Understand how criminals use the internet

Criminals are in it for the money. There are many ways for them to make money online:

  • Steal your passwords and bank details with viruses, fake emails and fake websites
  • Ask you to provide security details
  • Send spam with bogus offers and products
  • Take over your computer and use it to attack other people's computers

We take your online banking security and privacy very seriously. Protecting yourself and your money takes a bit of know-how.

Don't share private information online

Double-check privacy settings on social networking sites.

What's your mother's maiden name? What's the name of the first school you went to? What was your favourite subject at school? What's your address? Birthday? Phone number?

All this information is useful to people who want to steal your identity or break into your online banking. You wouldn't give this information away to a stranger in the street but if you use social networking sites, you could be over-sharing personal data.

You may want to think carefully about the information you put into your profiles on sites like this. It is also a good idea to check the privacy settings on each site that you use, to make sure you only share personal information with people you trust.

Please also remember that you must take all reasonable precautions to keep your details safe and prevent any unauthorised use of any cards and security details. If any information forms part of your security details, you should therefore make sure that you do not disclose it to anyone else – see terms and conditions that apply to your account(s) for more detail.

How social engineering works

Social engineering exploits aspects of human nature - behaviours that come naturally to us. Key to social engineering is the manipulation of trust - gaining a target's trust and thereby getting them to disclose information that should be kept secure.

Scammers contact their targets, usually via telephone (vishing), text (smishing) or email (phishing), purporting to be individuals in positions of trust, such as bank staff, representatives of telecoms or utility companies, or even the police. Having gained their target's trust, they then request sensitive information or items which allow them access to their target's bank accounts - things your bank would never request themselves, such as:

  • Your 4-digit PIN
  • Credit or debit cards, chequebooks or cash
  • Online banking codes or passwords
  • Transfer of funds to a different account for "safekeeping"

Common social engineering scams:

Vishing

Fraudsters call out of the blue claiming that a fraud has already happened, or may be imminent. They may already have some information about you, and may pose as bank staff, the police and other officials or companies in a position of trust. 

The fraudster will then try to persuade you to:

  • Transfer money to another account for "safekeeping" or "holding"
  • Withdraw cash and hand it over "for investigation"
  • Divulge private information, which can then be used to gain access to your finances

In many cases, these cold callers will suggest you hang up the phone and call them back on another number. However, it is easy for them to keep the connection open and intercept the call, so all the information you think you're giving to your bank is actually going to them.

It's important to remember:

  • Be wary of unsolicited approaches by phone, especially if you are asked to provide any personal information
  • If you are suspicious or feel vulnerable, don't be afraid to end the call and refuse requests for information
  • Fraudsters can use "call spoofing" to deliberately falsify the telephone number relayed on your caller ID to show as a genuine bank number
  • HSBC will never call you to ask you to generate a Secure Key code or ask for your PIN number
  • Never share your security details with anyone else

Criminals may already have some basic information about you (name, address, account details); don't assume a caller is genuine because they have these details or because they claim to represent a legitimate organisation.

Smishing (SMS Phishing)

Be wary of text messages that look like they have come from your bank but are sent by fraudsters to trick you into handing over your personal and financial information (by calling a number or clicking a link).

It's important to remember:

  • HSBC will never ask you for your full PIN or password
  • HSBC will never text you a link that takes you directly to our login page
  • Fraudsters can use "text spoofing" to deliberately falsify the telephone number to appear as "HSBC" to seem like a genuine bank text
  • Never share your security details with anyone else

If you have suspicions regarding a text message from HSBC, call us on a known number (e.g. the number on the back of your card) to check before acting on it.

If you suspect a text is Smishing, please forward it to phishing@hsbc.com

Phishing

Be wary of unsolicited emails that appear to be from your bank and contain links to websites urging you to provide confidential, personal or financial information. The emails may appear to come from a legitimate site and often warn that your account may be shut down unless you take some action. These emails are designed to steal your personal information and use it to access your accounts.

Do not reply to, or click on a link in, any email that you are not sure is genuine. Instead, contact the company using an authenticated telephone number.

Phishing emails typically:

  • Warn you of some sudden change in an account which requires you to verify that you still use the service
  • Use poor spelling and grammar
  • Request confidential or security information such as your internet banking details, passwords, account numbers or PINs
  • Include instructions to reply, complete a form or document attached to the email or click through to a website in order to verify your account. Don't open attachments or click on links if you suspect they may not be genuine.

If you receive a suspicious-looking email purporting to be from HSBC, forward it to phishing@hsbc.com, delete it and empty your deleted items.

Tips to stay secure

Protect your mobile phone

Your mobile phone may contain personal information. You may even use it for internet banking and online shopping.

You may want to think about:

  • Setting and using a security PIN code
  • Adjusting the phone settings so that it locks automatically if you don't use it for five or ten minutes
  • Not storing passwords or other sensitive information on your phone in a way that can be understood by someone else
  • Not storing your home phone number and address under "home" in the contact list (you wouldn't want a thief to be able to know your address and be able to check if you're home)
  • Being wary of voicemail and text message scams
  • Being careful with links in text messages - clicking on them can be risky

Protect your passwords

  • Use different passwords for different systems.
  • Do not be tempted to use passwords that can easily be guessed such as children’s names or birth dates.
  • Never write down your passwords. If you have no alternative, record them in a way that cannot be understood by anybody else.
  • Instead of using your mother’s maiden name as your memorable name, consider using the name of your favourite cartoon character or another fictional person.
  • Use a mixture of numbers and upper- and lower-case letters to strengthen your password.