This type of fraud happens when a fraudster gains access to your bank account and resets your passwords and any security numbers so you cannot access your account. They may change the phone number, address and email address connected to the account; this enables them to use the account as if they were a legitimate customer.
How it happens
Fraudsters gain access to your account by tricking you into divulging information, or by using malware attached to malicious links, text messages and emails to infect your device and over time, steal credentials that help them to gain access. Once they’ve accessed your account, they may change details, such as your address, phone number or email address to ‘lock you out’ and to use the account as if they were a legitimate customer. Fraudsters may attempt to order a new card and make fraudulent card payments, or they may try to transfer money out of your account. By reading through this guide, you will learn the tactics fraudsters use and know what you need to do to stop yourself and your business falling victim. We’ve included three main tactics used by fraudsters below:
Number spoofing
This is where fraudsters change the caller ID (the number they’re calling from), to clone or nearly clone an official number that may belong to your bank. The number may appear exactly the same or might be different by just one digit. Alternatively, they may call you from a withheld number.
Malware and Phishing
Fraudsters will use malicious software and links to steal personal information. This information will be used to trick you into thinking a call may be genuine, or, used to hack into your bank account.
Authorisation codes
No-one, including your bank, will ever instruct you how to use your physical or digital security device (also known as your secure key) or ask you for online banking authorisation codes.
How to protect yourself
Follow the advice below to help protect yourself and your business against Account Takeover fraud:
- If you receive information from your bank, about changes to your account that you haven’t made, contact them immediately to report it.
- Never give out your Online Banking usernames, passwords, Online Banking Authorisation Codes, or any One Time Passcodes (OTPs).
- Remember numbers can be spoofed and never rely on the caller ID to know who’s calling.
- For unexpected calls, don’t be afraid to return the call using an independently verified number, such as one from the caller’s official website. Use a different phone or call a known contact first to be sure the line is ‘clear’.
- Be wary of suspicious emails and text messages. Especially those which contain links and ask for information or contain attached files. Always validate these requests with the company directly, using the contact guidance above.
- Use multi-factor authentication where possible to ensure a fraudster can’t hack into your account with just your password. An example can be a security code which is sent to your mobile or email account every time you log-in to your email account.
- Keep your operating systems up to date and ensure you have a robust Internet Security programme which detects malware and enforces a firewall.
- Never download software from unofficial app stores e.g. websites and browser pop-ups.
- HSBC will never ask you to send back your card for a new card to be issued.
How to report it
If you believe you have been a victim of this type of fraud, please report it to us or your bank.
You should also report it to Action Fraud on 0300 123 2040 or via the Action Fraud website. If you are in Scotland, please report to Police Scotland directly by calling 101.