HSBC customers in the UK should be on the alert for a malicious SMS phishing scam designed to trick its victims into parting with their online banking details, according to litigation specialist Griffin Law.
The text phishing, or smishing, campaign begins with a text message purporting to come from HSBC, informing the target that “a new payment has been made” through the HSBC app on their smartphone.
Targets are told that if they were not responsible for this payment, they should visit a website to validate their bank account. To the untrained eye, the link – security.hsbc.confirm-systems.com – could plausibly pass for a genuine HSBC address, because the brand name appears in the hostname, but it should on no account be opened.
Victims are then directed to a fake landing page that uses HSBC branding and asked to enter their username and password, followed by a series of verification steps. The site also attempts to harvest specific account details and other personally identifiable financial information (PIFI) from its targets.
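The lookalike address in this campaign works because the bank's name sits in a subdomain label while the part of the hostname that is actually registered belongs to someone else. The following Python triage check, added here as an illustration and not code from the article, Griffin Law or HSBC, extracts URLs from reported message text and flags any hostname that contains the brand name but whose registrable domain is not on an allowlist. The allowlist of legitimate bank domains and the short list of multi-part suffixes are assumptions for the example; a production version would use the Public Suffix List and the bank's published domains.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages modelled on the campaign described above.
# The first uses the domain quoted in the article; the others are made up.
SAMPLE_MESSAGES = [
    "HSBC: A new payment has been made via your HSBC app. If this was not "
    "you, visit https://security.hsbc.confirm-systems.com to validate your account.",
    "Your statement is ready. Log in at https://www.hsbc.co.uk/ to view it.",
    "Reminder: dentist appointment tomorrow at 10am.",
]

# Matches scheme-prefixed URLs, or bare hostnames such as example.com/path
# that smishing texts often use to look less suspicious.
URL_RE = re.compile(
    r"https?://[^\s<>\"']+|(?<![\w.])(?:[\w-]+\.)+[a-z]{2,}(?:/[^\s]*)?",
    re.IGNORECASE,
)

# Brand tokens to look for anywhere in the hostname.
BRAND_TOKENS = ("hsbc",)

# Assumed allowlist of the bank's own registrable domains (illustrative only).
LEGIT_DOMAINS = {"hsbc.co.uk", "hsbc.com"}

# Simplified stand-in for the Public Suffix List (assumption for the example).
MULTI_PART_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}


def registrable_domain(host):
    """Return the registrable part of a hostname, e.g. 'confirm-systems.com'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_hosts(text):
    """Pull every hostname out of free-form message text."""
    hosts = []
    for match in URL_RE.finditer(text):
        raw = match.group(0)
        if not raw.lower().startswith(("http://", "https://")):
            raw = "http://" + raw  # let urlparse treat bare domains uniformly
        host = urlparse(raw).hostname
        if host:
            hosts.append(host)
    return hosts


def classify_host(host):
    """Label a hostname as allowlisted, a brand lookalike, or unknown."""
    if registrable_domain(host) in LEGIT_DOMAINS:
        return "allowlisted"
    if any(token in host.lower() for token in BRAND_TOKENS):
        # The brand name is present, but the registered domain is not the bank's:
        # exactly the pattern used by security.hsbc.confirm-systems.com.
        return "brand-lookalike"
    return "unknown"


def triage(text):
    """Return (hostname, verdict) pairs for every URL found in a message."""
    return [(host, classify_host(host)) for host in extract_hosts(text)]


if __name__ == "__main__":
    for message in SAMPLE_MESSAGES:
        print(message[:60] + "...", "->", triage(message) or "no URLs")
```

The check is meant for triaging messages that staff report, not as a substitute for telling people never to follow links in unexpected payment alerts: an attacker who registers a domain that contains no brand token at all would pass the lookalike test, which is why the allowlist verdict, not the absence of a warning, is the only positive signal here.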
Griffin Law, which works with a number of accountancy groups and financial support teams in the London area, said it had seen a clear spike in reports of the scam, with almost 50 of its customers telling it they had received the smish so far. A number of them said they did not have any HSBC apps installed on their devices, which suggests the scam is quite indiscriminate in its targeting. Griffin Law added that there had been no reports of it succeeding so far.
“This is the latest in a long line of increasingly sophisticated phishing scams, designed to trick the victim into handing over their personal financial details,” said Chris Ross, senior vice-president at Barracuda Networks. “As so often with these schemes, the text message is designed to frighten the recipient into clicking on the link and entering their username and password without reviewing the legitimacy of the URL.”
Ross said he was increasingly seeing cyber criminals exploiting the branding of major financial institutions in order to build realistic-looking fake websites that are more likely to convince people to part with confidential information. Also, trying to catch the victim’s attention with an apparent warning about an unauthorised payment is an increasingly well-used tactic.
“Tackling this problem requires all companies and their employees to remain vigilant against such scams,” said Ross. “SMS messages are often used by criminals to catch workers off-guard, using their personal mobile number.
“Ensuring security awareness within the workforce is also critical, and it is important that all employees are trained about how these schemes operate, as well as how SMS messages can be exploited as part of a wider phishing scheme designed to steal company funds and data.”
Andy Harcup, vice-president at Absolute Software, said: “The Covid-19 outbreak has led to a sharp rise in phishing scams, with fraudsters impersonating banks in order to extract personal financial details of victims, many of whom are under extreme financial pressure.
“Failure to identify and block this kind of attack could lead to severe data breaches for businesses, particularly if the recipient of the request hands over usernames and passwords to the company account.”
Harcup added: “With millions of people now working from home for the foreseeable future, often using personal phones and newly purchased laptops, the threat posed by hackers is higher than ever.
“Addressing this issue requires a robust system in place to protect the endpoints in use across the company network, to ensure that the latest encryption and security updates are installed, and to track, freeze and wipe devices in the event of loss or theft, keeping hackers locked out.”