Build a cyber-aware business

Common threats

Common types of online fraud

Business Email Compromise (BEC) fraud

A fraudster impersonates a contractor, supplier, creditor or senior manager and asks the company to change the details of a payment account. If the details are changed, subsequent payments go into the fraudster’s account instead of the intended beneficiary’s.

Phishing

A fraudster directs users to malicious websites that aim to steal their confidential personal or financial information so the fraudster can use it to access accounts.

Vishing

Also known as voice phishing: a fraudster posing as a trusted person phones a company and asks staff to take action that would enable unauthorised payments or reveal sensitive information.
Check out the FAQs below to learn more about these threats and how to prevent them.

Business Email Compromise (BEC) fraud

What is Business Email Compromise fraud?

  • Business Email Compromise (BEC) is a sophisticated scam that targets businesses that work with multiple suppliers, or that regularly make payments authorised by email from a company owner or senior executive (CEO or CFO). It happens when fraudsters impersonate contractors, suppliers, creditors or senior managers and ask the company to change the details of a payment account, so that legitimate payments are credited to the fraudster’s account instead of the intended beneficiary.

What should I look out for?

  • Emails from new or existing vendors who claim that their account number has been changed and ask for payments to be sent to the new account.
  • Emails from vendors claiming that payments must now be directed to a parent company in a different country.
  • Emails from a compromised email account held by the CEO/CFO that ask for payments to be made. (These fraudulent emails may coincide with the senior manager’s business travel or annual leave.)
  • Emails that come from a domain that looks similar to a legitimate source (e.g. @CompanyABC.com instead of @CompanyACB.com).
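The last indicator in the list above can be checked automatically. The following Python script is an added example and not HSBC's code: it compares the sender domain of an incoming address against an allowlist of domains the company actually deals with and flags near-matches. It goes slightly beyond the page by first folding common character substitutions (such as "0" for "o" and "rn" for "m") and then measuring edit distance, so that a transposed or swapped letter is caught. The allowlist (KNOWN_DOMAINS), the confusable-character table and the sample addresses are all constructed for illustration.

```python
"""Flag sender domains that look like, but are not, a known vendor domain.

Added example, not HSBC's code. The allowlist, confusable table and sample
addresses below are constructed for illustration.
"""
import re
import unicodedata

# Constructed allowlist: domains the company genuinely corresponds with.
KNOWN_DOMAINS = {"companyabc.com", "vendor-two.example"}

# Constructed table of substitutions fraudsters commonly use in look-alike
# domains, each mapped to the character it imitates. Multi-character entries
# must be applied before single-character ones.
CONFUSABLE_PAIRS = [
    ("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
    ("3", "e"), ("5", "s"), ("7", "t"),
]


def normalise(domain: str) -> str:
    """Lower-case, strip accents, and fold look-alike characters."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for look_alike, real in CONFUSABLE_PAIRS:
        d = d.replace(look_alike, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from 'user@host' or 'Name <user@host>'."""
    m = re.search(r"@([^>\s]+)", address)
    return m.group(1).lower() if m else ""


def classify_sender(address: str, known=KNOWN_DOMAINS, max_distance: int = 2) -> str:
    """Return 'known' (exact allowlist match), 'lookalike' (near-match after
    folding confusables, within max_distance edits) or 'unknown'."""
    domain = sender_domain(address)
    if domain in known:
        return "known"
    folded = normalise(domain)
    for k in known:
        k_folded = normalise(k)
        if folded == k_folded or levenshtein(folded, k_folded) <= max_distance:
            return "lookalike"
    return "unknown"


def flag_messages(addresses):
    """Return (address, verdict) for every sender that is not on the allowlist,
    so a reviewer sees look-alikes first and unknown senders second."""
    results = [(a, classify_sender(a)) for a in addresses]
    order = {"lookalike": 0, "unknown": 1}
    return sorted(((a, v) for a, v in results if v != "known"),
                  key=lambda r: order[r[1]])


if __name__ == "__main__":
    # Constructed sample senders, mimicking the indicator on the page.
    SAMPLE = [
        "accounts@companyabc.com",              # genuine vendor
        "Accounts <accounts@companyacb.com>",   # transposed letters
        "billing@c0mpanyabc.com",               # digit zero for letter o
        "billing@companyabc.co",                # truncated TLD
        "someone@unrelated.example",            # not a vendor at all
    ]
    for address, verdict in flag_messages(SAMPLE):
        print(f"{verdict:9s} {address}")
```

Keep the distance threshold proportional to the domain length: two edits is reasonable for a fourteen-character domain like the one on the page, but for a very short allowlisted domain it will flag unrelated senders, so tighten it (or require an exact match after folding) for short entries. A hit of "lookalike" is a reason to validate the request out of band, not proof of fraud.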

How can I avoid becoming a victim?

  • Be vigilant when dealing with requests to change the details of beneficiary accounts. Validate all requests by using other channels (e.g. call the person the request appears to come from on the contact number in your records, never on the contact number shown in the email).
  • Do not click “Reply” to respond to the email. Type the email address in or select it from your address book.
  • Establish internal control procedures for dealing with requests to change beneficiary details, and never amend payment information unless you are sure it is legitimate.
  • Never access your company email on a public device or using free Wi-Fi.
  • Review your email security settings. Use a strong password and change it regularly.
  • Educate your staff about fraud awareness.
  • Report any attempted fraud to the police or to our Commercial Banking Service Hotline: +852 2748 8288.

Phishing

What is phishing?

  • Phishing is where fraudsters send emails with malicious attachments, embedded links or URLs directing the recipient to websites that ask them to provide confidential personal or financial information. These emails may appear to come from a legitimate address, but they are designed to steal your personal information and then use it to access your accounts.

How can I avoid becoming a victim?

  • If you suspect that an email may be a phishing attempt, do not reply to the email and never click on any embedded links or URLs or open any attachments.
  • Delete the phishing email immediately.
  • Stay alert to SMS notifications about online payments and report any discrepancies immediately to our Commercial Banking Service Hotline: +852 2748 8288.
  • Download the Webroot anti-virus software from the Admin tools page on Business Internet Banking. This software (valued at USD 49) is free for all Business Internet Banking users.
  • Set up dual authorisation controls for transactions.

Vishing

What is vishing?

  • Vishing (also known as voice phishing) is when a fraudster, posing as someone in a position of trust (e.g. bank staff, the police, or a regular supplier or client), phones a company to try to obtain sensitive personal or financial information. They may already hold some information before the call, which they use to appear credible, persuade you to give them more, and direct you to take actions that enable unauthorised payments or disclose sensitive information (e.g. Business Internet Banking (BIB) logon credentials, ATM or phone banking PIN, email addresses, phone numbers).

What should I look out for?

  • Callers who mention colleagues' names, but the colleagues named are not people you typically work with or know.
  • Callers who claim to be "travelling" or say that their "battery has died" so they cannot access the company's phone directory or read company emails.
  • Callers who claim they are not available on the number you have on your records when you offer to call them back.
  • Callers who seem angry, overly nice or hurried when asking for sensitive information, or who threaten to "speak to your boss" if you don't give them the information.
  • Callers who try to coerce a company financial controller into:
    • sending money to another account (often for "safe keeping" or "holding")
    • withdrawing cash and handing it over to the fraudster for "investment".

How can I avoid becoming a victim?

  • If you suspect that a caller is vishing, ask for the caller's contact details and end the call. Then call them back using the contact number in your own records or official listings. If the caller claims to be from HSBC, validate the caller's information by calling our Commercial Banking Service Hotline: +852 2748 8288.
  • HSBC will never call you to ask for your PIN or to ask you to generate a Secure Key code by pressing the yellow button on your HSBC Security Device.
  • Be mindful about the information you share on social media.
  • Do not disclose hierarchical information in your out-of-office email responses.
  • Verify all SMS notifications from HSBC, and report any discrepancies to us immediately.
  • Set up dual authorisation controls for transactions.
  • Educate staff about fraud awareness.
  • If you have disclosed sensitive information to a suspicious caller, report it to the police. If you have disclosed internet banking credentials or a phone banking PIN, call our Commercial Banking Service Hotline (+852 2748 8288) immediately.

Call us on

+852 2748 8288
