Top of main content

Latest scam warnings

On this page we'll regularly keep you updated about the latest types of scam.

If someone contacts you out of the blue by phone, email or text message:

Stop – taking a moment to stop and think before parting with your money or information could keep you safe.
Challenge – could it be fake? It's OK to reject, refuse or ignore any requests. Only criminals will try to rush or panic you.
Protect – contact someone you trust, such as a friend or family member and contact the company directly.

We also regularly post warnings about common scams on our social media channels FacebookInstagram and Twitter.

April 2022: Ukraine crisis

If you want to help the humanitarian efforts in Ukraine, we encourage you to give to registered charities. Not all websites and fundraising pages will be genuine.

As always, you should remain vigilant and follow the advice in our fraud guide.

We’re supporting the registered appeals set up in the UK to respond to the crisis. Find out how you can donate.

April 2022: Funky Pigeon cyber-attack

The online greetings card business Funky Pigeon has stopped taking orders after being hit by a cyber-attack.

It says no payment data is at risk and it doesn’t believe account passwords have been affected.

Anyone who has bought something from Funky Pigeon or has an account with the retailer is advised to:

  • update their security credentials on the Funky Pigeon website

  • check their accounts for any suspicious activity

  • be alert to suspicious contacts reporting to be from the retailer or HSBC asking for personal or financial details

Check our security centre to get online guidance on how to report any suspicious activity.

March 2022: Tax year scams

Fraudsters see key times in the tax year as an opportunity to make 'social engineering' attacks.

These can be: 

  • scam emails

  • scam texts

  • bogus phone calls

Her Majesty's Revenue and Customs (HMRC) has warned people to be on their guard as the end of the tax year approaches.

Watch out also for messages pretending to be from HMRC saying you've received a tax rebate and asking for your account details.

To spot a scam, look for these tell-tale signs: 

  • poor spelling and grammar

  • requests for confidential information such as online banking details, passwords or PINs

  • offers of money or rewards, like lottery prizes

  • warnings your account may be shut down unless you take some type of action

Read more about tax phishing scams.

February 2022: Phone call scams

One ploy that criminals use to try to bypass our fraud checks is to make contact with you directly.

This is typically a phone call, but can also be done using instant messaging services like WhatsApp or Facebook Messenger. 

Fraudsters pretending to be family and asking for money on Whatsapp or by text is very common at the moment.

Fraudsters find it easier to talk their victims into bypassing our checks than trying to do it themselves.

They gather personal and financial details using phishing or other techniques. When they call, they use those details to convince you they're genuine. 

Once a fraudster has found out what they need to know, they'll tell you to take actions that will compromise your account. 

These include: 

  • sharing one-time codes with them

  • replying to text alerts incorrectly

  • deleting your mobile banking app

Be careful when replying to text alerts. If you do so incorrectly, it could inadvertently confirm a fraudulent transaction as genuine. 

If someone tries to convince you over the phone to ignore the instructions in a text alert, that’s a tell-tale sign it’s a fraudster. You can check genuine HSBC messages here.

If you get a phone call out of the blue claiming to be from HSBC or another company, hang up and call back on a number you know to be genuine.

February 2022: Remote access takeover

This type of fraud starts with an unexpected phone call from someone claiming to be from a well-known company. They may say:

  • there's been an issue with a refund

  • they're trying to solve technical problems with your computer or Wi-Fi

  • you've fallen victim to fraud

The criminal will then tell you to download software or a mobile application to fix things.

They'll ask you to log on to online or mobile banking and share your screen using the remote access software you've downloaded. The fraudster can then take full control of the online or mobile banking session and use your details to steal your money.

No genuine company will ever call you out of the blue to ask for remote access to your devices.

Never give out any the following over the phone:

  • your personal details

  • payment details

  • online or mobile banking credentials

If you're not sure, always call the company back on a trusted number that you know to be correct.

Find out more about remote access takeover scams.

