Watch out for fake websites and social media accounts
Criminals use fake social media accounts and websites. They set them up to con people into giving away their personal details, passwords and bank details.
They may even make these look like it comes from us and might contain a link to a website. They could also ask you to make a phone call or contact them through different messaging applications and by email.
They are good at making these look realistic. But the fake ones often share some common characteristics:
- Strange looking profile, too good to be true offers, email or web addresses
- Poor design, typos or bad spelling
- They ask you to do something unusual
- A website site that requires you to log in but doesn't display the padlock symbol in the address bar when you do so
If in doubt or if you come across similar websites and social media account:
- Don't click on any links.
- Don't respond or call on the phone number provided therein.
- Report the page through the social media provider.
Reporting Phishing and Smishing
To report phishing websites, smishing texts or suspicious emails which have requested personal banking information contact us via Phishing@hsbc.com. We'll send you an automatic response to let you know we've received your email but are unable to provide personalised responses to this mailbox.
Please ensure you copy the full email, smishing text or website address (URL) into the body of the email.
Please do not send any personal customer verification details within the email.
Kindly note emails will be processed by a third party on behalf of HSBC Global Services (UK) Limited and by HSBC Group companies.
If you believe you have shared your confidential information either online, by telephone or any other means call us immediately using the telephone number on the back of your card.
HSBC may send you emails from time to time but will never ask for your security information or encourage you to log on to Internet Banking. HSBC will never attach a link to a web page that would ask for this information. If you receive an unsolicited email from HSBC encouraging you to do this, it will be a "Phishing" email. See 'How Social Engineering works' (below) for more information.
How social engineering works
Social engineering works by gaining someone's trust and getting them to disclose information that should be kept secure.
Scammers usually contact people by phone (vishing), text (smishing) or email (phishing). They'll claim to be someone in a position of trust, such as bank staff, representatives of telecoms or utility companies, or even the police. Having gained the person's trust, they'll then ask for sensitive information or things which will enable them access to the person's bank accounts.
There are things your bank would never ask for, such as:
- your 6-digit PIN
- online banking codes like your secure key or password
Your bank would also never ask to:
- collect your credit or debit cards, cheque books or cash
- transfer funds to a different account for 'safekeeping'
Criminals call out of the blue and may claim to be your bank, the police or another trusted organisation like your broadband provider. To make the call seem more convincing they may already have some information on you, such as your account number, address and even some account details. They can also make the call seem authentic by making their phone number look like a number you know and trust. This is known as 'number spoofing'. The caller will then try to persuade you to:
- transfer money to another account for 'safekeeping' or 'holding'
- withdraw cash and hand it over 'for investigation'
- give private information, which can then be used to gain access to your finances
Be wary of unsolicited emails that appear to be from your bank or another trusted organisation (government tax institution) and contain links to websites urging you to provide confidential, personal or financial information. The emails may appear to come from a legitimate source and often warn your account may be shut down unless you take some action or they may say you're owed money.
If you receive one of these emails, don't reply or click on a link that you're not sure is genuine. Instead, contact the company using a phone number you know is genuine.
Phishing emails typically:
- warn you of some sudden change in an account which means you have to confirm you still use the service
- sometimes have poor spelling and grammar
- ask for confidential or security information such as your online banking details, passwords, account numbers or PINs
- include instructions to reply, complete a form or document attached to the email or click through to a website to verify your account
Don't open attachments or click on links if you suspect they may not be genuine.
If you're suspicious of an email claiming to be from HSBC, forward it to email@example.com, delete it and empty your deleted items.
Smishing (SMS phishing)
Another thing to watch out for is suspicious text messages that look like they have come from HSBC or another trusted organisation. These may be sent by criminals trying to trick you into giving your personal and financial information (by calling a number or clicking a link).
It's important to remember the following:
- Banks and other organisations such as the police or service providers will never ask you for your full PIN, password or banking codes.
- Fraudsters can mimic text headers so that their messages can join a conversation beneath ones you know are genuine.
If you're unsure whether a text claiming to be from HSBC is genuine, forward it on to firstname.lastname@example.org and we'll investigate it.
Never share your security details with anyone else.
Shop online safely
Don't be in a rush to order online, since there are so many untrustworthy website and personal sellers out there! If you want to protect your money, here a few reminders to safeguard your confidential information:
- Watch out for third-party apps that can't be verified .Verify if the websites or individual sellers are legitimate merchants, especially those on social media.
- Browse on a computer instead of a mobile phone – you're less likely to accidentally click on a link, and computers are not as vulnerable to data theft.
- Type in a URL instead of clicking on a link.
- Check that a website's URL begins with https://, which means any data sent will be secure, then double-check for the encrypted padlock on the payment page.
- Steer clear of pop-ups or turn them off.
- Take time to read privacy notices, terms and conditions, especially for sellers who will save your personal and credit card information to keep your data safe.
- Check your statements regularly to make sure no unauthorised transactions are being made.
- Be careful about potential privacy leakage. When making online transactions, don't leave traces for hackers to track you. Take note of below points and prevent your personal data from being leaked:
• Manage App's Permission
Always download from an official and trustworthy source, but more importantly, be careful of the level of access you grant to the app, such as contacts, photo album and personal information.
• Install Antivirus and Anti-theft software
Install an antivirus software with a good reputation so as to block suspicious websites and malicious programmes. Scan your files for virus detection
• Make sure you keep it up to date from time to time
Always have the latest security protection- update your smartphone's operating system and security patches regularly via official channels.
Change your PINS and passwords immediately if you think your personal data has been compromised.