HSBC Fraud Guide

At HSBC we aim to protect our customers as much as possible from Fraud and Cybercrime. One of the best ways to do this is through education and within the Fraud Centre you will be able to find support and guidance, helping to protect you from Fraud and Cybercrime.

Read our guide to Fraud and Scam here (PDF, 1.56MB)also watch a replay of a Fraud and Cyber Awareness Webinar in our HSBC UK website here.

If you want to learn more on the psychology behind scam and how to recognize them, watch our Interactive Case Study here.

Keep your finances and personal data safe

Much has been made in the news media recently about the hazards of online hacking and data breaches, but what is seldom reported is how much simpler it is to "hack" people than computers. This process is called social engineering, and is far easier to do than one might think.

Read our guide to Malware fraud here (PDF, 315KB)

How social engineering works

Social engineering exploits aspects of human nature - behaviours that come naturally to us. Key to social engineering is the manipulation of trust - gaining a target's trust and thereby getting them to disclose information that should be kept secure.

Scammers contact their targets, usually via telephone (vishing), text or email (phishing), purporting to be individuals in positions of trust, such as bank staff, representatives of telecoms or utility companies, or even the police. Having gained their target's trust, they then request sensitive information or items which allow them access to their target's bank accounts - things your bank would never request themselves, such as:

Your 4-digit PIN
Credit or debit cards, chequebooks or cash
Online Banking codes or passwords
Transfer of funds to a different account for "safekeeping"

Read our guide to Social Engineering fraud here (PDF, 227KB)

Common Fraud Types

Remote Access Takeover

This type of fraud happens when a fraudster takes control of your device and uses this control to make payments from your bank account without your knowledge or authorisation. This will usually happen after the fraudsters have sent you a link, asked you to visit a website or download a piece of software, which helps them to remotely access your device. They may know information about you and your business and use this information to appear credible

Fraudsters use a number of tactics to steal your money using Remote Access Takeover. They may use more than one at a time. This can include:

Calling you using spoofed Number
Giving you links, website and software to click on or download
Asking you to generate, enter and/or give authorisation codes

Remember:

Never give out your Online Banking usernames, passwords, authorisation codes, or any One Time Passcodes (OTPs)
Remember numbers can be spoofed and never rely on the caller ID to know who’s calling.
For unexpected calls, don’t be afraid to return the call using an independently verified number, such as one from the caller’s official website. Use a different phone or call a known contact first to be sure the line is ‘clear’.
Be wary of suspicious emails and text messages. Especially those which contain links and ask for information. Always validate these requests with the company directly, using the contact guidance above.
Never click on any links, visit web addresses, or download software as a result of a phone call you weren’t expecting.
Your security device, or secure key, is personal to you. If someone calls and asks you to use this device, end the call and contact your bank immediately.
HSBC will never ask you to participate in an ongoing investigation, advise you how to answer questions or ask you to send your money to a safe account.

Vishing

This involves a fraudster making phone calls to a company, posing as bank staff, the Police, regular supplier / client or other officials in a position of trust. The call may be made to coerce a company financial controller into:

Sending their money to another account often purportedly for ‘safe keeping’ or ‘holding’;
Withdrawing cash and handing it over to the fraudster for investigation;
Giving personal financial information, which can then be used to gain access to your company bank accounts?.

Remember,

Be wary of unsolicited approaches by phone, especially if asked to provide any of your company’s restricted information.
If you are suspicious, don’t be afraid to terminate the call and, say no to requests for information.
It takes two people to terminate a call, so ensure the caller has also hung up and you have a clear line, you can use a different phone line to test the number.
Fraudsters can use ‘call spoofing’ to deliberately falsify the telephone number relayed on the caller ID to show as a genuine bank number.
HSBC will never call you to ask you to generate a Secure Key code by pressing the yellow button or ask for your PIN number.
Never share company security details beyond authorised staff. It is important to keep your account and security details safe.

Criminals may already have basic information about your company in their possession (i.e. name, address, account details), do not assume a caller is genuine because they have these details or because they claim to represent a legitimate organisation.

Business Email Compromise

The Business E-mail Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform payments using an email from a company owner (CEO or CFO) as the authority to carry out the payment. Little does the payment processor know that the email is not a genuine company request.

There are two variations of this fraud type, which are as follows – Email spoofing – This involves the manipulation of an email address to make the senders email address appear to have originated from someone or somewhere other than the actual source.

The fraudsters spoofs the vendors email to submit the modified invoice. It doesn't require compromising the vendor's email system, but instead sends the invoice from an email that is so close to the domain of the vendor that most people would miss the change, for example, @CompanyABC.com instead of @CompanyACB.com.

Compromised Email Account - This involves the compromise of an executives email account within the organisation, such as the CFO (Chief Financial Officer). The fraudster sends a request for a payment from the compromised email account to another, often junior employee to action.

Remember,

Make sure staff are aware to check the email address the payment request is sent from, and have suitable checks in place to verify any new payment request received by way of email.
Always regularly review your organisations controls to make sure that you have suitable payment controls in place to not fall victim to this type of fraud.

Payment Diversion/Invoice Fraud

This type of fraud occurs when a fraudster tricks an organisation into changing the bank account payee details for a payment. Fraudsters pretend to be a regular supplier of the organisation and inform them of a change of bank account details.

