Timely reporting will let us deter fraud and safeguard your account.
How to report phishing/vishing/smishing
To report phishing websites, smishing texts or suspicious emails that requested your personal banking information, send an email to email@example.com. You’ll receive an automatic response to let you know we've received your email.
- Copy the full email, smishing text or website address (URL) and paste it onto the body of the email.
- Do not include your personal information in the email. This mailbox is processed by a third party on behalf of HSBC Global Services (UK) Limited and by HSBC Group companies (this also means we won’t be able to give you personalised responses from it).
HSBC may send you emails from time to time but will never ask for your security information or send you a link directly asking you to log on to your online banking. HSBC will never attach a link to a web page that would ask for this information. If you receive an unsolicited email from HSBC encouraging you to do this, it will be a "Phishing" email. See 'How Social Engineering works' (below) for more information.
How social engineering works
Social engineering works by gaining someone's trust and getting them to give information that should be kept secure.
Scammers usually contact people by phone (vishing), SMS (smishing) or email (phishing). They'll claim to be someone in a position of trust, such as bank staff, representatives of telecoms or utility companies, or even the police. Having gained the person's trust, they'll then ask for sensitive information or things which will give them access to the person's bank accounts.
There are things your bank would never ask for, such as:
- Card Verification Value, Card Expiry Date, Cash Advance PIN, or OTP (One-Time Password)
- Online banking codes such as Secure Key or password
Your bank would also never ask to:
- Collect your credit or debit cards, cheque books or cash
- Transfer funds to a different account for 'safekeeping'