Top of main content

What is "phishing"?

Online criminals are after your money. Here are some ways to help protect yourself

What is phishing?

Phishing is when a criminal sends you an email / SMS that tries to get you to give them your passwords and bank details or clicks the embedded links, QR code or file attachment to implant malware to the victim’s device. The email / SMS will say it is from a legitimate organisation like a bank, online payment service or online retailer. It often looks very similar to an actual email / SMS sent by those companies, and it will contain a link or QR code that takes you to a website that also looks very similar to the organisation's genuine site.

Once you arrive at the fake site, it will usually prompt you to enter personal security information, such as your account number, PIN, security code or one time passwords (OTPs). The phishing site records everything you enter, and then uses your information to steal your money.

To spot a phishing email / SMS, ask yourself the following questions:

Smart Tips
  • Does it request personal information, like a credit card number or account password?
  • Were you expecting this message?
  • Does it have an attachment?
  • Does it ask you to do something unusual, like transfer money to an unknown source, or email / SMS your account details to someone?
  • Does the sender’s email address or phone number match the name of the company that it claims to be from?
  • Is your email address or phone number different from the one that you gave that company?
  • Was it sent or cc’d to more than just you? 

How can I tell if I'm being phished?

Fake websites:

  • won't show the padlock symbol in the address bar when you log on
  • are poorly designed, with typos or bad spelling and grammar
  • have a different look and feel than the company’s regular website

Phishing SMSes/emails:

  • make false claims pretending to be from the bank – e.g. fake incentives/rewards, and notifications of new payee/recipient or payments when you haven't done so
  • include a hyperlink requesting you to log on or enter sensitive personal information
  • could make use of spoofing tactics that mimic the bank as the sender of the message

What should I do if I'm being phished?

If an email / SMS looks suspicious, don’t reply to it. Don't click on any links. Don't open any attachments. We would never send you any messages with a link requesting that you log on to online banking or provide your usernames and passwords. And if you do receive a message claiming to be from HSBC and asking you to provide your account credentials or sensitive personal information, report it to us via our customer service hotlines immediately.

HSBC Jade customers: (852) 2233 3033

HSBC Premier customers: (852) 2233 3322

Other customers: (852) 2233 3000

Alternatively, send us an email at to report a problem. Just forward us the email, smishing text or website address (URL) you received. You'll receive an automated response from us when we've received your email.

Security tips from HKMA

Protect your Personal Digital Keys; Beware of Fraudulent Links!

In this digital age, it is important to keep your Personal Digital Keys safe. They are your account credentials (eg online banking username and password, one-time passcode, and credit card credentials) and other sensitive personal information (eg your HKID number and date of birth). Please keep them well-protected as you would do with the keys to your home.  If fraudsters manage to steal such information, it could result in financial loss. Remember to keep your Personal Digital Keys safe!

Learn more about other security tips on HKMA website.

This link will open in a new window
A banner with protect your Personal Digital Keys Beware of Fraudulent Links;