Phishing scam targets HSBC app during pandemic

UK workers are being targeted by a new SMS phishing scam designed to trick victims into handing over details of their HSBC bank account.

The scheme, uncovered by litigation specialists Griffin Law, begins with a text message purporting to be from HSBC, telling the target that ‘a new payment has been made’ through the HSBC app on their phone. The message tells the victim that if they were not responsible for the payment, they should go to a site called Security.hsbc.confirm-systems.com to validate their bank account.

They are then directed to a fake landing page, which asks for their username and password, followed by a series of verification steps. The fraudulent site, which uses official HSBC branding, then asks for specific account details and personal data of the individual.

Griffin Law’s research team, which liaises with over a dozen accountancy groups and financial support teams across London, has seen a spike in reports of the scam, with an estimated 47 people coming forward to say they have received the text message so far.

Some workers have identified the scam because they do not even have an HSBC app installed on their phone. There have been no reports so far of the scam being successful.

HSBC UK responded to the findings by stating that it consistently monitors for unusual domain activity and is aware of this particular fake website, which has now been taken down.

"Scammers are unscrupulous criminals who use a range of sophisticated techniques to find and use information about their victims," read a statement from the bank. "We advise people to be wary of unexpected contact from their bank, and if they are in any doubt they should not click on links in unexpected text messages or e-mails and never reveal a secure key code to anyone."

HSBC added that it works alongside the industry and telecoms companies to identify and address the ever-changing techniques used by fraudsters, and has "implemented and continue to work on a number of new initiatives", such as tackling COVID-19 text message scams.

Chris Ross, senior vice president at Barracuda Networks, explained that this is the latest in a long line of increasingly sophisticated phishing scams, designed to trick the victim into handing over their personal financial details.

"Increasingly, we are seeing examples of cyber criminals using the branding of major banks to create realistic-looking fake websites, in order to extract personal financial information, often catching the victim’s attention by warning them about unauthorised payments from their account.

"Tackling this problem requires all companies and their employees to remain vigilant against such scams," he continued, adding: "SMS messages are often used by criminals to catch workers off-guard, using their personal mobile number."

Andy Harcup, vice president at Absolute Software, pointed out that the COVID-19 outbreak has led to a sharp rise in phishing scams, with fraudsters impersonating banks in order to extract personal financial details of victims, many of whom are under extreme financial pressure.

"With millions of people now working from home for the foreseeable future, often using personal phones and newly purchased laptops, the threat posed by hackers is higher than ever.

"Addressing this issue requires a robust system in place to protect the end-points in use across the company network, to ensure that the latest encryption and security updates are installed and to track, freeze and wipe devices in the event of loss or theft, keeping hackers locked out," he added.
