage the account, such as a director and a member of your finance team. Keeping that list of people accurate and minimal is an important part of account security.
Give access only where it is needed
- Add only people who genuinely need to use the account for their role.
- Each person should have their own login rather than sharing one set of credentials.
- Avoid using a generic shared mailbox or password that several people know.
Review access regularly
People change roles and leave businesses. Set a regular reminder to check who can still get into your account and remove anyone who no longer needs it. This is especially important after a staff change in your finance function.
When someone leaves
- Remove their access promptly.
- If they knew a shared password, change it.
- Check that no forwarding or notifications are still going to a personal address they control.
If you are not sure how to add or remove a user, or you think someone has access who should not, contact us through a verified channel and we will help you put it right.
See also: Can I give my accountant access to my account?, Keeping your devices secure for business finance, Who can authorise payment changes on my company's account?.
Protecting your business email from takeover
Email is a common target because so much else depends on it. If a criminal gets into your business inbox, they can reset passwords, read your financial correspondence, and impersonate your company to suppliers and lenders. Protecting your email is one of the highest-value things you can do.
Lock the inbox down
- Turn on two-factor authentication for every business email account.
- Use a unique, strong password that you do not use anywhere else.
- Review which apps and devices currently have access and remove any you do not recognise.
Watch for quiet compromise
A takeover is not always obvious. Look out for warning signs such as emails disappearing, replies you did not write, mail rules that quietly forward or delete messages, and contacts saying they received a strange message from you. Any of these can mean someone else is inside the account.
Why it matters for your account with us
- We communicate with you about your business loan by email, so a compromised inbox puts that information at risk.
- Recovery and verification steps can involve your email address.
If you think your business email has been compromised, secure it first, then contact us through a verified channel so we can be alert to any fraudulent attempts to use it against your account.
See also: How to complain by email, How do I report suspected fraud or a suspicious message?, How often are statements issued, and can I get one on request?.
Protecting your business from social media and messaging scams
Not every scam arrives by email. Fraudsters increasingly use social media platforms and messaging apps to approach businesses, sometimes posing as a lender, a supplier or even a member of staff. These channels can feel informal, which is exactly what makes them risky.
Common approaches
- A profile claiming to be Credicorp offering quick finance or a special deal.
- A direct message asking you to click a link to verify your account or claim funds.
- An account copying our name, logo or branding to look official.
- A message that moves the conversation onto a private app and presses you to act fast.
How to check
- We will never agree your loan terms or ask for sensitive details through a social media message.
- Look for tell-tale signs of a fake profile, such as a recently created account, few genuine posts, or a slightly altered name.
- Do not click links in unsolicited messages. Go to our official website or your portal directly.
If you are contacted
Do not share any account details or make any payment based on a social media or messaging contact. Report and block the account, and let us know through a verified channel so we can request its removal and warn other businesses.
See also: How to spot a fake firm using the Credicorp name, Advance-fee and fake loan offer scams and Safe habits when using public Wi-Fi for business.
Protecting your company from CEO and director impersonation fraud
CEO fraud, sometimes called director impersonation or business email compromise, targets the people in your business who can move money. A criminal pretends to be a director or senior figure and instructs a member of staff to make an urgent, often confidential, payment.
How it works
- An email or message appears to come from a director, sometimes from a spoofed or compromised account.
- It asks for an urgent payment or a change to supplier or lender bank details.
- It stresses secrecy and speed, discouraging the usual checks.
- It may reference a real deal or relationship to seem genuine.
How to defend against it
- Agree a rule that any payment request or change to bank details is verified in person or by a known phone number, never by replying to the message.
- Be suspicious of urgency and secrecy. Genuine requests can withstand a quick check.
- Make sure finance staff feel able to question a request, even one that appears to come from the top.
Where we fit in
If a request claims to relate to your loan with us, confirm it against your portal and contact us through a verified channel before acting. We will never pressure your staff into a secret or rushed payment, and our genuine repayment arrangements are visible in your account.
See also: Who can authorise payment changes on my company's account?, Spotting fake invoices and payment redirection fraud and Can a non-UK company or overseas director apply?.
Recognising fake phone calls claiming to be from Credicorp
A convincing phone call can be one of the hardest scams to spot, because the caller may sound calm, professional and well-informed. Criminals can also fake the number that shows on your screen, so caller ID alone is never proof of who is calling.
Common pressure tactics
- Creating urgency, such as claiming your account is at immediate risk.
- Asking you to confirm a security code that has just arrived on your phone.
- Asking you to move money to a so-called safe account.
- Telling you to keep the call secret or not to hang up to verify.
What a genuine call from us will not do
- We will not ask for your portal password or two-factor code.
- We will not ask you to transfer money to a new account during the call.
- We will not object if you want to call us back to confirm who we are.
The safest response
If you are unsure, hang up. Wait a short while, then call us back on a number you already trust from your portal or our official website. Genuine callers will always understand you taking this step to protect your business.
See also: How do you verify it is really me on the phone?, Are your phone calls recorded? and Can I make a complaint over the phone?.
Recognising phishing and smishing messages
Phishing is a fake email, and smishing is a fake text message, both designed to look like they come from a company you trust so you hand over a login or a payment. They are common, but they share tell-tale signs. Once you know them, they are much easier to spot.
The signs to look for
| Sign | What it looks like |
|---|---|
| Urgency or threat | "Act now or your account will be closed." Genuine messages do not pressure you to act in a panic. |
| Asks for secrets | Requests your password, PIN, full card number or a one-time code — things we never ask for. |
| Odd link or sender | A web address that is not on our genuine-domains list, or a sender address that is almost-but-not-quite right. |
| "Safe account" | Tells you to move money to a new account to protect it. This is always a scam. |
| Small details that don't fit | Your name missing, an amount or reference that is wrong, clumsy spelling, or a request you were not expecting. |
Even if a message looks convincing, do not use its link or phone number. Open credicorp.co.uk yourself, sign in, and check. If it was genuine, the information will be there; if it was a scam, you have lost nothing.
What to do with one
Do not reply, tap links or call the number. You can report scam texts to your mobile network (often by forwarding to 7726) and suspicious emails to the National Cyber Security Centre at report@phishing.gov.uk. Then delete it. If you are not sure whether a message is real, check how we will and won't contact you.
If you have already clicked or shared something, act quickly — see what to do if you think you have been scammed. For confirming a website is genuinely ours, see which Credicorp websites are genuinely ours.
See also: Advance-fee and fake loan offer scams, Choosing a strong password for your business account, How do I spot a scam pretending to be from Credicorp?.
Reviewing suspicious login activity on your account
Keeping an eye on who is signing in to your company account is one of the simplest and most effective security habits you can build. A quick check now and then can catch a problem early, before anyone can do harm.
How to check your recent sign-in activity
Sign in to your account at clients.credicorp.co.uk/login and go to Settings → Security. Look for a section labelled Recent activity, Sign-in history or Login sessions. This shows a list of recent sign-ins, typically with:
- The date and time of each sign-in.
- The device or browser used (for example, "Chrome on Windows" or "Safari on iPhone").
- An approximate location based on the IP address.
- Whether the sign-in succeeded or failed.
What a normal sign-in looks like
Most sign-ins will be from devices and locations you recognise: your office computer, your phone, your home broadband connection. A sign-in from a new device or a different city is not automatically a problem — it might be you travelling, working from a different site, or using a new phone — but it is worth a closer look if you were not expecting it.
Red flags to watch for
Take action if you see any of these in your sign-in history:
- A sign-in from a country you have never visited or done business in.
- A sign-in at an unusual time — for example, the middle of the night when nobody on your team is working.
- Several failed sign-in attempts in a short window — this can mean someone is trying to guess a password.
- A sign-in from a device or browser you do not recognise combined with a location that does not match your team.
- A sign-in that succeeded but you know nobody on your team was active at that moment.
What to do if you see something suspicious
- Change your password immediately. Go to Settings → Security and choose a strong, unique password that you do not use anywhere else. See choosing a strong password for your business account.
- Check which devices are trusted. Review the list of trusted devices in your security settings and remove any you do not recognise. See what is a trusted device and how do I remove one.
- Review your contact details. Confirm your phone number and email address are still correct — a common fraud tactic is to change these so that future alerts go to the criminal. See why keeping your contact details up to date matters for security.
- Check for unauthorised changes. Look for new users added to the account, changes to bank details, or requests you did not raise.
- Tell us. Contact us through a verified channel and let us know what you saw. We can help you secure the account and investigate. See how to report suspected fraud to Credicorp.
What we do on our side
Credicorp monitors for unusual sign-in patterns automatically. If our systems detect a sign-in that looks out of the ordinary — such as a new device in an unexpected location — we may send you an alert or require an extra verification step. These checks happen in the background and do not slow down normal sign-ins. See what account activity alerts tell you for the alerts you may receive.
Building a regular habit
Pick a regular time to glance at your sign-in history — once a week is a good rhythm, or whenever you are already signed in to check a statement. The check takes less than a minute, and it is one of the most effective ways to catch a problem before it becomes serious.
