To report phishing websites, smishing texts or suspicious emails which have requested personal banking information contact us via Phishing@hsbc.com. We'll send you an automatic response to let you know we've received your email but are unable to provide personalised responses to this mailbox.
Please ensure you copy the full email, smishing text or website address (URL) into the body of the email.
Please do not send any personal customer verification details within the email.
Kindly note emails will be processed by a third party on behalf of HSBC Global Services (UK) Limited and by HSBC Group companies.
If you believe you have shared your confidential information either online, by telephone or any other means call us immediately using the telephone number on the back of your card.
HSBC may send you emails from time to time but will never ask for your security information or encourage you to log on to Internet Banking. HSBC will never attach a link to a web page that would ask for this information. If you receive an unsolicited email from HSBC encouraging you to do this, it will be a "Phishing" email. See 'How Social Engineering works' (below) for more information.
How social engineering works
Social engineering works by gaining someone's trust and getting them to disclose information that should be kept secure.
Scammers usually contact people by phone (vishing), text (smishing) or email (phishing). They'll claim to be someone in a position of trust, such as bank staff, representatives of telecoms or utility companies, or even the police. Having gained the person's trust, they'll then ask for sensitive information or things which will enable them access to the person's bank accounts.
There are things your bank would never ask for, such as:
- your 6-digit PIN
- online banking codes like your secure key or password
Your bank would also never ask to:
- collect your credit or debit cards, cheque books or cash
- transfer funds to a different account for 'safekeeping'
Criminals call out of the blue and may claim to be your bank, the police or another trusted organisation like your broadband provider. To make the call seem more convincing they may already have some information on you, such as your account number, address and even some account details. They can also make the call seem authentic by making their phone number look like a number you know and trust. This is known as 'number spoofing'. The caller will then try to persuade you to:
- transfer money to another account for 'safekeeping' or 'holding'
- withdraw cash and hand it over 'for investigation'
- give private information, which can then be used to gain access to your finances
Be wary of unsolicited emails that appear to be from your bank or another trusted organisation (government tax institution) and contain links to websites urging you to provide confidential, personal or financial information. The emails may appear to come from a legitimate source and often warn your account may be shut down unless you take some action or they may say you're owed money.
If you receive one of these emails, don't reply or click on a link that you're not sure is genuine. Instead, contact the company using a phone number you know is genuine.
Phishing emails typically:
- warn you of some sudden change in an account which means you have to confirm you still use the service
- sometimes have poor spelling and grammar
- ask for confidential or security information such as your online banking details, passwords, account numbers or PINs
- include instructions to reply, complete a form or document attached to the email or click through to a website to verify your account
Don't open attachments or click on links if you suspect they may not be genuine.
If you're suspicious of an email claiming to be from HSBC, forward it to firstname.lastname@example.org, delete it and empty your deleted items.
Smishing (SMS phishing)
Another thing to watch out for is suspicious text messages that look like they have come from HSBC or another trusted organisation. These may be sent by criminals trying to trick you into giving your personal and financial information (by calling a number or clicking a link).
It's important to remember the following:
- Banks and other organisations such as the police or service providers will never ask you for your full PIN, password or banking codes.
- Fraudsters can mimic text headers so that their messages can join a conversation beneath ones you know are genuine.
If you're unsure whether a text claiming to be from HSBC is genuine, forward it on to email@example.com and we'll investigate it.
Never share your security details with anyone else.