Top of main content

Common online threats

The best way to protect yourself from fraud is to be aware of the different types of fraud out there today. Here are some of the most common fraud types and how to protect yourself.

Table of content

ATM scams

ATM skimming

Fraudsters may instal equipment, such as card readers and pinhole cameras, in ATM’s that allow them to copy cards used on that ATM.

PIN shields may be loosened or removed to allow hidden cameras to capture the ATM PIN entered.

Other ATM frauds

Fraudsters may attempt to distract you while you use the ATM through various techniques. The fraudster may tell you that you have dropped money or personal belongings on the floor. When you are distracted, the fraudster may try to swap your ATM / credit card and obtain the PIN as you enter it.

With the card details and the PIN, the fraudster can transact on the account.

What you can do:

  • Don’t allow yourself to be distracted when you use the ATM
  • Refuse all offers of help from strangers when you are performing ATM transactions
  • Cover the PIN pad and make sure no one is looking over your shoulder when you enter your PIN
  • When in doubt, stop transacting immediately, take your card back and report your suspicions to us immediately

Viruses, trojans and spyware

Viruses are computer programmes that steal personal information, take over your PC, pop up unwanted adverts and they can even use your computer to attack other people's computers.

A Trojan horse is a type of virus that is a computer programme masquerading as another programme. The programme appears innocent, but your files could be damaged or erased if you open the programme.

Spyware is software that monitors and records your internet behaviour without your knowledge or informed consent. For example, it may gather information on how you browse the web and websites you have visited. The programme transmits the collected information to an unauthorised organisation that expects to be able to profit from it in some way. Some spyware may even redirect your internet session through its own server. This allows criminals to analyse your internet activities (potentially your activities at HSBC Internet Banking), and extract your personal credentials such as your username, password and credit card numbers.

What you can do:

  • Don’t download any file without an extension (eg just named ‘file’) or those double extension (eg Such files are almost certainly a virus.
  • Never open an e-mail attachment that is unknown to you and in particular contains a file ending with .exe, .pif and .vbs because these are commonly used with viruses.


Criminals use fake e-mails and fake websites and set them up to con people into giving away passwords and bank details. The technical word for this is 'phishing'.

Phishing involves an email message being sent out randomly, claiming to come from a legitimate organisation such as a bank, online payment service, online retailer, etc. The email will contain a link that takes you to a fraudulent & spoof website that looks identical, or at least very similar, to the organisation's genuine site.

You may be asked to provide personal security information eg your account number, PIN, security code etc. When you try to log on, they can steal your account information and use the information to transact fraudulently.

What you can do:

  • Learn to spot the fake emails and websites. Look for these signs:
    • Strange looking e-mail or web addresses
    • Poor design, typos or bad spelling
    • They ask you to do something unusual
    • A site doesn't display the padlock symbol in the address bar when you log on
  • Do not forward or reply directly to any emails / SMS that ask you to provide personal information. Report such emails to us immediately. If in doubt, stop. Don't click on any links. Don't open any attachments. Forward the e-mail to and we will investigate it.



During product application, we may send e-mail with Terms and Conditions for customers to read and accept via email is issued by the HongKong Shanghai Banking Corporation Limited, and powered by Adobe Sign. Please be reminded no personal data or other sensitive information such as username, account number or password is required to be provided.


Bogus calls

You may receive calls from callers claiming to be from a well-known financial institution asking for sensitive personal information (eg internet banking user ID, ATM/ phone banking/ internet banking password) or selling credit products or services over the phone. The caller may also claim to be from HSBC or other financial institutions inviting applications for personal loan/tax loan/credit card.

You should know that HSBC has not authorised or appointed any intermediaries to conduct telesales marketing activities for promotion of unsecured personal loans such as personal loans, tax loans and credit cards.

Look for these signs to help you identify if a call is fraudulent:

  • The call is a pre-recorded messages notifying you of irregularities with your bank or card account
  • Pay attention when the caller:
    • refuses to provide, or provides a fake department name
    • is unwilling to provide a call back number
    • voice quality is relatively bad as if it is a long distance call
    • tries to build trust by providing account information proactively, eg by claiming irregularities with your bank or credit card account
    • focuses on products such as credit products or services with a low interest rate, such as personal loan, add on mortgage, re-mortgage
    • tries to close the sale as quick as possible
    • is impatient to discuss the product or service in detail
    • expresses annoyance or loses temper if you ask questions about the product or service
    • terminates the call by hanging up without any signal


What you can do:

  • Be calm and seek assistance immediately
  • Review and try to recall the personal information disclosed, including personal password or user ID
  • If you have shared your password, you should change it immediately
  • If you have disclosed your personal details to the suspicious caller, please contact and report the call to HSBC and the Police for investigation immediately
  • When you make a report, you should provide the caller's phone number, the personal information you’ve shared
  • Review your bank and credit card statements and advices for the following two to three months and report any irregularities to HSBC immediately
  • Change your password periodically to protect your personal information


Regulators and financial instructions frequently share warnings about the latest information in fraud. You should read and follow the advice shared in these warnings.


Online frauds and scams

When it comes to protecting yourself and your money on the internet be wary of ridiculous deals. Criminals may contact you by e-mail, through websites you use, via SMS or even by phone. It pays to be on your guard because they can be quite convincing.

Here are some warning signs:

  • Big promises. “You have won the lottery”
  • Big threats. “Your account has been hacked”
  • A false sense of urgency. “Act now or it'll be too late”
  • Unnecessary secrecy. “Don't tell anyone”
  • There is no reason for them to contact you. Did you even buy a lottery ticket?
  • ‘’Business opportunities’’ that involve holding or receiving money for strangers


What you can do:

  • If an attachment looks suspicious, don't open it
  • Don't instal software unless it comes from a website you trust. If it doesn't feel right, take your time
  • If you suspect that there is a problem with your personal or business internet banking, contact us immediately