Email security & spotting phishing
Scammers sometimes send emails that pretend to be from Credicorp to trick you into handing over passwords, card details or money. This guide explains how to tell a genuine Credicorp email from a fake, what we will never ask you for by email, and how to report anything suspicious.
The quick test
A genuine Credicorp email always:
- comes from an address ending in
@credicorp.co.uk; - passes the automatic SPF, DKIM and DMARC checks your email provider runs; and
- never asks for your password, full card number or security codes.
If a message fails any of these, do not click anything — report it to abuse@credicorp.co.uk.
What Credicorp will never ask for by email
We will never email you to ask for any of the following. If a message asks for these, it is a scam — no matter how official it looks:
- your mailbox or account password;
- your full card number, card PIN or the security code on the back of your card;
- your full account number and sort code together;
- a one-time security code we have sent to your phone;
- that you “verify” or “confirm” your details through a link to avoid your account being suspended or closed.
We will also never email you asking you to move money to a “safe” account, or pressure you to act within minutes. Genuine account requests are made through your secure Credicorp account, not by asking you to reply with sensitive details.
Check the sender domain
The most reliable check is the part of the sender’s address after the @ sign — this is the domain. For genuine Credicorp mail the domain is always exactly:
| Genuine domain | credicorp.co.uk |
|---|---|
| Genuine sender, example | support@credicorp.co.uk |
Be careful, because the display name (the friendly name shown in your inbox) can be faked to read “Credicorp” while the real address is something else entirely. Select or tap the sender name to reveal the full address before you trust it.
Watch out for look-alike domains that only pretend to be us, for example:
credicorp-uk.com— extra words and the wrong ending;credicorp.co.uk.secure-login.net— our name appears, but the real domain issecure-login.net;credlcorp.co.ukorcredicorp.co.ukwith swapped or accented letters — a single changed character.
If you are unsure, do not use the links in the email. Instead, type credicorp.co.uk into your browser yourself, or sign in to webmail directly at https://webmail.credicorp.co.uk/.
The authentication we use (in plain language)
Behind the scenes, Credicorp publishes three standard email-authentication records for credicorp.co.uk. You don’t need to configure anything — most major email providers check these for you automatically — but it helps to know what they do:
- SPF is like a guest list: it tells the world exactly which mail servers are allowed to send email for credicorp.co.uk. Mail from anywhere else is suspect.
- DKIM adds a tamper-proof signature to every genuine message. If a scammer changes the message, or sends it without our private key, the signature won’t match.
- DMARC ties the two together and gives receiving providers an instruction: if a message claims to be from credicorp.co.uk but fails the SPF and DKIM checks, reject it or send it to spam.
In practice this means a forged “credicorp.co.uk” email is very likely to be blocked or land in your junk folder before you ever see it. It is a strong safety net — but it is not perfect, so the human checks above still matter.
Other signs of a phishing email
- Urgency and threats — “act now”, “your account will be closed”, “final warning”.
- Unexpected attachments — especially
.zip,.htmlor documents asking you to “enable content”. - Links that don’t match — hover your mouse over a link (or press and hold on a phone) to preview where it really goes before clicking.
- Requests to reply with personal details, or to move the conversation to a different email address, phone number or messaging app.
- Slightly wrong wording, spelling or formatting in what claims to be an official message.
How to report a suspicious email
If you receive an email that pretends to be from Credicorp, or any mail you believe is phishing or abuse:
- Don’t click any links and don’t open any attachments.
- Forward the message to abuse@credicorp.co.uk. If you can, include the full email headers — they help us trace where it came from.
- Delete the email afterwards.
- If you think you may have entered your details on a fake site, change your password straight away at
https://webmail.credicorp.co.uk/and contact us.
Security researchers and technical contacts can find our reporting details in our security.txt file. You can also reach our mail team at postmaster@credicorp.co.uk.
Worried about your mailbox?
If you think someone may have your password, change it now and review your account.
Open webmail → Report abuse →Related: Sign in to Webmail · Email settings · Mail help.