Top of main content

Security reminders

Table of contents

Online and Mobile Banking Security Tips

How you can keep your mobile safe

1. Browse smartly

  • Download your applications from official app stores and check ratings to verify.
  • Be wary of dubious third party aggregators. Do not disclose any information like your online banking credentials to third parties.
  • Look for the padlock in the address bar when using your browser. This indicates that the browser is secure.
  • Only use trusted Wi-Fi networks or service providers, not free public WiFi.
  • Use security protection, at minimum, such as Wi-Fi Protected Access (WPA), if possible.
  • Disable Bluetooth if you are not using it.

2. Be cautious of using any free VPN

A "Virtual Private Network", or VPN, is a software that allows you to mask your computer's location or log on to sites as if your computer is based in another country or region. Be wary of security issues you might encounter when using free VPN.

Free VPNs have hidden dangers

  • Malware hidden inside VPNs can steal your data, which can then be used to hijack your online accounts, steal your money (bank and credit card details), steal your digital goods or products, or lock or encrypt your devices in exchange for a payout (e.g. ransomware), and more.
  • VPNs can also hijack your browser, redirecting it to other sites without your permission, which can further lead to fraud risk.

If you really want to use VPN, it's important to use a reputable VPN made by well-known providers or antivirus-software makers. Paid doesn't guarantee security but more often, the reputable VPN providers are more protective of your data. Check their ratings in terms of security and privacy.

3. Be vigilant if your mobile is suddenly out of signal

With more people using mobile devices to do banking, fraudsters have begun to use a technique known as a "SIM-swap".

The fraudster will call your mobile service provider claiming to be you, and ask for a replacement SIM card, saying that they lost your SIM or phone. If they are convincing, the mobile service provider will deactivate your SIM and will issue a new one to the fraudster, who then executes transactions that require OTP authorisations. 

Things to look out for:

  • Be alert and talk to your mobile provider immediately if you suddenly find you don't have network connectivity and are not receiving calls or text messages for unusually long periods.
  • Be cautious of receiving unsolicited network services and don't surrender your SIM card to third parties claiming to be from your service provider. Contact your mobile network provider immediately for these attempts.
  • It's also recommended that you don't switch off your phone if you're receiving numerous unknown calls. This could just be a ploy to make you turn off your phone so you don't notice a tampered network connection.

4. Maintain your device

  • Install the latest anti-virus and anti-spyware software on your phones and tablets, and keep it updated. Even trusted phone brands that are known for having strong built-in protection against malware threats, can be at risk. When installing protection, always use a reputable brand from a mainstream supplier.
  • Install updates and patches to your smartphone and tablet regularly, including upgrades/updates to your operating system (OS) and other mobile applications.
  • Set up auto-lock and passcode lock to prevent unauthorised access to your phones and tablets and enable remote wiping.
  • Don't use security loopholes to log on to Personal Internet Banking on jail-broken/rooted handsets or tablets. HSBC mobile apps do not run on jail-broken/rooted devices for your security.
  • Install apps on your phones or tablets from trusted sources only. Understand the permissions of mobile apps before you accept and install them.

5. Be vigilant

  • Don't store your username and password for HSBC Mobile Banking and other private services on your mobile handset or tablet.
  • Avoid sharing your device with others and don't use other people's devices to log on to your private accounts.
  • Some online services might request you to upload a scanned copy of your valid ID via their mobile apps. Protect your ID copy and treat it with the same caution as your physical ID card. Don't store your ID copy on your mobile device and don't share it with people you don't trust or know well. Don't scan your ID copy to any untrusted apps.
  • If you have access to SMS service providers' app or portal, make sure to use complex passwords and change your password regularly to avoid fraudsters from intercepting your access and obtaining further sensitive details.

