HSBC Fraud Guide

HSBC takes fraud & other financial crimes very seriously. Even though we have market-leading fraud detection systems, we want you to be aware of the different ways criminals may try to steal not just your money but also your company’s identity.

Keep your finances and personal data safe

Much has been made in the news media recently about the hazards of online hacking and data breaches, but what is seldom reported is how much simpler it is to "hack" people than computers. This process is called social engineering, and is far easier to do than one might think.

How social engineering works

Social engineering exploits aspects of human nature - behaviours that come naturally to us. Key to social engineering is the manipulation of trust - gaining a target's trust and thereby getting them to disclose information that should be kept secure.

Scammers contact their targets, usually via telephone (vishing), text or email (phishing), purporting to be individuals in positions of trust, such as bank staff, representatives of telecoms or utility companies, or even the police. Having gained their target's trust, they then request sensitive information or items which allow them access to their target's bank accounts - things your bank would never request themselves, such as:

  • Your 4-digit PIN
  • Credit or debit cards, chequebooks or cash
  • Online Banking codes or passwords
  • Transfer of funds to a different account for "safekeeping"

Common Fraud Types

Vishing

This involves a fraudster making phone calls to a company, posing as bank staff, the Police, regular supplier / client or other officials in a position of trust. The call may be made to coerce a company financial controller into:
Sending their money to another account often purportedly for ‘safe keeping’ or ‘holding’;
Withdrawing cash and handing it over to the fraudster for investigation;
Giving personal financial information, which can then be used to gain access to your company bank accounts?.

 

Remember,
Be wary of unsolicited approaches by phone, especially if asked to provide any of your company’s restricted information.
If you are suspicious, don’t be afraid to terminate the call and, say no to requests for information.
It takes two people to terminate a call, so ensure the caller has also hung up and you have a clear line, you can use a different phone line to test the number.
Fraudsters can use ‘call spoofing’ to deliberately falsify the telephone number relayed on the caller ID to show as a genuine bank number.
HSBC will never call you to ask you to generate a Secure Key code by pressing the yellow button or ask for your PIN number.
Never share company security details beyond authorised staff. It is important to keep your account and security details safe.

 

Criminals may already have basic information about your company in their possession (i.e. name, address, account details), do not assume a caller is genuine because they have these details or because they claim to represent a legitimate organisation.

Business Email Compromise

The Business E-mail Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform payments using an email from a company owner (CEO or CFO) as the authority to carry out the payment. Little does the payment processor know that the email is not a genuine company request.

 

There are two variations of this fraud type, which are as follows –
Email spoofing – This involves the manipulation of an email address to make the senders email address appear to have originated from someone or somewhere other than the actual source.
The fraudsters spoofs the vendors email to submit the modified invoice. It doesn’t require compromising the vendor’s email system, but instead sends the invoice from an email that is so close to the domain of the vendor that most people would miss the change, for example, @CompanyABC.com instead of @CompanyACB.com.
Compromised Email Account - This involves the compromise of an executives email account within the organisation, such as the CFO (Chief Financial Officer). The fraudster sends a request for a payment from the compromised email account to another, often junior employee to action.

Remember,
Make sure staff are aware to check the email address the payment request is sent from, and have suitable checks in place to verify any new payment request received by way of email. Always regularly review your organisations controls to make sure that you have suitable payment controls in place to not fall victim to this type of fraud.

Payment Diversion / Invoice Fraud

This type of fraud occurs when a fraudster tricks an organisation into changing the bank account payee details for a payment. Fraudsters pretend to be a regular supplier of the organisation and inform them of a change of bank account details.

This can include:
creating bogus customer records and bank accounts so that false payments can be generated

How to reduce your organisation’s risk of becoming a victim of invoice fraud - Make sure staff that process invoices and requests are aware of this scenario when undertaking amendments to long standing payment instructions.

Always verify changes to financial arrangements with a supplier directly using established contact details you have on file.

Phishing

This is where people receive e-mails directing them to websites where they are asked to provide confidential personal or financial information. Whilst these e-mails may appear to come from a legitimate site, these emails are designed to steal your personal information and use it to access your accounts. This is known as Phishing. Do not reply or click on a link in an e-mail that warns you that your account may be shut down unless you confirm your personal information. Instead contact the company, in a way that you are sure is genuine such as an authenticated telephone number.
You should delete these e-mails immediately.

Smishing (SMS Phishing)

Be wary of suspicious text messages sent by fraudsters that look like they have come from your bank to trick you into giving over your personal and financial information (by calling a number or clicking a link).

