Types of attack

Find out about common scams being carried out around the world and how to protect yourself against them.

Payment diversion and business email compromise

Businesses should be wary of any notifications from suppliers (via email, phone, letter or otherwise) that their bank details have changed. While these may be genuine, they may also be an attempt to divert payment funds to a fraudulent account, sometimes through hacked or spoofed emails.

Increasingly fraudsters are disguising themselves as legitimate suppliers and asking unsuspecting customers to change the bank account information you have on record. As a precaution, if you get such a request, always take the extra step of checking directly with your suppliers.

You can do this by:

  • Calling a trusted source in your supplier’s company on a known phone number (not one listed on the document requesting the change of bank details)
  • Emailing your supplier on a known email address; do not respond to the email address which sent you the change of bank details

In some cases, the fraudulent request to change supplier information or make a payment to an unfamiliar account may appear to come from your own organisation’s CEO, president or other administrator, again through a hacked or spoofed email. When reviewing any type of payment instructions from an internal source, ensure the request uses your organisation’s official channels and follows authorised processes and procedures.

If in doubt, do not make the payment.

24 Oct 2018

Staying ahead of the financial crime threat

As the threat from financial crime evolves, it is vital for banks to stay one step ahead, says Ralph Nash.

Courier scams

Fraudsters purporting to be from a customer's bank, or a courier working on behalf of the bank, are calling customers to say their account has been compromised and that their bank card needs to be collected from their home. They may also ask the customer to key in their PIN or write it down and hand it over along with the card. To add credibility, the fraudster may even advise the customer to cut the card in half. Please note that:

  • We will never ask for your card and PIN to be returned via courier
  • You should never divulge your PIN to anyone, even someone claiming to work for the bank
  • HSBC’s fraud detection teams will only ask for partial information, so for example, they will never ask for full address or full date of birth

To ensure that we can make prompt contact should anything look untoward on your account, please provide HSBC with up-to-date contact details, including a mobile telephone number.


Call spoofing is a technique whereby the fraudster fakes the phone number on caller ID to give the impression that you are being contacted by a genuine HSBC number. The phone number showing on your mobile/call ID screen will look very similar to a bank phone number but may have extra zeros at the front, eg 00345 70 70 70 rather than 0345 70 70 70.

Customers who may be wary of unsolicited calls are told by the fraudster to check the caller ID screen for reassurance that the call is genuine. The fraudster then advises the customer that their account has been compromised, often claiming that payments have already been debited or that funds are at risk. The fraudster then instructs the customer to transfer money into a “safe” account to protect their funds from further attack. The fraudster may allege bank staff are involved or that the customer will lose their money if they do not do exactly as instructed.

As with all unsolicited phone calls we advise customers to terminate the call and contact the bank either on a different phone line or after waiting 10 minutes to ensure the line is properly disconnected. Alternatively, visit a branch to discuss your concerns and confirm if the call was genuine.

Security tip

Never open or click on any links on the email if you do not recognise the sender or have any doubts that the email is from HSBC.


This involves a fraudster making phone calls purporting to be from a reputable organisation, such as a bank, the fraud investigation team or police. The call is made to obtain personal financial information, which often includes credit/debit card details (including PIN), bank account details and personal information such as full name, date of birth and/or address, passwords and security codes. This information is then used to gain access to their victim’s finances.

Investment or share sale (boiler room) fraud

Boiler room fraud is the common name for illegal and/or aggressive mis-selling of worthless, bogus or vastly overpriced stocks and shares or those traded in very limited volumes/markets. The sole purpose of the exercise is to defraud unwitting investors. If the victim does decide to deal with a share sale fraudster, they will almost certainly lose any money invested and will not be entitled to compensation.

These scams can come in many forms. However, there are a number of common factors you should look out for. These include:

  • Unsolicited approaches
  • Unrealistically high returns offered for ‘low risk” investments
  • No independent evidence of the validity of the scheme
  • Pressure to make quick decisions
  • Instructions to keep the approach confidential
  • Telephone numbers quoted are often untraceable mobiles

If it sounds too good to be true – it usually is.

Advance fee or “419 fraud”

This involves unsolicited letters and emails offering the recipient a generous reward for helping to move large sums of money, usually in US dollars. These funds are said to be anything from corporate profits, accumulated bribes or unspent government funds to unclaimed money belonging to a deceased person. The fraudsters are trying to obtain your banking details. The transactions typically require the recipient of the letter or email to pay something like a fee/tax/bribe to complete the deal – this is the advance fee. However, any fees paid will be lost.

Lottery fraud

This involves letters or emails which advise the recipient that they have won a prize in a lottery. To obtain the funds, they are asked to respond to the letter or email. A request will then be made for the recipient to provide his bank account details to allow for funds to be transferred. The recipient may also be asked to pay a handling/processing fee. If paid, this fee will be lost. Also, any details given will probably be used to commit further fraud.

Keystroke capturing/logging

Anything you type on a computer can be captured and stored. This can be done using a hardware device attached to your computer or by software running almost invisibly on the machine. Keystroke logging is often used by fraudsters to capture personal details including passwords. Some recent viruses are even capable of installing such software without the user's knowledge.

The risk of encountering keystroke logging is greater on computers shared by a number of users, such as those in internet cafes. An up-to-date anti-virus software program and firewall will help remove the harmful software before it can be used.


Pharming is when a fraudster creates false websites in the hope that people will visit them by mistake. People can sometimes do this by mistyping a website address – or a fraudster may redirect traffic from a genuine website to their own. The 'pharmer' will then try to obtain your personal details when you enter them into the false website. Double checking that you recognise the website’s URL and looking out for the padlock sign can help you avoid falling victim to pharming.