Electronic mail or "e-mail" has revolutionized how we communicate today, both personally and professionally. But as Internet hackers learn new ways to steal, guess, and intercept personal information, e-mail has become the main means of perpetrating these crimes. Your best defense against these cyber-crimes is education and discipline to help keep your online experience secure:
Phishing (pronounced 'fishing') is a highly prevalent online scheme used by Internet cyber-criminals to 'lure' you into providing your personal and financial information online.
The fraudsters create e-mail masquerading as banks, credit card companies, online auctions, and department stores looking for you to update personal information. The e-mail may include a link to a fraudulent site known as a 'spoof' site, since it's crafted to look just like your bank, credit card company or other credible sources.
Some customers unknowingly fall into the trap and happily provide the requested information to what is believed to be a trusted site. As a result, the unsuspecting customer is 'phished' and at risk of account theft, identity theft and computer infection.
And what are the cyber-criminals after? Everything you protect online:
- Your Social Security number
- Credit Card and/or ATM/Debit card number
- Password or PIN
- Bank Account number
- Online Banking Log-In/Password information
If you're unsure about any unusual e-mail requests that appear to be from HSBC, just remember:
- You should contact HSBC immediately at 1-800-975-HSBC (1-800-975-4722) Option 4, if you receive suspicious e-mail.
- HSBC will use the secure Bankmail feature of Personal Internet Banking for online account correspondence, which you initiate.
- No one at HSBC will EVER ask you for your password.
- Only provide information that you initiate through an application, an online transaction or through the normal Log-in/Sign-Up process.
- If HSBC sends e-mail to your personal e-mail address, it will always include a personal or account identifier. Any links included will be to an HSBC web site information page, not directly to a page that requires log-in credentials or personal information.
HSBC will provide resources throughout this Security Site to help keep you protected online. Visit the Alerts! section of the site to view news about fraud attacks against HSBC. You should also review the Anti-Phishing Working Group site to read about other phishing and spoofing attacks reported in the industry. If you receive e-mail or a page link requesting confirmation of personal details, do not input any information, even if the page appears to be legitimate.
'Spoofing' or Spoof Sites
As part of a 'phishing' scam, Internet fraudsters create authentic-looking web sites to look like other sites. Financial institutions are the most targeted groups to be 'spoofed' (or have their sites copied). Through e-mail, the 'spoofed' or forged sites attempt to persuade readers to input personal and banking details by creating a sense of urgency around the request. Unfortunately, some readers react and respond quickly with the requested information trusting the request to be legitimate. They may not realize until it's too late that they had just been 'phished.'
Many spoofed sites look very legitimate and are sometimes difficult to detect as fraud. The scammers use company logos, impressive graphics, text and credible-looking links. But don't be fooled by the e-mail or the links, and don't provide any information without checking directly with the bank or company first. Visit the Alerts! section to learn about examples of current fraud reported against HSBC. Also, visit the Anti-Phishing Working Group site to read examples of spoofed e-mails and phishing scams.
How to Spot Online Fraud
HSBC's Security Site includes an Alerts! section designed to raise your awareness and keep you informed of phishing attacks against HSBC and other companies.
It will also provide links to the Anti-Phishing Working Group site so you can review other phishing and spoofing attacks reported. Review the site regularly so you'll know who is being targeted and the steps to take if you receive fraudulent e-mail or fall victim to an online scam. The following are examples of typical phishing attacks using spoofed sites to lure readers into the scam:
- Request for Updates
Some spoof sites request verification of personal information to update billing records or in a false attempt to protect and enhance the customer's online security.
Sample - Request for updated information
- Request for Updates to Avoid Account Termination
Some phishing schemes request that readers update their banking, password and other personal information by threatening account suspension, termination or closure unless the request is completed quickly. Remember, financial institutions and other reputable businesses understand the magnitude and the danger of Internet scams and would neither request personal information via e-mail, nor would they close or terminate an account as a result of your refusal to do so by e-mail.
Sample - Request for updates to avoid suspension/closure #1
Sample - Request for updates to avoid suspension/closure #2
- System Upgrades and Account Verification
From a spoofed site, some phishers will claim that new or updated system changes require identity verification to use the upgraded service.
Sample - Confirm details to use upgraded system
- Promotional or Lottery Fraud
Some fraudsters use exciting news within the fraudulent e-mail to get readers to respond quickly. Some promise money, trips, gifts and lost funds with the caveat that the reader respond with personal 'verification' details, or worse yet, with an advance fee to become eligible for the false winning.
Remember, if it sounds too good to be true, it probably is. Do not provide any personal or banking information online without checking the reliability of the offer through the company or financial institution first. If you did qualify for a legitimate prize, you'd most likely be notified by official postal mail and by phone.
Sample - verification needed for winning
- Advance Fee or "419 Fraud"
This creative and dangerous scheme, developed in Nigeria, is called "Advance Fee Fraud" or "419," which is named after a section in the Nigerian criminal code covering such activity. The fraud begins with unsolicited letters and e-mails offering the recipient a generous reward for helping to transfer large amounts of money from another country. To the unsuspecting victim, it may seem like an easy, get-rich-quick scheme. But the fraud goes beyond an identity theft con and becomes more involved and dangerous when additional funds are requested by the scammers.
Advance Fee or 419 Fraud
- Virus Hoax E-mails
While many virus notices should be taken seriously, some are sent purely to cause concern for readers and to disrupt businesses. Check with other sites to confirm a warning before sending the message to colleagues.
How to Avoid Getting Phished Online
Your best defense against online fraud and computer viruses is education and discipline. Never input personal information on any web site until you have followed these guidelines:
Install and run updated anti-virus software
Verify the validity of the sender and legitimacy of the request
Do not input any information online until you verify the credibility of the e-mail and the company from which the e-mail has been sent. No reputable company would request password or other personal information to update records through e-mail and you should immediately contact the company in question if you suspect fraud. Only provide information that you initiate through an application, an online transaction or through the normal Log-in/Sign-Up process.
Never input personal or banking information online without checking that the web site is in a 'secured' environment.
Look for an "https://" in the web site address line (URL) at the top of your browser. The 's' in "https://" denotes that the Internet session is secured by encryption to keep the information you transmit online protected from unauthorized users. Secured sessions are used when you apply for credit, purchase items online or use online banking. For example, the following is the secured URL or web address for the Personal Internet Banking Log-In service:
In addition, a locked padlock symbol in the bottom right corner of your Internet browser window also indicates that an Internet session is 'secured' through encryption. But be aware that even secure sites can be spoofed to include the "https://" prefix and locked padlock. Only provide information that you initiate through an application, an online transaction or through the normal Log-in/Sign-Up process.
Typical phishing requests are not personalized to the reader.
Unlike your own bank or credit card company that may include your name, an account identifier or type, scammers keep the salutation and information about you generic. These could be telltale signs of a potential fraud.
Sample - generic e-mail request for account updates
Remember: Credit card issuers and financial institutions would not ask you to send or verify your password, Social Security number, or PIN within an e-mail message.
Only provide information that you initiate through an application, an online transaction or through the normal Log-in/Sign-Up process.
If you receive a suspicious e-mail requesting your personal or financial information, contact the company by phone to question the validity of the e-mail received.
Be suspicious of numerical web addresses or URLs.
Anytime you visit a web site, you'll see the URL or the 'web address' for that company or business within the top bar of your Internet browser. Typically, a company's web address includes part of the company name followed by .com, .org, or .net.
For example, the web address for HSBC Bank USA, N.A. is:
A spoof site that uses a numerical web address (or an IP address) or includes an "@" sign within the address could be a tip off that the site has been spoofed and is fraudulent. Even if a site has a portion of the company name, you can't be sure it's legitimate based on the web naming. Contact the bank/company of the spoofed site immediately.
Sample - Numeric web address/URL
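The warning signs described above (a numerical address, an "@" sign in the address, a missing "https://", and a company name appearing on some other domain) can be checked mechanically before a link is trusted. The Python below is an added example, not HSBC's code; the domain bank.example, the brand word "bank" and the sample URLs are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumptions for this example: the domain the reader really banks with,
# and the company name a spoofed address is likely to imitate.
TRUSTED_DOMAIN = "bank.example"
BRAND = "bank"


def is_numeric_host(host):
    """True if the host is an IP address rather than a name."""
    if host.isdigit():  # a single integer such as 3232235777 is also an IP form
        return True
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def url_warning_signs(url, trusted_domain=TRUSTED_DOMAIN, brand=BRAND):
    """Return the warning signs from the text that apply to this URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    on_trusted = host == trusted_domain or host.endswith("." + trusted_domain)
    signs = []
    if parts.scheme.lower() != "https":
        signs.append("not-https")
    # Text before an "@" in the address is user info; the real host follows it.
    if "@" in parts.netloc:
        signs.append("at-sign")
    if is_numeric_host(host):
        signs.append("numeric-host")
    elif brand in url.lower() and not on_trusted:
        # Part of the company name is present, but the site is elsewhere.
        signs.append("brand-name-on-other-domain")
    return signs


if __name__ == "__main__":
    samples = [  # constructed sample addresses
        "https://www.bank.example/login",
        "http://www.bank.example@192.0.2.10/login",
        "https://bank.example.account-update.test/verify",
        "http://3232235777/update",
    ]
    for sample in samples:
        print(sample, "->", url_warning_signs(sample) or "no warning signs")
```

An empty result only means none of these particular signs were found; the third sample shows an address that carries "https://" and the company name yet is not the company's site.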
Become familiar with the Web sites you frequently visit
Bookmark the sites you know and trust to be credible. You'll then be better prepared to spot sites that look suspicious. HSBC's United States web site is:
Bookmark HSBC's site for future reference. To do this, simply click on the link which will take you to HSBC's homepage then bookmark or add the web site address as follows:
- Internet Explorer and AOL users, select "Favorites" from the top navigation, then "Add to Favorites."
- Netscape users, select "Communicator" from the top navigation, then "Bookmarks" then "Add Bookmark."
Learn about other online attacks.
Visit the Alerts! section of the Security Site to become familiar with current and new fraud and identity theft schemes reported against HSBC and other companies. Also visit the Anti-Phishing Working Group site to read about other phishing and spoofing attacks reported. Staying abreast of current fraud reported, trends and sample fraudulent e-mail will help reduce the likelihood of becoming a victim.
Visit other sites for information on critical updates, virus alerts, anti-spyware programs and new technology being developed to help combat online fraud:
- Trend Micro
- PC World
- Computer Associates®
Never double-click on an e-mail attachment that contains an executable file (such as '.exe' '.com' or '.vbs', etc.) unless you have run anti-virus software first. If a file is infected and opened, the virus can damage your hard drive, program files, and e-mail files. Virus software can scan your incoming and outgoing e-mail attachments for computer infections like worms, viruses, Trojan Horses and other malicious code that can affect your computer files and operation. Run your Anti-Virus Software to detect infections before any file is opened. Three popular sources for anti-virus and firewall protection software are Symantec, McAfee and Computer Associates®.
Install Firewall software
Install firewall software on your computer to prevent unauthorized individuals or information from entering your computer system. This is especially important on computers that use a broadband connection to access the Internet (Cable modems or DSL). Since the Internet connection is on when your computer is on, the risk for malicious activity to your computer increases.
Update your Internet Browser
Download the latest security patches, operating system updates, and virus definitions to your Internet browser as well as the latest anti-spam software. Internet Explorer users should immediately link to Microsoft updates to download the latest security upgrades and patches relating to phishing schemes.
Check your accounts, online and offline
Regularly check your bank account statements as well as debit and credit card statements to be sure all transactions are legitimate. Consider enrolling in the Equifax credit monitoring program that can keep you aware of any changes to your credit. You can receive alerts for any changes to your credit or for credit inquiries from financial sources as well as other sources of which you may not be aware. If you suspect fraud or identity theft, contact one of the three nationwide credit bureaus for more information:
- Experian™ 1-888-397-3742
- Trans Union℠ 1-800-680-7289
To report suspicious e-mail or online fraud
HSBC Bank USA, N.A. is committed to the security of your personal and financial information and will provide the tools and resources to secure your online experience.
If you receive any suspicious e-mail that appears to come from HSBC, contact us immediately at 1-800-975-HSBC (1-800-975-4722) Option 4. Or you can send a secure Bankmail through Personal Internet Banking. Our representatives are available 24 hours a day, 7 days a week to assist and take immediate action.
If the fraudulent e-mail is purported to be from another company, contact the company by phone to notify them of the suspicious e-mail, then forward the fraudulent e-mail message including the web address header.
In addition to the company that was spoofed, forward the entire fraudulent e-mail message, including the web address header to:
Computer Viruses and Infections:
Whether through e-mail, file sharing or downloaded programs, computer viruses can be hidden within files. A virus is a small program that piggybacks on e-mail and program files. For example, a virus might attach itself to a program or a game. Each time the program is opened, the virus runs and can infect other programs or damage your computer. Some viruses move around through e-mail then replicate by automatically mailing to the victim's entire e-mail address book.
A worm virus is a small program that searches through networks to find security holes to replicate itself from machine to machine. Worms use up computer time, space, and speed when replicating, with a malicious intent to slow or bring down entire servers to halt Internet use.
A Trojan Horse is the name of another type of computer virus, which is simply a computer program that masquerades as another program. For example, you may download a simple computer game not suspecting any harm. But if the game contains a Trojan Horse and is opened, it can cause damage to your computer, from erasing files to changing your desktop. Trojan Horse programs can be attached to several types of applications, from screen savers to downloaded programs. To reduce your risk of computer infection, it's important to run anti-virus software before programs are downloaded or opened.
Adware and Spyware
Adware is any software application in which advertising banners or 'pop ups' are displayed on your computer screen while the program is running. Software that also includes codes to track a user's personal information, which may be passed on to third parties without the user's knowledge, is called Spyware.
In addition to being annoying, popups caused by adware and spyware slow system performance, using memory and system resources that can lead to system crashes and instability. Adware and Spyware programs are simply other forms of identity theft and may have the ability to monitor keystrokes, scan files on your hard drive, change your default homepage on your browser, and relay information about your web visits for marketing purposes.
Several companies offer anti-adware or anti-spyware software to detect and delete these programs, or can provide more information on the topic: