Top of main content

Online security and secure usage guidelines

Here's how we can help keep your online banking secure, together.

As a bank, we are used to thinking about security. The growth of the internet has offered greater flexibility for us all, but it also brings new risks that must be guarded against. At HSBC, we use industry standard security technology and practices, focusing on three key areas – privacy, technology and identification – to safeguard your account from any unauthorised access.

Type of fraud

There are many ways in which a fraudster may try to trick you into giving them your personal and security details. They then use these details to access your financial information with the bank, and set up payments from your account to theirs.

Here are some of the more common types of fraud you may encounter.

  • Credit / debit card skimming or cloning
    Fraudsters may steal information from the magnetic strip on your credit or debit card. They do this by concealing skimming devices in the card slot of an ATM or when you're not paying attention at merchant payment terminals. These devices scan and store your card details. To steal your PIN, fraudsters may place a camera in a discreet location on the ATM or at the merchant establishment.
  • Payment frauds via business emails and messaging apps
    Fraudsters may hack into your emails or chats, or intercept unencrypted messages to learn more about you. Once they know more about you, they may send messages from a hacked / compromised / spoofed ID, asking you to make urgent payments for seemingly legitimate purposes such as the hospitalisation of a loved one or an outstanding bill that needs to be paid into a new account. Victims might be tricked into making the payment because of the urgency of the request or because they thought they could trust the request. And since the victim themselves made the payment, they won't be alarmed by the transaction alerts that the bank sends them. That makes this type of fraud difficult to detect.
  • Phishing or spoofing emails

    Fraudsters may phish victims by sending an email to as many email addresses as they can. They often do this while pretending to be part of a legitimate organisation such as a bank, online payment service, retailer or other similar service. They may spoof their ID so the email looks like it's sent by someone other than fraudster themselves.

    You can safeguard yourself against phishing scams by not responding to emails asking for personal or financial information. You should also never select links in suspicious emails.

    HSBC will never ask you to disclose your personal or security details by email. If you receive such an email claiming to be from HSBC, do not respond to it. Delete the email immediately. And remember, never share your credentials – such as your username, password or other security details – with anyone.

  • Advance fee fraud ('419' scams)

    Fraudsters may send unsolicited letters or emails offering you a generous reward for helping them to move a staggeringly large amount of money, usually in US dollars. What these fraudsters are really after are your banking details. They usually ask you to pay a fee, some taxes or a bribe to complete the deal – this is the advance fee. Victims usually lose this to the fraudsters.

    If you suspect that someone has your online banking details, you should log on to online banking and change your password immediately. You should also call us as soon as possible to alert us. Our lines are open 24/7. You can find a list of our hotline numbers here.

  • Vishing calls
    Fraudsters may impersonate bank staff or a customer service executive and call potential victims to steal sensitive information such as their bank account details. To win the trust of a victim, criminals may provide the victim with bits of personal information that were stolen through social engineering. After they've established some trust, the fraudsters may offer some special service or product, in hopes that the will provide their confidential information such as their bank details and one-time passcodes (OTPs).
  • Scam or payment frauds in UPI apps
    Fraudsters may send you QR codes via messaging apps, asking you to scan the QR code or approve a 'Collect' request to transfer money into their account. They may try to trick you by telling you a fake story, such as saying that they want to buy a product that you're selling. They may also impersonate a bank or shopping company executive, offering to process refunds, unclaimed cashback offers or reward points for you. Unsuspecting victims might then scan the QR code or approve the 'Collect' request using their UPI PIN, transferring money into the fraudster's account.
  • Fake contact numbers

    Fraudsters may provide fake contact details for banks and service provider contact centres. Unsuspecting victims may look for contact details using a search engine and call the fake number. They'll then be taken through a "verification process" where they're tricked into sharing sensitive information about their debit/credit cards and bank accounts.

    You can protect yourself by making sure that you always visit the official website of a bank or service provider to look for the contact details you need. Stay vigilant and avoid calling numbers displayed in the search results without checking them first, especially if they might be a mobile number.

  • Money mule or additional income email scams

    In a money mule scam, fraudsters may ask you for help with a transfer. They may offer to transfer money into your account so you can help them transfer it to another account. In return, they say they'll give you a commission.

    You should ignore such requests as they often involve crimes such as money laundering. Anyone who participate knowingly may be considered an accomplice to the crime and may face prosecution. If it looks too good to be true, it's probably a con!

  • Social media hacks
    Fraudsters may impersonate a close friend or relative on social media platforms such as Facebook, WhatsApp or Instagram, asking you to transfer money to them urgently. You can check if the request is a legitimate one from someone you know by giving them a call or contacting them through other channels.
  • Trojan viruses
    Fraudsters may send you unsolicited emails that contain files, pages or attachments which you're asked to open. But opening them means will secretly install a programme on your computer that monitors your online activity, and even what you type on various websites. So when you enter your credit card details while shopping online, the fraudsters will be able to see the information you enter.

Your role in online security

Important - If you ever receive email from an untrusted source claiming to be HSBC, or an unsolicited email seeking personal information; report them to phishing@hsbc.com for us to investigate further. Please note that HSBC’s Phishing mailbox will forward information received to third party service providers for the takedown of such rogue website.

Steps HSBC has taken for online security

Multi-layer log on verification

Your financial information is protected by a sophisticated combination of a unique username and password, as well as a one-time security code generated by your physical Security Device or Digital Secure Key.

Transaction verification

3D secure transactions on cards help secure the transaction and the trust in the payment system. Never share the OTPs generated for transaction with anyone.

128-bit Secure Socket Layer (SSL) encryption

HSBC uses 128-bit Secure Socket Layer (SSL) encryption for information transmitted during an internet banking session, which is accepted as the industry standard for encryption.

Automatic 'Time-out' feature

As a security measure, your internet banking session will automatically shut-down or time-out out after a period of not being used. You should always close your internet banking session when you have finished.

Security Device / Digital Secure Key

Your physical Security Device/Digital Secure Key takes online security to higher levels. To log on to your account you need to enter your existing username and password as usual, followed by the unique security code generated by your physical Security Device or your Digital Secure Key. This 2-step authentication process provides you with an enhanced level of security when you access your internet banking.

Here's an easy way to share your thoughts, stay informed and join the conversation. Follow us: