Email security & spotting phishing

Scammers sometimes send emails that pretend to be from Credicorp to trick you into handing over passwords, card details or money. This guide explains how to tell a genuine Credicorp email from a fake, what we will never ask you for by email, and how to report anything suspicious.

The quick test

A genuine Credicorp email always:

  • comes from an address ending in @credicorp.co.uk;
  • passes the automatic SPF, DKIM and DMARC checks your email provider runs; and
  • never asks for your password, full card number or security codes.

If a message fails any of these, do not click anything — report it to abuse@credicorp.co.uk.

What Credicorp will never ask for by email

We will never email you to ask for any of the following. If a message asks for these, it is a scam — no matter how official it looks:

We will also never email you asking you to move money to a “safe” account, or pressure you to act within minutes. Genuine account requests are made through your secure Credicorp account, not by asking you to reply with sensitive details.

Check the sender domain

The most reliable check is the part of the sender’s address after the @ sign — this is the domain. For genuine Credicorp mail the domain is always exactly:

Genuine domaincredicorp.co.uk
Genuine sender, examplesupport@credicorp.co.uk

Be careful, because the display name (the friendly name shown in your inbox) can be faked to read “Credicorp” while the real address is something else entirely. Select or tap the sender name to reveal the full address before you trust it.

Watch out for look-alike domains that only pretend to be us, for example:

If you are unsure, do not use the links in the email. Instead, type credicorp.co.uk into your browser yourself, or sign in to webmail directly at https://webmail.credicorp.co.uk/.

The authentication we use (in plain language)

Behind the scenes, Credicorp publishes three standard email-authentication records for credicorp.co.uk. You don’t need to configure anything — most major email providers check these for you automatically — but it helps to know what they do:

In practice this means a forged “credicorp.co.uk” email is very likely to be blocked or land in your junk folder before you ever see it. It is a strong safety net — but it is not perfect, so the human checks above still matter.

Other signs of a phishing email

How to report a suspicious email

If you receive an email that pretends to be from Credicorp, or any mail you believe is phishing or abuse:

  1. Don’t click any links and don’t open any attachments.
  2. Forward the message to abuse@credicorp.co.uk. If you can, include the full email headers — they help us trace where it came from.
  3. Delete the email afterwards.
  4. If you think you may have entered your details on a fake site, change your password straight away at https://webmail.credicorp.co.uk/ and contact us.

Security researchers and technical contacts can find our reporting details in our security.txt file. You can also reach our mail team at postmaster@credicorp.co.uk.

Worried about your mailbox?

If you think someone may have your password, change it now and review your account.

Open webmail → Report abuse →

Related: Sign in to Webmail · Email settings · Mail help.