How to keep your internet banking safe

1. Accessing your account

  • Avoid using public computers and public networks to do online banking.
  • Never share your personal security details (password or security code/OTP) with anyone, especially if they claim to be from HSBC.
  • If you find any unusual pop-ups or your computer starts running unusually slow, please don't input your personal details and/or credit card information.
  • Watch out for money-laundering scams. Be wary of any "business opportunity" that involves receiving or holding money for strangers.
  • Only use secure and trusted wireless networks. Add a password and regularly change this password for your own home Wi-Fi network.

2. If you receive any email or SMS claiming to be from HSBC, remember that:

  • We will never ask you to confirm or provide us with any personal data by replying to an email.
  • We will not ask you for your PIN or password.
  • We will not ask you to provide your CVV/CVC or OTP.

3. Monitoring your account

  • Check statements, emails and SMS notifications as soon as you receive them. If you spot any unusual transactions, report them to the bank immediately. Use HSBC Online Banking or the HSBC Mobile Banking app to check transactions on your account more frequently.
  • Always keep the electronic receipt for fund transfers and bill payment transactions to help you verify transactions.

4. Protecting your pin/password

  • Never share your password with anyone, even if they claim to be from the bank or a regulator.
  • Memorise your password and never write it down.
  • Choose a password that's hard to guess and is not easily relatable to you or your family.
  • Use different PINs/passwords for different websites and channels (ATM, Phone Banking, Online and Mobile Banking).
  • Remember that our representatives will never ask for your PIN/password.

ATM security reminders

Put our safety tips into action to reduce your risk of fraud when using an ATM.

Stay vigilant

  • Be aware of your surroundings when using an ATM. If there's someone or something suspicious, quickly cancel your transaction.
  • Refuse help from strangers when using an ATM.
  • Inspect the ATM. If there are signs of tampering, DO NOT proceed with your transaction.
  • When using an ATM, choose well-lit and/or well-guarded areas.
  • If your card is captured and you suspect possible fraud, please report it to us immediately.

Protect your PIN

  • Memorize your PIN and do not write it down.
  • Choose a PIN that's hard to guess.
  • Cover the numeric keypad and make sure no one is looking while you are entering your PIN.
  • Never disclose your PIN to anyone.
  • Use different PINs for different channels (ATM, Phone Banking, etc.).

Monitor your account

  • Always check your statements.
  • Switch to electronic statements and get your statements faster.
  • Immediately report unusual transactions to us.
  • Sign-up to instant SMS notification so you get updates on movement within your accounts.
  • Register through HSBC Online Banking so you can monitor your accounts anytime.

If you lose your card, call HSBC's Customer Service immediately at (02)8858-0000 or (02)7976-8000 from Metro Manila, +1-800-1-888-8555 PLDT domestic toll-free, (country code) +800-100-85-800 international toll-free for selected countries/regions. 

Reporting of Phishing and Smishing

To report phishing websites, smishing texts or suspicious emails that requested your personal banking information, send an email to phishing@hsbc.com. You’ll receive an automatic response to let you know we've received your email.

  • Copy the full email, smishing text or website address (URL) and paste it onto the body of the email.
  • Do not include your personal information in the email. This mailbox is processed by a third party on behalf of HSBC Global Services (UK) Limited and by HSBC Group companies (this also means we won’t be able to give you personalised responses from it).

If you believe you've shared your confidential information either online, by telephone or any other means, call us immediately at +6328858-0000 or +6327976-8000 or +800-100-85-800 from overseas.

HSBC may send you emails from time to time but will never ask for your security information or send you a link directly asking you to log on to your online banking. HSBC will never attach a link to a web page that would ask for this information. If you receive an unsolicited email from HSBC encouraging you to do this, it will be a "Phishing" email. See 'How Social Engineering works' (below) for more information.

How social engineering works

Social engineering works by gaining someone's trust and getting them to give information that should be kept secure.

Scammers usually contact people by phone (vishing), SMS (smishing) or email (phishing). They'll claim to be someone in a position of trust, such as bank staff, representatives of telecoms or utility companies, or even the police. Having gained the person's trust, they'll then ask for sensitive information or things which will give them access to the person's bank accounts.

There are things your bank would never ask for, such as:

  • CVV, Card Expiry Date, Cash Advance PIN, or OTP (One-Time Password)
  • Online banking codes such as Secure Key or password

Your bank would also never ask to

  • collect your credit or debit cards, cheque books or cash
  • transfer funds to a different account for 'safekeeping'

1. Vishing (Phone)

Criminals call out of the blue and may claim to be your bank, the police or another trusted organisation like your network provider. To make the call seem more convincing, they may already have some information about you, such as your account number, address and account details. They can also make the call seem authentic by making their phone number look like a number you know and trust. This is known as 'number spoofing'. The caller will then try to persuade you to:

  • transfer money to another account for 'safekeeping' or 'holding'
  • withdraw cash and hand it over 'for investigation'
  • give private information, which can then be used to gain access to your finances

If you're suspicious or feel vulnerable, immediately end the call and disregard messages from unregistered numbers asking for your CVV, Card Expiry Date, Cash Advance PIN, or OTP. In case you've given them your banking details, call us immediately at +6328858-0000 or +6327976-8000 or +800-100-85-800 from overseas.

2. Phishing (Email)

Be wary of unsolicited emails that appear to be from your bank or another trusted organisation (like government agencies) and contain links to websites asking you for confidential, personal or financial information. The emails may appear to come from a legitimate source and often warn your account may be shut down unless you take some action or they may say you're owed money.

If you receive one of these emails, don't reply or click on a link that you're not sure is genuine. Instead, contact the company using a phone number you know is genuine.

Phishing emails typically:

  • warn you of some sudden change in an account which means you have to confirm you still use the service
  • sometimes have poor spelling and grammar
  • ask for confidential or security information such as your online banking details, passwords, account numbers or PINs
  • include instructions to reply, complete a form or document attached to the email or click through to a website to verify your account

Don't open attachments or click on links if you suspect they may not be genuine.

If you're suspicious of an email claiming to be from HSBC, forward it to phishing@hsbc.com, delete it and empty your deleted items.

3. Smishing (SMS)

Another thing to watch out for is suspicious text messages that look like they're from HSBC or another trusted organisation. These may be sent by criminals trying to trick you into giving your personal and financial information (by calling a number or clicking a link).

It's important to remember:

  • Banks and other organisations such as the police or service providers will never ask you for your full PIN, OTP, password or banking codes.
  • Some sophisticated fraudsters can send text messages that show "HSBC" as the sender, to look genuine. This is why you should always be wary of what each SMS you receive contains and asks of you.

If you're unsure whether a text claiming to be from HSBC is genuine, forward it to phishing@hsbc.com and we'll investigate it.

Never share your security details with anyone else.

For inquiries, please call HSBC's Customer Service at (02) 8858-0000 or (02)7976-8000 from Metro Manila, +1-800-1-888-8555 PLDT domestic toll-free, (International Access Code) 800-100-85-800 international toll-free for selected countries/regions, or send an inquiry via email to hsbc@hsbc.com.ph. Note: Do not provide your account or credit card numbers or disclose any other confidential information or banking instructions through email.

For complaints and feedback, you can call the abovementioned numbers or visit hsbc.com.ph/help/feedback-and-complaints/

The Hongkong and Shanghai Banking Corporation Limited is an entity regulated by the Bangko Sentral ng Pilipinas (Bangko Sentral) https://www.bsp.gov.ph. You may get in touch with the Bangko Sentral Consumer Protection and Market Conduct Office through their Email: consumeraffairs@bsp.gov.ph; Webchat: http://www.bsp.gov.ph; Facebook: https://www.facebook.com/BangkoSentralngPilipinas or SMS: 021582277 (for Globe subscribers only).

Deposits are insured by PDIC up to PHP500,000 per depositor.