Protection from Fraud & Identity Theft

The best way to defend yourself against identity theft and fraudulent scams is to protect your personal information, safe guard your electronic access devices and know how to identify scams.  Below are recommendations on simple actions you can take to help protect you, your family and your finances.   

Chances are your computer/tablet and mobile device (devices) contains a goldmine of personal and financial information. Make sure you're taking the necessary precautions to protect them.

We offer a number of safeguards to protect your account information, including Voice ID, which allows you to access your accounts over the phone using your voice, and Touch/Face ID, which allows you to access your accounts through our mobile app using your fingerprint or face.

You can sign up for email and text alerts to help manage your card activity. Get an alert any time a transaction is made over a certain dollar amount, if you are approaching your credit limit, or if there is a name or address change on the account.  

Our mobile app provides the personalization, security and flexibility that enhances your banking experience while providing an extra layer of security to help protect your identity.

Protect your identity and enhance your safety and security by reviewing the recommendations below.

Social engineering works by gaining someone’s trust and getting them to disclose information that should be kept secure.

Scammers usually contact people by phone (vishing), text (smishing) or email (phishing). They’ll claim to be someone in a position of trust, such as bank staff, representatives of telecoms or utility companies, or even law enforcement. Having gained the person’s trust, they’ll then ask for sensitive information or things which will enable them access to the person’s bank accounts.

There are things your bank would never ask for, such as:

• Your 4-digit PIN
• Online Banking codes like your secure key or password

Your bank/law enforcement would also never ask to:

• Confirm a transaction you didn’t complete is “authorized”
• Share your passwords
• Send money or purchase gift cards
• Transfer funds to a different account for 'safekeeping'
• Collect your credit or debit cards, check books or cash

Use caution when asked for a one-time passcode (OTP)

Beware of fraudsters trying to steal your money or access your account by tricking you into sharing an OTP. An OTP is a string of random numbers that acts as a one-time code to authenticate you for a single transaction or log on session.

Fraudsters will try to get you to share the OTP by pretending to be someone you trust - like your bank or a government agency - with an urgent situation. The name and phone number they contact you through may appear genuine, but fraudsters can replicate these details by 'number spoofing'.

To protect yourself:

• Always fully read and follow the instructions provided in the HSBC OTP text message. This will confirm whether your OTP is intended for verbal authentication, or only to be entered online.
• If you think you might be the target of a fraudster, hang up and call us on a trusted number - you can find this on the back of your card or bank statement.
   

Passcode Scams

Fraudsters will ask you to share a one-time passcode which will allow them to impersonate you and try to steal money from your account.

They may claim that:

• you need to share a code using your security device to stop a payment debiting your bank account
• you need to share a code received in an unexpected text or email to prevent a suspicious transaction
• you need to confirm that you made a transaction on your account. However, you didn’t originate the transaction. In reality they will use these codes to validate their fraudulent activity.

If you suspect a scam, please call us using the number on the back of your card or bank statement.

Vishing

Fraudsters call out of the blue and may claim to be your bank (verifying a suspicious transaction), law enforcement (your arrest is imminent), a family member in distress, or another trusted organization like your broadband provider. To make the call seem more convincing they may already have some information on you, such as your account number, account activity, address and even some personal details. They can also make the call seem authentic by making their phone number look like a number you know and trust. This is known as 'number spoofing'. The caller will then try to persuade you to take action, for example:

• Transfer money to another account for 'safekeeping' or 'holding'
• Withdraw cash and hand it over 'for investigation'
• Send money or purchase gift cards
• Give private information, which can then be used to gain access to your finances
  
  

Phishing

Be wary of unsolicited emails that appear to be from your bank or another trusted organization (government agencies, IRS, Social Security Administration, etc.) and contain links to websites urging you to provide confidential, personal or financial information. The emails may appear to come from a legitimate source and often warn that your account may be shut down unless you take some action or they may say you’re owed money. They will stress the urgency for you to comply with their request.

If you receive one of these emails, don’t reply or click on a link, or open the attachments if you’re not sure they are genuine. Instead, contact the company using a phone number you know is genuine.

