On this page

At HSBC, we take Online Security very seriously and we want to protect our customers as much as possible. That's why we are providing you with this important advice. While we have equipped HSBC Online Banking with industry standard security technology and practices to ensure that our customers are protected against fraud, you play an important part in protecting your account and transactions too.

Social engineering

  • Phishing - These are email scams where a fraudster will send you an email pretending to be a legitimate organisation such as a bank. The email will ask you to update or verify your personal or financial information. Sometimes you'll be sent to log on to a website that looks legitimate, but is fake. The objective is to encourage you to provide your secure information so the fraudster can hack into your accounts
  • Vishing - This kind of fraud is a social-engineering scam. It's the telephone equivalent of phishing, where a fraudster will phone you and try to trick you into giving your private information. Be wary of anyone who calls you asking you to disclose information. If in doubt, always end the call and ring us back. Anyone legitimately calling from HSBC will not be upset if you say you prefer to phone us directly
  • Smishing - Another form of phishing, Smishing happens when the fraudster tries to obtain your private information via a text or SMS message. Smishing is becoming an emerging threat and it is important that you stay vigilant. In general, avoid replying to text messages from people you don’t know or numbers you don’t recognise and don’t click on links you get on your phone unless you know the person they’re coming from.

Tips for you:

  • For safe and secured online banking, only access websites starting with www.hsbc.com.sg, or enter the URL in the browser address bar directly
  • Do not respond to any actions required from an unsolicited email
  • Be aware that HSBC will never ask customers for such confidential banking data in their emails
  • Do not respond to any emails that request such information or click on an embedded hyperlink
  • Update your anti-virus software and use email client with two-factor authentication
  • At logon, do not enter any numbers generated from the internet into your Security Device. HSBC will never provide you with any numbers or beneficiary-related information onscreen to input into your Security Device to generate a security code

Fraudulent and spoof websites

Fraudsters use fake emails and websites to get you to unknowingly give away your passwords or bank details. Look out for these warning signs to spot them.

  • Poor design, typos or bad grammar
  • The sender's email address doesn't match the name of the company domain it's meant to be coming from
  • Asking you to do something unusual
  • Asking for personal information
  • An email link that says it's going somewhere that it isn't (tip: hover over a link in an email to see its real destination)
  • A website that doesn't display the padlock symbol in their address bar when you log in

Tips to stay safe:

  • Don't download any free software on your computer unless you're certain it's safe
  • Use anti-virus software, and make sure it's up-to-date 
  • Change your passwords regularly
  • Don't respond to unsolicited emails requesting information, and don't follow any links in them either
  • Make sure you're on a secure website before submitting banking or other sensitive information. Secure websites begin with 'https://' instead of 'http://' They'll also contain a padlock icon on the address bar

Malware

Malware, or malicious software, is any program or file that infiltrates and causes damage to the device, server, user or network. Malware can take the forms of computer viruses, spyware and Trojan Horse. 

Spyware

Spyware is a computer software program that gathers information about a computer user, in most cases without the user's knowledge or informed consent. It transmits the collected information to an organisation/person who potentially can manipulate the information.

Such software program may claim to be able to speed up your internet connections, but in fact redirects your internet session through their own servers. This could mean that the Spyware has the ability to gain access to your passwords, PINs, credit card numbers and other personal transactional details.

Spyware is not the same as a virus in that it only records what you do rather than altering how your machine works. Because of this anti-virus software is not effective in identifying and removing spyware. In order to find out if spyware is present on your device, it is necessary to download and run specific anti-spyware programs.

Examples of anti-spyware security software products available at present are eTrustTM PestPatrol@, Anti-Spyware, McAfee, Spybot Search and Destroy, AdAware, Spyware Eliminator, Spyware Doctor and Microsoft antispyware. We strongly recommend that you install and use a reputable product to protect against the possible security threats of spyware on your devices.

Tips for you:

  • To prevent the spyware installation without your consent, remember not to download any freeware onto the computer that you access internet banking with
  • Change your Password regularly, keep it private and do not share with anyone
  • Always run an anti-virus software program and anti-spyware software before you download other programs or open e-mails
  • If you think that you have installed such software in your device, you may wish to seek professional IT advice on steps to be taken to uninstall the software from your PC
  • Avoid using “Public” Computer to access your Online Banking 
  • Do not download or open any attachments in suspicious emails

Trojan horse

Trojan Horse is a type of virus that is a computer program masquerading as another program. While it appears innocent, your files could be damaged or erased if you open the program.

Tips for you:

  • Install anti-virus software, personal firewall and security patches
  • Always run an anti-virus software program before you download other programs or open emails
  • Update your anti-virus software and also change your Password regularly

Malware advisory

'DYRE' and 'Tinba v3 malware' are two examples of malware targeting internet banking customers. They can be distributed through phishing emails via malicious file attachments or hyperlinks and a device can be infected with the malware when the malicious attachment or hyperlink is opened.

Such malware is capable of obtaining a customer's internet banking credentials (Username, Password and Security Code) once it resides in the device that is used to access the Online Banking services.

You may experience the following if you have accessed your internet banking from an infected computer:

  • See a screen with a 'Please wait....' message
  • Prompted repeatedly to enter your username, password or security code
  • "Slowness" in your computer while accessing internet banking
  • Prompted to input the number provided onscreen into your Security Device to generate a Security Code
  • Irregularities during your internet banking session (e.g. banking website redirecting to 3rd party website offering hotline number, altered login flow and unsolicited requests for tokens).

If you notice anything suspicious, terminate your internet banking session immediately and inform us at 1800-HSBC NOW (4722 669). Do not proceed with the transaction and have your computer scanned immediately for malware. 

Protecting yourself

There are things you can do to keep your accounts and money safe. Learn about precautionary measures and other common scams so you can protect yourself online. 

Online banking security tips

  • HSBC will never ask for your logon details and personal information for internet banking, phone banking or ATM services. These include your Username, Password, PIN, security code, One Time Password (OTP), account number, identification/passport number, address, phone number, etc
  • When you call us, you may be asked to input your Password or PIN for authentication. Do not speak out the Password, PIN, One Time Password (OTP) or security code during the call, as no call centre representative will ever ask for this over the phone. If you have forgotten your Password or PIN, a few questions relating to your personal information, NOT your Passwords, One Time Password (OTP) or PIN, will be asked for authentication
  • Keep your account details secure
  • Never write down your HSBC Online Banking security credentials or reveal it to anyone
  • Do not access your account online in public places e.g. internet cafes
  • Change your Password on a regular basis
  • Log off properly using the "Logoff" button, when you have finished an internet banking session
  • Always disconnect from the Internet when finished; never leave a connection on when not using the service
  • Install a personal firewall and virus detection software on personal computers, and update them regularly to ensure protection
  • Do not select the browser option for storing or retaining user name and password
  • Delete junk or chain emails
  • Set up notification alerts (e.g. SMS notifications for inward and outward transfers) on your account transactions to monitor your account activities

Mobile Banking Security Tips

  • Do not store your Online/Mobile Banking username and password on your mobile handsets and tablets
  • Install and update the latest anti-virus and anti-spyware software regularly on your mobile handsets and tablets, whenever they are available
  • Avoid sharing your mobile handsets and tablets with others and use your own handset or tablet to log on
  • Do not leave your handset or tablet unattended after logon to Mobile Banking. Always log off properly when you are finished with it
  • Remove all data on your old phone or tablet before donation, reselling or recycling
  • If you lose your mobile phone or tablet, you should review your account transaction history through Online Banking. If there are any suspicious transactions, please report to us immediately
  • Set up auto-lock and enable passcode lock to prevent unauthorized access of your handsets and tablets
  • When using Wi-Fi connection, use trusted Wi-Fi networks or service providers
  • Disable Bluetooth if you are not using or set the smartphone or tablet to non-discovery mode
  • Use default browsers originally provided by mobile handsets and tablets rather than newly installed browsers downloaded from other sources
  • Don't use any jail broken or rooted handset or tablet which may have security loopholes to log on to Mobile Banking
  • Don't install applications on your mobile handsets or tablets from mistrusted sources. Understand the permissions of mobile application before installation. Don't use untrusted custom virtual keyboards
  • Install updates and patches to your smartphone and tablet timely, covering upgrade/update of OS and other mobile applications. Enable data encryption in handset or tablet if feasible
  • Always download our mobile application from the official application store only to avoid going to fraudulent websites
  • Disable screen mirroring on your mobile device when accessing Mobile Banking

Secure Sockets Layer (SSL)

An SSL Certificate enables encryption of sensitive information during online transactions. Each SSL Certificate contains unique, authenticated information about the certificate owner. A Certificate Authority verifies the identity of the certificate owner when it is issued.

Tips for you:

  • Always ensure that you are on a secure website before submitting credit card or other sensitive information via your Web browser. To make sure you are on a secure website, first check the beginning of the Web address in your browser’s address field - it will be "https://" rather than "http://".
  • Secure websites will also contain a padlock icon on the status bar at the bottom of the browser.
  • Double click on the padlock icon and you will see the details of the security certificate, which says that it is issued to HSBC. To verify that the website is authentic, check that the certificate is issued to www.hsbc.com.sg, is issued by DigiCert, and has a valid date.
  • If you receive SSL certificate warning messages (e.g. invalid date, entrusted certifying authority, name mismatch, failed to retrieve revocation list, etc), please do not continue with the application. If you suspect a website is fraudulent, leave the site and do not follow any of the instruction it may present to you.
  • If you continue receiving the same message, please call us on 1800-HSBC NOW (4722 669) in Singapore or (65) 6-HSBC NOW (4722 669) from overseas for further assistance.

Keeping your software up-to-date

It's harder for viruses to infect updated software. The criminals who create viruses take advantage of software bugs to infect computers. Software companies fix bugs with free, downloadable updates. So it's a good idea to install updates for your software as soon as they become available.

Just be wary of fake emails about bogus updates. Only use the update software that comes with your computer – don't click on links in emails. 

You'll also want to make sure you're always using the most up-to-date web browser. Modern browser software adds a layer of protection against fake websites. So when you're looking at websites, your browser can warn you if you're visiting a fake or suspicious website.

Tips for you:

  • Update the device's browser to the latest version available
  • Patch the device's operating systems with regular security updates provided by the operating system provider

Privacy settings

If you use social-networking websites, double-check your privacy settings to make sure you only share personal information with people you trust.

On these sites, you tend to share personal things about yourself. Anything from your mother's maiden name to the name of the first school you went to, your address, birthday and telephone number can be found on social media. And all this information is useful to people who want to steal your identity or break into your accounts.

Other common scams

Phone scams

Fraudsters can use a simple phone call to carry out a scam. In a phone scam, the following situations are typically used:

  • Lottery scam - The caller tells you that you have won a lottery or lucky draw and you need to pay a processing fee to collect the winnings.
  • Kidnap scam - The caller tells you they've kidnapped a loved one and demands a ransom for their release.
  • Impersonation scam - The caller claims to be from the court or police (or other government agencies) and tells you that you need to pay a fine.

If you receive suspicious calls:

  • Don't pay any money in advance to collect a prize.
  • Don't reveal your identity, bank account number or other personal information over the phone.
  • Don't engage in prolonged conversations with the caller.

The police, Supreme Court or any government agency would never ask anyone, especially those in connection to a criminal case, to transfer money to a bank account. If any payment is to be made, an official written notice and an official receipt would be issued.

Alert the police if you receive such calls. More details of these scams can be found in the Singapore Police Force website.

Card fraud alert

Card fraud is a commonly known issue and has been on the rise. The industry has reported a number of cards and PINs being compromised, resulting in unauthorised cash withdrawals on customers' debit and credit cards.

Fraudsters are able to acquire PINs and electronic data from the black strip of the bank card, possibly during cash withdrawals at ATMs. Afterwards, they fashion counterfeit cards that are used to withdraw money from customers' accounts. To safeguard yourself against card fraud, refrain from using cards with magnetic strip authentication. This is especially so for standalone ATMs at remote locations.

You might be interested in

 

Learn more about our initiative to safeguard your hard-earned money from financial crime.

 

Stay safe when you do your banking online with the HSBC Security Device. 

 

If you suspect there's been fraud on your account, find out your next steps.