Helping you to protect your account against Cyber Crime

Common Cases

Here are a few common types of fraud and some security tips on how to avoid becoming a victim of a fraud incident.

Business Email Compromise (BEC) Fraud

The Business Email Compromise (BEC) is a sophisticated scam targeting businesses working with multiple suppliers and/or businesses that regularly perform payments using an email from a company owner (CEO or CFO) as the authority to carry out the payment. It occurs when fraudsters impersonate contractors, suppliers, creditors or senior management to make changes to the payment account, resulting in legitimate payments being credited to the fraudster’s accounts.

Examples of BEC attack

  • Emails from new or existing vendors who claim that their account number has been changed and request payments now be sent to the new account.
  • Vendors claiming payments must now be directed to a parent company in a different country.
  • An email from CEO/CFO asking to make payments but it turns out that the CEO/CFO’s email has been compromised. In some cases, these fraudulent e-mails received may have coincided with their senior management’s business travel / annual leave dates.
  • Email comes from a domain that looks very similar to a legitimate source (e.g. instead of

How can you avoid becoming a victim?

  • Be vigilant of requests to change beneficiary account details – validate any change request using additional channels (i.e. call back with your contact number record and never use the contact number stated in the email).
  • Do not use the “Reply” option to respond to the e-mail sent you for change of beneficiary account details. Type the email address or select from your address book.
  • Establish internal control procedures for change requests on beneficiary details and do not amend payment information unless you are certain it is legitimate.
  • Do not access your company email via a public device or free Wi-Fi.
  • Review e-mail settings (i.e. use strong password combination and change it regularly).
  • Engage staff in fraud awareness and education.
  • Report the attempted fraud at (852) 2748 8288 or the police.


This is where people receive emails directing them to websites where they are asked to provide confidential personal or financial information. Whilst these emails may appear to come from a legitimate site, these emails are designed to steal your personal information and use it to access your accounts. This is known as Phishing.

How can you avoid becoming a victim?

  • If you receive a suspicious phishing email, do not reply the email / click on any embedded URLs / open an email attachment.
  • Delete the phishing email immediately.
  • Stay alert on SMS relating to online payments, report discrepancies immediately at (852) 2748 8288.
  • Download Webroot anti-virus software from our Business Internet Banking – Admin tools page. HSBC is offering this software for free (Valued at USD$49) to all Business Internet Banking users.
  • Set up dual authorisation control.


Vishing (aka Voice Phishing) is a technique of social enginnering which involves a fraudster making phone calls to a company, posing as bank staff, the Police, regular supplier / client or other officials in a position of trust in attempt to obtain sensitive personal/financial information. They may have some information before the call so as to convince you to provide information and direct you to perform actions which will enable unauthorized payments or disclose sensitive information (e.g BIB logon credentials, ATM/phone banking PIN, email addresses, phone numbers)

Example of Vishing

  • The callers might provide some name of your colleagues, and they are not someone you typically work with or know.
  • The callers claim to be “travelling”, or their “battery has died” and they cannot access company phone directory or read company emails.
  • When you offer to call them back on the number in phone directory, they claim they are not available on that number.
  • The callers ask for the sensitive information mentioned above and they may be: angry / overly nice / in a hurry or they threaten to “speak to your boss”.
  • The call may be made to coerce a company financial controller into:
  • Sending their money to another account often purportedly for ‘safe keeping’ or ‘holding’;
  • Withdrawing cash and handing it over to the fraudster for investigation.

How can you avoid becoming a victim?

  • If you are suspicious, you should ask for contact details and initiate a call back using the contact number from your own records or official listings or terminate the call. If the caller claims to be from HSBC, you could call back on our official commercial banking service hotline (852) 2748 8288 to validate the caller information.
  • HSBC will never call you to ask you to generate a Secure Key code by pressing the yellow button on your security device or ask for your PIN number.
  • Be mindful of information shared at social media / Do not disclose hierarchal information in the out-of-office details.
  • Verify all SMS notification from the Bank, and report discrepancies to the Bank immediately.
  • Set up dual authorisation control.
  • Engage staff in fraud awareness and education.
  • If you have disclosed any sensitive information to a suspicious caller, report to the Police; if you have disclosed internet banking credentials or phone banking PIN, call (852) 2748 8288 immediately.

Call us on

+852 2748 8288

Call us on

+852 2748 8288

You are leaving the HSBC Commercial Banking website.

Please be aware that other site policies will differ from our website terms and conditions and privacy policy. The next site will open in a new browser window or tab.

You are leaving the HSBC Commercial Banking website

Please be aware that the external site policies will differ from our website terms and conditions and privacy policy. The next site will open in a new browser window or tab.