HSBC Fraud Guide
HSBC takes fraud & other financial crimes very seriously. Even though we have market-leading fraud detection systems, we want you to be aware of the different ways criminals may try to steal not just your money but also your company’s identity.
Keep your finances and personal data safe
Much has been made in the news media recently about the hazards of online hacking and data breaches, but what is seldom reported is how much simpler it is to "hack" people than computers. This process is called social engineering, and is far easier to do than one might think.
How social engineering works
Social engineering exploits aspects of human nature - behaviours that come naturally to us. Key to social engineering is the manipulation of trust - gaining a target's trust and thereby getting them to disclose information that should be kept secure.
Scammers contact their targets, usually via telephone (vishing), text or email (phishing), purporting to be individuals in positions of trust, such as bank staff, representatives of telecoms or utility companies, or even the police. Having gained their target's trust, they then request sensitive information or items which allow them access to their target's bank accounts - things your bank would never request themselves, such as:
- Your 4-digit PIN
- Credit or debit cards, chequebooks or cash
- Online Banking codes or passwords
- Transfer of funds to a different account for "safekeeping"
Common Fraud Types
This involves a fraudster making phone calls to a company, posing as bank staff, the Police, regular supplier / client or other officials in a position of trust. The call may be made to coerce a company financial controller into:
- Sending their money to another account often purportedly for ‘safe keeping’ or ‘holding’;
- Withdrawing cash and handing it over to the fraudster for investigation;
- Giving personal financial information, which can then be used to gain access to your company bank accounts?.
- Be wary of unsolicited approaches by phone, especially if asked to provide any of your company’s restricted information.
- If you are suspicious, don’t be afraid to terminate the call and, say no to requests for information.
- It takes two people to terminate a call, so ensure the caller has also hung up and you have a clear line, you can use a different phone line to test the number.
- Fraudsters can use ‘call spoofing’ to deliberately falsify the telephone number relayed on the caller ID to show as a genuine bank number.
- HSBC will never call you to ask you to generate a Secure Key code by pressing the yellow button or ask for your PIN number.
- Never share company security details beyond authorised staff. It is important to keep your account and security details safe.
Criminals may already have basic information about your company in their possession (i.e. name, address, account details), do not assume a caller is genuine because they have these details or because they claim to represent a legitimate organisation.
The Business E-mail Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform payments using an email from a company owner (CEO or CFO) as the authority to carry out the payment. Little does the payment processor know that the email is not a genuine company request.
There are two variations of this fraud type, which are as follows – Email spoofing – This involves the manipulation of an email address to make the senders email address appear to have originated from someone or somewhere other than the actual source.
The fraudsters spoofs the vendors email to submit the modified invoice. It doesn’t require compromising the vendor’s email system, but instead sends the invoice from an email that is so close to the domain of the vendor that most people would miss the change, for example, @CompanyABC.com instead of @CompanyACB.com.
Compromised Email Account - This involves the compromise of an executives email account within the organisation, such as the CFO (Chief Financial Officer). The fraudster sends a request for a payment from the compromised email account to another, often junior employee to action.
- Make sure staff are aware to check the email address the payment request is sent from, and have suitable checks in place to verify any new payment request received by way of email.
- Always regularly review your organisations controls to make sure that you have suitable payment controls in place to not fall victim to this type of fraud.
This type of fraud occurs when a fraudster tricks an organisation into changing the bank account payee details for a payment. Fraudsters pretend to be a regular supplier of the organisation and inform them of a change of bank account details.
This can include:
creating bogus customer records and bank accounts so that false payments can be generated. How to reduce your organisation’s risk of becoming a victim of invoice fraud - Make sure staff that process invoices and requests are aware of this scenario when undertaking amendments to long standing payment instructions.
Always verify changes to financial arrangements with a supplier directly using established contact details you have on file.
This is where people receive e-mails directing them to websites where they are asked to provide confidential personal or financial information. Whilst these e-mails may appear to come from a legitimate site, these emails are designed to steal your personal information and use it to access your accounts. This is known as Phishing. Do not reply or click on a link in an e-mail that warns you that your account may be shut down unless you confirm your personal information. Instead contact the company, in a way that you are sure is genuine such as an authenticated telephone number.
You should delete these e-mails immediately.
Be wary of suspicious text messages sent by fraudsters that look like they have come from your bank to trick you into giving over your personal and financial information (by calling a number or clicking a link).
It's important to remember:
- HSBC will never ask you for your full PIN or password
- HSBC will never text you a link that takes you directly to our login page
- Fraudsters can use 'text spoofing' to deliberately falsify the telephone number to appear as 'HSBC' to seem like a genuine bank text
- Never share your security details with anyone else
- If you have suspicions regarding a text message from HSBC, call us on a known number (eg number on the back of your card) to check before acting on it
If you suspect a text is Smishing, please forward it to firstname.lastname@example.org
This fraud type involves the alteration, forgery or counterfeiting of cheques drawn out of your Business account. To help your company not become a victim of cheque fraud, below are some tips on how to try and minimise this risk - Check your cheques. Add extra information to them, like an account reference number. Use your full signature when you sign your cheques – not just initials.
