In recent times, there has been an increase in sophisticated phishing scams designed to trick victims into handing over their personal financial details. A similar SMS phishing (SMShing) attack has been observed targeting HSBC UK customers recently.

What happened

In the latest scam, cybercriminals used the branding of a major British bank, HSBC UK, to create authentic-looking phishing websites, in order to extract personal financial information during the COVID-19 pandemic.
  • In July 2020, litigation specialists Griffin Law discovered the scam campaign, which starts with a text message purporting to be from HSBC, informing the receiver that a new payment has been done through the HSBC app on their phone.
  • Then the targets are informed that if they have not made the payment, they should visit the (malicious) website (Security[.]hsbc[.]confirm-systems[.]com) to validate their bank account.
  • Upon clicking, victims are directed to a fake landing page that asks for their login credentials, followed by a series of verification steps, on a fraud website that uses the official HSBC branding. It also asks for specific account details and other financial information from its targets.

Recent attacks on HSBC UK bank

The combined growth of banking and digital technologies in the COVID-19 era has served cybercriminals with an ever-expanding attack surface. HSBC UK has also suffered several attacks by cybercriminals in the past few months.
  • In May 2020, a new variant of Grandoreiro malware was seen targeting multinational banking and financial services organizations such as HSBC UK, etc.
  • In April 2020, new versions of Android malware EventBot targeted several banks, including Barclays, Santander UK, HSBC UK, and others.

Security tips

Users should enable two-factor authentication on all business and personal email and bank accounts to prevent phishing campaigns, including business email compromise (BEC). Organizations should educate employees on how these malicious scams operate as well as how SMS messages can be exploited as part of a wider phishing scheme.

Cyware Publisher