This can include:

creating bogus customer records and bank accounts so that false payments can be generated. How to reduce your organisation's risk of becoming a victim of invoice fraud - Make sure staff that process invoices and requests are aware of this scenario when undertaking amendments to long standing payment instructions.

Always verify changes to financial arrangements with a supplier directly using established contact details you have on file.

Phishing

This is where people receive e-mails directing them to websites where they are asked to provide confidential personal or financial information. Whilst these e-mails may appear to come from a legitimate site, these emails are designed to steal your personal information and use it to access your accounts. This is known as Phishing. Do not reply or click on a link in an e-mail that warns you that your account may be shut down unless you confirm your personal information. Instead contact the company, in a way that you are sure is genuine such as an authenticated telephone number.

You should delete these e-mails immediately.

Smishing (SMS Phishing)

Be wary of suspicious text messages sent by fraudsters that look like they have come from your bank to trick you into giving over your personal and financial information (by calling a number or clicking a link).

It's important to remember:

HSBC will never ask you for your full PIN or password
HSBC will never text you a link that takes you directly to our login page
Fraudsters can use 'text spoofing' to deliberately falsify the telephone number to appear as 'HSBC' to seem like a genuine bank text
Never share your security details with anyone else
If you have suspicions regarding a text message from HSBC, call us on a known number (eg number on the back of your card) to check before acting on it

If you suspect a text is Smishing, please forward it to phishing@hsbc.com

Cheque Fraud

This fraud type involves the alteration, forgery or counterfeiting of cheques drawn out of your Business account. To help your company not become a victim of cheque fraud, below are some tips on how to try and minimise this risk - Check your cheques. Add extra information to them, like an account reference number. Use your full signature when you sign your cheques – not just initials.

Match your cheque counterfoils to your statements. Let us know about discrepancies. Keep any spare chequebooks in a safe place.

Card Fraud

Protecting your Card

Sign and activate your new card as soon as you receive it.
You can activate your card either through internet banking, by calling us (using the number in the useful contacts below) or by using an HSBC ATM (for Visa debit cards, unless a new PIN has been issued).
Contact us (using the number in the useful contacts below) if your replacement card does not arrive a week before your old one expires.

Protecting your PIN

Never write down or otherwise record your PINs and other security details in a way that can be understood by someone else.
Destroy your PIN advice as soon as possible.
Choose a PIN number that cannot be associated with you and isn’t a sequence such as 1234 or 1111. Ideally choose a random combination or a sequence of numbers which are important to you.

Protecting yourself at the ATM

A device may have been fitted to the ATM, which could enable the fraudster to steal your card or capture the information contained within the magnetic strip. If you notice anything unusual attached to the ATM, do not try to remove it. Move away from the machine and call our Lost and Stolen Cards team (using the number in the useful contacts below) or the police.
Always stand close to the machine and use your hand as a shield over the keyboard.
Criminals may try to watch you entering your PIN, before trying to steal your card.
If the cash machine does not return your card, do not re-enter the PIN. Report the loss of your card to our 24 hour Lost and Stolen Cards team (using the number in the useful contacts below).

Protecting your company cards over the Telephone

When making card payments over the phone, you should have your card in front of you as you may be asked information such as expiry date, issue number and the three-digit security code on the signature strip. However, NEVER divulge your PIN over the telephone, even if asked.
Try to avoid saying your card information in public places where people may overhear.
Request postal or email confirmation of the transaction.

Protecting yourself whilst using your card in person

Try to use your hand as a shield when entering your PIN.
If you encounter any problems whilst using your card, please call our Customer Telephone Service team (using the number in the useful contacts below).
Please keep your cards in a secure place at all times.

Identity Fraud

Using a variety of methods, criminals may obtain important pieces of personal and identity data such as credit card numbers, expiry dates, dates of birth or mothers’ maiden names. This information can be used to gain access to bank accounts or open new credit facilities.

Help to minimise this risk by following these simple steps:

Shred all receipts or any letters, which contain your business name and address or personal information.
Switch off your postal statements to prevent unnecessary documents being sent via the mail.
Set up a telephone security number, as this is a secure way for us to identify you when you call us.
Don’t give your telephone security number out to anyone who contacts you. HBSC will NEVER ask for your telephone security number if WE call YOU.

Generative AI Fraud

Generative Artificial Intelligence (AI) is a technology that enables computers to perform complex tasks and generate writing, audio, or even video made content. AI tools are also capable of making decisions by analysing large amounts of data and using advanced models, giving the impression of interacting with a real person.

This technology significantly the capabilities of fraudsters, allowing them to impersonate individuals or businesses more easily. For instance, by improving fraudsters’ attacks, by impersonating voices during phone calls, or even by manipulating faces and voices through fake videos (deepfake).

You can use these advice below to protect against yourself and your business against Generative AI fraud:

Regularly update anti-fraud controls.
Use daily security codes and enhanced verification processes.
Ensure active monitoring and provide regular training, especially on the risks related to deepfakes and phishing attempts.

Useful Contacts and Resources

Should your company become a victim of fraud, please remember to report the incident to HSBC as soon as possible either via contacting our Customer Support Team or via your Relationship Manager (RM). For additional contact options, please consult the list of contacts below by country.