February 2022: Payment scams

With this type of scam, you get a call, email or text message claiming to be from the HSBC fraud team or another bank department. Fraudsters might also pretend to be from other financial organisations, your telecoms or utility provider or even the police. 

They say there have been fraudulent transactions on your account and tell you to protect your money by transferring it to a safe account. In most cases the money goes to another bank and sometimes to different accounts. 

The criminals will often warn that bank employees are part of the fraud and coach you not to trust them.

Being asked to lie to the bank about the reason for making a payment is a clear warning sign of a scam.

HSBC will never ask you to move money. If somebody is asking you to move money, it's a scam.

January 2022: Romance scams

Take extra care at this time of year to guard against romance scams.

Fraudsters are known to target victims around Valentine's Day, setting up fake profiles on dating websites, apps and social media.

These criminals exploit the emotions of their victims. First they try to appeal to your compassionate side, then they start asking for money.

Typically, they might tell you they live outside the UK and claim they need money to pay for the cost of travelling to see you.

Never send money to someone you've only met online.

If you think you've fallen for a romance scam, you can call us using the number on the back of your credit or debit card or report it to Action Fraud.

Find out more about romance scams

How one woman was scammed out of £100,000

December 2021: WhatsApp scams

Several UK banks are warning of the risk of WhatsApp scams.

Criminals pose as loved ones and send messages out of the blue, often pretending to be children asking for money urgently.

Trading Standards officers say the messages can be very convincing and plausible. 

There have also been reports of people mistakenly sharing their WhatsApp verification code. This can lead to their account being taken over and misused.

Always remain vigilant when using online platforms to talk to family or friends. If you're not sure that someone is who they say they are, the best way to check is to call them using a phone number you know to be genuine. By speaking to them verbally, you'll know it's their voice. 

If you receive a message out of the blue, remember:

  • don't reply

  • delete the message

  • forward it to your mobile operator on 7726

  • never share one-time passcodes used to check your identity

November 2021: Invoice redirect scams

Fraudsters have a new way of carrying out invoice redirect scams.

According to UK Finance, they're still intercepting emails between solicitors and clients about house purchases. However, instead of changing the beneficiary details on the invoice, they're emailing the house buyer to tell them to expect a call with updated payment details.

They then spoof the solicitor’s phone number to call the buyer and give the fraudulent beneficiary details.

Never change payment details in this way without first contacting the payee using a phone number you know is genuine.

If you do get a suspicious phone call, make sure you hang up and wait 15 seconds so the line is fully disconnected. Then wait another 15 seconds before beginning a new call, or use another device.

Never give any information if you're contacted unexpectedly by email, phone or text.

October 2021: Money mules

If you're starting university or a new job, you could be targeted by criminals asking you to move money for them.

Students are often approached to act in this way as a 'money mule' as they might be strapped for cash.

Don't be tempted.

Allowing money to be transferred through your bank account in exchange for payment is a crime. It might seem a harmless way to earn easy money - but it's feeding larger organised crime.

The fraudsters can seem genuine and you may have first seen the opportunity on a legitimate job site.

But once you start, you may be threatened or forced to continue.

Remember, acting as a money mule can get you into serious trouble:

  • you'll have problems applying for credit in the future

  • your bank accounts will be closed

  • you could even go to prison for up to 14 years

Find out more in our fraud prevention guide.

September 2021: NHS COVID Pass scams

Criminals are using the NHS COVID Pass to try to convince people to hand over money, financial details and personal information.

They're getting in touch pretending to be from the NHS and are also offering fake passes.

The genuine pass shows your coronavirus vaccination details or test results. 

Here's how to get one from the NHS.

For the latest guidance on coronavirus please visit the official government website.

If you believe you've fallen victim to this scam, contact us using the number on the back of your card.

September 2021: Never share one-time passcodes

Beware of criminals trying to steal your money using a one-time passcode (OTP) scam.

A one-time passcode (OTP) is a string of random characters and letter that you can use for a single transaction or log on session.

Never share these codes with anyone.