It's important to remember:

  • HSBC will never ask you for your full PIN or password
  • HSBC will never text you a link that takes you directly to our login page
  • Fraudsters can use 'text spoofing' to deliberately falsify the telephone number to appear as 'HSBC' to seem like a genuine bank text
  • Never share your security details with anyone else
  • If you have suspicions regarding a text message from HSBC, call us on a known number (eg number on the back of your card) to check before acting on it

If you suspect a text is Smishing, please forward it to phishing@hsbc.com

Cheque Fraud

This fraud type involves the alteration, forgery or counterfeiting of cheques drawn out your Business account. To help your company not become a victim of cheque fraud, below are some tips on how to try and minimise this risk -
Check your cheques. Add extra information to them, like an account reference number.
Use your full signature when you sign your cheques – not just initials.
Match your cheque counterfoils to your statements. Let us know about discrepancies.
Keep any spare chequebooks in a safe place.

Card Fraud

Protecting your Card
Sign and activate your new card as soon as you receive it.
You can activate your card either through internet banking, by calling us (using the number in the useful contacts below) or by using an HSBC ATM (for Visa debit cards, unless a new PIN has been issued).
Contact us (using the number in the useful contacts below) if your replacement card does not arrive a week before your old one expires.

Protecting your PIN
Never write down or otherwise record your PINs and other security details in a way that can be understood by someone else.
Destroy your PIN advice as soon as possible.
Choose a PIN number that cannot be associated with you and isn’t a sequence such as 1234 or 1111. Ideally choose a random combination or a sequence of numbers which are important to you.

Protecting yourself at the ATM
A device may have been fitted to the ATM, which could enable the fraudster to steal your card or capture the information contained within the magnetic strip. If you notice anything unusual attached to the ATM, do not try to remove it. Move away from the machine and call our Lost and Stolen Cards team (using the number in the useful contacts below) or the police.
Always stand close to the machine and use your hand as a shield over the keyboard. Criminals may try to watch you entering your PIN, before trying to steal your card.
If the cash machine does not return your card, do not re-enter the PIN. Report the loss of your card to our 24 hour Lost and Stolen Cards team (using the number in the useful contacts below).

Protecting your company cards over the Telephone
When making card payments over the phone, you should have your card in front of you as you may be asked information such as expiry date, issue number and the three-digit security code on the signature strip. However, NEVER divulge your PIN over the telephone, even if asked.
Try to avoid saying your card information in public places where people may overhear.
Request postal or email confirmation of the transaction.

Protecting yourself whilst using your card in person
Try to use your hand as a shield when entering your PIN.
If you encounter any problems whilst using your card, please call our Customer Telephone Service team (using the number in the useful contacts below).
Please keep your cards in a secure place at all times.

Identity Fraud

Using a variety of methods, criminals may obtain important pieces of personal and identity data such as credit card numbers, expiry dates, dates of birth or mothers’ maiden names. This information can be used to gain access to bank accounts or open new credit facilities.
Help to minimise this risk by following these simple steps:
Shred all receipts or any letters, which contain your business name and address or personal information. Switch off your postal statements to prevent unnecessary documents being sent via the mail.
Set up a telephone security number, as this is a secure way for us to identify you when you call us.
Don’t give your telephone security number out to anyone who contacts you. HBSC will NEVER ask for your telephone security number if WE call YOU.
If you have lost or had stolen important documents such as a passport, consider registering for the CIFAS Protective Registration Service (see link below).

Useful contacts & Resources

Should your company become a victim of fraud, please remember to report the incident to HSBC as soon as possible either via the telephone numbers as below, or via your Relationship Manager (RM).

Business Telephone Services
(Please call this number in the first instance)

03457 60 60 60 or if overseas +44 1226 260 878 Textphone 03457 125 563 or if overseas 44 1792 494 394

Security Reset Team
Please call the main telephone banking number above if suspect you may have divulged your security details

Lost or Stolen Cards
03456 007 010 or if overseas 44 1442 422 929

http://www.business.hsbc.uk/en-gb/bib-help-centre
http://www.hsbcnet.com/gbm/about-hsbcnet/security-alerts
www.cardwatch.org.uk
www.chipandpin.co.uk
http://www.fca.org.uk/
www.cifas.org.uk
www.equifax.co.uk
www.identitytheft.org.uk
https://www.getsafeonline.org/business/
http://www.actionfraud.police.uk/small-businesses-know-your-business

You are leaving the HSBC Commercial Banking website.

Please be aware that the external site policies will differ from our website terms and conditions and privacy policy. The next site will open in a new browser window or tab.

You are leaving the HSBC CMB website.

Please be aware that the external site policies will differ from our website terms and conditions and privacy policy. The next site will open in a new browser window or tab.