What is phishing?
Phishing is when a criminal sends you an email, SMS or phone call pretending to be from a legitimate organisation, such as a bank, online payment service, online retailer, or even a government department. They will often look very similar to genuine communications from these organisations. The communication will aim to get you to divulge passwords / bank details or other personal information by asking you click embedded links, scan QR codes or download attached files to implant malware on your device.
Besides, the embedded links will take you to a website that also looks very similar to the organisation's genuine site. Once you arrive at the fake site, it will usually prompt you to enter sensitive personal information, such as your account number, PIN, security code or one-time passwords (OTPs). The phishing site records everything you enter, and then the criminal can use your information to log into your actual account and steal your money.
Recently criminals may encourage you to redeem special offers on social media platforms by clicking on suspicious link or installing app on your device. While this application may look and act like something useful (for example a shopping application), it may in fact contain malware that allow the criminals to control your phone and/or capture sensitive data.
To spot a phishing attempt, ask yourself the following questions:
- Are you being asked for personal information, like credit card number or account password?
- Were you expecting this message?
- Does it have an attachment?
- Are you being asked to do something unusual, like transfer money to an unknown source, or email / SMS your account details to someone, or install a new application on your phone?
- Are you being asked to act with urgency to complete the actions?
- Does the sender’s email address or phone number match the name of the company that it claims to be from?
- Is your email address or phone number different from the one that you gave that company?
- Was it sent or cc’d to more than just you?
How can I tell if I'm being phished?
Fake or fraudulent websites:
- Do not have an address (“domain name”) that exactly matches the HSBC official site. Always go to the HSBC website directly.
- May be for an offer that looks too good to be true, especially if the sites request you download an “APK" file or app. These may contain malware that can allow an attacker to control your phone. This could even be the case if it is linked from a reputable social media site.
Phishing SMSes/emails/calls:
- Make false claims pretending to be from the Bank – e.g. fake incentives/rewards, request for urgent contact and notifications of new payee/recipient or payments when you haven't done so
- Include a hyperlink requesting you to log on or enter sensitive personal information
- Could make use of spoofing tactics that mimic the bank as the sender of the message
- Have a sense of ‘urgency’ – e.g. you must do this now or the offer will expire / you will lose your money.
- It is not unusual for a phishing SMS attempt to come with phone call - a phone call from the fraudster purporting to be the Bank. They may know personal details about you and/or your transactional history and appear convincing
See some examples of phishing SMSes
See some examples of phishing emails
How to protect yourself from phishing
Follow these tips to prevent falling prey to phishing:
- Never click on links or attachments on suspicious emails, SMS, messages, websites and/or social media
- Only download and install apps by trusted and verified developers via official channels/stores
- Never grant full control of your device to any third party or share screen unless you're absolutely certain of the source’s trustworthiness
- Never enter your sensitive personal information, credit card credentials or passwords on suspicious websites
- If in doubt, verify with relevant organisation and company via official channels
- HSBC will never ask for sensitive personal information nor ask customers to log into HSBC Online Banking via emails or SMSes
What should I do if I'm being phished?
If an email,SMS or call seems suspicious, don’t reply to it. Don't click on any links. Don't open any attachments. We would never send you any messages with a link requesting that you log on to online banking or provide your usernames and passwords. And if you do receive a message claiming to be from HSBC and asking you to provide your account credentials or sensitive personal information, report it to us via: Phishing@hsbc.com. Just forward us the email, website address (URL) or send us a screen shot of the SMS you received. You'll receive an automated response from us when we've received your email.
If you believe you have disclosed account credentials or sensitive personal information to a fraudster, please report it to us via our customer service hotlines immediately:
HSBC Global Private Banking customers: (852) 2233 3033
HSBC Premier Elite customers: (852) 2233 3033
HSBC Premier customers: (852) 2233 3322
Other customers: (852) 2233 3000
SMS Sender Registration Scheme
To assist public in identifying SMS sender and prevent them from falling prey to phishing SMS, Office of the Communications Authority, the Hong Kong Monetary Authority, the Hong Kong Police Force, the Hong Kong Association of Banks and the telecommunications industry have established the “SMS Sender Registration Scheme”. Starting from 28th January 2024, major local banks will only use registered sender IDs starting with “#” to send one-way SMS to local mobile users.
| Sender ID | SMS Type | |
|---|---|---|
| 1 | #HSBC | General Information |
| 2 | #HSBCsecure | Non-Forwarding (e.g. One-Time Password) |
| 3 | #PayMe | Non-Forwarding (e.g. One-Time Password) |
| 4 | #HSBCnotice | Dual-Forwarding (e.g. Transaction alert) |
| 1 | |
| Sender ID | #HSBC |
| SMS Type | General Information |
| 2 | |
| Sender ID | #HSBCsecure |
| SMS Type | Non-Forwarding (e.g. One-Time Password) |
| 3 | |
| Sender ID | #PayMe |
| SMS Type | Non-Forwarding (e.g. One-Time Password) |
| 4 | |
| Sender ID | #HSBCnotice |
| SMS Type | Dual-Forwarding (e.g. Transaction alert) |
Please note that the SMS Sender Registration Scheme is not appliable to:
- SMS messages of which receiving parties are expected to reply to the senders via phone numbers (2-way SMS) ; or
- Local subscribers of Single-Card-Multiple-Numbers/One-Card-Two-Numbers mobile service provided by non-Hong Kong operators.
HSBC reminder: If you receive SMS from unknown sender, please be vigilant and do not disclose any personal, account or credit card information, or transfer money as per requested. Do not click on suspicious link in SMS. If in doubt, you can use "Scameter" launched by the police to evaluate the fraud risk of the phone number or URL.
Security tips from HKMA
Protect your Personal Digital Keys; Beware of Fraudulent Links!
In this digital age, it is important to keep your Personal Digital Keys safe. They are your account credentials (eg online banking username and password, one-time passcode, and credit card credentials) and other sensitive personal information (eg your HKID number and date of birth). Please keep them well-protected as you would do with the keys to your home. If fraudsters manage to steal such information, it could result in financial loss. Remember to keep your Personal Digital Keys safe!
Learn more about other security tips on HKMA website.
