How do fraudsters operate?
Fraudsters exploit human nature - behaviours that come naturally to us. Key to this is the manipulation of trust - gaining a target's trust and getting them to disclose information that should be kept secure.
Common fraud methods
Phishing involves fraudsters sending an unsolicited e-mail that appears to be from your bank or an online retailer, asking you to update personal and financial information such as your date of birth, online login information, account details, credit card numbers, PINs etc.
The e-mail may contain a link that takes you to a website that looks identical (or very similar) to the organisation's genuine site. Fraudsters can then capture personal data such as passwords as you type them in, or download malware onto your computer.
Smishing (SMS Phishing)
Smishing involves text messages sent by fraudsters that look like they have come from your bank, to trick you into handing over your personal and financial information (by calling a number or clicking a link). Fraudsters also use 'text spoofing' to falsify the sender's telephone number so that the message appears to come from 'HSBC' and looks like a genuine bank SMS.
SIM Swap Fraud is when a fraudster duplicates the SIM of your mobile number without your knowledge or authorization. This allows the fraudster to receive all your calls and text messages, obtain personal details and then conduct financial transactions with your bank.
Redirection of Funds
Redirection of Funds is when an individual receives a payment request via email that appears genuine but is in fact fraudulent.
Computer takeover (remote access takeover)
Computer takeover involves fraudsters impersonating internet service providers, computer companies, banks, software firms and law enforcement to steal money from online bank accounts.
Criminals use technology to take control of victims' computers from remote locations, by calling and offering to help with a slow computer or internet connection.
They will say they can fix it but need to access the victim's computer to do so. Victims are then asked either to visit a website or enter a command prompt on their computer, giving the scammers control of the machine remotely.
To avoid falling victim to this scam:
- be wary of unsolicited approaches by phone claiming to offer a refund or compensation
- avoid letting someone you do not know or trust have access to your computer, especially remotely
- never log onto your internet bank while someone else has access to your computer
Never disclose your:
- One Time Password generated from your Secure Key to anyone
- SMS password sent to your mobile phone
- six-digit card PIN to anyone, including the bank or police
- password or online banking codes
- personal details unless you are sure who you are talking to
Fraudsters call out of the blue claiming that a fraud has already happened, or may be imminent. They may already have some information about you, and may pose as bank staff, the police and other officials or companies in a position of trust. The fraudster will then try to persuade you to:
- transfer money to another account for 'safekeeping' or 'holding'
- withdraw cash and hand it over 'for investigation'
- divulge private information, which can then be used to gain access to your finances
Be vigilant - warning signs to look out for
- be wary of unsolicited approaches by phone, especially if you are asked to provide personal information
- beware of unsolicited e-mails or SMS messages asking you to update or verify your personal details, Personal Internet Banking login or security details such as Secure Key passwords/values or Credit Card or Debit Card PINs. HSBC will never request this type of information
- beware of instructions to reply, complete a form or document attached to the email, or click through to a website in order to verify your account
- links within emails or SMS from HSBC will never take you directly to our login page and will always take you to information pages
How to protect yourself
- don't open attachments or click on links if you suspect they may not be genuine
- never share your security details such as PIN or passwords with anyone
- install anti-virus software and keep it up-to-date to protect you against malicious software such as viruses, trojans, spyware and adware
- keep your browser up-to-date as modern browser software adds protection against fake websites
- keep your software up-to-date as it's harder for viruses to infect updated software
If you are in doubt about the legitimacy of the e-mail/SMS, or if you think that you have been a victim of a phishing/smishing/vishing scam, please contact firstname.lastname@example.org.