Beware of phishing

Phishing is a common tactic that fraudsters use to trick people into revealing sensitive information that they can use to commit crime. The fraudster impersonates an organisation, such as a government agency, a bank, an online payment service provider, an online retailer or a business partner, in an email or text message that includes a request for sensitive information, such as your password, personal details or credit card details. The phishing emails, text messages or websites often look like those of the organisation they claim to be from.

Phishing emails and text messages may also contain links, QR codes or files that, if opened, will install malware on your device. This allows the scammers to gain access to sensitive information.

If you notice any of these warning signs, a communication could be a phishing scam:

• Unspecified recipient: Beware of emails with no (or vague) recipient details.
• Suspicious sender: Check the sender's email address carefully – a scammer's address might look almost identical to the organisation's genuine email address, but with some small differences.
• Urgent language: A phishing email might use language that encourages you to act quickly – for example, by asking you to click a link or open an attachment to see an important notification from your bank.
• Suspicious links: Phishing emails may include a hyperlink that looks like the organisation's genuine website address, but reveals another URL when you hover over it.
• Grammar and spelling mistakes: Phishing messages often contain grammatical errors or typos.

Here are some examples of fraudsters impersonating government officials or service providers to gain sensitive information.

Government services:  Fraudsters have been impersonating staff from the Inland Revenue Department by sending phishing emails headed 'HK-Refund-Online-Confirmation'. The emails include a hyperlink to a fraudulent website that allows the scammers to obtain victims' personal information, such as credit card details.

Service providers: People have been targeted by phishing SMS messages from fraudsters impersonating a delivery service provider. The messages claim that the recipient's express parcel could not be delivered. Victims have been lured into clicking on the embedded link, directing them to a fraudulent company website that asks them to provide their personal information, including credit card details.

HSBC will never send you SMS or email messages that contain embedded hyperlinks to websites or mobile applications to carry out transactions. We will never ask you to provide sensitive personal information, such as your login details and OTPs, via a hyperlink.

If you receive an SMS or email with a request to provide your internet banking login details via an embedded hyperlink, the messages should not be from HSBC. If you think a hyperlink or attachment in an SMS or email is suspicious, do not click on it. Always access internet banking by going directly to our website or opening the HSBC mobile app.

If you aren't sure if an email claiming to be from HSBC is genuine, please call our hotline on +852 2748 8288 to verify.

• Never click on the hyperlinks in suspicious emails or messages.
• Never log on to an unverified website. If you think a URL looks suspicious, please call our hotline on +852 2748 8288 to verify it, or simply delete the email that contains the URL without clicking on the link. Alternatively, you can check the URL using anti-scam tools such as Scameter by CyberDefender, which is supported by the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force.
• Be extra cautious if a website asks you for your personal information or credit card details.
• Check your account statement/activity log for any unauthorised purchases or transactions.
• If you think that a fraudster might have gained access to your account, contact HSBC immediately.
• Regularly update your computer's antivirus software and run scans.
• If you suspect that you have become the victim of a scam, save the relevant emails or messages and report it to the police.