Phishing emails typically:

• Warn you of some sudden change in an account, which means you have to confirm you still use the service.
• Sometimes have poor spelling, grammar, generic greetings.
• Ask for confidential or security information such as your Online Banking details, passwords, account numbers or PINs.
• Include instructions to reply, complete a form or document attached to the email or click through to a website to verify your account.
• Include links that don’t match the URL of the legitimate site. The URL may not be a direct match for the valid site (i.e., you see www.hbsc.com or www.hsb.com instead of us.hsbc.com). The URL may also contain numbers such as an IP address or an "@" symbol.

If you’re suspicious of an email claiming to be from HSBC, forward it to phishing@hsbc.com

• We’ll send you an automatic response to let you know we’ve received your email but are unable to provide personalized responses from this mailbox. 
• Please ensure you copy the full email, smishing text or website address (URL) into the body of the email. 
• Please do not send any personal customer verification details within the email. 
• Kindly note emails will be processed by a third party on behalf of HSBC Global Services (UK) Limited and by HSBC Group companies.             
• Additionally, you can also report the phishing attempt to the Federal Trade Commission (FTC) or to the Federal Bureau of Investigation Internet Crime Complaint Center (Ic3).

We also recommend you delete the email and empty your deleted files.

If you feel you entered a phishing site and/or shared your information:

• Run a virus and spyware scan on your devices, and
• Contact your financial institution immediately using a trusted phone number, change your passwords, and consider putting a block on your credit report.

Additional ways to protect yourself from Phishing:

• Never provide your personal information to unverified sites.
• Use trusted websites that you enter directly into your web browser or verified bookmarks. 
• Back up your device(s) so that if you are attacked by a ransomware you have a copy of your personal/financial data.

Tip: If HSBC sends an email to your personal email address, it will always include a personal or account identifier. Any links included will be to an HSBC website information page, not directly to a page that requires login credentials or personal information.

Reminder: No one at HSBC will ever ask you for your password.

Smishing (SMS/text phishing)

Another thing to watch out for is suspicious text messages that look like they have come from HSBC or another trusted organization. These may be sent by criminals trying to trick you into giving your personal and financial information (by calling a number or clicking a link).

It's important to remember the following:

• Banks and other organizations such as the police or service providers will never ask you for your full PIN, password or banking codes.
• Fraudsters can mimic text headers so their messages can join a conversation beneath ones you know are genuine.
• Don't withdraw cash and hand it over 'for investigation.'
• Don't send money or purchase gift cards.
• Don't give private information including passcodes, which can then be used to gain access to your finances.

If you’re suspicious of an SMS/text message claiming to be from HSBC, forward it to phishing@hsbc.com

• We’ll send you an automatic response to let you know we’ve received your email but are unable to provide personalized responses to this mailbox. 
• Please ensure you copy the full email, smishing text or website address (URL) into the body of the email. 
• Please do not send any personal customer verification details within the email. 
• Kindly note emails will be processed by a third party on behalf of HSBC Global Services (UK) Limited and by HSBC Group companies.

If you feel you entered a phishing site and/or shared your information

• Run a virus and spyware scan on your devices.
• Contact your financial institution immediately using a trusted phone number, change your passwords, and consider putting a block on your credit report.

Additional ways to protect yourself from Smishing

• Never share your security details or information.
• Block people you don't want to know, especially complete strangers. Adjust your message settings so only people on your contact list can message you.
• Don't reply to strangers, especially if their messages are rude or annoying. It could be a predator.
• Don't click on unsolicited links or attachments. They could contain a virus or spyware.
• Don't create a profile that includes personal information. It can open you up to harassment and attract predators.

Tip: Reply with a simple Yes or No to HSBC Fraud Alerts, we don’t require any personal/account information.

• Use a newer operating system, set your browser to block pop-ups and increase the security settings.
• Download security patches and updates. Turn on automatic updates so you have the latest fixes to problems as they arise. To check for patches and updates you should visit the publisher's website regularly, typically their 'Download' section. Generally, the latest versions of an operating system family (like Microsoft Windows) or browser (like Internet Explorer, Google Chrome, Safari, etc.) have the most up-to-date security features.
  

