Online Security & secure usage tips

HSBC IN
Help
Security Centre
Online Security

As a bank, we are used to thinking about security. The growth of the internet has offered greater flexibility for us all, but it also brings new risks that must be guarded against. At HSBC, we use industry standard security technology and practices, focusing on three key areas – privacy, technology and identification – to safeguard your account from any unauthorised access.

Type of fraud

There are many ways in which a fraudster may try to trick you into giving them your personal and security details. They then use these details to access your financial information with the bank, and set up payments from your account to theirs.

Here are some of the more common types of fraud you may encounter.

More Information

Credit / debit card skimming or cloning

Fraudsters may steal information from the magnetic strip on your credit or debit card. They do this by concealing skimming devices in the card slot of an ATM or when you're not paying attention at merchant payment terminals. These devices scan and store your card details. To steal your PIN, fraudsters may place a camera in a discreet location on the ATM or at the merchant establishment.
Payment frauds via business emails and messaging apps

Fraudsters may hack into your emails or chats, or intercept unencrypted messages to learn more about you. Once they know more about you, they may send messages from a hacked / compromised / spoofed ID, asking you to make urgent payments for seemingly legitimate purposes such as the hospitalisation of a loved one or an outstanding bill that needs to be paid into a new account. Victims might be tricked into making the payment because of the urgency of the request or because they thought they could trust the request. And since the victim themselves made the payment, they won't be alarmed by the transaction alerts that the bank sends them. That makes this type of fraud difficult to detect.
Phishing or spoofing emails

Fraudsters may phish victims by sending an email to as many email addresses as they can. They often do this while pretending to be part of a legitimate organisation such as a bank, online payment service, retailer or other similar service. They may spoof their ID so the email looks like it's sent by someone other than fraudster themselves.

You can safeguard yourself against phishing scams by not responding to emails asking for personal or financial information. You should also never select links in suspicious emails.

HSBC will never ask you to disclose your personal or security details by email. If you receive such an email claiming to be from HSBC, do not respond to it. Delete the email immediately. And remember, never share your credentials – such as your username, password or other security details – with anyone.
Advance fee fraud ('419' scams)

Fraudsters may send unsolicited letters or emails offering you a generous reward for helping them to move a staggeringly large amount of money, usually in US dollars. What these fraudsters are really after are your banking details. They usually ask you to pay a fee, some taxes or a bribe to complete the deal – this is the advance fee. Victims usually lose this to the fraudsters.

If you suspect that someone has your online banking details, you should log on to online banking and change your password immediately. You should also call us as soon as possible to alert us. Our lines are open 24/7. You can find a list of our hotline numbers here.
Vishing calls

Fraudsters may impersonate bank staff or a customer service executive and call potential victims to steal sensitive information such as their bank account details. To win the trust of a victim, criminals may provide the victim with bits of personal information that were stolen through social engineering. After they've established some trust, the fraudsters may offer some special service or product, in hopes that the will provide their confidential information such as their bank details and one-time passcodes (OTPs).

Scam or payment frauds in UPI apps

Fraudsters may send you QR codes via messaging apps, asking you to scan the QR code or approve a 'Collect' request to transfer money into their account. They may try to trick you by telling you a fake story, such as saying that they want to buy a product that you're selling. They may also impersonate a bank or shopping company executive, offering to process refunds, unclaimed cashback offers or reward points for you. Unsuspecting victims might then scan the QR code or approve the 'Collect' request using their UPI PIN, transferring money into the fraudster's account.
Fake contact numbers

Fraudsters may provide fake contact details for banks and service provider contact centres. Unsuspecting victims may look for contact details using a search engine and call the fake number. They'll then be taken through a "verification process" where they're tricked into sharing sensitive information about their debit/credit cards and bank accounts.

You can protect yourself by making sure that you always visit the official website of a bank or service provider to look for the contact details you need. Stay vigilant and avoid calling numbers displayed in the search results without checking them first, especially if they might be a mobile number.
Money mule or additional income email scams

In a money mule scam, fraudsters may ask you for help with a transfer. They may offer to transfer money into your account so you can help them transfer it to another account. In return, they say they'll give you a commission.

