Fraud prevention
Social engineering exploits aspects of human nature - behaviours that come naturally to us. Key to social engineering is the manipulation of trust - gaining a target's trust and thereby getting them to disclose information that should be kept secure. Scammers contact their targets, usually via telephone (vishing), text (smishing) or email (phishing).
Phishing emails aim to deceive recipients into clicking on malicious links or downloading attachments that can introduce malware, steal passwords, or extract sensitive financial information. Similarly, vishing (voice phishing) calls and smishing (SMS phishing) texts attempt to trick individuals into divulging personal or financial information or performing actions that lead to theft.
How do phishing, vishing, and smishing scams work?
Phishing emails often pose as legitimate messages from trusted organisations, urging recipients to take immediate action, such as "updating account details" or "verifying transactions", and typically link to malicious websites designed to steal credentials or financial data.
Vishing, by contrast, relies on high-volume phone campaigns using autodiallers and spoofed caller IDs to convince you the call is genuine. A fraudster will typically claim to be from the bank's 'fraud team', tell you your account is at risk, or query a transaction on your account that doesn't actually exist.
Smishing works the same way over SMS, enticing users to click malicious links or reply with personal details. The ubiquity and immediacy of text messaging make smishing increasingly effective, and SMS is not subject to the spam filtering that catches many phishing emails.
Attackers targeting organizations frequently impersonate senior employees, making urgent requests. They may act hurried or stressed to gain control of the conversation, manipulating victims into complying without verifying authenticity.
The risks to businesses
- Data theft (or encryption for ransom)
- Fraudulent internet banking redirection
- Financial theft
- Identity fraud
How can I defend my business against phishing, vishing, and smishing?
1. Train staff to recognize phishing emails, vishing calls, and smishing texts. Never:
- Act on the urgency of a request without verification.
- Share personal or financial details over email, phone, or text.
- Click on links or download attachments from unknown sources.
2. Remember that phone numbers and email addresses can be spoofed; never rely on caller ID or the sender name to identify who is contacting you.
3. Don’t share Online Banking usernames, passwords, or any codes such as one-time passcodes or online banking authorisation codes, with anyone; HSBC and other banks don’t need these to stop payments.
4. HSBC will never: ask you to participate in an ongoing investigation, advise you how to answer questions, or ask you to send your money to a 'safe account'.
Signs of potential phishing, vishing, or smishing attempts:
- Emails or calls claim to be from your organization but contain errors or unexpected requests.
- Messages ask for sensitive information using urgency or threats of account suspension.
- Callers refer to your organization by name but make inconsistent or suspicious claims.
- The call or email directs you to use unfamiliar or internal systems for verification.
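The warning in point 2 above (a sender name proves nothing) and the signs listed here can be checked mechanically on a raw email. The following is an added example, not HSBC's code or anything from the original page: it parses a message with Python's standard `email` library, separates the display name from the real address, reads the receiving server's SPF/DKIM/DMARC verdicts from the Authentication-Results header, and flags urgency wording and links that lead outside the claimed sender's domain. The trusted domain `hsbc.example`, the sender domain `hsbc-secure-verify.example` and both sample messages are constructed for the example and are not real HSBC or attacker domains.

```python
"""Added example: flag the phishing signals the page describes in a raw email.

Sample messages and domain names below are constructed; 'hsbc.example' is a
placeholder for the organisation's real sending domain, not an HSBC domain.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the organisation genuinely sends mail from (constructed).
TRUSTED_DOMAINS = {"hsbc.example"}
# Assumption: the organisation's name as it appears in display names.
ORG_NAME = "hsbc"
# Pressure phrases of the kind the page warns about.
URGENCY_WORDS = ("immediately", "urgent", "suspended", "within 24 hours", "verify now")


def sender_parts(msg):
    """Split the From header into (display name, address, domain)."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr.lower(), domain


def auth_results(msg):
    """Collect spf=/dkim=/dmarc= verdicts from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
            results[method.lower()] = verdict.lower()
    return results


def body_text(msg):
    """Return the decoded text body of a single-part message."""
    payload = msg.get_payload(decode=True)
    return (payload or b"").decode("utf-8", "replace")


def in_trusted_domain(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def phishing_signals(raw):
    """Return a list of human-readable reasons the message looks like phishing."""
    msg = message_from_string(raw)
    name, addr, domain = sender_parts(msg)
    signals = []

    # 1. Display name claims the organisation but the address is elsewhere:
    #    the sender name is exactly what point 2 says not to rely on.
    if ORG_NAME in name.lower() and domain not in TRUSTED_DOMAINS:
        signals.append(f"display name '{name}' but sender domain '{domain}'")

    # 2. The receiving mail server could not authenticate the sender.
    auth = auth_results(msg)
    if not auth:
        signals.append("no Authentication-Results header")
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) not in (None, "pass"):
            signals.append(f"{method}={auth[method]}")

    # 3. Urgency or threat of suspension in the body.
    text = body_text(msg)
    hits = [w for w in URGENCY_WORDS if w in text.lower()]
    if hits:
        signals.append("urgency: " + ", ".join(hits))

    # 4. Links that point outside the claimed sender's domain.
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = (urlparse(url).hostname or "").lower()
        if not in_trusted_domain(host):
            signals.append(f"link to {host}")
    return signals


# Constructed sample: spoofed display name, failed SPF, look-alike domain.
SPOOFED = """\
From: "HSBC Fraud Team" <alerts@hsbc-secure-verify.example>
To: finance@victim.example
Subject: Unusual transaction - action required
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=hsbc-secure-verify.example; dkim=none
Content-Type: text/plain; charset=utf-8

We have blocked a payment of GBP 4,950. Verify now at
https://hsbc-secure-verify.example/login or your account will be suspended.
"""

# Constructed sample: authenticated mail from the trusted domain, no pressure.
GENUINE = """\
From: "HSBC" <noreply@hsbc.example>
To: finance@victim.example
Subject: Your monthly statement is available
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=hsbc.example; dkim=pass header.d=hsbc.example; dmarc=pass
Content-Type: text/plain; charset=utf-8

Your statement is ready in online banking at https://www.hsbc.example/statements
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, phishing_signals(raw))
```

Run against the two constructed messages, the genuine one yields no signals and the spoofed one yields five: the display-name mismatch, `spf=fail`, `dkim=none`, the urgency phrases, and the link to the look-alike domain. None of these checks needs the email to be opened or its link followed, which is the point: the sender name and the wording are the attacker's to choose, while the authentication verdicts and the real sending domain are much harder to fake.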