• Disable "File and Printer Sharing" on your computer to prevent unauthorized access.
• Turn your computer off when you're not using it. If you're not connected to the Internet, you can't be hacked or infected.

Create a strong password

• Avoid using the same password for multiple accounts/websites

• Use unique passwords with a combination of words, numbers, symbols and using both upper- and lower-case letters

• Use a phrase known to you and pick the first letter of each word and then unique numbers and symbols

• When selecting passwords use a combination of words that have a meaning to you but appear random to others

• Avoid easily guessed passwords, such as “password” or “user”, special dates, phone number, or family/pets names

• Don’t recycle passwords for example BlueDog1, BlueDog2, BlueDog3 

• Don't use ascending or descending number patterns for example 1234 or 4321

• Don’t store your list of passwords on your computer or write them down

• If you must store them, ensure they’re encrypted in a way that is indecipherable to others

Secure your wireless network

A wireless network allows you to connect your computer to the Internet without having to use a cable. It typically contains a wireless router, which uses radio signals to transfer data to computers within the network. Some wireless routers are pre-set with very insecure settings to help users connect to them for the first time – but this also means that other people could access your Internet account quite easily. For this reason, you should always consult your manual or online guide to find out how to connect more securely through your wireless network – usually by creating a strong password.

HSBC recommends using selected web browser versions with HSBC Internet Banking.

• Ensure your software is up to date. Check the manufacturer's website (or search Google) to see if a software update is available. If there's a new one, download it.
• Follow strong passwords recommendations.
  
• Paying to access a Wi-Fi network doesn't mean it's secure. Access fees do not equal security.
• Use a Virtual Private Network (VPN). This provides secure access to an organization's network and allows you to get on line behind a secure layer that protects your information.
• Turn off cookies and auto fill. This can be a privacy threat.
• Be selective about the applications you are downloading.

• Maintain a current SPAM filter, anti-virus software and firewall to help identify and block suspicious emails. Anti-virus and anti-spy software protects you, your privacy and your money.
• If your operating system has a built-in firewall, enable it. Or install a third-party firewall to block hackers.
• Follow strong passwords recommendations.
• Use encryption software to protect data stored on your devices.

Cyber criminals are using more sophisticated methods to steal your information. They will use data available on the “dark web” typically received through data breaches, as well as attempt to have you provide them the data directly by taking advantage of your Internet behavior.

If you've followed our guidelines for securing your devices, you've already made it harder for someone to steal your identity. But all the safeguards in the world won't help you if you provide your personal information to Cyber Criminals. 

• Don’t share your personal or financial information online. 
• Set social media accounts to private (when possible) and limit the information shared, cyber criminals use that data to answer security questions or target you for Identity theft.
  • Monitor for Cryptojacking.
• Know who you are doing business with.
  • Access online banking sites by typing the URL directly into the address bar. 
  • Review the website's privacy policy to learn how your information will be used and protected. 
• Don’t allow third parties to take control of your device unless you have contacted a trusted source. Be cautious of any phone call you receive asking you to share your device information or access.
• Be aware of pop-ups as they may indicate you have malware on your computer.
• Only use trusted Wi-Fi networks or service providers and enable security protection such as Wi-Fi Protected Access (WPA), if possible.
  • When using public Wi-Fi, do not enter account numbers, passwords, or any other personal details.
• Follow Strong Password recommendations.
• Never share passwords, login credentials, or any information that can be used to authenticate your identity.
• Change Passwords if you believe they have been compromised (replied to an unsolicited email or text, data breach at a company you use) and regularly (at least every 90 days) as a safety measure.
• Always change the default password on all devices, operational systems, etc. to a strong password.
• When completing challenge questions, select questions only you know the answer to and questions that the answer can’t be located on social media or a website.
• HSBC will never ask for your device passwords.

• Don't click on pop-ups. Better yet, set your browser to block them.
  
