UK HSBC Customers Targeted In New Smishing Scam

HSBC customers in the UK are reportedly being targeted through an SMS phishing scam. Referred to as “smishing”, the scam involves tricking customers into sharing bank account details and other identifying personal information.

How the scam works
  1. The scam starts with a text message, seemingly from HSBC, alerting the customer to a new payment made through the HSBC app on their phone.
  2. The customer is told to visit the HSBC website to validate their bank account if they are not responsible for the payment. 
  3. Victims are then redirected to a fake landing page (security.hsbc.confirm-systems.com) where they input their bank username, password and other identifying information followed by verification steps.

The smishing scam was discovered by the research team at Griffin Law and around 47 people have reportedly received the text message so far.

A rise in sophisticated phishing scams

Sophisticated phishing scams like these have become popular of late. They use social engineering to manipulate people into sharing confidential information. In the HSBC example, the scam exploits people’s inclination to prevent a fraudulent payment. These tactics play on your emotions to influence your decision-making and push you into taking action.

At the onset of COVID-19, many people received emails purportedly from the government asking them to input their details to receive COVID-19 relief. As with the HSBC scam, the website looked real enough to deceive some people into sharing their bank account details.

Here are some tips to stay safe:
1. Slow down 

Hackers want you to act immediately, so they create situations that feel urgent or high-pressure. The phishing message could be similar to the HSBC one, or an email urging you to log in to your account before it expires. In general, it’s important to slow down and carefully assess the information you’re given.

2. Double-check information 

A common technique used by hackers is to send emails to you and your colleagues which appear to be from a legitimate source. For example, cyber-criminals have posed as the World Health Organisation to get people to click on malicious links. In some instances, they’ve even posed as well-known charities. Be sure to double-check information and be particularly wary of shortened web addresses. Hover your mouse over links to reveal the true address.

3. Verify ‘trusted’ sources 

Remember, the aim is to target you using sources you usually trust. The email or text could be from a friend, colleague or institution you interact with frequently. The link you are directed to may even look authentic. Phishing scams are becoming increasingly hard to spot, which is why it’s crucial that you slow down and take your time to verify information, particularly if it relates to sharing personal or financial information.

4. Beware of downloads

Another goal for hackers is to infect your computer with malware. The primary way this is done is through attachments or downloads in the form of files or links. Strong anti-virus software should signal if attachments or files are dangerous to download. It’s important for you to adhere to these warnings. 

5. If it doesn’t make sense, ignore and delete

Some people were able to spot the HSBC text as a scam immediately because they didn’t have the HSBC app on their phone. In some cases, there will be easy telltale signs to indicate it’s a scam. Ignore and delete the message without clicking on any links. 
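Tip 2's advice to check the true address can be automated. The Python sketch below is an added example, not part of the original article: it extracts the domain that was actually registered and shows that the hostname from the scam text only carries "hsbc" as a subdomain label. The official domain list, the short suffix set and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the bank's legitimate registrable domains (not listed in the article).
OFFICIAL_DOMAINS = {"hsbc.co.uk", "hsbc.com"}
BRAND = "hsbc"
# Simplification: a tiny constructed sample of multi-label public suffixes.
# Production code should load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk"}


def registrable_domain(host):
    """Return the domain an owner actually registered (public suffix plus one label)."""
    labels = host.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return ".".join(labels[-(suffix_len + 1):])


def classify_link(url):
    """Return (verdict, registrable_domain) for a link taken from a message."""
    if "://" not in url:
        url = "http://" + url  # SMS links are often written without a scheme
    host = urlsplit(url).hostname or ""
    domain = registrable_domain(host)
    if domain in OFFICIAL_DOMAINS:
        return "official", domain
    # The brand name is present in the host, but the host is not under
    # a domain the brand owns: the pattern used by the fake landing page.
    if BRAND in host.replace("-", ".").split("."):
        return "brand-lookalike", domain
    return "unrelated", domain


if __name__ == "__main__":
    samples = [
        "security.hsbc.confirm-systems.com",  # hostname quoted in the article
        "https://www.hsbc.co.uk/login",       # constructed sample
        "https://example.org/news",           # constructed sample
    ]
    for link in samples:
        print(link, "->", classify_link(link))
```

Reading a hostname from right to left gives the same answer by eye: the part immediately before the public suffix (here `confirm-systems.com`) is who controls the site, whatever labels appear in front of it.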

We strongly recommend you adhere to these guidelines. Aside from the prospect of a personal breach involving your own personal information, a breach on your work phone or other electronic devices could jeopardise your company’s sensitive data.

According to Verizon’s annual Data Breach Investigations Report, social engineering attacks are responsible for 93% of successful data breaches.

As phishing scams become more sophisticated, it is equally important to invest in training and educating your staff to be aware of things to look out for. Contact us at Kazient Privacy Experts to discuss our array of bespoke training options for small, medium and large organisations. 

Kazient Privacy Experts offers bespoke Data Protection, Privacy and GDPR compliance solutions in a language you understand to UK and international organisations, and has received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to be your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.