Match your cheque counterfoils to your statements. Let us know about discrepancies. Keep any spare chequebooks in a safe place.
Protecting your Card
- Sign and activate your new card as soon as you receive it.
- You can activate your card either through internet banking, by calling us (using the number in the useful contacts below) or by using an HSBC ATM (for Visa debit cards, unless a new PIN has been issued).
- Contact us (using the number in the useful contacts below) if your replacement card does not arrive a week before your old one expires.
Protecting your PIN
- Never write down or otherwise record your PINs and other security details in a way that can be understood by someone else.
- Destroy your PIN advice as soon as possible.
- Choose a PIN number that cannot be associated with you and isn’t a sequence such as 1234 or 1111. Ideally choose a random combination or a sequence of numbers which are important to you.
Protecting yourself at the ATM
- A device may have been fitted to the ATM, which could enable the fraudster to steal your card or capture the information contained within the magnetic strip. If you notice anything unusual attached to the ATM, do not try to remove it. Move away from the machine and call our Lost and Stolen Cards team (using the number in the useful contacts below) or the police.
- Always stand close to the machine and use your hand as a shield over the keyboard.
- Criminals may try to watch you entering your PIN, before trying to steal your card.
If the cash machine does not return your card, do not re-enter the PIN. Report the loss of your card to our 24 hour Lost and Stolen Cards team (using the number in the useful contacts below).
Protecting your company cards over the Telephone
- When making card payments over the phone, you should have your card in front of you as you may be asked information such as expiry date, issue number and the three-digit security code on the signature strip. However, NEVER divulge your PIN over the telephone, even if asked.
- Try to avoid saying your card information in public places where people may overhear.
- Request postal or email confirmation of the transaction.
Protecting yourself whilst using your card in person
- Try to use your hand as a shield when entering your PIN.
- If you encounter any problems whilst using your card, please call our Customer Telephone Service team (using the number in the useful contacts below).
- Please keep your cards in a secure place at all times.
Using a variety of methods, criminals may obtain important pieces of personal and identity data such as credit card numbers, expiry dates, dates of birth or mothers’ maiden names. This information can be used to gain access to bank accounts or open new credit facilities.
Help to minimise this risk by following these simple steps:
- Shred all receipts or any letters, which contain your business name and address or personal information.
- Switch off your postal statements to prevent unnecessary documents being sent via the mail.
- Set up a telephone security number, as this is a secure way for us to identify you when you call us.
- Don’t give your telephone security number out to anyone who contacts you. HBSC will NEVER ask for your telephone security number if WE call YOU.
Medical Sector Specific Fraud
Unfortunately, we are seeing fraudsters trying to exploit the coronavirus outbreak by posing as trusted organisations like banks and even the World Health Organisation. We are seeing fraudsters specifically target the medical sector and wanted to provide some examples of the types of fraud attempts we are seeing to help protect you from these attacks. These attempts are typically made through the following channels:
- phone calls
- text messages (SMS)
- social media posts
They may look identical to the phone numbers and e-mail addresses you have seen before, so please take extra precautions and never call/e-mail any one back using the information in the message. Please use the numbers on the HSBC website or call your Relationship Manager if you have any doubts.
Examples of fraud to watch out for
Payment Diversion Scams
Fraudsters are aware that the medical sector is making large purchases to cope with the virus and attacking both the genuine supplier as well as the buyers of these goods by amending the payment details for invoices to their account. When making large payments to a supplier for the first time, please call the supplier on a trusted phone number (i.e. a phone number you know belongs to the supplier) to verify the bank account details before making the payment. Please also follow the same verification process for existing suppliers where you are notified of any changes to the supplier’s bank account details. Never use a phone number or e-mail on an invoice when conducting a verification call.
Criminals are targeting medical workers with fake texts offering goodwill payments from the government because of coronavirus. The government won’t text, email or call about tax rebates or penalties so it could be a scam. Look out for bad spelling, odd addresses and generic greetings. As a rule, never click on links in unsolicited emails or texts.
Fraudsters are using Coronavirus to offer fake goods that won't be received, such as face masks, hand gel & more. If a deal looks too good to be true, it probably is. Be careful when buying products online. Use secure payment methods recommended by reputable online retailers and auction websites, and be wary of requests to pay via bank transfer.
Fraudsters are pretending to be bank or government staff (e.g. police officers) and asking you to transfer funds to ‘safe accounts’ due to Coronavirus. HSBC will never ask you for any PINs, passwords or to move money to a safe account. If you are at all suspicious, hang up or don’t reply to the message.