Stay away from phishing | Cybersecurity and fraud

What is phishing?

Phishing is when a criminal sends you an email / SMS or calls you and try to get you to give them your passwords and bank details or clicks the embedded links, QR code or file attachment to implant malware to the victim's device.

The email / SMS will say it is from a legitimate organisation like a bank, online payment service or online retailer. It often looks very similar to an actual email / SMS sent by those companies, and it will contain a link or QR code that takes you to a website that also looks very similar to the organisation's genuine site.

Once you arrive at the fake site, it will usually prompt you to enter personal security information, such as your account number, PIN, security code or one time passwords (OTPs). The phishing site records everything you enter, and then uses your information to steal your money.

What are the types of phishing?

Criminals call out of the blue and may claim to be your bank, the police or another trusted organisation like your network provider. To make the call seem more convincing, they may already have some information about you, such as your account number, address and account details. They can also make the call seem authentic by making their phone number look like a number you know and trust. This is known as 'number spoofing'.

The caller will then try to persuade you to:

transfer money to another account for 'safekeeping' or 'holding'
withdraw cash and hand it over 'for investigation'
give private information, which can then be used to gain access to your finances

If you're suspicious or feel vulnerable, immediately end the call and disregard messages from unregistered numbers asking for your CVV, Card Expiry Date, Credit Card PIN, or OTP. In case you've given them your banking details, call us immediately at +6328858-0000 or +6327976-8000 or +800-100-85-800 from overseas.

The caller will then try to persuade you to:

transfer money to another account for 'safekeeping' or 'holding'
withdraw cash and hand it over 'for investigation'
give private information, which can then be used to gain access to your finances

Be wary of unsolicited emails that appear to be from your bank or another trusted organisation (like government agencies) and contain links to websites asking you for confidential, personal or financial information. The emails may appear to come from a legitimate source and often warn your account may be shut down unless you take some action or they may say you're owed money.
If you receive one of these emails, don't reply or click on a link that you're not sure is genuine. Instead, contact the company using a phone number you know is genuine.

Phishing emails typically:

warn you of some sudden change in an account which means you have to confirm you still use the service
sometimes have poor spelling and grammar
ask for confidential or security information such as your online banking details, passwords, account numbers or PINs
include instructions to reply, complete a form or document attached to the email or click through to a website to verify your account

Don't open attachments or click on links if you suspect they may not be genuine.

If you're suspicious of an email claiming to be from HSBC, forward it to phishing@hsbc.com, delete it and empty your deleted items.

Another thing to watch out for is suspicious text messages that look like they're from HSBC or another trusted organisation. These may be sent by criminals trying to trick you into giving your personal and financial information (by calling a number or clicking a link).

It's important to remember:

Banks and other organisations such as the police or service providers will never ask you for your full PIN, OTP, password or banking codes.
Some sophisticated fraudsters can send text messages that show "HSBC" as the sender, to look genuine. This is why you should always be wary of what each SMS you receive contains and asks of you.

If you're unsure whether a text claiming to be from HSBC is genuine, forward it to phishing@hsbc.com and we'll investigate it. Never share your security details with anyone else.

For inquiries or complaints, please call HSBC's Customer Service at (02) 8858-0000 or (02)7976-8000 from Metro Manila,
+1-800-1-888-8555 PLDT domestic toll-free, (International Access Code) + 800-100-85-800 international toll-free for selected countries/regions, or send an email to hsbc@hsbc.com.ph to submit an inquiry or complaint. If you want to find out more about HSBC's customer feedback procedures, please visit hsbc.com.ph/feedback to learn more about feedback and complaints.

The Hongkong and Shanghai Banking Corporation Limited is an entity regulated by the Bangko Sentral ng Pilipinas (Bangko Sentral) https://www.bsp.gov. You may get in touch with the Bangko Sentral Consumer Protection and Market Conduct Office through their Email: consumeraffairs@bsp.gov.ph; Webchat: http://www.bsp.gov.ph; Facebook: https://www.facebook.com/BangkoSentralngPilipinas or SMS: 021582277 (for Globe subscribers only).

Deposits are insured by PDIC up to PHP500,000 per depositor.

Note: Do not provide your account or credit card numbers or disclose any other confidential information or banking instructions through email.

To spot a phishing email / SMS, ask yourself the following questions:

Smart Tips

Does it request personal information, like a credit card number or account password?
Were you expecting this message?
Does it have an attachment?
Does it ask you to do something unusual, like transfer money to an unknown source, or email / SMS your account details to someone?
Does the sender's email address or phone number match the name of the company that it claims to be from?
Is your email address or phone number different from the one that you gave that company?
Was it sent or cc'd to more than just you?

How can I tell if I'm being phished?

Fake websites:

won't show the padlock symbol in the address bar when you log on
are poorly designed, with typos or bad spelling and grammar
have a different look and feel than the company's regular website

Phishing SMSes/emails:

make false claims pretending to be from the bank – e.g. fake incentives/rewards, and notifications of new payee/recipient or payments when you haven't done so
include a hyperlink requesting you to log on or enter sensitive personal information
could make use of spoofing tactics that mimic the bank as the sender of the message

Protect yourself from Phishing

What is phishing?

What are the types of phishing?

Vishing (Phone)

Phishing (Email)

Smishing (SMS)

To spot a phishing email / SMS, ask yourself the following questions:

How can I tell if I'm being phished?

Fake websites:

Phishing SMSes/emails:

Connect with us