You should ignore such requests as they often involve crimes such as money laundering. Anyone who participate knowingly may be considered an accomplice to the crime and may face prosecution. If it looks too good to be true, it's probably a con!
Social media hacks

Fraudsters may impersonate a close friend or relative on social media platforms such as Facebook, WhatsApp or Instagram, asking you to transfer money to them urgently. You can check if the request is a legitimate one from someone you know by giving them a call or contacting them through other channels.
Trojan viruses

Fraudsters may send you unsolicited emails that contain files, pages or attachments which you're asked to open. But opening them means will secretly install a programme on your computer that monitors your online activity, and even what you type on various websites. So when you enter your credit card details while shopping online, the fraudsters will be able to see the information you enter.

Your role in online security

Important - If you ever receive email from an untrusted source claiming to be HSBC, or an unsolicited email seeking personal information; report them to phishing@hsbc.com for us to investigate further. Please note that HSBC’s Phishing mailbox will forward information received to third party service providers for the takedown of such rogue website.

Ensure your computer is protected with the latest anti-virus and firewall protection software at all times. Download updates regularly to ensure you have the latest protection
Choose a password that is memorable to you but not easy to guess by someone else. Passwords that contain combinations of alpha and numeric characters are generally harder to guess (e.g. a7g3cy91)
Change your internet banking password on a regular basis.
Beware of phishing emails. Always read the entire email address carefully, including all letters and characters.
Phishing is done very similar looking email addresses. e.g. hsdc.co.in or hsbcbank.com. Roll your mouse pointer over the URL to reveal its true destination; this is displayed at the bottom left corner of your browser. If there is a mismatch don't click on the link. Watch out for signs like spelling mistakes, bad grammar or jumbled letters in the URL
Delete added beneficiaries from your account if it is no longer required
Disable functionality on your computer or browsers that remembers log on details
Keep your system and web browser updated. Manufacturers regularly release security patches when weaknesses are discovered in their systems and browsers. Check with your software provider for these updates on a regular basis.
Always type our URL in the browser to reach the HSBC website.
Check the padlock symbol and site certificate. Double-click the padlock symbol at the bottom of your browser when you log-in to HSBC Online Banking to ensure the site certificate belongs to HSBC. This will ensure you're not being duped into entering your details on a 'fake' site.
Check your accounts regularly. If in doubt about any transactions, note the details and call us.
Always log-out after using online banking. Just select the log out button and never leave your PC unattended while you're logged in to the service.
Search wisely on internet if you're looking for customer care numbers of banks, online shopping websites etc. Fraudster manipulate searches to return results with mobile numbers operated that they operate. You may be tricked into calling the fraudster instead of bank's customer care number or the e-commerce website.
Store your bank's contact center number on your devices or refer to the number written on the back of your credit/ debit card.
Be cautious of screen sharing applications on your personal computer or mobile devices. Fraudsters might trick you into downloading such applications and gain access by seeking the code from you. Once access is permitted, they can view and control your device remotely, and even execute payments from your accounts.
Secure your internet connection. Always protect your home wireless network with a password.
Be cautious about schemes/ offers that need you to collect money in your account even for a commission or help. They fraudsters could send proceeds of crime into your account and ask to you to transfer the money or provide cash to them. Fraudster do not want themselves in the money trail and may use you as money mule.
Contact the bank immediately to report a fraud.
Keep your mobile banking application updated. To download it and to do any updates on it, visit the official app store of your device.

