Online security

The internet has brought enormous benefits, from enabling individuals to communicate, shop and bank online to making it easier for businesses to trade across borders.

Unfortunately, however, it is also a breeding ground for criminals intent on making money. It provides opportunities for them to:

  • Infect your computer or mobile and tablet device with malware and steal your identity
  • Send you spam and scam emails
  • Trick you into visiting fake websites and handing over personal information
  • Hack into your wireless network and intercept your data, such as passwords and usernames
  • Take over your computer and use it to attack other people’s computers

Protect yourself online

There are a few simple steps you can take to protect yourself online, whether you are a business owner or a private individual. There is always more that you can do, but we suggest you follow the guidelines below as a minimum.

Password tips

When creating passwords, remember the following things:

  • Keep them to yourself. No one at HSBC will ever ask you for your internet banking password
  • Make them hard to guess
  • Vary them. Try to use different passwords for different services
  • Change your passwords regularly
  • Never write them down

From time to time, weaknesses are discovered in computer programs and applications, such as web browsers. These weaknesses can be exploited by virus writers and hackers to gain access to computers. To fix these weaknesses, software publishers regularly release ‘patches’.

To check for patches and updates you should visit the publisher’s website regularly, typically their ‘Download’ section. Generally, the latest versions of an operating system family (like Microsoft Windows) or browser (like Internet Explorer, Google Chrome, Apple Safari, etc) have the most up-to-date security features.

Microsoft users can update Windows by clicking ‘All Programs’ on the ‘Start’ menu on their computer and then selecting ‘Windows Update’.

Apple Mac users can check for software updates by clicking on Updates in the App Store toolbar, or by choosing Software Update from the Apple Menu. Alternatively, visit https://www.apple.com/downloads (opens in new window).

Be wary of fake emails about bogus updates. Use the update software that comes with your computer or via the software publisher’s own website – don't click on links in emails.

Anti-virus software protects you, your privacy and your money.

Viruses are bad news. They steal personal information, take over your PC, pop up unwanted adverts and can even use your computer to attack other peoples computers.

You may also hear them called malware, trojans, spyware or adware.

Anti-virus software protects you against all of them.

To work properly, anti-virus software has to download updates regularly over the internet. Out-of-date anti-virus software will have flaws.

Any file with no extension (eg just named ‘file’) or a double extension (eg file.wow.jpg) is almost certainly a virus and should never be opened. Also, never open an email attachment that is unknown to you and in particular contains a file ending with .exe, .pif and .vbs because these commonly contain viruses.

It is a good idea to install anti-virus software if you don’t have any already. There are many effective programs to choose from. But be sure to visit the software provider’s genuine site because there are many fake products claiming to protect your computer but which may actually infect it with viruses.

If a deal or offer sounds too good to be true, it probably is.

Criminals may contact you by email, through websites you use, via SMS or even by phone. It pays to be on your guard because they can be quite convincing.

Here are some warning signs:

  • Big promises. “You have won the lottery”
  • Big threats. “Your account has been hacked”
  • A false sense of urgency. “Act now or it'll be too late”
  • Unnecessary secrecy. “Dont tell anyone”
  • You can’t think of any reason why they’d need to contact you. Did you even buy a lottery ticket?
  • ‘‘Business opportunities’’ that involve holding or receiving money for strangers

If an attachment looks suspicious, dont open it. Don't install software unless it comes from a website you trust. If it doesnt feel right, take your time.

If you suspect that there is a problem with your personal or business internet banking, talk to us first.

Criminals use fake emails and fake websites.

They set them up to con people into giving away passwords and bank details. The technical word for this is ‘phishing’.

For example, they might send you an email that looks like it comes from us and it might contain a link to a website that looks like this one. When you try to log on, they can steal your password. They could also ask you to make a phone call or reply by email.

They are good at making their emails and websites look realistic. But the fake ones often share some common characteristics:

  • Strange looking email or web addresses
  • Poor design, typos or bad spelling
  • They ask you to do something unusual
  • A site that requires you to log in but doesn't display the padlock symbol in the address bar when you do so

HSBC never asks customers to update or verify their personal security details by email. If in doubt, stop. Don’t click on any links. Don’t open any attachments. Just forward the email to phishing@hsbc.com and we will investigate it. Alternatively refer to your local country page for appropriate ways to report.

Fraudsters use personal information from different sources to steal peoples identities.

Viruses are one way to do it. But they also use paper documents containing personal details, such as receipts and bank statements.

Fraudsters use many methods such as searching in dustbins to obtain these documents.

You should take simple precautions to keep your details safe. Store your bank documents in a safe place and always shred them when they are no longer required. You may also want to switch to online statements.

Meanwhile, you should review your bank and credit card statements for any unusual transactions or withdrawals and notify the bank immediately if you suspect any discrepancies. You should also tell us of any changes in your personal details (eg address change).

If you plan to cancel a bank/credit card (or it expires), immediately destroy the card by cutting it into small pieces to ensure it cannot be re-used.

Your HSBC internet banking password, together with your other internet banking credentials, permit access to your bank accounts.

Double-check privacy settings on social networking sites.

Whats your mothers maiden name? Whats the name of the first school you went to? What was your favourite subject at school? What's your address? Birthday? Phone number?

All this information is useful to people who want to steal your identity or break into your personal internet banking. You wouldnt give this information away to a stranger in the street but if you use social networking sites, such as Facebook, Twitter or LinkedIn, you could be over-sharing personal data.

You may want to think carefully about the information you put into your profiles on sites like this. It is also a good idea that you check the privacy settings of your social media accounts, to make sure you only share personal information with people you trust.

Please also remember that you must take all reasonable precautions to keep your details safe and prevent any unauthorised use of any cards and security details. Do not disclose your security details to anyone else – see the terms and conditions that apply to your account(s) for more detail.

A wireless network allows you to connect your computer to the internet without having to use a cable. It typically contains a wireless router, which uses radio signals to transfer data to computers within the network. Some wireless routers are pre-set with very insecure settings to help users connect to them for the first time – but this also means that other people could access your internet account quite easily. For this reason, you should always consult your manual or online guide to find out how to connect more securely through your wireless network – usually by creating a password.

As the use of mobile phones and tablet devices has risen, they have become an increasingly attractive target for criminals.

For example, a criminal might send you an email that looks like it comes from us and it might contain a link to a website that looks like this one. When you try to log on, they can steal your password. They could also ask you to make a phone call or reply by email.

You may want to think about:

  • Setting and using a security PIN code. If you use a mobile device which supports biometrics such as fingerprint identification, ensure yours is the only fingerprint registered on the device
  • Not storing your home phone number and address under ‘home’ in the contact list (you wouldn’t want a thief to be able to know your address and be able to check if you’re at home)
  • Adjusting the phone settings so that it locks automatically if you don’t use it for a minute or two
  • Not storing passwords or other sensitive information on your phone in a way that can be understood by someone else. Your HSBC Online Banking username and password should not be stored on your mobile handset or tablet at all
  • Do not use a jailbroken Apple® iPhone®, rooted Android™ phone or any other mobile device that has been jailbroken or rooted. These are techniques which remove important security features that have been inbuilt on your device by the mobile operating system manufacturer
  • When using WiFi, only use trusted WiFi networks or service providers and enable security protection such as WiFi Protected Access (WPA), if possible
  • Disable Bluetooth if you are not using it, or set the smartphone or tablet to non-discovery mode. This will make it harder for people to find your device and send malicious data to it
  • Be wary of voicemail and text message scams, also known as ‘smishing’. Clicking on links in text messages can be risky – be careful

Criminals may also create fraudulent mobile applications that look like ours so when you try to log on, they can steal your password. Be sure that mobile applications – including virtual keyboards – are downloaded from trusted app stores, such as Apple’s App Store and Google Play, and understand what you are permitting mobile applications to do before you install them.

If you lose your phone, report it to your mobile phone provider immediately. Make a note of your phone’s IMEI number (dial *#06# to get it). This will make it easier for your phone company to disable a stolen phone.

We are constantly reviewing the ways we protect our customers online. Our proactive approach includes meeting some of the world’s leading security experts to discuss key issues and sponsoring joint initiatives to improve your online security.

We protect you by:

  1. Ensuring your online transactions are safe and secure. We use industry-standard security technology and practices to safeguard your account from any unauthorised access.
  2. Using logons and passwords to make sure were dealing with you. Online access to your account is only possible once you have authenticated yourself using the correct Internet Banking ID and security details.
  3. Using two-factor authentication to provide an extra layer of protection. The secure key or security device is a two-factor authentication device that will help protect you from internet banking fraud. It is designed to make sure only you can access your personal information. Two-factor authentication means you not only need a password or PIN but you also need a device unique to you to access your account.
  4. Creating secure online sessions. When you log in to internet banking you are said to be in a secure session. You know you are in a secure session if the URL address begins with https:// and a padlock symbol appears at the top of the page as part of the address bar.
  5. Using encryption. With certain browser settings, when you log in to internet banking a pop-up window will appear to notify you that you will be entering a secured page. We use industry-standard encryption to protect your data.
  6. Using session timeouts. If you forget to log off after banking online or your computer remains inactive for a period of time during a session, our systems automatically log you off.
  7. Having automatic lockouts. After a number of incorrect attempts to log in, we disable online access to your account. To re-activate your account, you should contact your usual helpdesk number.

More in this section

Types of attack

Find out about courier scams and other tactics used by criminals to steal personal information and defraud customers.

Secure email communications

Learn how to encrypt your email and ensure the security of your communications with the bank.

Did you find this page useful?

Why didn't you find this page useful?

Thank you. We appreciate you taking the time to give us feedback.

News and insight

A smashing end to badminton’s year

Top badminton players are battling it out at the first HSBC BWF World Tour Finals.

Businesses seek green gains

Businesses can benefit financially by encouraging their suppliers to be more sustainable.

The new space race

Satellites could help to connect 350 million people worldwide to the internet in the coming decade, says HSBC’s Davey Jose.