
Online security

Smart tips to manage online threats.

Scam awareness videos

Beware of financial scams promising unrealistic high returns. If it sounds too good to be true, it probably is. Do not be a scam victim. When in doubt, please call BNMTELELINK at 1-300-88-5465.

Illegal forex scam
Your hard-earned savings deserve better. Don't fall victim to illegal forex scams. Before engaging in any online trading, do your research and verify with the bank directly whenever in doubt.
Skim Cepat Kaya scam (BM)
Don't let scammers deceive you with outward appearances. Always check with the bank before investing any money in a scheme, no matter how attractive it may seem.
Money Game Scam (CHI)
Don't let scammers deceive you with outward appearances. Always check with the bank before investing any money in a scheme, no matter how attractive it may seem.
Safe online banking
Learn some security measures that are bound to make your online and mobile banking experience even better!
Email scam
Phishing emails usually have telltale signs like poor grammar, unofficial links and typos. Be alert and avoid clicking on any questionable links, especially if they ask for your personal information.

Smart tips for online banking / mobile banking

Here's how to stay safe when using online banking and mobile banking:

  • Don't use a public computer to access your bank account
  • Never disclose your personal security details such as your account number, PIN or security code to others
  • Be wary of scams that involve receiving or holding money for strangers
  • Immediately report any unusual transactions that you see on your statement 
  • Always keep your electronic receipts for fund transfers and bill payment transactions
  • Memorise your PIN and do not write it down
  • Select PINs that cannot easily be guessed
  • Use different PINs for different websites
  • Never disclose your PIN to anyone, including the police or anyone claiming to be from HSBC 
  • Set transfer limits according to your banking needs, and avoid setting limits that are higher than what you'd usually transfer
  • Do not use a jailbroken or rooted mobile device, as this removes important security features from your device
  • Turn on push notifications to receive alerts from HSBC (find out more about push notifications here)

To learn more about online security, please visit the HSBC Group online security page

HSBC will not display your personal information in emails or ask you to confirm any personal data in an email. The only exception is when our customer service staff are replying to your enquiry via email. If we need to do this, then we'll email you by using an encrypted form in our secured online banking platform. You'll need to log on using your username and password to access this.

What HSBC can do

Mobile Secure Key (MSK)/Security Device

HSBC is committed to protecting the security of our HSBC online banking customers. The Mobile Secure Key is a safe and convenient way to generate security codes on the HSBC Malaysia Mobile Banking app, so you can log on and approve transactions without needing your physical Security Device.

Similar to the physical Security Device, the Mobile Secure Key meets Bank Negara Malaysia's requirements for two-factor authentication, while providing the following benefits to our customers:

  • Safe and secure - you're the only person who can access your accounts and transactions, and there's an added layer of protection with biometric authentication and your 6-digit PIN
  • Always with you - your MSK is available on the HSBC Malaysia Mobile Banking app so long as you've got your mobile device with you
  • Fast and reliable - you can activate your MSK with a few taps of your mobile, rather than needing to wait for us to send you a physical Security Device
  • Environmentally friendly - your MSK has a lower carbon footprint compared to the physical Security Device as it doesn't need to be manufactured, shipped, packaged, and disposed of

There's also a 12-hour cooling-off period for MSK set-up. If you get an SMS from us saying your MSK has been set up, but you didn't authorise this, you can report this to us during this time period.

SMS notifications

You will receive an SMS notification for the following transactions completed in online banking: Telegraphic Transfer, Credit Card payment and Transfer to 3rd Party with HSBC account.

An SMS will be sent for transaction amounts exceeding the minimum threshold limit.

To review and update your registered mobile phone number, please call our HSBC Contact Centre or visit our branches.

You should update your personal contact details on a timely basis.

Push notifications

You'll get push notifications on your mobile device for certain services. For example, if you're using the HSBC Malaysia Mobile Banking app and have enabled push notifications, then you'll receive a notification when your credit card eStatement is ready. 

You can find out more about push notifications here.

Secure sessions

When you log in to online banking you are said to be in a secure session. You know you are in a secure session if the URL address begins with https:// or a padlock symbol appears in the lower right hand corner of your browser.


Secure Sockets Layer (SSL) Encryption technology is used within your online banking session to encrypt your personal information before it leaves your computer in order to ensure no one else can read it. Depending on your browser setting, a pop-up window will appear to notify you that you will be entering a secured page.

At HSBC, we use 128-bit SSL Encryption, which is accepted as the industry standard level.

Any email service within online banking is similarly protected with encryption technology (unlike your regular email which is usually not secured).

Session time-out

If you forget to log off after banking online, or your computer remains inactive for a period of time during a session, then our system will automatically log you off. Pages viewed during a secured session are not recorded in your PC's temporary files.

What you can do

There are many ways to enhance your protection when using online banking. HSBC suggests that you follow the steps below.

Get the latest security updates and patches

From time to time, vulnerabilities are discovered in operating systems and internet browsers. Before the publisher can release a security patch to correct these weaknesses, they can be exploited by virus writers and hackers to gain unauthorised access to those PCs that have not yet been patched.

To check for patches and updates you should visit the publisher's website, typically in their Download section.

Microsoft users can visit: which can automatically check what is required, and then suggest to download it

Use and update anti-virus software regularly

You may already be using anti-virus software but to be effective the software should be updated on a regular basis with the latest "virus definition" files. If you are unsure how to do this, you should refer to the program's own Help function.

It is a good idea to install anti-virus software if you don’t have any already. There are many effective programs to choose from. But be sure to visit the software provider’s genuine site because there are many fake products claiming to protect your computer but which may actually infect it with viruses.