• Don't give out personal information to blogs, forums and other social networking sites.
• When shopping online, use secure sites that encrypt your credit card information.
  
• Be suspicious of odd error messages. Don't click on them or respond to them.
• Scan your computer to remove any virus or spyware.
• Scan your computer files regularly, once a week at a minimum.

• Sign the back of your card when you get it and select a secure Personal Identification Number (PIN).
• Don’t let your card out of your control or leave it unattended.
• Use Tap & Go when possible – with facial or fingerprint security.
• When using your card online:
  •check reviews of the company
  •make sure the website is secure
  •say no to the site storing your card information
  
• Be cautious about who you share your card information with, especially if it's not a business you frequently use, or someone calls you unexpectedly.
• Use electronic statements and check your account frequently.
• Notify the bank immediately if your card is lost or stolen, or you identify unauthorized activity.
• Respond promptly to bank issued fraud alerts. If you're in any doubt that a call, text or email is really from us, call the telephone number on the back of your card.
• HSBC will never ask you to authenticate a transaction you did not authorize.
• HSBC will never ask you for your card PIN or your online banking password.

• Be aware of your surroundings, your personal safety is critical.
• Don’t lose focus on your transaction. Criminals use distraction tactics to take advantage of you looking away.
• Use well-lit ATMs that are visible to business employees and under video surveillance.
• Conduct ATM transactions during the day, when possible.
• Protect your PIN by covering the keypad while you enter the number. Never share your PIN
• Look for signs of machine tampering such as:
  •notices telling you to use a specific machine, or to enter your password multiple times, or on a second device
  •a keypad that's loose, spongy or not attached properly
  •glue residue around the card slot or keypad
  •parts or colors that don’t match the rest of the machine
  •panels that are not secure, have signs of tampering or are covered with unusual stickers
  
• Card readers will normally match other readers at that location.

If in doubt look for safe alternatives and report anything suspicious to the merchant or financial institution, or to local law enforcement.

• Don’t let incoming or outgoing mail sit in your mailbox. You can significantly reduce the chance of being victimized simply by removing your mail from your mailbox every day.
• Find secure ways to send mail, such as depositing it at your local Post Office or place of business, or by handing it to a letter carrier.
• Sign up for USPS Informed Delivery and get daily digest emails that preview your mail and packages scheduled to arrive soon.
• If you are traveling for an extended period of time, contact your local Post Office to pause delivery of your mail until you return.
• Become involved and engaged in your neighborhood via neighborhood watches and local social media groups to spread awareness and share information.
• Keep an eye out for your letter carrier. If you see something that looks suspicious, or you see someone following your carrier, call 911.

The US Postal Service is encouraging customers to report stolen mail as soon as possible by submitting an online complaint to the Postal Inspection Service at www.uspis.gov/report or calling 877-876-2455. Additionally, individuals are encouraged to report allegations of Postal Service employee misconduct, including attempts to corrupt a Postal Service employee, to the United States Postal Service OIG at 1-888-877-7644 or www.uspsoig.gov.

When logging on, a pop-up window appears stating the service is not available and to try later. A misspelled domain name in the address line. Lotteries that charge a fee to collect your winnings. Requests to pick up or send cash to a person overseas and they offer to share the money. All of these tricks and more have been used to take someone's money or identity. To avoid being conned, learn the telltale signs below.

Be suspicious of the following:

