Learn how to spot suspicious calls, texts and emails

Close < Previous | Next >

Learn how to spot suspicious calls, texts and emails

Last updated: 31 August 2020

Criminals may contact you by email, via SMS or by phone to con you into giving away passwords and bank details. They may even use fake invoices, delivery notifications, receipts and banking updates as lures to divert payment funds to a fraudulent account.

It pays to be on your guard because these attempts can be quite convincing.

HSBC will never ask you for any log on or security details, or ask you to generate security codes over the telephone or through any other method of communication.

What to look out for

Fraudsters are good at making their attacks appear realistic. But their attempts often share some common characteristics:

Look legitimate at first glance
Fraudsters can make the phone number you see on your Caller ID look just like a trusted contact. You might also receive an email that looks like it comes from us and it might contain a link to a website that looks like HSBCnet. When you try to log on, they can steal your password.
Designed to generate fear-based responses
For example, a spurious bank call-back service which pretends to alert you to bank account fraud, then requests detailed account information on response.
Invoke a sense of urgency
Attackers often impersonate a senior employee or a vendor requiring urgent assistance. They may pretend to be in a rush and attempt to take control of the conversation.

Here are some tactics criminals may use to target your organisation:

Warning signs	Recommended next steps
It’s important to be cautious if you receive a call from an unknown number. But increasingly, criminals are using ‘Caller ID spoofing’ to make their call look like it’s coming from a recognizable contact (including HSBC).	Always ask the caller to clearly identify themselves (eg. Who they are, where they are from and why they need the information). Confirm the caller’s identity through your organisation’s verification process. If the caller says they’re from HSBC and you weren’t expecting the call, you can always end the call and call back using a verified phone number.
Over-friendly or intimidating people claiming that something is very urgent or important. They may even threaten to complain. Criminals can cite familiar information including the name of your department or manager to pressure you into disclosing information.	Trust your instincts. If you receive a suspicious call for bank or staff information, do not provide any information. Report the call through your organisation’s internal processes.
Requests that are unusual or that require you to ‘cut corners’ or make exceptions to established procedures.	If in doubt, ask questions to help you verify whether the request is genuine or not. Contact your manager or HSBCnet System Administrator for a second opinion before taking any further action.
You receive an email that appears to be from a colleague within your organisation. When you reply, the email address of the recipient changes to an external party.	If you think you’ve received a suspicious email, do not reply, click on any links or open any attachments. Report the email to your HSBCnet System Administrator and forward the email to hsbcnet.phishing@hsbc.com. Then delete the email from your inbox.
An unexpected text is sent to your mobile phone claiming to be from HSBC asking you to click a link to take urgent action.	Don’t click any links in texts you weren’t expecting to receive. Don’t reply to the text using the contact information provided in the text. Verify the text by reaching out to your known contact at HSBC.

Warning signs

Recommended next steps

It’s important to be cautious if you receive a call from an unknown number.

But increasingly, criminals are using ‘Caller ID spoofing’ to make their call look like it’s coming from a recognizable contact (including HSBC).

Always ask the caller to clearly identify themselves (eg. Who they are, where they are from and why they need the information). Confirm the caller’s identity through your organisation’s verification process.

If the caller says they’re from HSBC and you weren’t expecting the call, you can always end the call and call back using a verified phone number.

Over-friendly or intimidating people claiming that something is very urgent or important. They may even threaten to complain.

Criminals can cite familiar information including the name of your department or manager to pressure you into disclosing information.

Trust your instincts.

If you receive a suspicious call for bank or staff information, do not provide any information.

Report the call through your organisation’s internal processes.

Requests that are unusual or that require you to ‘cut corners’ or make exceptions to established procedures.

If in doubt, ask questions to help you verify whether the request is genuine or not.

Contact your manager or HSBCnet System Administrator for a second opinion before taking any further action.

You receive an email that appears to be from a colleague within your organisation. When you reply, the email address of the recipient changes to an external party.

If you think you’ve received a suspicious email, do not reply, click on any links or open any attachments.

Report the email to your HSBCnet System Administrator and forward the email to hsbcnet.phishing@hsbc.com. Then delete the email from your inbox.

An unexpected text is sent to your mobile phone claiming to be from HSBC asking you to click a link to take urgent action.

Don’t click any links in texts you weren’t expecting to receive. Don’t reply to the text using the contact information provided in the text.

Verify the text by reaching out to your known contact at HSBC.

Stay vigilant

If you’re ever in doubt, stop. Hang up the call. Don’t click on any links or open any attachments. Then contact us for further verification.