Don'ts

Do not choose a password that you use for other services. Your password should be unique to internet banking
Do not disclose details like your UserID, password, card number, expiry date CVV, etc. on webpages which open up when links in the email/ SMS are clicked inadvertently.
Do not respond to messages asking for such details even if they are claiming to be from bank employees or from government bodies like I.T. Dept., RBI etc. No staff of HSBC will ever call and ask you for these details.
Do not write your internet banking username together with your password. Do not write your password in a recognizable format and never leave your log on details with your physical Security Device/Digital Secure Key.
Never download mobile banking/ payment applications from the links in emails from untrusted sources.
Be cautious of storing your card number and expiry dates on online websites. Do not store these details on untrusted websites of rarely used websites.
Never share your PIN with anyone. Use it yourself. In case you suspect that your PIN is compromised, change it immediately.
If you're asked for a UPI PIN, remember, you are making a payment. You do not need a UPI PIN to receive a payment.

Always

Log out if you leave the computer, even if it is just for a moment. If possible, do not leave the computer unattended while you are still logged in.
Delete your browsing history before you log out of the computer: Internet browsers store information about your passwords and the pages that you visit. Go to the tools menu of the internet browser and select options or internet options. Make sure that the browser has any auto complete function turned off, delete any cookies, and clear the history.
Try to avoid using public computers to do your banking if you can help it, including those at libraries, internet cafes and schools.
Avoid typing in sensitive information. Even if you follow all the precautions, a public computer may have malicious software called a keystroke logger installed on it. These programs can steal your password, credit card number and bank details. Avoid doing any financial transactions that could reveal sensitive information.

If you are a victim of any fraud on your bank account / card, you should report it to the bank immediately to protect your account from further loss Contact US.

After reporting the fraud with bank, we urge you report it to police immediately. If you are a victim of Cyber Fraud, report it to Citizen Financial Cyber Frauds Reporting and Management System (www.cybercrime.gov.in).

This portal is an initiative of Government of India to facilitate victims/complainants to report cyber-crime complaints online. This portal caters to complaints pertaining to cyber-crimes. Complaints reported on this portal are dealt by law enforcement agencies/ police based on the information available in the complaints. It is imperative to provide correct and accurate details while filing complaint for prompt action. Please contact local police in case of an emergency or for reporting crimes other than cyber-crimes.

To report via telephone call, dial 1930 for cybercrime helpline.

For convenience and security of your card, use our card control feature in the mobile bank to enable / disable transaction types such as POS/ ATM/ Online/ Contactless across domestic and international usage. You can also set your own preferred per transaction limits across these types if you prefer you keep this on. The changes are applied instantly.

Debit card: in your mobile app, select account, select ‘Manage cards’ > click ‘Transaction and limits’ > use the features across domestic and international usage.

Credit card: in your mobile app, select credit card > click on ‘View more’ > click ‘Manage cards’ > click ‘Transaction and limits’ > use the features across domestic and international usage

Steps to set card transaction limits

Video transcript Download video transcript for "Card Control Demo video" This link will open in a new window

Steps HSBC has taken for online security

Multi-layer log on verification

Your financial information is protected by a sophisticated combination of a unique username and password, as well as a one-time security code generated by your physical Security Device or Digital Secure Key.

Transaction verification

3D secure transactions on cards help secure the transaction and the trust in the payment system. Never share the OTPs generated for transaction with anyone.

128-bit Secure Socket Layer (SSL) encryption

HSBC uses 128-bit Secure Socket Layer (SSL) encryption for information transmitted during an internet banking session, which is accepted as the industry standard for encryption.

Automatic 'Time-out' feature

As a security measure, your internet banking session will automatically shut-down or time-out out after a period of not being used. You should always close your internet banking session when you have finished.

Security Device / Digital Secure Key

Your physical Security Device/Digital Secure Key takes online security to higher levels. To log on to your account you need to enter your existing username and password as usual, followed by the unique security code generated by your physical Security Device or your Digital Secure Key. This 2-step authentication process provides you with an enhanced level of security when you access your internet banking.

Online security and secure usage guidelines

Type of fraud

More Information

Your role in online security

Practice these Dos & Don'ts to ensure internet banking security

Be alert while using public computers

Online security and secure usage guidelines in other languages

Fraud Awareness messages and tips from Reserve Bank of India

Are you a victim of Cyber Fraud ? Report it immediately

Card control feature in the Mobile app for security and convenience: