Security Alerts and Tips

Online criminals are always watching for an open door into your organisation. Fraudulent activity across electronic bank delivery channels such as HSBCnet can possibly increase at times when criminals believe that your organisation is operating on an unusual schedule due to holidays or attending large scale international events. During this time, please be extra vigilant when online to ensure that you remain protected. If you experience one or more of the following events and suspect that a fraudulent attack may be underway, please contact your local HSBCnet support team immediately via the Customer Support link in the HSBCnet logon box.

• When logging in to HSBCnet, you are presented with a message that says, HSBCnet is unavailable after you have entered your username and security credentials. Alternately, the error message might give a set time within which HSBCnet will return for, eg in 15 minutes.
• You are presented with a security check/verification screen that requires you to wait for 1-10 minutes.
• You are prompted repeatedly to re-enter your username, password or security code.
• You are asked to enter beneficiary account information that you don't recognise and does not relate back to an invoice.
• You are presented with an error message referring to a 'synchronisation' problem asking you to enter the code generated by your Security Device.
• You see any screens that you think are unusual or are missing information.

Please do not share your security device or password with your colleagues. Sharing your device puts you at risk since you are responsible for any activity completed under your Username. Lending out your security device can also result in locked passwords and lost devices causing you added delays. If you are a System Administrator and allow users to share devices, your system audit trail will also be inaccurate. To maintain the safest possible security, only sign on to HSBCnet using your own security device. Need more security devices? Please contact your local HSBCnet support team and they will be happy to assist with placing new orders.

Internet users should be wary of the dual threats of malware and online phishing scams. Both threats are frequently delivered using fraudulent e-mails that appear to come from trusted sources.

• Malware – e-mails entice users into clicking on links or accessing URLs which deliver malicious software such as Zeus and Spyeye onto the user's PC
• Phishing – e-mails encourage users to divulge personal information such as banking security credentials

Together, these threats can be used to defraud individuals and companies. These attacks tend to happen in 'waves' such as the 'Man in the Middle' (MitM) attacks that media outlets have been recently reporting on.

A MitM attack occurs when Malware is downloaded, hidden in your browser and then activated when you visit particular websites. While deception can take many forms, a current version of this Malware tricks account holders into clicking on counterfeit links after they have logged into their financial institution's online platform. This triggers the Malware and the malicious programme then gets between the account holder and the genuine website–altering what is seen or changing the details of what is being entered in order to conduct and hide fraudulent activity.

HSBC monitors this activity vigilantly to protect you, but you also play a big role in averting these attacks. The more you know, the more you can protect yourself.

What should I do if I receive a suspicious e-mail?

If in doubt, delete the e-mail without opening it. This caution should apply to all unexpected e-mails with links or attachments. If you are suspicious of an e-mail that claims to come from HSBC, please forward it to hsbcnet.phishing@hsbc.com. We take these matters very seriously and will investigate the e-mail in question.

How do I know that a fraud or phishing attempt is underway?

The following types of experiences should be taken seriously and reported to your local HSBCnet support team immediately:

• When logging in to HSBCnet, you are presented with a message saying that HSBCnet is unavailable AFTER you have entered your username and security credentials. Alternately, the error message might give a set time that HSBCnet will return, eg 15 minutes
• You are presented with a security check/verification screen that requires you to wait for 1-10 minutes
• You are prompted repeatedly to reenter your username, password or security code
• You are asked to enter beneficiary account information that you don't recognise and does not relate back to an invoice
• You are presented with an error message referring to a 'synchronisation' problem asking you to enter the code generated by your Security Device
• You see any screens that you think are unusual or are missing information

How can I protect myself further?

Installing a firewall and virus protection software on your computer or local area network (LAN) is the single most important thing you can do to protect yourself against malware and viruses. Firewall and virus protection software is available from providers such as Norton and McAfee. Reputable firewall and virus protection vendors will provide regular software updates to ensure that you are protected against new hacking attempts. You must be vigilant in keeping this protection up to date.

It is also important to download new browser security patches when they are available because they are designed to provide you with protection from known security problems. In addition, do not install pirated software or software from unknown providers.

You can rest assured that HSBCnet is a secure channel that is rigorously monitored to protect our customers. You can help us keep fraud out of business by being cautious when conducting transactions online and protecting yourself with the latest anti-virus software.

HSBC and other companies abiding by industry standards will not send e-mails requesting or containing your security or confidential details, such as ID numbers, account log-on details or memorable word information. We will never ask you to enter or confirm your security details through an e-mail. By contrast, this is typically what a phishing e-mail does when it tries to obtain your security details.

At HSBC, security is a top priority. We are constantly reviewing and upgrading our systems to ensure that your accounts are secure, but there are actions that you need to take as well.

However, security is a joint effort, therefore we strongly recommend that you install firewall and virus protection software on your computer or LAN, and most importantly, be vigilant in keeping it up to date. Firewall and virus protection software is available from providers such as Norton and McAfee. Reputable firewall and virus protection vendors will provide regular software updates to ensure that you are protected against new hacking attempts.

Other tips to increase your security protection include:

• Always download new browser security patches whenever they are available. They are designed to provide you with protection from known security problems
• To prevent viruses or other unwanted problems, do not open e-mail attachments unless you know they are from a safe and reputable source
• Do not install pirated software or software from unknown providers
• Where possible, have dedicated terminals that are only used for accessing HSBCnet in order to reduce the likelihood of malicious code being loaded onto a device. This device should not be used for general web browsing, e-mailing, or social networking

For additional information, read the Online Security on our HSBC Group website.

Make sure to take a closer look.

It's a good idea to be wary of any requests from your beneficiaries (via e-mail, phone or otherwise) to change their banking details. The request may be an attempt to divert payment funds to a fraudulent account.

Fraudulent requests may be disguised as originating from a supplier and ask that you change the supplier's bank account information. As a precaution, always take the extra step of checking directly with your suppliers, either through an original e-mail address or a phone call to a trusted source in their company, to confirm that the change request is genuine.

In some cases, the fraudulent request to change supplier information or make a payment to an unfamiliar account supposedly comes from your organisation's CEO, President or other administrator. When reviewing any type of payment instructions from an internal source, ensure the request uses your organisation's official channels and follows authorised processes and procedures.

Anyone using the internet should be wary of online phishing scams. Phishing is an attempt by criminals to 'fish' for personal information such as the security credentials you use for banking.

What is phishing?

Phishing is an attempt by fraudsters to 'fish' for personal information such as the security credentials you use for banking. Someone can send you an e-mail which appears to come from your bank or an organisation you have registered with, such as PayPal. The e-mail asks you to click on a link and/or to confirm your username or password and in this way they obtain your details.

How do fraudsters get my e-mail address?

These lists are never provided by us. Lists of e-mail addresses are bought or traded between unscrupulous parties.

How do they know where I bank?

They probably don't know where you bank, but if they send enough e-mails they are likely to reach some customers.

The e-mail says it's from HSBC – is it?

HSBC will not send e-mails to customers requesting or containing security or confidential details, such as ID numbers, account log-on details or memorable word information. We will never ask you to enter or confirm your security details. By contrast, this is typically what a phishing e-mail does when it tries to obtain your security details.

We will, however, send you e-mails with important service information such as planned outages and enhancements. Any links within these e-mails will only take you to product and service information pages and not to any page where you will be asked to log in and provide personal information.

What should I do if I get a suspicious-looking e-mail?

If in doubt, delete the e-mail without opening it. This caution should apply to all unexpected e-mails with links or attachments.

If you are suspicious of an e-mail that claims to come from HSBC, please forward it to hsbcnet.phishing@hsbc.com. We take these matters very seriously and will investigate the e-mail in question.

Our goal is to keep HSBC systems secure and safe, but we do need your help. It is important that you never share confidential information on HSBC security that has been provided to you as a customer. Sharing information on our security practices, policies and current security activities is illegal and could provide valuable information to tip off potential fraudsters. Public internet sites, blogs and chat rooms in particular could provide unscrupulous individuals with a wealth of information if it falls into the wrong hands. This is a secret worth keeping.