Have you ever received the following types of email, SMS, phone call, or spam messages over instant messengers etc.?
- Does it ask you to do something unusual, like transfer money to an unknown account, or email your account details to someone?
- Warns you of some sudden change in an account which means you have to click hyperlink and confirm you still use the service
- Asks for confidential or security information such as your online banking details, passwords, account numbers or PINs
Table of content
Social engineering scam and phishing
What is a social engineering scam?
How social engineering works
Social engineering works by gaining someone’s trust and getting them to disclose information that should be kept secure.
Scammers usually contact people by phone (vishing), text (smishing), email (phishing) or Spam over instant messaging (SPIM). They’ll claim to be someone in a position of trust, such as bank staff, representatives of telecoms or utility companies, or even the police. Having gained the person’s trust, they’ll then ask for sensitive information or things which will enable them access to the person’s bank accounts.
There are things your bank would never ask for, such as:
- your 4-digit PIN
- online banking codes like your secure key or password
Your bank would also never ask:
- your credit or debit cards or verification code (OTP) for internet purchase or digital wallet binding
- transfer funds to a different account for 'safekeeping'
What is Phishing?
What is Phishing?
Phishing is when a criminal sends you an email that tries to get you to give them your passwords and bank details or clicks the embedded links, QR code or file attachment to implant malware to the victim’s device. The email will say it is from a legitimate organisation or companies like a bank, online payment service or online retailer. It often looks very similar to an actual email sent by those organisation or companies, and it will contain a link or QR code that takes you to a website that also looks very similar to the organisation or companies’ genuine site.
Once you arrive at the fake site, it will usually prompt you to enter personal security information, such as your account number, PIN or security code. The phishing site records everything you enter, and then uses your information to steal your money or conduct credit card or bank account fraud.
What to do if you encountered phishing?
What to do if you receive a suspicious email/SMS
HSBC may send you emails from time to time but will never ask for your security information or encourage you to log on to Internet Banking. HSBC will never attach a link to a web page that would ask for this information. If you receive an unsolicited email from HSBC encouraging you to do this, it will be a "Phishing" email.
To report phishing websites, smishing texts or suspicious emails which have requested personal banking information contact us via firstname.lastname@example.org. We’ll send you an automatic response to let you know we’ve received your email but are unable to provide personalised responses to this mailbox.
Please ensure you copy the full email, smishing text or website address (URL) into the body of the email.
Please do not send any personal customer verification details within the email.
Kindly note emails will be processed by a third party on behalf of HSBC Global Services (UK) Limited and by HSBC Group companies.
If you believe you have shared your confidential information either online, by telephone or any other means call us immediately using the telephone number on the back of your card or the customer service hotline recorded on our HSBC Official website.