Use personal firewalls

A firewall is another small program that helps to protect your computer and its contents from outsiders on the Internet. When properly installed, it stops unauthorised traffic to and from your PC.

Read our password advice

Keep your password secured - Passwords are the key to your online account information, to accounts at online stores and a host of other online activities. Your HSBC online banking password, together with your online banking ID, permits access to your bank accounts. For this reason your password should be unique and very well protected.

Keep them to yourself - Do not be tempted to share your passwords with anyone.

Be unique - Use passwords that are unique and not easy to guess.

Use letters, numbers and symbols - Passwords containing upper and lower case letters, numbers, and symbols are far harder to guess.

Be different - Avoid using the same password for different services.

Don't be personal - Do not be tempted to use passwords that can easily be guessed e.g. your name, your date of birth, telephone numbers, pet's name.

Never write them down - If you really need to record your password then use a code system or transpose some of the letters. No one at HSBC will ever ask you for your online banking password. If someone does ask you for it, they do not represent HSBC.

Change your passwords - Always change passwords that may have been compromised.


Contact the bank if you think someone else knows your online banking password.

Use an anti-spyware program

Spyware is the term used to describe programs that run on your computer for the purpose of monitoring and recording the way in which you browse the web and the internet sites you visit. For example, spyware can combine information about your online behaviour with that of many other users in order to generate market research data. This information can be bought and sold by companies interested in improving the way websites are designed and how the internet is used.

You may or may not wish for your internet usage to be monitored in this way. In addition, just as spyware can be used to improve the online experience it can also be used to extract personal information that you have entered, including passwords, telephone numbers, credit card numbers and identity card numbers.

Spyware is often loaded onto a PC as part of a free download of another service - for example a service that claims to improve the performance of your PC. Sometimes your agreement to the download is requested in the small print, but spyware may also be loaded onto your PC without your agreement or knowledge.

Spyware is not the same as a virus in that it only records what you do rather than altering how your machine works. Because of this, anti-virus software is not effective in identifying and removing spyware; you will need to download and run a specialised anti-spyware program.

Anti-spyware security software currently available includes McAfee, Spybot Search and Destroy, AdAware, Spyware Eliminator, Spyware Doctor and Microsoft antispyware. We strongly recommend that you install and use a reputable anti-spyware product to protect yourself against spyware on your PC.

To learn more about online security, please visit the HSBC Group online security page.

What should I do if the security code on my Security Device is not accepted?

For security reasons, the security code is a unique number and is only valid for a certain period of time. If you input an expired security code when you log on to online banking, you will receive an error message. Please press the green button on the device to obtain a security code to enter. If the problem persists, please call our Call Centre 24-hour online banking hotline for assistance.

About fraud

Email scams and phishing

You may be aware, from recent reports in the media, of emails that appear to be sent from the bank. These are known as 'phishing' scams, where the emails attempt to direct you to a fraudulent website with the intention of capturing your login IDs, password and HSBC/HSBC Amanah's security device algorithm.

Here's how you can identify and avoid email scams:

  • Remember that HSBC/HSBC Amanah will never contact you via email to request confirmation of your personal information such as your username, passwords or account numbers. If you receive such an email, report it to us as it's fraudulent.
  • Don't open attachments or click on links in emails if you suspect they may be part of a scam attempt.
  • If you've received an email from HSBC you suspect isn't genuine, forward it immediately to, then delete the email and empty your deleted items folder.

These phishing emails will have an embedded hyperlink that redirects you to a fraudulent website.

This is an example of how the HSBC website looks under a secure connection, meaning that any information you enter will be kept safe.

What is phishing?

Phishing is an attempt by fraudsters to 'fish' for personal information such as the security details you use for banking. These emails may come from any source but are made to appear as if they came from your bank or an organisation you have registered with. The email will normally ask you to click on a link and/or to confirm your username or password - and through such responses they obtain your details.

How do they know where I bank?

They don't. They send out as many emails as they can and hope that they reach some customers. 

What should I do if I believe someone might have obtained my security or personal details?

Call us immediately, at any time, at our online banking helpdesk: HSBC at 1300 88 1388 or HSBC Amanah on 1300 88 2626. Customers outside of Malaysia can also contact us on 03 8321 5400.

What makes my transactions on HSBC's online banking safe?

Each transaction on our online banking platform is protected by 'strong grade' encryption that keeps your information secure. On top of this, a Security Device that is provided to HSBC online banking users gives you a 2nd level of security. Apart from logging in with your online banking username and password, a unique, once-only, time-sensitive security code from the Security Device is needed when you perform an outward transfer. Since the Security Device is to be kept by you at all times and the codes change constantly - only you will be able to access your account!

Click here to learn more about online security.

Phishing, fraudulent and spoof websites

Phishing involves an email message being sent out randomly, claiming to come from a legitimate organisation such as a bank, online payment service, online retailer, etc.

The email will contain a link that takes you to a fraudulent & spoof website that looks identical, or at least very similar, to the organisation's genuine site.

You may be asked to provide personal security information, e.g. your account number, PIN, security code, etc.


Spyware

A computer software program that gathers information about a computer user without the user's knowledge or informed consent. Transmits the collected information to an unauthorised organisation that expects to be able to profit from it in some way.

Trojan horse

A type of computer virus that is a computer program masquerading as another program. Appears innocent, but your files could be damaged or erased if you open the program.

Related services


Safeguard your online banking with a touch of a button using our latest technology, your HSBC Security Device.


Whether it's logging onto the system or paying a bill, learn how to navigate online banking using our tutorials.


Save paper and save money on fees by enrolling in eStatements which are viewable via online banking and password protected.
