Top of main content

Internet and online banking frauds

Protect your data

Fraudsters commonly target online banking customers. They might try to collect your personal data and use it or sell it. To protect you from this, HSBC set up an effective system for fighting fraud.

Common fraud

Phishing: fraudulent email

The aim with this approach is to collect your personal and confidential data by email, with a link to a fraudulent website:

  • fraudsters might pretend to be your bank, sending emails in order to collect confidential information, such as your card numbers, passwords or personal identification codes to access your online banking account
  • you’re often asked to enter your personal data into a fake website where it can be collected by the fraudster. Fake websites can look genuine. You might see the familiar logo and same design and this can increase your trust and lower your suspicions

Good to know. Phishing isn’t limited to emails. It can also be done via post or phone calls.

Vishing: voice phishing technique

The aim of vishing is to extort information from you during a phone call:

  • fraudsters use a voice server inviting you to call a number, often connecting you to an automated system. The system asks you for as much personal or confidential information as possible
  • fraudsters may call you directly, claiming to be acting as one of your bank’s partners and that there’s an issue with your bank account. They might tell you there’s been a fraudulent payment on your account, and then ask for your personal bank details or confidential codes, such as your 3D Secure code or temporary log on codes for your online banking services

Smishing: SMS phishing technique

Smishing is where a fraudster tricks you into clicking on a malicious link sent by SMS. By activating the link, viruses can access your information and steal passwords and other valuable data.

Malware: malicious software uploaded to your device

Malware is a type of virus developed with a malicious intent, often infecting a computer without your knowledge. It can be delivered through email with an attachment to download, or downloaded from a fraudulent website. It allows scammers to steal confidential data, such as log on credentials for online banking or your bank details.

Malware is also the generic name for a number of malicious programs, such as  Trojan horse, worm, keylogger and many others.


Ransomware is a virus derived from malware. It can block access to your electronic devices (computer, tablet, smartphone) and encrypts your files, in order to ask you for ransom money. It usually encrypts personal files, making it impossible to access your information. You’re then redirected to a screen asking for payment in exchange for a deciphering key or to avoid having the data deleted. Depending on your company, the virus can spread throughout the network.


The fraudster forces your computer to access a fraudulent website every time you enter a real website URL into your browser’s address bar. Fraudsters then collect all of the data, including passwords, that you have used on the fake website.

High risk investment scams

The fraudster forces your computer to access a fraudulent website every time you enter a real website URL into your browser’s address bar. Fraudsters then collect all of the data, including passwords, that you have used on the fake website. 

Fake investment scam losses can be significant.

When traditional investments don’t pay much, it’s tempting to look for other, more profitable solutions. Fraudsters exploit this situation by offering the following:

  • unrealistic promises of profitability
  • fake investments in new sectors (wine, cryptocurrencies, diamonds or animal stock)
  • fake financial advisors, using faked accounts, to offer fake savings accounts or debt consolidation loans

Fraudulent investments promising significant returns can relate to:

  • foreign exchange currency market (Forex), usually open 24/7
  • binary market: speculation on securities growth, over a short period of time
  • savings products paid at ‘inflated’ rates

From the first payment you make, the money is used to pay fake returns on investments to other savers. This scam is sometimes called ‘Ponzi scheme’. Each saver has to find new investors, and the new payments received are used to pay the others. When the fraudster can’t obtain new payments anymore, or is asked to repay funds back, they usually disappear with the money. 

Cheques fraud via social media

Fraudsters try to lure you on social media networks such as Instagram©, Facebook© or Snapchat©.

They’ll contact you and try to gain your trust, and then pretend they can’t use their bank accounts and ask you to pay cheques into your own account, in exchange for financial compensation.

After the cheque has cleared, they’ll ask you to transfer the money back to one of their accounts. Unfortunately, the cheque won’t clear and is returned by the bank. The money you sent to the fraudster’s account will be lost.

Warning: in addition to financial loss, you can be held responsible and sued in this type of fraud, due to your involvement in a fraudulent network.

Romance scams

Fraudsters usually contact you through dating websites, but also on social media.

They’ll work towards gaining your trust before asking you to send them money via bank transfer, a money transfer business or a prepaid card to top-up. It’s often done on a pretence of a personal or financial issue.

Additionally, so that they can reassure you, they may ask you to cash a cheque, but it come will be returned by the bank unpaid.

Mortgage fraud

After an enquiry on a credit comparison platform, you’re contacted again by email or by phone by a representative pretending to be an HSBC employee, with the intent of: 

  • gaining your trust to collect and use your personal data
  • confirming information about the credit you applied for (amount of deposit, duration of credit repayment, etc) and offer an attractive rate meeting your needs
  • requesting all the necessary documents (copy of your national ID card or passport, payslips, proof of address)
  • asking you to a transfer money for administrative fees or a deposit

It should be noted that fraudsters won’t suggest a branch appointment. Instead, they’ll ask you to send confidential documents or to make a payment for fees or a deposit.

Good to know: after an enquiry on the comparison platform, HSBC will only call you back to confirm the information you gave on the website and book an appointment at a branch. You’ll then receive a confirmation email for the appointment with a list of the paperwork you need to bring. HSBC will only contact you from an email address finishing with and will never ask you to make a transfer for possible administrative fees or a downpayment.


With the high returns of cryptocurrencies and the surge of bitcoin popularity, it’s important to be aware of several key points that were subjected to a warning by the Financial Markets Authority:

  • high volatility of cryptocurrencies/Bitcoins can lead to a significant drop in value. As a result, investors put themselves at risk for very significant loss risks should there be a downward correction and have no guarantee or protection of the invested capital
  • to this day, the purchase/selling and investment in cryptocurrencies/Bitcoins is made outside of any regulated market. They can’t be described as currency, nor be considered as ways of payment in the legal sense of the term. As a result, the cryptocurrencies/Bitcoins investors don’t benefit from the protective legal framework and security, especially applicable to means of payment
  • cryptocurrencies are stored in electronic portfolios. This retention mode is open to the risks of hacking, often with little recourse against hackers

The good habits

Be cautious when you receive an email

  • never open the link included in an email asking you to connect to a merchant’s website to make a payment. You should manually enter the merchant’s website address instead
  • don’t reply to questionable emails using the details or identity of HSBC. Never give information to the sender such messages. Quickly alert your account executive or your HSBC Customer Relationship service (see useful contacts)

Protect your devices

To keep your payments safe, it’s important to secure your devices (computer, mobile, tablets).

  • always update your device and use the latest operating system
  • install anti-virus and firewall software
  • don’t make any payments if you think you have a virus on your device
  • only download programs and content from reliable sources
  • install Trusteer Rapport for free (online banking and Elys PC customers) or Webroot (HSBCnet customers) for specialist software in the fight against banking malware and fraudulent websites
  • choose a trusted internet provider and follow their security advice

Online banking: Secure your network

  • make sure the website is secure (https in front of the website address, or a closed padlock, a key icon in the browser)
  • protect your log on credentials and never tell or show them to anyone. Regularly change your memorable questions 
  • don’t lend your digipass or Secure Key
  • regularly log on to your online banking account to keep up with your debits and credits and look out for any fraudulent transactions
  • click on the ‘log out’ button to securely log out of online banking button

Beware of some phone calls

  • never give your bank details, your confidential data (log on credentials or passwords) or any personal information by phone
  • don’t call a number that a stranger gave you
  • if in doubt, quickly contact your bank and block your card if needed (see useful contacts)

Beware of calls

  • contact your branch or call our customer relationship service to confirm the offer is genuinely from HSBC France
  • never provide any document or confidential information by email, phone or post
  • don’t agree to a bank transfer

High risk investments fraud

How to spot unrealistic promises and suspicious behaviours

  • the investment is perfect and reserved to a few privileged persons
  • the relationship manager is often persistent and is neither interested by the savings needs, or by the victim’s financial situation
  • they insist you quickly make the first payment
  • always be suspicious of offers that sound too good to be true


No evidence of fraud?

Before investing, it’s important to conduct some basic checks - is this website known and genuine? Is this relationship manager registered with the authorities? It’s important to have a thorough knowledge of the investment product before you invest your money. You can find a black list of the fraudulent websites on the Autorité des Marchés Financiers’ website

If you’re contacted by someone pretending to act in the name of a well-known financial institution, check if the offer is real by visiting a branch or by calling an official phone number. Don’t call the number appearing on the fraudulent offer. 

Be cautious with websites that could tempt you with a bogus portfolio growth.

Some websites can give you a lot of information, including details about invested amounts. Be wary of high profitability forecasts, presented with graphs and financial dashboards as well as the use of fake certifications and reassuring messages such as references and comments.

Learn more by visiting the AMF (Autorité des Marchés Financiers) website. The AMF issued some advice to prevent this type of fraud

Cryptocurrency: focal point

If you have questions or doubts, contact the AMF or the ACPR (French Prudential Supervision and Resolution Authority) in accordance with the provisions of the AMF
press release available for consultation on the link below:

To get updates and share your ideas, join us.