Social Engineering: do you know how to spot a fraudster?

Last updated: 7 January 2020

Do you know who you're actually talking to on the other end of the phone? Does an email or text message look genuine? Be vigilant. Thieves now have various clever ways to steal information for fraudulent purposes. Read on to learn how to protect your organisation from fraudsters.

These tactics are known as social engineering, and it's on the rise.

What you need to know

Fraudsters use various techniques to get information, including:

Phishing – email
Smishing – text messages
Vishing – phone conversation.

Phishing

Emails may create a sense of fear, urgency or opportunity to encourage recipients to click on a link or open an attachment that then infects their machine with a virus or malware. This then allows criminals to steal information or money and/or disrupt a computer system.

While many fraudsters act randomly, some target specific groups of employees or customers. This is called spear phishing. One example is CEO fraud, where criminals impersonate senior executives and instruct colleagues to transfer money to them.

Another tactic is payment diversion fraud. Criminals will send an email claiming to be from a supplier. It says its bank details have changed so funds should be transferred to another account instead. Don't reply to these emails. Always take the extra step of verifying any requests through an alternative communication method.

Smishing

Text messages may claim that your bank suspects there has been fraudulent activity on your account, that you are in trouble with tax authorities, or have won some money.

Smishing texts typically request urgent action, which often means clicking on a malicious link that in turn enables data theft. Spam filters stop many phishing emails from reaching inboxes, but no mainstream solution yet exists to prevent texts from reaching their intended target.

Vishing

Fraudsters will often create a sense of panic to get a quick response over the phone. They may pretend to be a colleague or a customer in a rush or requiring urgent assistance.

Fraudsters may call you pretending to be from HSBC. They may try to direct you to perform actions which would enable unauthorised payments to be sent to the criminal. This could include providing security codes generated from your token.

What you can do

It is important that you raise awareness of the potential impact of social engineering within your organisation, and implement a policy for reporting suspected cases.

Top tips to stay safe from social engineering:

Never share financial or company information with people you don't know
Don't be rushed into making a quick decision
Never click on links in text messages or emails, or open or download attachments, unless you are sure they are safe
Be careful about the information you share on social media as this can provide fraudsters with many small pieces of information that make a bigger picture
Always call phone numbers you know and have checked. If someone claims to be a colleague, check their name on your organisation’s staff directory and call them back on their internal telephone number
Forward any suspicious emails to @hsbcnet.phishing@hsbc.com

Learn how to spot suspicious calls, texts and emails >

Under no circumstances will HSBC ever ask you to ask you to divulge any of your security details over the phone, by text message or via email.

If you are ever doubtful about your HSBCnet activities or the authenticity of incoming telephone calls, texts or emails purporting to be from HSBC, please call your local HSBCnet Support Centre or your HSBCnet representative for further verification.