How do Social Engineering scams work?

Sophisticated fraudsters aim convincing 'spear' phishing emails at carefully selected groups, researching recipients through social media, website information or public facts about their organisation.

High-volume phishing, on the other hand, targets as many recipients as possible - of whom only a tiny percentage have to be caught for possible success. Fake invoices, delivery notifications, receipts and banking updates can all be used as lures in these attempts.

Many vishing campaigns are high volume, using auto-dial and broadband calling to contact thousands of potential victims per hour. They try to drive fear-based responses: for example, a spurious bank call-back service which pretends to alert the victim to bank account fraud, then requests detailed card information on response.

Targeting organisations, attackers often impersonate a senior employee requiring urgent assistance. They may pretend to be in a rush, in an attempt to take control of the conversation.

Smishing texts typically request urgent action, which often means clicking on a malicious link that in turn enables data theft. Spam filters stop many phishing emails from reaching inboxes, but no mainstream solution yet exists to prevent texts from reaching their intended target.

What to look out for

Fraudsters may use one or more of the following tactics to try to target your organisation:

Warning signs	Recommended actions
You receive a call from an unknown long distance number or a redirect from the operator.	Ask for the caller’s identity (eg. Who they are, where they are from and why they need the information). Confirm the caller’s identity through your organisation’s verification process.
Over-friendly or intimidating people claiming that something is very urgent or important, and even threatening to complain. These people can cite familiar information including the name of your department or manager to pressure you into disclosing information.	Trust your instincts. If you receive a suspicious call for bank or staff information, do not provide any information. Report the call through your organisation’s internal processes.
Requests that are unusual or that require you to ‘cut corners’ or make exceptions to established procedures.	If in doubt, ask questions to help you verify whether the request is genuine or not. Engage your manager or HSBCnet System Administrator for a second opinion before taking any further action.
You receive an email that appears to be from a colleague within your organisation. When you reply, the email address of the recipient changes to an external party.	If you think you’ve received a suspicious email, do not reply, click on any links or open any attachments. Report the email to your HSBCnet System Administrator and forward the email to @hsbcnet.phishing@hsbc.com. Then delete the email from your inbox.
An unexpected text is sent to your mobile phone claiming to be from HSBC asking you to click a link to take urgent action.	Don’t click any links in texts you weren’t expecting to receive. Don’t reply to the text using the contact information provided in the text. If in doubt, verify the text using known HSBC contacts.

If you are ever doubtful about your HSBCnet activities or the authenticity of incoming telephone calls, texts or emails purporting to be from HSBC, please call your local HSBCnet Support Centre or your HSBCnet Representative for further verification.