• Automated messages with urgent requests to verify your account, and/or to fix a computer issue.
• Being asked to send funds, share personal, financial or computer data. These requests are often the start of a scam.
• Additional warning signs include:
  •Being asked to you use your bank account for an ACH or wire until they get their own account and you can keep some of the funds for the use of your account.
  •Being asked to negotiate a check and you are allowed to keep some of the funds for your trouble.
  •Funds appearing in your account that you were not expecting and then someone asks you to send them the funds. 
  •Requests for funds from people who you recently met on dating sites or other social media sites. Often they say they need the funds to pay for medical, travel, passports, business needs and they will repay you soon. 
  •Requests to send funds through mobile applications, mail cash, gift cards or any card that holds a monetary value.
  •Promises of money. “You have won the lottery”, “You have a Tax Refund waiting”, ‘’Business/job opportunities’’ that involve receiving money for strangers.
  •Big threats. “Your account/computer has been hacked”, “Your going to be arrested”, “Your family member is hurt and needs medical care”.
  •Sense of urgency or secrecy . “Act now or it'll be too late”, “Don't tell anyone”, “You must do it NOW”.
  •Work-at-home schemes that require you to buy something or open a bank account to negotiate Payments/business checks. 
  •Donations to unregistered charities.  Most commonly occur after a national disaster or tragic event. 

Vishing Scam

This involves a fraudster making phone calls to an HSBC customer posing as bank staff, the fraud investigation team, police etc.. The call is made to obtain personal financial information, which often includes credit/debit card details (including PIN), One Time Passcodes (OTP), bank account details and/or personal information. This information is then used to gain access to your finances.

• Voicemails asking you to call a number with an "809", "284", "876" or other international code. You'll end up with an expensive phone bill.
• Calls that ask you to dial a two-digit code preceded or followed by the "#" or "*" key (for example, *79 or 72#) and then an 800 number. This is a call-forwarding scam.
• Text message asking for urgent confirmation of personal or account information.

Remember:

• If a deal or offer sounds too good to be true, it probably is.
• Exercise caution anytime someone asks you to use your account, buy gift cards, or send funds transfers for them.
• Just because the funds are available in your account doesn’t mean the deposited item can’t be returned and debited from your account.
• Be wary of unsolicited calls. 
• Never grant a stranger remote access to your computer or share your login credentials or password.
  
• No one at HSBC will ever ask you for your password. 

• American Bankers Association - Financial Caregiving
• US Department of Justice - Elder Justice Initiative
• AARP - Elder Financial Abuse: Stopping Fraud in the Family
• Office for Victim Crimes - National Elder Fraud Hotline - Providing Help, Restoring Hope

• Annual Credit Report.Com https://www.annualcreditreport.com/index.action
• Better Business Bureau – Scam Tracker https://www.bbb.org/scamtracker/us
• Consumer Financial Protection Bureau https://www.consumerfinance.gov/
• Credit Reporting Agencies
  • Equifax – Everything You Need to Know About Identity Theft, All in One Place https://www.equifax.com/personal/education/identity-theft/
  • Experian – How Do I Report Identity Theft https://www.experian.com/blogs/ask-experian/how-do-i-report-identity-theft/
  • TransUnion – Identity Theft https://www.transunion.com/identity-protection
• Coronavirus Information Center - How to avoid Coronavirus/COVID-19 Scams
• Elder Financial Exploitation – National Adult Protective Services Association https://www.napsa-now.org/financial-exploitation/
• Elder Justice Initiative – US Department of Justice https://www.justice.gov/elderjustice
• Federal Bureau of Investigation - Internet Crime Complaint Center (Ic3) https://www.ic3.gov/default.aspx
• Federal Trade Commission https://www.ftc.gov/
• Federal Trade Commission – Report fraud
• Federal Trade Commission – Report identity theft
• Financial Industry Regulatory Authority (FINRA) - Avoid Fraud | FINRA.org
• Internal Revenue Service – How to Report Fraud https://www.irs.gov/individuals/how-do-you-report-suspected-tax-fraud-activity
• Social Security Administration – Identity Theft and Your Social Security Number https://www.ssa.gov/pubs/EN-05-10064.pdf
• United States Department of Justice – Report Fraud https://www.justice.gov/criminal-fraud/report-fraud
• United States Department of State – Bureau of Consular Affairs – Passport or Visa Fraud https://travel.state.gov/content/travel/en/contact-us/reporting-fraud.html
• United States Government – Identity Theft https://www.usa.gov/identity-theft
• United States Government – Report Scams and Frauds https://www.usa.gov/stop-scams-frauds
• United States Postal Inspectors  https://postalinspectors.uspis.gov/