If you use a shared account
If more than one person on your team signs in to the same account, make sure each person has their own user login rather than sharing credentials. Individual logins give you a clear audit trail and let you remove access for one person without resetting everyone else. See adding users to your company account and managing who can access your company account.
See also: Advance-fee and fake loan offer scams, How Credicorp will — and won't — contact you, How do I spot a scam pretending to be from Credicorp?.
Safe habits when using public Wi-Fi for business
Cafes, stations, hotels and shared workspaces make it easy to keep your business running from anywhere. The trade-off is that public Wi-Fi networks are not under your control, and that can expose your account information if you are not careful.
The main risks
- Someone on the same network potentially intercepting unprotected traffic.
- Fake hotspots set up to look like a genuine free network.
- Shoulder surfing, where someone simply watches your screen or keyboard.
How to reduce the risk
- Avoid signing in to your portal or doing sensitive financial tasks on public Wi-Fi where you can.
- If you must, use a reputable VPN to encrypt your connection.
- Consider using your phone's own mobile data, which is generally safer than an open network.
- Check the exact network name with staff rather than guessing, to avoid fake hotspots.
Good habits anywhere
- Keep two-factor authentication switched on, so a stolen password alone is not enough.
- Sign out fully when you finish, rather than just closing the lid.
- Be aware of who can see your screen in a public place.
If you think your account may have been accessed while you were on an untrusted network, change your password and contact us through a verified channel.
See also: Using Credicorp Flex without becoming over-reliant on it, Keeping your devices secure for business finance and Protecting your business from social media and messaging scams.
Setting up a passkey for your Credicorp account
Setting up a passkey takes about a minute and removes the need to type a password on every sign-in. A passkey is stored on your phone, computer, password manager or security key — and it is tied to our genuine site, so it will never work on a fake look-alike domain. For an overview of what passkeys are and why they are safer, see how passkeys work on Credicorp sign-in.
Before you start
You need a device or password manager that supports passkeys. Most modern phones, laptops and browsers do — including iPhones and iPads (iOS 16+), Android phones (Android 9+), Windows (Windows Hello), Macs (Touch ID or Apple Silicon), and password managers such as 1Password, Bitwarden, iCloud Keychain and Google Password Manager. A hardware security key (such as a YubiKey) also works.
Make sure your device is unlocked and that Bluetooth is on if you are using a phone to sign in on a desktop browser — the browser may need to talk to your phone to complete the passkey check.
Step 1: sign in with your current method
Start at clients.credicorp.co.uk/login and sign in with your existing email and password. You cannot create a passkey without first signing in — this is how we confirm the passkey belongs to the right account.
Step 2: go to your security settings
Once signed in, open Settings and look for the Security or Sign-in methods section. Select Add a passkey or Register a passkey. The exact label may vary, but the action is the same.
Step 3: create the passkey
Your browser or device will prompt you to verify your identity — typically with a fingerprint, face scan, device PIN or security key tap. This verification happens on your device and is never sent to Credicorp. Once confirmed, the passkey is created and linked to your account.
You can name the passkey so you can tell it apart later — for example, "Work iPhone" or "1Password vault". This is helpful if you register more than one.
Step 4: sign in with your passkey next time
The next time you visit the sign-in page, select Sign in with a passkey instead of typing your password. Your device will ask you to unlock (fingerprint, face or PIN) and the sign-in completes. There is no password to remember or type.
Registering more than one passkey
It is a good idea to register at least two passkeys on different devices — for example, one on your phone and one in a password manager. If you lose a device, you can still sign in with the other one. You can register additional passkeys from the same Security settings page.
If you lose the device with your passkey
You can still sign in with your email and password as a fallback. If you have registered a second passkey, use that instead. Once you are back in, go to Security settings and remove the passkey tied to the lost device. You can also register a new one. See what is a trusted device and how do I remove one for the removal steps.
Removing a passkey you no longer use
If you replace a device or stop using a password manager, remove its passkey from your account. Go to Settings → Security, find the passkey in your list, and select Remove. This stops the old passkey from being accepted, even if the device still holds it.
See also: Advance-fee and fake loan offer scams, Choosing a strong password for your business account, How Credicorp will — and won't — contact you.
Spotting fake invoices and payment redirection fraud
One of the most damaging frauds for any business is payment redirection, where a criminal poses as a supplier or lender and persuades you to send money to the wrong account. Because they are sometimes able to copy real branding and email styles, these messages can look convincing.
Warning signs
- An unexpected message saying our payment or bank details have changed.
- Pressure to pay quickly or to keep the change confidential.
