What is phishing?

Online criminals are after your money. Here are some ways to help protect yourself.

Phishing is when a criminal sends you an email that tries to entice you sharing your passwords and bank details by clicking into the embedded links, QR code or file attachment which will result in malware implanted to your device. The email will claim that it is from a legitimate organisation like a bank, online payment service or online retailer. It often looks very similar to an actual email sent by those companies, and it will contain a link or QR code that takes you to a website that also looks very similar to the organisation's genuine site.

Once you arrive at the fake site, it will usually prompt you to enter personal security information, such as your account number, PIN or security code. The phishing site records everything you enter, and then uses your information to transfer out your money.

How can I tell if I’m being phished?

To spot a phishing email, ask yourself the following questions:

  • Does it request personal information, such as a credit card number or account password?
  • Were you expecting this message?
  • Does it have an attachment?
  • Does it ask you to do something unusual, like transfer money to an unknown source, or email your account details to someone?
  • Does the sender’s email address or phone number match the name of the company that it claims to be from?
  • Is your email address or phone number different from the one that you give to that company?
  • Was it sent or cc’d to more than just you?

Fake websites:

  • Don't show the padlock symbol in the address bar when you log on
  • Are poorly designed, with typos or bad spelling and grammar
  • Have a different look and feel than the company’s regular website

If an email looks suspicious, don’t reply to it. Don't click on any links. Don't open any attachments. If you receive an email/SMS from HSBC that asks you to provide personal information, report it to us via our customer service hotlines immediately.