Online security

Cyber-attacks have increased steadily in recent years. With criminals constantly devising new ways to steal information and money, one of the newest emerging threats is business email compromise fraud.

What is business email compromise?

Business email compromise can happen when a fraudster sends an email to your company impersonating a contractor, supplier, creditor or even someone in your senior management. For example, the payments team may receive:

• An email appearing to be from the CEO asking that an urgent payment be made. This is often accompanied by a request for secrecy, directing the recipient not to discuss the matter with anyone else.
• An email from a supplier advising that their account numbers have changed and instructing all future payments be sent to the new account.

Since the sender's email may closely match a known address, this type of fraud often goes unnoticed until it’s too late. Cybercriminals may even hack into a real email account, making fraudulent requests hard to identify.
Also known as:

• CEO Fraud
• Chairman Fraud
• President Fraud
• Imposter email
• Payment redirection
• Whaling

How you can take action

Start by making your payments team and/or relevant staff aware of this type of fraud so they can be on the look out for it.
We also recommend that you:

• Implement a two-step payment verification process
  Before processing payment requests, conduct a non-email check with the person who has sent the payment request to verify that the request is genuine (e.g., phone, instant message).
• Always use verified contact details to follow-up
• Don’t reply directly to the email.
• Don’t use any phone numbers or other contact information included in the email.

Business Email Compromise in the real world

Actual business case: $400,000 loss

A company’s payment team received an email, claiming to be from the CEO, asking that payments be set up for new beneficiaries. A member of the team created and authorised the payments. By the time the team realised that the requester's email address did not exactly match the CEO's, it was two days later and the perpetrator had stolen nearly $400,000.

Your information is valuable

The scam can appear even more convincing if thieves obtain information about a company's leaders and finance team, for example from the firm's website.

Social media posts may also tell them when senior staff are away from the office at meetings or conferences. Fraudsters see that as an opportunity to send their emails because it's difficult for the recipient to check whether the request is genuine.

How to help keep your business safe:

• Make sure your employees are aware of this type of fraud.
• Implement an internal two-step payments verification process that includes a non-email check with the requester.
• Phone the requester using a verified phone number to follow up an email request.
• DON’T reply directly to the initial email.
• DON’T use any phone numbers or other contact information included in the email.
• Check email addresses match your internal records exactly.
• Be on guard for payment requests that are unexpected or irregular, whatever the amount involved. If in doubt, don't make the payment.
  

To learn more about business email compromise, watch the ‘Talking business email compromise’ video below.
If you suspect you’ve been a victim of a business email compromise fraud, please contact your local HSBCnet Support Centre immediately.

With cyber attacks against businesses steadily increasing, you should be wary of any requests from suppliers (via e-mail, phone, letter or otherwise) to change their bank details. While these requests may be genuine, they may also be an attempt to divert payment funds to a fraudulent account, sometimes through hacked or spoofed e-mails.

What you need to know

Increasingly, fraudsters are disguising themselves as legitimate suppliers and asking unsuspecting customers to change the bank account information they have on record.

As a precaution, if you get such a request, always take the extra step of checking directly with your suppliers.
You can do this by:

• Calling a trusted source in your supplier’s company on a known phone number (not one that’s listed in the document requesting the change of bank details)
• e-mailing your supplier on a known e-mail address; don’t respond to the e-mail address which sent you the bank details change

In some cases, the fraudulent request to change supplier information or make a payment to an unfamiliar account may appear to come from your own organisation’s CEO, president or other administrator, again through a hacked or spoofed e-mail.

When reviewing any type of payment instructions from an internal source, make sure the request uses your organisation’s official channels and follows authorised processes and procedures.

Find out more

For more information on this type of fraud, watch our ‘Learn about payment diversion fraud’ video below.
If you suspect you have been the victim of fraud, contact your HSBC representative immediately.

Social engineering

Do you know who you're actually talking to on the other end of the phone? Does an e-mail or text message look genuine? Be vigilant. Criminals now have various clever ways to steal information for fraudulent purposes. These tactics are known as social engineering, and it's on the rise.

What you need to know

Fraudsters use various techniques to get information, including:

Vishing (telephone scams)

Fraudsters will often create a sense of panic to get a quick response over the phone. They may pretend to be a colleague or a customer in a rush or requiring urgent assistance.

Fraudsters may call you pretending to be from HSBC. The number they’re calling from may even show up on call display as an HSBC number (this tactic is known as ‘caller ID spoofing’). They may try to direct you to take actions which would enable unauthorised payments to be sent to the fraudster. This could include providing security codes generated from your Security Device.

Phishing (e-mail scams)

e-mails may create a sense of fear, urgency or opportunity to encourage recipients to click on a link or open an attachment that then infects their machine with a virus or malware. This then allows fraudsters to steal information or money and/or disrupt a computer system.

While many fraudsters act randomly, some target specific groups of employees or customers. This is called spear phishing. One example is CEO fraud, where criminals impersonate senior executives and instruct colleagues to transfer money to them.

Another tactic is payment diversion fraud. Frausters will send an e-mail claiming to be from a supplier. It says its bank details have changed so funds should be transferred to another account instead. Don't reply to these e-mails. Always take the extra step of verifying any requests through an alternative communication method.

Smishing (SMS text scams)

Text messages may claim that your bank suspects there has been fraudulent activity on your account, that you are in trouble with tax authorities, or have won some money.

Smishing texts typically request urgent action, which often means clicking on a malicious link that in turn enables data theft. Spam filters stop many phishing e-mails from reaching inboxes, but no mainstream solution yet exists to prevent texts from reaching their intended target.

Under no circumstances will HSBC ever ask you to divulge any of your security details over the phone, by text message or via e-mail.

What you can do

It is important that you raise awareness of the potential impact of social engineering within your organisation, and implement a policy for reporting suspected cases.

Top tips to help stay safe from social engineering

• Never share financial or company information with people you don't know
• Don't be rushed into making a quick decision
• Never click on links in text messages or e-mails, or open or download attachments, unless you are sure they are safe
• Be careful about the information you share on social media as this can provide fraudsters with many small pieces of information that make a bigger picture
• Always call phone numbers you know and have checked. If someone claims to be a colleague, check their name on your organisation’s staff directory and call them back on their internal number
• Forward any suspicious e-mails to hsbcnet.phishing@hsbc.com

Stay vigilant and report suspicious activity

If you’re ever doubtful about your HSBCnet activities or the authenticity of incoming telephone calls, texts or e-mails purporting to be from HSBC, contact your local HSBCnet Support Centre or HSBC representative immediately.

Malicious software (commonly known as ‘malware’) is coded with the intention of harming its target. Affecting private and corporate users alike, it can steal information, damage data, hijack website visits and spy on internet activity. Fraudulent redirection of internet banking users is an increasingly frequent form of attack.

It's important that you are aware of malware attacks and remain vigilant in knowing what these attacks may look like.

What is malware?

Malware describes any type of software that is created with the intention of harming its target. Malware can hide inside innocuous-looking software (trojans) or spread between machines without relying on user interaction (worms). It can be custom-designed to evade defences and execute specific tasks.

What do malware attacks look like?

With criminals constantly devising new ways to steal information and money, malware attacks also keep changing. We've put together a list of potential ways that you may experience a malware attack.

A fraud attack may be underway if you're:

• shown a pop-up window that asks you to enter your personal information - ie. your phone number, date of birth, etc.
• told that HSBCnet is unavailable AFTER you have entered your log on details.
• requested to use the yellow button on your security device during log on.
• shown a ‘Please wait’ screen when accessing HSBCnet.
• prompted repeatedly to re-enter your username, password or security code.
• presented with screens that look different from the screens you're familiar with.
• experiencing slower than normal response times when accessing HSBCnet.

What you need to know

It's important to be vigilant in your online activity to make sure that you remain protected. Malware is usually delivered via email 'phishing' or fraudulent links. Malicious apps and USB memory sticks can also compromise smartphones and computers respectively. Malware can stay hidden for months until activated.

Internet banking users might be redirected to fake sites which record their log on data to enable financial theft.

Types of malware:

• Spyware
• Ransomware
• Trojans
• Keyloggers

How to help keep your business safe:

• Put in place strong response, recovery and back-up processes.
• Run up-to-date anti-virus software on all machines in your organisation on a regular, scheduled basis. Frequent anti-virus scans can help minimize the risk of malware attacks.
• Keep your PCs, servers and associated hardware up to date, installing the latest security patches as they become available.
• Make sure that your staff avoid questionable websites, and know not to download free software / apps, run MS Office macros on email attachments, or use USB sticks, from unverified sources.
• Consider application whitelisting (blocking any software not already authorised).
• Use different passwords for different business applications.
  

If you suspect you have been the victim of fraud, contact your HSBC representative immediately.

Read our top 10 tips for staying safe online