Here are some useful tips and suggestions to stay safe
Received messages claiming to be from HSBC? Look closely
Criminals are using spoofing tactics to entice you to open links that prompt you to reveal your personal information.
Your account credentials (e.g. online banking username and password, one-time passcode, and credit card credentials) and other sensitive personal information such as your National Identity Card number and date of birth are important and should be well protected. If fraudsters manage to steal such information, it may result in financial loss. Remember to keep your personal information safe!
HSBC will never send any SMS or email with a link requesting you to log on to online banking. If you receive message with such request and claiming to be from HSBC, ask yourself:
Is this message unexpected?
Does the message include suspicious hyperlinks or QR codes?
Is the message requesting for your personal information, like your account credentials, ATM PIN, etc.?
Are you being asked to do something unusual, e.g. log on to your account via a link, transfer money or provide one time passcode (OTPs)?
If your answer is "yes", then remember:
Do not open links or scan QR codes
Do not download any attachments
Do not reply or disclose sensitive information
Watch out for fake websites and social media accounts
Criminals use fake social media accounts and websites. They set them up to con people into giving away their personal details, passwords and bank details.
They may even make these look like it comes from us and might contain a link to a website. They could also ask you to make a phone call or contact them through different messaging applications and by email.
They are good at making these look realistic. But the fake ones often share some common characteristics:
Strange looking profile, too good to be true offers, email or web addresses
Poor design, typos or bad spelling
They ask you to do something unusual
A website site that requires you to log in but doesn't display the padlock symbol in the address bar when you do so
If in doubt or if you come across similar websites and social media account:
Don't click on any links.
Don't respond or call on the phone number provided therein.
Report the page through the social media provider.
Reporting Phishing and Smishing
To report phishing websites, smishing texts or suspicious emails which have requested personal banking information contact us via Phishing@hsbc.com. We'll send you an automatic response to let you know we've received your email but are unable to provide personalised responses to this mailbox.
Please ensure you copy the full email, smishing text or website address (URL) into the body of the email.
Please do not send any personal customer verification details within the email.
Kindly note emails will be processed by a third party on behalf of HSBC Global Services (UK) Limited and by HSBC Group companies.
If you believe you have shared your confidential information either online, by telephone or any other means call us immediately using the telephone number on the back of your card.
HSBC may send you emails from time to time but will never ask for your security information or encourage you to log on to Internet Banking. HSBC will never attach a link to a web page that would ask for this information. If you receive an unsolicited email from HSBC encouraging you to do this, it will be a "Phishing" email. See 'How Social Engineering works' (below) for more information.
How social engineering works
Social engineering works by gaining someone's trust and getting them to disclose information that should be kept secure.
Scammers usually contact people by phone (vishing), text (smishing) or email (phishing). They'll claim to be someone in a position of trust, such as bank staff, representatives of telecoms or utility companies, or even the police. Having gained the person's trust, they'll then ask for sensitive information or things which will enable them access to the person's bank accounts.
There are things your bank would never ask for, such as:
your 6-digit PIN
online banking codes like your secure key or password
Your bank would also never ask to:
collect your credit or debit cards, cheque books or cash
transfer funds to a different account for 'safekeeping'
Criminals call out of the blue and may claim to be your bank, the police or another trusted organisation like your broadband provider. To make the call seem more convincing they may already have some information on you, such as your account number, address and even some account details. They can also make the call seem authentic by making their phone number look like a number you know and trust. This is known as 'number spoofing'. The caller will then try to persuade you to:
transfer money to another account for 'safekeeping' or 'holding'
withdraw cash and hand it over 'for investigation'
give private information, which can then be used to gain access to your finances
Be wary of unsolicited emails that appear to be from your bank or another trusted organisation (government tax institution) and contain links to websites urging you to provide confidential, personal or financial information. The emails may appear to come from a legitimate source and often warn your account may be shut down unless you take some action or they may say you're owed money.
If you receive one of these emails, don't reply or click on a link that you're not sure is genuine. Instead, contact the company using a phone number you know is genuine.
Phishing emails typically:
warn you of some sudden change in an account which means you have to confirm you still use the service
sometimes have poor spelling and grammar
ask for confidential or security information such as your online banking details, passwords, account numbers or PINs
include instructions to reply, complete a form or document attached to the email or click through to a website to verify your account
Don't open attachments or click on links if you suspect they may not be genuine.
If you're suspicious of an email claiming to be from HSBC, forward it to email@example.com, delete it and empty your deleted items.
Smishing (SMS phishing)
Another thing to watch out for is suspicious text messages that look like they have come from HSBC or another trusted organisation. These may be sent by criminals trying to trick you into giving your personal and financial information (by calling a number or clicking a link).
It's important to remember the following:
Banks and other organisations such as the police or service providers will never ask you for your full PIN, password or banking codes.
Fraudsters can mimic text headers so that their messages can join a conversation beneath ones you know are genuine.
If you're unsure whether a text claiming to be from HSBC is genuine, forward it on to firstname.lastname@example.org and we'll investigate it.
Never share your security details with anyone else.
Shop online safely
Don't be in a rush to order online, since there are so many untrustworthy website and personal sellers out there! If you want to protect your money, here a few reminders to safeguard your confidential information:
Watch out for third-party apps that can't be verified .Verify if the websites or individual sellers are legitimate merchants, especially those on social media.
Browse on a computer instead of a mobile phone – you're less likely to accidentally click on a link, and computers are not as vulnerable to data theft.
Type in a URL instead of clicking on a link.
Check that a website's URL begins with https://, which means any data sent will be secure, then double-check for the encrypted padlock on the payment page.
Steer clear of pop-ups or turn them off.
Take time to read privacy notices, terms and conditions, especially for sellers who will save your personal and credit card information to keep your data safe.
Check your statements regularly to make sure no unauthorised transactions are being made.
Be careful about potential privacy leakage. When making online transactions, don't leave traces for hackers to track you. Take note of below points and prevent your personal data from being leaked:
• Manage App's Permission Always download from an official and trustworthy source, but more importantly, be careful of the level of access you grant to the app, such as contacts, photo album and personal information.
• Install Antivirus and Anti-theft software Install an antivirus software with a good reputation so as to block suspicious websites and malicious programmes. Scan your files for virus detection
• Make sure you keep it up to date from time to time Always have the latest security protection- update your smartphone's operating system and security patches regularly via official channels.
Change your PINS and passwords immediately if you think your personal data has been compromised.
Stay vigilant for charity scams exploiting war in Ukraine
Be cautious on social media posts - Be sceptical of social media posts that promote a charity unless you verify that the organization is legitimate. The friend recommending it may not have done their research and the number of likes for a social media post doesn't say much about its legitimacy.
Research on the beneficiary – Use caution to check the charities/beneficiary carefully before giving. Only donate to authentic charities that are vetted and recognized by international organizations. Be wary of messages even from trusted sources unless you verify that the message is authentic. To do this, contact said source by other means than the one by which you received it, e.g., by phone on websites if you got it by email, etc.
Do not send cash or money wire - Avoid donating cash or through wire. Never click on an ad or social media post if you want to donate. Instead, after establishing the charity is authentic, donate directly through its website.
Beware of requests for personal information – Do not reply to any email/message from what appears to be a valid charity or relief organization, that requests for you to provide personal information or banking information of any kind.
Beware of links and attachments - Avoid clicking on links or downloading attachments in unsolicited emails or social media messages, particularly from unknown sources and those that add to the sense of alarm. They may attempt to lure you into unwittingly downloading malware onto your device.
Don't give in to undue pressure – Scammers will attempt to use the urgency of the situation to rush you into donating. Be leery of high-pressure pitches and requests to wire money.