HSBC App phishing scam using SMS during COVID-19
UK workers are being targeted by a new SMS phishing scam designed to trick victims into handing over details of their HSBC bank account.
The scheme, uncovered by litigation specialists Griffin Law, begins with a text message purporting to be from HSBC, the multinational banking and financial services organisation, telling the target that ‘a new payment has been made’ through the HSBC app on their phone. The message tells the victim that if they were not responsible for the payment, they should go to a site called “Security.hsbc.confirm-systems.com” to validate their bank account.
They are then directed to a fake landing page, which asks for their username and password, followed by a series of verification steps. The fraudulent site, which uses official HSBC branding, then asks for specific account details and personal data of the individual.
Griffin Law’s research team, which liaises with over a dozen accountancy groups and financial support teams across London, has seen a spike in reports of the scam, with an estimated 47 people coming forward to say they have received the text message so far. Some workers have identified the scam due to the fact that they do not even have an HSBC app installed on their phone.
There are currently no reports of the scam being successful.
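The hostname quoted in the text message places "hsbc" to the left of an unrelated registered domain (confirm-systems.com), which is why it can pass a quick glance. The Python below is an added example, not part of the original article or Griffin Law's research: it pulls hostnames out of an SMS body and checks them against an allowlist with a dot-boundary suffix match. The allowlist entries, function names and sample message are assumptions constructed for illustration.

```python
import re

# Assumption for this example: domains the bank actually uses for customers.
# Maintain the real list from the bank's own published guidance.
OFFICIAL_DOMAINS = {"hsbc.co.uk", "hsbc.com"}
BRAND_LABELS = {"hsbc"}

# Constructed sample, paraphrasing the message described in the article.
SAMPLE_SMS = ("HSBC: a new payment has been made through the HSBC app. "
              "If this was not you, visit Security.hsbc.confirm-systems.com "
              "to validate your account.")

# Matches http(s) URLs and bare hostnames such as the one in the SMS.
HOST_RE = re.compile(
    r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:?#]\S*)?", re.I)

def extract_hosts(sms_text):
    """Return lower-cased hostnames found in an SMS body."""
    return [m.group(1).lower() for m in HOST_RE.finditer(sms_text)]

def is_official(host):
    """True only if host equals an official domain or is a subdomain of one.
    The leading dot stops 'nothsbc.co.uk' from matching 'hsbc.co.uk'."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def classify(host):
    """Return 'official', 'brand-impersonation' or 'unrelated'."""
    if is_official(host):
        return "official"
    # The brand name appearing in any label of a non-official host is the
    # pattern used here: brand on the left, attacker's domain on the right.
    if any(b in label for label in host.split(".") for b in BRAND_LABELS):
        return "brand-impersonation"
    return "unrelated"

def scan_sms(sms_text):
    """Map each hostname found in the message to its classification."""
    return {h: classify(h) for h in extract_hosts(sms_text)}

if __name__ == "__main__":
    for host, verdict in scan_sms(SAMPLE_SMS).items():
        print(f"{host}: {verdict}")
```

The check reads the hostname from right to left: only the rightmost labels identify who controls the site, so a brand name further left carries no weight.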
Chris Ross, SVP, Barracuda Networks, added: “This is the latest in a long line of increasingly sophisticated phishing scams, designed to trick the victim into handing over their personal financial details. As so often with these schemes, the text message is designed to frighten the recipient into clicking on the link and entering their username and password without reviewing the legitimacy of the URL.
“Increasingly, we are seeing examples of cyber criminals using the branding of major banks to create realistic-looking fake websites, in order to extract personal financial information, often catching the victim’s attention by warning them about unauthorised payments from their account.
“Tackling this problem requires all companies and their employees to remain vigilant against such scams. SMS messages are often used by criminals to catch workers off-guard, using their personal mobile number. Ensuring security awareness within the workforce is also critical, and it’s important that all employees are trained about how these schemes operate as well as how SMS messages can be exploited as part of a wider phishing scheme designed to steal company funds and data.”
Andy Harcup, VP, Absolute Software, commented: “The Covid-19 outbreak has led to a sharp rise in phishing scams, with fraudsters impersonating banks in order to extract personal financial details of victims, many of whom are under extreme financial pressure. Failure to identify and block these kinds of attacks could lead to severe data breaches for businesses, particularly if the recipient of the request hands over usernames and passwords to the company account.
“With millions of people now working from home for the foreseeable future, often using personal phones and newly purchased laptops, the threat posed by hackers is higher than ever. Addressing this issue requires a robust system in place to protect the end-points in use across the company network, to ensure that the latest encryption and security updates are installed and to track, freeze and wipe devices in the event of loss or theft, keeping hackers locked out.”