- An invoice or reference that does not match what you see in your portal.
- An email address that is slightly different from our genuine ones.
How to protect your company
- Treat any change to payment details as suspicious until you have confirmed it independently.
- Check the amount and reference against the statement in your portal.
- Call us back on a number you already trust, not one supplied in the message.
- Make sure more than one person in your finance team is aware of how we genuinely collect repayments.
If you have already paid
Contact your bank straight away, as a fast report gives the best chance of recovering funds. Then tell us through a verified channel so we can confirm what is genuine and review your account. Reporting quickly protects both your business and others.
See also: Protecting your company from CEO and director impersonation fraud, How do I pay by bank transfer?, Recognising fake phone calls claiming to be from Credicorp.
We are not connected with other companies using a similar name
There are financial companies in other parts of the world with names that look or sound similar to ours. Because impersonation and confusion can be used to mislead businesses, we want to be clear about who we are and who we are not connected with.
Who we are
Credicorp here is a lender to UK limited companies and LLPs for business purposes. We provide the Credicorp Flex and Credicorp Slice products. Our genuine websites and portal are listed in our other security articles, and your account information lives in your business portal.
Who we are not
- We are not connected with Credicorp Inc or Banco de Credito del Peru.
- We are not connected with Credit Corp Group of Australia.
- Any similarity in name does not mean any shared ownership, systems or services.
Why it matters for security
Fraudsters sometimes exploit the existence of similarly named firms to make a scam seem more credible, or to send you to the wrong website. If you are ever unsure whether you are dealing with the right company, do not rely on the name alone. Check the website address carefully and contact us through the verified details in your portal before sharing any information or making any payment.
See also: Which Credicorp websites are genuinely ours?, Does the group share my data between its companies?, Is the decision fair and unbiased?.
What are the safe ways to make repayments to Credicorp?
Authorised Push Payment (APP) fraud — where a business is tricked into transferring money to a fraudster's account — is one of the most costly types of financial crime affecting UK companies. Paying safely means verifying details through channels you trust independently.
Use the details in your original agreement
Your repayment account details are set out in your loan agreement or facility documentation. If you need to make a payment, use those details. Do not rely on account numbers sent to you by email or text, even if the message appears to come from us.
If you receive changed payment details, verify before acting
We will never ask you to change your repayment destination via an unsolicited email or text. If you receive a message claiming our bank details have changed, treat this as a red flag. Call us on the number on our official website — not a number provided in the message — before transferring any funds.
Confirmation of Payee
Most UK banks now support Confirmation of Payee (CoP), which checks that the account name matches the sort code and account number before you send money. If CoP returns a mismatch when you enter our details, stop and contact us. Do not override a CoP warning without speaking to us first.
We lend only to UK limited companies and LLPs, and the loan is to the company with no director personal guarantee. As business finance outside the consumer-credit regime, it is not covered by the Financial Ombudsman Service or FSCS.
See also: What will Credicorp never ask me for?, How do I report a suspicious message claiming to be Credicorp?.
What information we will and won't ask you to confirm
Verification works both ways. We may ask you certain questions to be sure we are speaking to an authorised person on your company's account, but there are some things we will never ask for. Knowing the difference is a powerful defence against impersonation.
What we may ask to confirm your identity
- Details about your business that match our records.
- Information you have previously provided as part of your account.
- A code sent to you that you enter into our official portal yourself, not one you read out to a caller.
What we will never ask for
- Your portal password.
- Your two-factor authentication code read out loud or typed into a message.
- Full security details for your business bank account.
- A payment to a new account given to you over the phone or by message.
Turning the check around
You are always entitled to verify us, too. If a caller or message asks for something on the never list, stop and contact us yourself through the verified details in your portal or on our official website. A genuine member of our team will never mind you taking a moment to confirm who they are before you share anything.
See also: How Credicorp will — and won't — contact you, A debt collection agency has contacted me - is it genuine? and Complaining on behalf of your company.
What is a trusted device and how do I remove one?
A trusted device is a phone, tablet or computer you have told Credicorp you use regularly. It can reduce repeated security checks on that device, but it does not make the device an owner of the account and it does not bypass your normal permissions.
When to trust a device
Only trust a device if it is yours or managed by your business, protected with a screen lock, and not shared with people who should not access the account. Do not trust a public computer, a borrowed phone, or a shared browser profile.
When to remove a trusted device
- The device has been lost, stolen, sold or repaired.
- A colleague has left the business or changed role.
- You used a shared computer by mistake.
- You see a device or location you do not recognise.
- You changed your password because you think access may have been exposed.
How to remove one
- Sign in from a device you still control. Customers should start at clients.credicorp.co.uk/login. Staff should use the internal app or SSO route.
- Open security settings. Look for trusted devices, remembered devices or active sign-ins.
- Remove anything you do not recognise or no longer use. If there is an option to remove all trusted devices, use it after a password reset or suspected compromise.
- Sign out and sign back in. This confirms the device list and your recovery details are still current.
If a password reset or support action revokes trusted devices automatically, that is expected. It protects the account by forcing fresh checks after a sensitive change.
If you cannot remove it yourself
If you cannot sign in or you think an unauthorised person has access, contact us through an official route. Customers can use the General Support Enquiry form or Contact Us. Staff should contact internal support so the account and device list can be checked.
A trusted device usually remembers that a security check was recently completed. A passkey is a sign-in method that proves possession of a device, password manager or security key. You may need to manage both.
For related help, see how passkeys work and what single logout does when you sign out.
See also: Advance-fee and fake loan offer scams, Choosing a strong password for your business account, How Credicorp will — and won't — contact you.
What is payment diversion fraud and how do I protect my business from it?
Payment diversion fraud — sometimes called invoice fraud or business email compromise — occurs when criminals intercept communications between your business and a supplier, lender, or client, then redirect payments to an account they control. It is among the most financially damaging frauds affecting UK limited companies.
How the attack typically unfolds
A fraudster monitors your email — often after compromising one mailbox — and identifies an expected payment. They then send a message appearing to come from the legitimate party (or from you, to your own finance team) stating that bank details have changed. The payment is made to the fraudster's account, and the loss is often difficult to recover.
Indicators your business may be targeted
- Unexpected emails from a supplier or lender informing you of changed payment details
- Email addresses that look almost right but contain small differences: a character substitution, an extra letter, or a different domain suffix
- Unusual urgency — requests to make a payment outside your normal cycle or before a deadline that did not previously exist
- A phone number in the email that, when called, connects you to the fraudster rather than the genuine party
Preventive controls
Implement a mandatory call-back policy: any changed payment details must be verified by calling the supplier or lender on a number sourced independently — from their official website or your existing records — before any funds move. For high-value transactions, require a second authoriser. Train all staff involved in payments to follow this process without exception, including for apparently urgent requests from senior figures within your own business.
We lend only to UK limited companies and LLPs, and the loan is to the company with no director personal guarantee. As business finance outside the consumer-credit regime, it is not covered by the Financial Ombudsman Service or FSCS.
See also: What are the safe ways to make repayments to Credicorp?, What will Credicorp never ask me for?.
What is single sign-on and where do I sign in?
Single sign-on, often shortened to SSO, means one secure Credicorp sign-in can open the Credicorp services your account is allowed to use. You still only see the customer or staff tools linked to your role, but you should not have to keep separate passwords for each one.
For customers
Start from the customer portal at clients.credicorp.co.uk/login. If the sign-in screen sends you through the Credicorp SSO service, continue there and you will be returned to the customer portal after a successful sign-in.
Do not use staff-only links unless a Credicorp team member has specifically told you to. Your account, statements, payments and support requests remain inside the customer portal.
For staff and internal users
Staff SSO is hosted at sso.credicorp.co.uk. Sign in there, or follow the sign-in button from the internal app you are trying to open. The SSO service checks who you are and then returns you to the app if your role has access.
What to check before signing in
- Check the domain. Customer sign-in is on clients.credicorp.co.uk and Credicorp SSO is on sso.credicorp.co.uk.
- Do not follow unexpected links. Type the address yourself if an email or text feels unusual.
- Never share codes or recovery details. We will never ask you to read out a one-time code, passkey prompt, password or recovery key.
If you cannot sign in
- Start from the right surface. Customers should go to clients.credicorp.co.uk/login. Staff should use the internal app link or sso.credicorp.co.uk.
- Use the recovery option on the sign-in page. Reset your password or use the recovery route shown there if your passkey is not available.
- Check whether your account still has access. A role change, removed company access, or a staff account change can mean the sign-in succeeds but the app still refuses entry.
- Contact the right team. Customers can use the General Support Enquiry form or Contact Us. Staff should use the internal support route for access changes.
SSO is a sign-in service, not a permission override. It proves who is signing in, then each Credicorp app still decides what that person is allowed to see or do.
For related guidance, see how passkeys work on Credicorp sign-in, trusted devices, and what single logout does when you sign out.
See also: Advance-fee and fake loan offer scams, Choosing a strong password for your business account, How Credicorp will — and won't — contact you.
What should I do if I clicked a suspicious link?
It happens to careful people too. A message looks convincing, you click, and then realise something is wrong. The good news is that acting quickly can limit or even prevent harm. Work through these steps in order.
If you only clicked the link
- Do not enter any details on the page that opened.
- Close the page and do not download anything it offers.
- Run a security scan on your device if you have software for it.
If you entered your login details
- Change your portal password immediately from a device you trust.
- Change the password anywhere else you use the same one.
- Check that your two-factor authentication is still set up correctly and that no new authorised users have been added.
If you entered a payment or bank detail
Contact your bank straight away. The faster you report, the better the chance of stopping or recovering a payment.
Then tell us
Contact us through the verified details in your portal or on our official website so we can review recent activity on your account and watch for anything unusual. Reporting it also helps us protect other businesses from the same scam. There is no need to feel embarrassed. Telling us early is exactly the right thing to do.
See also: What to do if you miss a payment on your Credicorp loan, Reviewing suspicious login activity on your account, How we protect your account behind the scenes.
What should I do if I think my Credicorp account has been compromised?
If you believe your account has been accessed without authorisation, speed matters. The faster you act, the more limited the potential damage.
Immediate steps
- Change your password immediately from a device you trust, using a network you control.
- Revoke active sessions if your account portal provides this option — this logs out any other active logins.
- Disable or rotate 2FA if you believe your authentication device has also been compromised, then re-enrol on a clean device.
- Contact Credicorp without delay using the official number or secure message facility on our website. Explain what you have observed and ask us to flag your account for additional scrutiny.
Review what may have been seen or changed
Log into your account as soon as it is secured and check recent activity: logins, drawdown requests, repayment schedule changes, and contact detail updates. Make a note of anything unfamiliar and share those details with our support team.
Notify relevant parties
If sensitive company information has been exposed, you may need to notify your accountant, other financial providers, and — depending on the nature of the data — the ICO under your own GDPR obligations as a data controller. Also report the incident to Action Fraud.
We lend only to UK limited companies and LLPs, and the loan is to the company with no director personal guarantee. As business finance outside the consumer-credit regime, it is not covered by the Financial Ombudsman Service or FSCS.
See also: How do I keep my Credicorp business account secure?, How do I report a suspicious message claiming to be Credicorp?.
What single logout does when you sign out
Single logout means signing out of one Credicorp app can also tell other Credicorp apps connected to the same SSO session to close their sessions. It is designed to reduce the chance that one app stays open after you think you have signed out.
What happens when you sign out
- The app you are using signs you out locally. Its own session is cleared first.
- Credicorp SSO is told to end the shared sign-in. This stops the same SSO session being reused.
- Connected apps may receive a logout signal. Apps that support single logout close their related sessions in the background.
- You land on a signed-out page. From there, signing in again starts a new session.
What single logout does not replace
Single logout is a useful safety net, but it is not a reason to leave a shared computer unlocked. Always close the browser on shared devices, avoid saving passwords in shared browsers, and lock your screen when you step away.
If one app still looks signed in
- Refresh the page. Some tabs only notice the logout after a refresh.
- Use the app's own sign-out button. If a tab stayed open, sign out there as well.
- Close the browser on shared devices. This is especially important on public or shared computers.
- Remove trusted devices if needed. If the device is not yours, see how to remove a trusted device.
Recovery after accidental sign-out
If you signed out by mistake, go back to the service you were using and sign in again. Customers should start from clients.credicorp.co.uk/login. Staff should use the internal app link or sso.credicorp.co.uk.
Signing out closes access from the browser. It does not close your Credicorp account, cancel a loan, cancel a payment, or submit a support request. Use the customer portal or the relevant help form for those actions.
For the wider sign-in journey, see what single sign-on is and how to sign in to your Credicorp account.
See also: Advance-fee and fake loan offer scams, Choosing a strong password for your business account, How Credicorp will — and won't — contact you.
What to do if you think you have been scammed
If you think you have fallen for a scam, the most important thing is to act quickly — and not to feel embarrassed. Scams are designed by professionals to catch out careful people, and the sooner you act, the more can often be done. Work through these steps in order.
- Contact your bank immediately. If you have moved money or shared card or banking details, call your bank straight away — most have a 24/7 fraud line, and many cards have a number on the back. They can try to stop or recall a payment and protect your account.
- Secure your logins. Change the password on any account you think is affected, and on your email. If you shared a one-time code, tell the relevant provider. For your Credicorp account, see keeping your portal login secure.
- Tell us, if it involved your Credicorp account. Contact us through the official site so we can help secure your account and watch for anything unusual. Let us know what was shared.
- Report it. In England, Wales and Northern Ireland, report fraud to Action Fraud on 0300 123 2040 or actionfraud.police.uk; in Scotland, report to Police Scotland on 101. You can report scam texts by forwarding to 7726 and phishing emails to report@phishing.gov.uk.
- Get free advice if you need it. Citizens Advice can help with next steps, and your bank can advise on protecting yourself going forward.
Modern scams are sophisticated and relentless. Reporting quickly helps you and helps others, and we will always treat you with respect — never judgement — if a scam has used our name against you.
To recognise the next one before it lands, see recognising phishing and smishing and how we will and won't contact you.
See also: Advance-fee and fake loan offer scams, Choosing a strong password for your business account, How do I spot a scam pretending to be from Credicorp?.
What will Credicorp never ask me for?
Fraudsters often impersonate lenders and ask for sensitive information that a genuine firm would never need. Understanding what we will never ask for is one of the quickest ways to identify a scam.
Things we will never ask for
- Your full password. We will never ask you to provide your account password in full, by phone, email, SMS, or any other channel.
- One-time codes or 2FA tokens. We will never ask you to read out or share an authentication code you have received — if someone is asking for this, they are likely trying to hijack your account.
- Upfront fees to release a loan. Legitimate lenders do not ask for fees to be paid before funds are disbursed. Any advance-fee demand is a strong indicator of fraud.
- Urgent bank transfers to a new or unverified account. We will not ask your company to make an unexpected payment to an account that differs from your normal repayment arrangements.
- Director personal bank account details. Our lending is to the company; we do not require directors' personal financial information as a routine matter.
If something feels off, treat it as suspicious
Trust your instincts. If a call, email, or message creates pressure to act immediately and bypasses your normal process, pause. Hang up or close the message, then contact us directly using details you find independently on our official website.
We lend only to UK limited companies and LLPs, and the loan is to the company with no director personal guarantee. As business finance outside the consumer-credit regime, it is not covered by the Financial Ombudsman Service or FSCS.
See also: How do I spot a phishing email pretending to be Credicorp?, How do I report a suspicious message claiming to be Credicorp?.
What your account activity alerts are telling you
Notifications about activity on your account, such as a new sign-in or a change to your details, are not just admin. They are an early-warning system. Paying attention to them can be the difference between catching fraud quickly and finding out too late.
Alerts worth watching
- A sign-in from a device, browser or location you do not recognise.
- A change to your password, email address or contact details that you did not make.
- A new authorised user being added to the account.
- Repeated failed login attempts.
What to do if an alert looks wrong
If you receive a notification for something you did not do, act quickly. Sign in directly through your portal, not via any link in the alert, change your password, and check who currently has access. Then contact us through a verified channel so we can review recent activity.
Keep alerts switched on
- Make sure notifications are enabled in your account settings.
- Check they go to an address that is itself well secured.
- If more than one person uses the account, agree who watches for these alerts.
A genuine alert from us will never ask you to confirm your password or two-factor code, so treat any that does as suspicious. For a full guide on checking your sign-in history and what red flags to look for, see reviewing suspicious login activity on your account. To add a passkey for stronger sign-in protection, see setting up a passkey for your Credicorp account.
See also: Advance-fee and fake loan offer scams, Choosing a strong password for your business account, How Credicorp will — and won't — contact you.
Which Credicorp websites are genuinely ours?
"Credicorp" is a name that appears in more than one place, and scammers like to hide in that confusion. This article is a plain reference you can check against: the websites that are genuinely ours, the related group domains, and the names that are not us. When in doubt, type the address yourself rather than following a link.
Our official UK customer site
The official customer website for Credicorp Limited (registered in England and Wales, company number 16093826) is credicorp.co.uk. That is the site to apply, manage your account, and find our real contact details. Every official email address we use ends @credicorp.co.uk. If you want to confirm the company exists and the details match, look us up on the Companies House register.
Related sites in our group
A small number of other domains are genuinely connected to us as part of the wider group, each serving its own audience:
- credicorp.com.au — our related Australian company, Credicorp Pty Limited. It serves Australian customers and has its own contact details.
- cmbeyer.co.uk — CM Beyer Limited, our related UK company.
- Group-aligned domains under the creditcorp.co.uk and creditcorpgroup.co.uk names — see is Credicorp the same as 'Creditcorp' with a T for how those fit in.
Even with these, the rule holds: each company answers only for its own customers, so use the site that matches your account.
Names that are NOT us
Two kinds of "not us" are worth knowing apart:
- Unrelated companies abroad. Credicorp Inc / Credicorp Ltd of Peru and Bermuda (BCP, NYSE: BAP) and Banco de Crédito del Perú, and Credit Corp Group Limited of Australia (ASX: CCP), are separate, unrelated companies. We are not connected with them — see is Credicorp the same as Credicorp in Peru.
- Look-alike scam domains. Addresses such as
credi-corp.co.ukorcredicorp-pay.comare not ours. A genuine address is exactlycredicorp.co.uk— an extra hyphen, an added word, or a different ending is a warning sign.
How to check you are in the right place
- Type the address yourself. Navigate to credicorp.co.uk directly in your browser — do not tap a link in an email or text
- Check the email domain. Confirm any contact email address ends
@credicorp.co.uk - Treat unexpected redirects as suspect. If a message points you somewhere else, or asks you to pay an unfamiliar account, do not act — see how to spot a scam pretending to be from Credicorp and how to know you are dealing with the genuine Credicorp Limited
If anything does not match, do not act on it — contact us using the details on this site and we will confirm whether it really came from us.
See also: Advance-fee and fake loan offer scams, Choosing a strong password for your business account, How Credicorp will — and won't — contact you.
Why Credicorp lending is not covered by the FOS or FSCS
Scammers often misuse the names of well-known protection schemes to sound legitimate, so it helps to know the true position. Credicorp lends only to UK limited companies and LLPs for business purposes. This kind of business lending sits outside the FCA's consumer-credit regime.
What this means in practice
- The Financial Ombudsman Service does not cover this lending, so you would not be able to escalate a complaint about it to the FOS.
- The Financial Services Compensation Scheme (FSCS) does not apply.
- No personal guarantees are taken from directors. The loan is to the company, not to you as an individual.
Why we are upfront about this
Being clear about what does and does not apply is part of treating you fairly. It also helps you spot fraud. If anyone claiming to be from Credicorp tells you that your business loan is FSCS-protected or that you can take a dispute to the Financial Ombudsman, treat that as a warning sign that they may not be genuine.
How we handle concerns
We take complaints and concerns seriously and have our own process for dealing with them. If you have an issue with your account, contact us directly through a verified channel and we will work with you to resolve it.
See also: What protections apply when a loan is outside the FCA regime?, What FOS and FSCS cover — and why a loan to a company falls outside both, How difficulty support differs for business borrowers versus consumers.
Why keeping your contact details up to date matters for security
It is easy to overlook contact details when a phone number changes or a colleague leaves, but keeping them current is an important part of keeping your account secure. They are the channels through which security alerts reach you and through which we can confirm genuine requests.
Why current details protect you
- Security alerts and one-time codes need to reach a number or address you actually control.
- Out-of-date details can mean an alert about suspicious activity goes to someone who has left your business.
- If we ever need to confirm an unusual request, accurate details help us reach the right person quickly.
Watch out for unrequested changes
A common fraud tactic is to quietly change the contact details on an account so that future alerts and codes go to the criminal instead of you. If you receive a notification about a change to your phone number or email that you did not make, treat it as a serious warning sign and act immediately.
Keeping them current safely
- Update details yourself by signing in to your portal directly.
- Remove contact points tied to people who have left the business.
- Never make a change because an unsolicited caller or message told you to.
If something looks wrong, contact us through a verified channel and we will help you check and correct it.
See also: Keeping your company details current with us during the term, Keeping your portal login secure, Keeping your devices secure for business finance.
Will Credicorp ever ask for my password or 2FA code?
This is one of the clearest tests you can apply to any contact claiming to be from Credicorp. We will never ask you to tell us your portal password, and we will never ask you to read out or type in your two-factor authentication code.
Why we never ask
Your password and your one-time codes are yours alone. Our team does not need them to help you, and our systems do not work that way. A genuine request for help, a payment query or an account update will never require you to hand these over.
How fraudsters use this trick
- They call or message pretending to be from our security or payments team.
- They claim there is a problem and create a sense of urgency.
- They ask you to confirm a code that has just arrived on your phone, which is actually the code that lets them into your account.
What to do if you are asked
- Stop. Do not share anything.
- Hang up or close the message.
- Contact us yourself using the details in your portal or on our official website, not the number or link the other person gave you.
If you have already shared a code or password, change your password immediately and tell us through a verified channel so we can secure your account.
For related safety guidance, see what information we will and will not ask you to confirm, setting up two-factor authentication and how to report suspected fraud.
See also: Advance-fee and fake loan offer scams, Choosing a strong password for your business account, How Credicorp will — and won't — contact you.