Security principles

Read the security principles

    • make sure you are connected to our website of ePromak Plus service: https://epp.millenniumbm.pl/
    • do not log in to the ePromak Plus system via a page you receive by email
    • do not give your ID (login) and password to anyone - our staff will never call you to ask for your password; you only need to give your telephone password when you call the Helpdesk to make a telephone request:
      • to activate a mailed token
      • to synchronise a token
      • to unblock the token
    • if you suspect that someone may have found out your password, change it as soon as possible in the ePromak Plus system, at the Customer Service Point (if you have activated the telephone service) or via our Helpdesk at 801-601-601.
    • when using the ePromak Plus system, ensure that your internet browser is set up correctly; the procedure is described in the technical information for users, which you will find in the ePromak Plus system under the icon with the question mark
    • change your password at least once a month (in the ePromak Plus system you can change your password by selecting "Settings", then "Personalisation"; at the bottom of the window you will find the "Change password" button); you can also increase your login security by using a token (a device which generates one-time passwords for logging in)
    • keep your operating system up to date
    • check your operating system at least once a week with a spyware scanner
    • use antivirus, firewall and anti-spyware software to protect against spyware and unwanted advertising

    Read below about the risks of using online trading systems.

  • Your password and identifier (login) are transmitted to our server in encrypted form, using the SSL protocol with a 128-bit encryption key (if your browser only supports an encryption key of less than 128 bits, transmission will not be possible for security reasons). Encrypting the connection with the SSL protocol, using the longest key length currently in use, is considered secure and guarantees confidentiality, provided you connect to our server.
    If you use a token, a new password is generated each time you log in.
    To generate a password for logging in via token, enter your individual PIN number.

    For security reasons, you will only transfer money from your investment account via the ePromak Plus system to the bank accounts that you provide in the contract concluded with us for the operation of a brokerage account.

  • There is a risk that unauthorised people will try to intercept your login and password by impersonating our website. To prevent this, please check the SSL certificate of the website you are connected to. SSL certificate data is available in your browser.

    Our valid SSL certificate:

    SHA-256 fingerprint
    97 74 92 26 22 85 5A 04 AF B9 40 AF 7C D4 FB FE EC 45 CF 37 44 17 A7 D0 BF 7D 23 39 93 D9 49 DE

    Public key
    01ff673c2a3b080b66429a4e3c03c399
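
The comparison a browser user makes by eye can also be scripted. The following is an added example, not code from the brokerage: it hashes the certificate the server presents and compares it with the SHA-256 fingerprint published above. The function names and the sample bytes are assumptions made for illustration; a mismatch after a legitimate certificate renewal is expected until the published value is updated.

```python
import hashlib
import hmac
import ssl

# SHA-256 fingerprint published on this page for https://epp.millenniumbm.pl/
PUBLISHED_SHA256 = ("97 74 92 26 22 85 5A 04 AF B9 40 AF 7C D4 FB FE "
                    "EC 45 CF 37 44 17 A7 D0 BF 7D 23 39 93 D9 49 DE")

# Constructed sample bytes standing in for a DER certificate (not a real one).
SAMPLE_DER = b"constructed placeholder, not a real certificate"


def normalise_fingerprint(text: str) -> str:
    """Drop spaces and colons and lowercase, so page and browser formats compare equal."""
    cleaned = "".join(ch for ch in text if ch not in " :\t\r\n").lower()
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("not a SHA-256 fingerprint: %r" % text)
    return cleaned


def der_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, the value browsers display."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_published(der_cert: bytes, published: str = PUBLISHED_SHA256) -> bool:
    """True only if the presented certificate hashes to the published fingerprint."""
    return hmac.compare_digest(der_fingerprint(der_cert),
                               normalise_fingerprint(published))


def fetch_der_certificate(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate the server presents (needs network access)."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


if __name__ == "__main__":
    der = fetch_der_certificate("epp.millenniumbm.pl")
    print("presented:", der_fingerprint(der))
    print("published:", normalise_fingerprint(PUBLISHED_SHA256))
    print("match" if matches_published(der) else "MISMATCH - do not log in")
```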

Basic security principles when using telephone services

  • Before disclosing any information, we need to ensure that you are the person calling us. To do this, we ask for your name, account number and telephone password.

  • We do not send emails or text messages, or call you, asking you to contact unknown telephone numbers. If you receive such a request, please contact our helpline.

    You can find our telephone numbers at and at the CSP. We also include information on telephone numbers on the quarterly statements that we send to your address. Only use these official telephone numbers. Do not use phone numbers you find on Internet search engines.

  • To make sure that the person who is contacting you is our employee, you can interrupt the call and call back on our number. As current technology allows the call to be redirected to a phone number other than the one you have dialled, you can verify the employee, for example, by asking them about the status of your bill. Please note that the employee must verify your identity before answering such a question.

  • Our staff only ask for data that enables you to complete a transaction if you want to place an order during an ongoing call. We never ask for your PIN, bank account numbers or passwords to access the online system.

  • We never ask for your personal details in full. Our questions are limited to selected characters from your PESEL numbers, identity document numbers or selected details from your address.

  • Not all telephone contacts with the Brokerage require identification and authentication of the Investor. A request for publicly available information, including the Brokerage’s offer or its presentation by a Brokerage employee, does not carry the need for identification.

  • In order to control the quality of service, we record conversations with investors. You may refuse to have a call recorded by us, but this may prevent you from using the service.

  • We do not call during evening and night hours or on Sundays and public holidays, unless otherwise stated in the contract or by individual arrangement.

  • Do not give out your personal data to third parties, in particular the password you use to give instructions by telephone and your brokerage account number.

  • Take special care when storing IDs, passwords and other data that are used to identify and authenticate you and to authorise your instructions. If you lose them, contact us as soon as possible. Do not give personal data to third parties, in particular the password you use to give instructions by telephone and your brokerage account number.

  • Do not make a telephone call to us in public places, rooms with a lot of people, crowded means of transport, etc.

  • In emergency situations, you should be able to quickly contact our office, e.g. to block telephone and internet services if you suspect that unauthorised persons have found out your identification data, if you have lost your token, etc.

  • If you want to learn more about the security of financial services, read the publications of the Financial Supervisory Commission - in Polish

    Security on the web: Financial Supervision Authority (knf.gov.pl)

    Campaigns: Attention! Cyber fraud - Financial Supervision Commission (knf.gov.pl)

    Educational materials: Cyber Security (knf.gov.pl)

Threats on the internet

Data stealing

Internet scammers often try to obtain user data. Get to know the methods to avoid having your sensitive information stolen.

  • phishing - a method of impersonating an institution (such as a bank) in order to obtain specific information. In most cases, criminals send fake notifications in the form of e-mails or text messages requesting data. In addition, the message may contain a hidden link to a fake website for the institution in question. After being redirected to such a page you will be asked to enter your login, password or one-time pass code. Links to such phishing websites may also be positioned in search engine results. The URLs of these sites are slightly different from the genuine addresses. It is enough for the fake address to include the original URL name, but with an additional character or word.
  • pharming - a method much more dangerous than phishing because it is more difficult to detect. Like phishing, it involves redirection to a fake website. In this case, even if you type in the correct website address, you get to a fake website. The attack involves tampering with the settings of the domain name system (DNS). DNS translates the name of the page (https://epp.millenniumbm.pl/) into the corresponding numerical address (IP). There are also ways of modifying files on a computer that, bypassing the DNS servers, can redirect us to a fake website. In this case, however, the computer would first have to be infected with a Trojan, i.e. special software used to steal confidential data.
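
The "original name with an additional character or word" pattern described under phishing can be checked mechanically before a link is opened. The following is an added example, not code from the brokerage: it compares the host of a link with the genuine address given on this page. The brand token, the two-edit threshold and the sample addresses are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

GENUINE_HOST = "epp.millenniumbm.pl"  # the address this page tells you to use
BRAND_TOKEN = "millenniumbm"          # assumed marker for "includes the original name"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_login_url(url: str) -> str:
    """Return 'genuine', 'not-https', 'lookalike', 'unrelated' or 'invalid'."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "invalid"
    if not host:
        return "invalid"
    if host == GENUINE_HOST:
        return "genuine" if parts.scheme == "https" else "not-https"
    # The genuine name anywhere else in the URL (sub-domain, user-info, path)
    # or a host within two edits of it matches the lookalike pattern.
    if BRAND_TOKEN in url.lower() or edit_distance(host, GENUINE_HOST) <= 2:
        return "lookalike"
    return "unrelated"


# Constructed sample addresses, for illustration only.
SAMPLES = [
    "https://epp.millenniumbm.pl/",
    "http://epp.millenniumbm.pl/",
    "https://epp.millenniumbm.pl.login.example/",
    "https://epp.milleniumbm.pl/",
    "https://epp.millenniumbm.pl@login.example/",
    "https://www.example.org/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify_login_url(sample):10} {sample}")
```

A pharming redirect keeps the genuine host name, so this check still reports "genuine"; that case is caught by checking the SSL certificate, not the address.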