Social engineering: do you know how to spot a fraudster?

Last updated: 3 May 2021

Do you know who you're actually talking to on the other end of the phone? Does an email or text message look genuine? Be vigilant. Criminals now have various clever ways to steal information for fraudulent purposes. These tactics are known as social engineering, and it's on the rise.

What you need to know

Fraudsters use various techniques to get information, including:

Fraudsters will often create a sense of panic to get a quick response over the phone. They may pretend to be a colleague or a customer in a rush or requiring urgent assistance.

Fraudsters may call you pretending to be from HSBC. The number they’re calling from may even show up on call display as an HSBC number (this tactic is known as ‘caller ID spoofing’). They may try to direct you to take actions which would enable unauthorised payments to be sent to the fraudster. This could include providing security codes generated from your Security Device.

Emails may create a sense of fear, urgency or opportunity to encourage recipients to click on a link or open an attachment that then infects their machine with a virus or malware. This then allows fraudsters to steal information or money and/or disrupt a computer system.

While many fraudsters act randomly, some target specific groups of employees or customers. This is called spear phishing. One example is CEO fraud, where criminals impersonate senior executives and instruct colleagues to transfer money to them.

Another tactic is payment diversion fraud. Frausters will send an email claiming to be from a supplier. It says its bank details have changed so funds should be transferred to another account instead. Don't reply to these emails. Always take the extra step of verifying any requests through an alternative communication method.

Text messages may claim that your bank suspects there has been fraudulent activity on your account, that you are in trouble with tax authorities, or have won some money.

Smishing texts typically request urgent action, which often means clicking on a malicious link that in turn enables data theft. Spam filters stop many phishing emails from reaching inboxes, but no mainstream solution yet exists to prevent texts from reaching their intended target.

Under no circumstances will HSBC ever ask you to divulge any of your security details over the phone, by text message or via email.

What you can do

It is important that you raise awareness of the potential impact of social engineering within your organisation, and implement a policy for reporting suspected cases.

Top tips to help stay safe from social engineering Never share financial or company information with people you don't know Don't be rushed into making a quick decision Never click on links in text messages or emails, or open or download attachments, unless you are sure they are safe Be careful about the information you share on social media as this can provide fraudsters with many small pieces of information that make a bigger picture Always call phone numbers you know and have checked. If someone claims to be a colleague, check their name on your organisation’s staff directory and call them back on their internal number Forward any suspicious emails to hsbcnet.phishing@hsbc.com Learn how to spot suspicious calls, texts, and emails >

Stay vigilant and report suspicious activity

If you’re ever doubtful about your HSBCnet activities or the authenticity of incoming telephone calls, texts or emails purporting to be from HSBC, contact your local HSBCnet Support Centre or HSBC representative immediately.