HSBC takes fraud & other financial crimes very seriously. Even though we have market-leading fraud detection systems, we want you to be aware of the different ways criminals may try to steal not just your money but also your company’s identity.
Much has been made in the news media recently about the hazards of online hacking and data breaches, but what is seldom reported is how much simpler it is to "hack" people than computers. This process is called social engineering, and is far easier to do than one might think.
Social engineering exploits aspects of human nature - behaviours that come naturally to us. Key to social engineering is the manipulation of trust - gaining a target's trust and thereby getting them to disclose information that should be kept secure.
Scammers contact their targets, usually via telephone (vishing), text or email (phishing), purporting to be individuals in positions of trust, such as bank staff, representatives of telecoms or utility companies, or even the police. Having gained their target's trust, they then request sensitive information or items which allow them access to their target's bank accounts - things your bank would never request themselves, such as:
This involves a fraudster making phone calls to a company, posing as bank staff, the Police, regular supplier / client or other officials in a position of trust. The call may be made to coerce a company financial controller into:
Criminals may already have basic information about your company in their possession (i.e. name, address, account details), do not assume a caller is genuine because they have these details or because they claim to represent a legitimate organisation.
The Business E-mail Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform payments using an email from a company owner (CEO or CFO) as the authority to carry out the payment. Little does the payment processor know that the email is not a genuine company request.
There are two variations of this fraud type, which are as follows – Email spoofing – This involves the manipulation of an email address to make the senders email address appear to have originated from someone or somewhere other than the actual source.
The fraudsters spoofs the vendors email to submit the modified invoice. It doesn’t require compromising the vendor’s email system, but instead sends the invoice from an email that is so close to the domain of the vendor that most people would miss the change, for example, @CompanyABC.com instead of @CompanyACB.com.
Compromised Email Account - This involves the compromise of an executives email account within the organisation, such as the CFO (Chief Financial Officer). The fraudster sends a request for a payment from the compromised email account to another, often junior employee to action.
This type of fraud occurs when a fraudster tricks an organisation into changing the bank account payee details for a payment. Fraudsters pretend to be a regular supplier of the organisation and inform them of a change of bank account details.
This can include:
creating bogus customer records and bank accounts so that false payments can be generated. How to reduce your organisation’s risk of becoming a victim of invoice fraud - Make sure staff that process invoices and requests are aware of this scenario when undertaking amendments to long standing payment instructions.
Always verify changes to financial arrangements with a supplier directly using established contact details you have on file.
This is where people receive e-mails directing them to websites where they are asked to provide confidential personal or financial information. Whilst these e-mails may appear to come from a legitimate site, these emails are designed to steal your personal information and use it to access your accounts. This is known as Phishing. Do not reply or click on a link in an e-mail that warns you that your account may be shut down unless you confirm your personal information. Instead contact the company, in a way that you are sure is genuine such as an authenticated telephone number.
You should delete these e-mails immediately.
Be wary of suspicious text messages sent by fraudsters that look like they have come from your bank to trick you into giving over your personal and financial information (by calling a number or clicking a link).
It's important to remember:
If you suspect a text is Smishing, please forward it to email@example.com
This fraud type involves the alteration, forgery or counterfeiting of cheques drawn out of your Business account. To help your company not become a victim of cheque fraud, below are some tips on how to try and minimise this risk - Check your cheques. Add extra information to them, like an account reference number. Use your full signature when you sign your cheques – not just initials.
Match your cheque counterfoils to your statements. Let us know about discrepancies. Keep any spare chequebooks in a safe place.
Protecting your Card
Protecting your PIN
Protecting yourself at the ATM
Protecting your company cards over the Telephone
Protecting yourself whilst using your card in person
Using a variety of methods, criminals may obtain important pieces of personal and identity data such as credit card numbers, expiry dates, dates of birth or mothers’ maiden names. This information can be used to gain access to bank accounts or open new credit facilities.
Help to minimise this risk by following these simple steps:
Unfortunately, we are seeing fraudsters trying to exploit the coronavirus outbreak by posing as trusted organisations like banks and even the World Health Organisation. We are seeing fraudsters specifically target the medical sector and wanted to provide some examples of the types of fraud attempts we are seeing to help protect you from these attacks. These attempts are typically made through the following channels:
They may look identical to the phone numbers and e-mail addresses you have seen before, so please take extra precautions and never call/e-mail any one back using the information in the message. Please use the numbers on the HSBC website or call your Relationship Manager if you have any doubts.
Payment Diversion Scams
Fraudsters are aware that the medical sector is making large purchases to cope with the virus and attacking both the genuine supplier as well as the buyers of these goods by amending the payment details for invoices to their account. When making large payments to a supplier for the first time, please call the supplier on a trusted phone number (i.e. a phone number you know belongs to the supplier) to verify the bank account details before making the payment. Please also follow the same verification process for existing suppliers where you are notified of any changes to the supplier’s bank account details. Never use a phone number or e-mail on an invoice when conducting a verification call.
Criminals are targeting medical workers with fake texts offering goodwill payments from the government because of coronavirus. The government won’t text, email or call about tax rebates or penalties so it could be a scam. Look out for bad spelling, odd addresses and generic greetings. As a rule, never click on links in unsolicited emails or texts.
Fraudsters are using Coronavirus to offer fake goods that won't be received, such as face masks, hand gel & more. If a deal looks too good to be true, it probably is. Be careful when buying products online. Use secure payment methods recommended by reputable online retailers and auction websites, and be wary of requests to pay via bank transfer.
Fraudsters are pretending to be bank or government staff (e.g. police officers) and asking you to transfer funds to ‘safe accounts’ due to Coronavirus. HSBC will never ask you for any PINs, passwords or to move money to a safe account. If you are at all suspicious, hang up or don’t reply to the message.
Should your company become a victim of fraud, please remember to report the incident to HSBC as soon as possible via your Relationship Manager (RM)