IBAN Security: What You Need to Know About Transfers

Many people are uncertain about sharing their IBAN. What is actually possible if someone knows your IBAN – and what is not?

What Can Someone Do with My IBAN?

The short answer: not very much that could harm you – at least not without your knowledge. The IBAN (International Bank Account Number) uniquely identifies your bank account, much like a postal address identifies your home. And just like with an address: anyone who wants to send you money needs it.

  • Send you money

    Anyone can transfer money to your account – that is the purpose of an IBAN and not a security issue.

  • Initiate a SEPA direct debit (with restrictions)

    A SEPA direct debit additionally requires a written mandate. Without this mandate, a debit is not possible – and if one does occur, the bank must reverse it.

  • Create a GiroCode

    Someone could create a GiroCode with your IBAN – but this only means they can request a payment to you.

IBAN for Credit Transfer vs. Direct Debit – The Difference

SEPA Credit Transfer

  • Actively initiated by the payer
  • Recipient has no control
  • Only recipient IBAN needed
  • Safe and standardised

SEPA Direct Debit

  • Collected by the creditor
  • Requires written mandate
  • IBAN + mandate + creditor ID needed
  • Refundable within 8 weeks

An unauthorised SEPA direct debit can be reversed and is a criminal offence. The bank must refund an unauthorised debit on request within 8 weeks (13 months if no mandate exists). In practice, the risk of an unauthorised debit is very low.

Is a GiroCode Safe?

No debit possible

A GiroCode is a payment request, not a direct debit mandate. It contains no information that would allow a debit.

Confirmation required by the payer

Even if someone scans a GiroCode, they must actively confirm the transfer with a TAN, Face ID or fingerprint. No automatic debit is possible.

No secret data in the code

A GiroCode contains only data you already publish on an invoice: name, IBAN, amount, payment reference. No PINs, no passwords.

EPC standard with error correction

The QR code uses error correction level M, so it remains reliably readable even with minor damage. Error correction only protects readability: it cannot tell you whether the code is the one the issuer actually printed, which is why the recipient details still have to be checked.

QR Code Phishing (Quishing) – How to Spot It

A real threat does exist, however: so-called quishing (QR code phishing). Fraudsters replace legitimate QR codes with manipulated ones that redirect to phishing sites or fake payment recipients.

  • 🔍

    Check recipient details

    After scanning, always check the pre-filled recipient name and IBAN in your banking app before confirming.

  • 📌

    Be wary of physical stickers

    QR codes that appear to be stickers placed over other codes may be manipulated. Check whether the code is printed directly or stuck on top.

  • 🏦

    Open your banking app directly

    Always open your banking app directly – never via a link in an email or SMS. Scan the GiroCode only from within the app.

  • 📧

    Verify emailed invoices

    For invoices by email: check that the sender and content match the expected invoice. If in doubt, contact the sender by phone.
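To make two of the points above concrete (a GiroCode carries only the invoice data, and the pre-filled recipient must be checked against the invoice before confirming), here is an added example that is not code from the GiroCode Generator: it builds an EPC payload the way a local generator does, decodes it again, and compares the decoded recipient with the expected invoice data. The field order follows the EPC QR-code guideline (version 002, UTF-8, SEPA credit transfer); the function names and sample values are constructed for this illustration.

```javascript
// Added example, not the generator's code. Field layout per the EPC QR-code guideline
// ("BCD" header, version 002, charset 1 = UTF-8, "SCT" = SEPA credit transfer).
function ibanIsValid(iban) {
  const s = iban.replace(/\s+/g, "").toUpperCase();
  if (!/^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$/.test(s)) return false;
  // ISO 7064 mod-97: move country code + check digits to the end, letters A..Z -> 10..35.
  const rearranged = s.slice(4) + s.slice(0, 4);
  let remainder = 0;
  for (const ch of rearranged) {
    const digits = /[A-Z]/.test(ch) ? String(ch.charCodeAt(0) - 55) : ch;
    remainder = Number(String(remainder) + digits) % 97;
  }
  return remainder === 1;
}

// What a local generator emits: only name, IBAN, amount and reference (no PIN, no password).
function buildEpcPayload({ name, iban, amountEur, reference }) {
  const lines = [
    "BCD", "002", "1", "SCT",
    "",                                   // BIC: optional since version 002
    name,
    iban.replace(/\s+/g, "").toUpperCase(),
    amountEur === undefined ? "" : "EUR" + amountEur.toFixed(2),
    "",                                   // purpose code: unused here
    "",                                   // structured reference: unused, free text below instead
    reference ?? "",
  ];
  return lines.join("\n");
}

function parseEpcPayload(payload) {
  const f = payload.split("\n");
  if (f[0] !== "BCD" || f[3] !== "SCT") throw new Error("not an EPC SEPA credit transfer payload");
  const amountEur = f[7] && f[7].startsWith("EUR") ? Number(f[7].slice(3)) : null;
  return { name: f[5] ?? "", iban: f[6] ?? "", amountEur, reference: f[10] ?? "" };
}

// The "check recipient details" step from the list above, as code:
// compare what the code pre-fills with the invoice you expected.
function verifyAgainstInvoice(payload, expected) {
  const decoded = parseEpcPayload(payload);
  const norm = (v) => v.replace(/\s+/g, "").toUpperCase();
  const problems = [];
  if (!ibanIsValid(decoded.iban)) problems.push("IBAN fails the mod-97 check");
  if (decoded.iban !== norm(expected.iban)) problems.push("recipient IBAN differs from the invoice");
  if (decoded.name.trim() !== expected.name.trim()) problems.push("recipient name differs from the invoice");
  if (expected.amountEur !== undefined && decoded.amountEur !== expected.amountEur) problems.push("amount differs from the invoice");
  return { ok: problems.length === 0, problems, decoded };
}
```

A swapped IBAN in a sticker-over-sticker code still passes the checksum, so the comparison against the invoice is the check that actually catches it, not the mod-97 test alone.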

Privacy at the GiroCode Generator

Users of the GiroCode Generator at girocodegenerator.com can be assured: all entered data – IBAN, amount, name, payment reference – is processed exclusively locally in the browser. No data is transmitted to servers, no logging, no storage.

How local processing works

The QR code is generated entirely in the browser using a JavaScript library. This means: even without a network connection (offline mode), the generator continues to work. Your banking data never leaves your computer or device.

Conclusion

Sharing your IBAN is far safer than many people think. For a regular transfer to you it is necessary – and it does not enable a debit without your mandate. A GiroCode with your IBAN is a practical, secure tool for modern invoicing.

The only real danger comes from manipulated QR codes (quishing) – and this can be minimised by simple precautions: check recipient details, open your banking app directly, and stay sceptical about unexpected payment requests.