HSBC App phishing scam targeting workers using SMS during Covid-19 outbreak

A new HSBC-branded phishing scam is doing the rounds, targeting workers with a fake text message and directing them to a scam website. Cyber experts warn of the risks.

by Patrick Sullivan, Political Editor on 9 July 2020 14:57


UK workers are being targeted by a new SMS phishing scam designed to trick victims into handing over details of their HSBC bank account. The scheme, uncovered by a leading law firm, begins with a text message purporting to be from HSBC, the multinational banking and financial services organisation, telling the target that ‘a new payment has been made’ through the HSBC app on their phone.

The message tells the victim that if they were not responsible for the payment, they should go to a site called “” to validate their bank account.

They are then directed to a fake landing page, which asks for their username and password, followed by a series of verification steps. The fraudulent site, which uses official HSBC branding, then asks for specific account details and personal data of the individual.

The law firm's research team, which liaises with over a dozen accountancy groups and financial support teams across London, has seen a spike in reports of the scam, with an estimated 47 people coming forward to say they have received the text message so far.

Some workers have identified the scam because they do not even have an HSBC app installed on their phone. There are currently no reports of the scam being successful.

Cyber expert Chris Ross, SVP, Barracuda Networks, said: “This is the latest in a long line of increasingly sophisticated phishing scams, designed to trick the victim into handing over their personal financial details. As so often with these schemes, the text message is designed to frighten the recipient into clicking on the link and entering their username and password without reviewing the legitimacy of the URL. Increasingly, we are seeing examples of cyber criminals using the branding of major banks to create realistic-looking fake websites, in order to extract personal financial information, often catching the victim’s attention by warning them about unauthorised payments from their account.”

Ross continued, “Tackling this problem requires all companies and their employees to remain vigilant against such scams. SMS messages are often used by criminals to catch workers off-guard, using their personal mobile number. Ensuring security awareness within the workforce is also critical, and it’s important that all employees are trained about how these schemes operate as well as how SMS messages can be exploited as part of a wider phishing scheme designed to steal company funds and data.”

Meanwhile, Andy Harcup, VP, Absolute Software, comments: “The Covid-19 outbreak has led to a sharp rise in phishing scams, with fraudsters impersonating banks in order to extract personal financial details of victims, many of whom are under extreme financial pressure. Failure to identify and block these kinds of attacks could lead to severe data breaches for businesses, particularly if the recipient of the request hands over usernames and passwords to the company account. With millions of people now working from home for the foreseeable future, often using personal phones and newly purchased laptops, the threat posed by hackers is higher than ever.”

Harcup continued, “Addressing this issue requires a robust system in place to protect the end-points in use across the company network, to ensure that the latest encryption and security updates are installed and to track, freeze and wipe devices in the event of loss or theft, keeping hackers locked out.”

A recent report from cyber security firm Centrify revealed that around half (48%) of UK businesses have admitted their cyber security policies are unfit for purpose. Andy Heather, VP at Centrify, warned that remote workers are a 'desirable target' for fraudsters.
