Security

Scams that copy real lender brands are unfortunately common. We take this seriously and want every customer to feel confident about telling our messages apart from a fake. Here is what to look for.

Things a genuine Credicorp Limited message will do

• It will be signed from Credicorp Limited and use an email address ending @credicorp.co.uk.
• It will reference your real account or reference number, not a generic "Dear Customer".
• It will direct you to credicorp.co.uk or to your own bank — never to an unfamiliar third-party domain.
• It will give you time to act. If a payment is due, we will tell you when, but we will not pressure you to act in the next five minutes.

Things a scam often does

• Uses a slightly-wrong domain — credi-corp.co.uk, credicorp-pay.com, anything that is not the real credicorp.co.uk.
• Creates urgency: "your account will be suspended in one hour", "final notice", "act now".
• Asks you to pay to a new bank account that you have not seen on any previous statement.
• Asks for your full card number, your online-banking password, or a one-time security code (your bank will never ask for these either, and neither will we).
• Sends a link asking you to "log in to verify" — we do not operate a customer log-in like this and we will not ask you to.

If something looks wrong

Do not click links and do not call any phone number in the suspicious message itself. Instead:

1. Open this website directly by typing credicorp.co.uk into your browser.
2. Use the phone number or email address on the Contact Us page to ask us about the message you received.
3. If money has already moved, contact your bank straight away and ask them to attempt a recall.
4. You can also report the message to Action Fraud (the UK's national reporting centre for fraud and cybercrime) at actionfraud.police.uk, or by forwarding suspicious texts to 7726.

How we will handle a reported scam

If you tell us about a message that is impersonating Credicorp, we will look into it, take it seriously, and treat any disclosure carefully. We will not blame you — scams are designed to be convincing, and reporting one helps us protect other customers. Our Audio Recording and Privacy notices explain how the information you share with us is handled.

Open this answer →

Looking after your information is one of our most important responsibilities. Below are the practical measures behind that, with the formal detail set out in our Privacy Policy.

The basics

• Encryption in transit. The connection to this website, our online forms and our payment page is encrypted using TLS. You should see https:// in the address bar — if you do not, please contact us before sending personal information.
• Access controls. Access to customer records is limited to colleagues who need it for their role, logged centrally, and reviewed regularly.
• UK-based processing. Customer information is held on systems located in the United Kingdom. Where we use third-party processors, they are listed in our Privacy Policy and contracted under UK data-protection terms.
• Retention with purpose. We keep your information only for as long as we need it for the original purpose — for example, to administer your account, meet our regulatory record-keeping obligations, or defend against a future complaint or claim.

Calls and recordings

Calls to and from Credicorp Limited are recorded — see our Audio Recording page for the full detail. Recordings are stored on the same secure systems as the rest of the customer record and are subject to the same access controls and retention rules.

Sharing your information

We share information only where there is a clear lawful basis to do so. The most common cases are:

• credit reference agencies — see our article on credit-file impact;
• our regulators and government bodies, where the law requires us to;
• service providers operating on our behalf under contract;
• related group companies (for example CM Beyer Limited in the UK and Credicorp Pty Limited in Australia) only where a specific shared service applies and a lawful basis exists.

You have rights over the information we hold — to see it, to correct it and, in some cases, to ask for it to be deleted. Those rights are set out in the Privacy Policy, and the quickest way to exercise them is the General Support Enquiry form on our Forms & Requests page (mark it as a data request) or by emailing our privacy team.

Open this answer →

If you call us or we call you about your account, we need to confirm we are actually speaking to you before discussing any account-specific information. This protects you from impersonation and protects us from disclosing your details to anyone else.

What we will normally ask

• Your full name as it appears on the account.
• Your date of birth.
• The address we hold for you (or the previous address, if you have moved recently).
• A small set of digits from your Credicorp account or reference number — never the whole thing back to us, just enough to confirm.
• One or two security questions if these have been agreed with you previously.

What we will never ask

To be completely clear: we will never ask for any of the following, on any call, in any email, or via any text message:

• your online-banking password or PIN;
• the full long number on the front of your debit card;
• a one-time security code that has been sent to you (these codes are for you to use, never to be read out to anyone else);
• remote access to your computer.

If anyone calling claims to be from Credicorp and asks for any of the above, end the call. The genuine Credicorp Limited will not be upset that you hung up — quite the opposite — and you are welcome to call us back on the number listed on our Contact Us page to confirm whether the original call was real.

Outbound calls from us

When we call you we will tell you who we are and why we are calling. If you would like to verify it is really us before discussing anything sensitive, please feel free to ask for our name and call us back on the published contact number. We would much rather you took an extra minute to verify than push on with a call that did not feel right.

Special arrangements

If a regular phone conversation is difficult — because of a hearing impairment, a language need, a health condition, or because someone else needs to be on the call with you — please use the Additional Support Needs form on our Forms & Requests page. We will note the requirements on your account so they are respected on every call.

Our wider approach to security is covered in How do you keep my information secure? and How do I spot a scam pretending to be from Credicorp?.

Open this answer →

"Credicorp" is a name that appears in more than one place, and scammers like to hide in that confusion. This article is a plain reference you can check against: the websites that are genuinely ours, the related group domains, and the names that are not us. When in doubt, type the address yourself rather than following a link.

Our official UK customer site

The official customer website for Credicorp Limited (registered in England and Wales, company number 16093826) is credicorp.co.uk. That is the site to apply, manage your account, and find our real contact details. Every official email address we use ends @credicorp.co.uk. If you want to confirm the company exists and the details match, look us up on the Companies House register.

Related sites in our group

A small number of other domains are genuinely connected to us as part of the wider group, each serving its own audience:

• credicorp.com.au — our related Australian company, Credicorp Pty Limited. It serves Australian customers and has its own contact details.
• cmbeyer.co.uk — CM Beyer Limited, our related UK company.
• Group-aligned domains under the creditcorp.co.uk and creditcorpgroup.co.uk names — see is Credicorp the same as 'Creditcorp' with a T for how those fit in.

Even with these, the rule holds: each company answers only for its own customers, so use the site that matches your account.

Names that are NOT us

Two kinds of "not us" are worth knowing apart:

• Unrelated companies abroad. Credicorp Inc / Credicorp Ltd of Peru and Bermuda (BCP, NYSE: BAP) and Banco de Crédito del Perú, and Credit Corp Group Limited of Australia (ASX: CCP), are separate, unrelated companies. We are not connected with them — see is Credicorp the same as Credicorp in Peru.
• Look-alike scam domains. Addresses such as credi-corp.co.uk or credicorp-pay.com are not ours. A genuine address is exactly credicorp.co.uk — an extra hyphen, an added word, or a different ending is a warning sign.

How to check you are in the right place

1. Type credicorp.co.uk into your browser yourself, rather than tapping a link in an email or text.
2. Confirm any contact email ends @credicorp.co.uk.
3. If a message points you somewhere else, or asks you to pay an unfamiliar account, treat it as suspect — see how to spot a scam pretending to be from Credicorp and how to know you are dealing with the genuine Credicorp Limited.

If anything does not match, do not act on it — contact us using the details on this site and we will confirm whether it really came from us.

Open this answer →