HSBC Fraud Guide

14 April 2020

HSBC takes fraud & other financial crimes very seriously. Even though we have market-leading fraud detection systems, we want you to be aware of the different ways criminals may try to steal not just your money but also your company's identity.

Read our guide to Fraud and Scams here(PDF,334KB)

Keep your finances and personal data safe

Much has been made in the news media recently about the hazards of online hacking and data breaches, but what is seldom reported is how much simpler it is to "hack" people than computers. This process is called social engineering, and is far easier to do than one might think.

Read our guide to Malware fraud here(PDF,315KB)

How social engineering works

Social engineering exploits aspects of human nature - behaviours that come naturally to us. Key to social engineering is the manipulation of trust - gaining a target's trust and thereby getting them to disclose information that should be kept secure.

Scammers contact their targets, usually via telephone (vishing), text or email (phishing), purporting to be individuals in positions of trust, such as bank staff, representatives of telecoms or utility companies, or even the police. Having gained their target's trust, they then request sensitive information or items which allow them access to their target's bank accounts - things your bank would never request themselves, such as:

  • Your 4-digit PIN
  • Credit or debit cards, chequebooks or cash
  • Online Banking codes or passwords
  • Transfer of funds to a different account for "safekeeping"

Read our guide to Social Engineering fraud here(PDF,228KB)

Business Email Compromise

The Business E-mail Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform payments using an email from a company owner (CEO or CFO) as the authority to carry out the payment. Little does the payment processor know that the email is not a genuine company request.

There are two variations of this fraud type, which are as follows – Email spoofing – This involves the manipulation of an email address to make the senders email address appear to have originated from someone or somewhere other than the actual source.

The fraudsters spoofs the vendors email to submit the modified invoice. It doesn't require compromising the vendor's email system, but instead sends the invoice from an email that is so close to the domain of the vendor that most people would miss the change, for example, @CompanyABC.com instead of @CompanyACB.com.

Compromised Email Account - This involves the compromise of an executives email account within the organisation, such as the CFO (Chief Financial Officer). The fraudster sends a request for a payment from the compromised email account to another, often junior employee to action.

Remember,

  • Make sure staff are aware to check the email address the payment request is sent from, and have suitable checks in place to verify any new payment request received by way of email.
  • Always regularly review your organisations controls to make sure that you have suitable payment controls in place to not fall victim to this type of fraud.

Read more about Business Email Compromise here (PDF,375KB)

Common Fraud Types

Contact us

Call us on:

+39 02 724371