Verify the URL
Real login pages are on the operator's verified domain. If the URL is misspelled, uses unusual characters, or starts with a different prefix, it's not the operator.
This page addresses the research questions readers ask about logging in. We do not promote any login URL we cannot verify, and we do not collect credentials on this desk.
We do not run a login form on this desk. Any login form on third-party sites that claim to be the operator is a phishing risk.

The most common cause of account compromise is password reuse. Use a unique password per operator and a password manager to keep them organised.
Long rather than complex. Four random words plus two digits and a symbol is harder to crack than a short complex string. Length is the multiplier.
Do not use the operator name, your username, your date of birth, or any word in a dictionary. Avoid sequential patterns and substitutions like 'passw0rd'.
If you cannot recover your account via the password reset flow, contact customer care. Be ready to verify your identity with the same documents used at signup.


Real login pages are on the operator's verified domain. If the URL is misspelled, uses unusual characters, or starts with a different prefix, it's not the operator.
Click the padlock icon in the address bar. A real login page has a valid certificate issued to the operator's domain.
If you receive an email asking you to log in, type the URL into the address bar directly instead of clicking the link.
If a site looks like the operator but is on a different domain, do not enter credentials. Close the tab and report it to customer care.