Fraudsters might ask you to share these codes by pretending to be someone you trust like your bank or the police. 

If this happens, hang up.

Fraudsters may call you, using clever techniques to disguise themselves. They do this by calling from numbers which may seem genuine but aren't. This is known as number spoofing.

We'll sometimes send you one-time passcodes for things that you know about. These are to be used to check that it's really you. We will never ask you to share these codes.

Genuine passcodes

Here's when you'll use a one-time passcode for things you've authorised:

  • you generate a code using your Secure Key to log on to online banking, set up a new payment, authenticate yourself in online banking or switch to a new mobile device

  • you've received an expected text or email with a one-time passcode to validate genuine activity such as an online transaction or setting up your card in a digital wallet like Apple Pay

Passcode scams

Fraudsters will ask you to share a one-time passcode which will allow them to impersonate you and try to steal money from your account.

They may claim that:

  • you need to share a code using your Secure Key to stop a payment debiting your bank account

  • you need to share a code received in an unexpected text or email to prevent a suspicious transaction

In reality they will use these codes to validate their fraudulent activity.

If you suspect a scam, please call us using the number on the back of your card.

June 2021: 'New payee' scams

Some customers have received bogus text messages claiming a new payment has been made via the HSBC UK Mobile Banking app. They were then asked to validate their bank details by following a link to a fake website in the text message.

Do not access the site or provide any information. Always go to hsbc.co.uk to log on to online banking securely.

If you believe you've fallen victim to this scam, contact us using the number on the back of your card.

You can check whether a text message is from us by visiting our Received a text page.

June 2021: Mobile phone upgrade scams

The National Fraud Intelligence Bureau (NFIB) is warning of a cold-calling scam. The criminals impersonate employees of legitimate mobile network operators and suppliers.

Victims are offered early handset upgrades or new contracts at significant discounts. Once victims have been convinced that the deals are genuine, the fraudsters then ask for their online and mobile banking credentials, including their log on, address and bank account details.

Here's what you should do to protect yourself:

  • if you receive a cold call about handset upgrades and contracts – hang up and do not reveal any personal information

  • you should only contact your mobile network provider on a phone number that you know to be correct

  • if you receive a device that you didn't order or expect - look for the genuine sender's details, which will be within the parcel, and call them immediately

  • never post a device directly to a given address – genuine mobile network operators would send you a jiffy bag so you can return it without your incurring additional costs

June 2021: Safe account scams

Beware of criminals phoning and asking you to move money. If someone calls you and asks you to move money, don't. Even if it's to another account you already hold.

Remember: we'll never ask you to send money to a 'safe account' or to another bank.

If you get a call like this, even if they say they're from HSBC, don't make the payment. Call us using the number on the back of your card.

We'll never ask you to send money to a 'safe account', or to another bank. Criminals will.

Find out more about Authorised Push Payment scams.

May 2021: Delivery scams

Criminals are sending fake text messages and emails claiming to be from a delivery company.

They say they tried to deliver a parcel to you and ask you to click on a link to find out more or rearrange delivery.

Don't click on any links or give any information, especially personal or financial details.

If you think the message may be genuine, open a separate window and visit the company's website using an address that you know is safe. Once there, you can enter your tracking number to see if the message was genuine.

If you think the message isn't genuine, delete it.

Never give any information if you're contacted unexpectedly by email, phone or text. Contact the company separately using a phone number you trust.

Customers should also be aware that a malicious piece of spyware – known as FluBot – is affecting Android phones and devices across the UK.

The spyware is installed when a victim receives a text message, asking them to install a tracking app due to a 'missed package delivery'. The tracking app is in fact spyware that steals passwords and other sensitive data. For more on FluBot visit the National Cyber Security Centre website.

Contact us using the number on the back of your card if you've fallen victim to this scam.

May 2021: Secure Key scam

Bogus emails are being sent which claim to be from a HSBC and include a link to 'improve online services' of our Secure Key.

Don't click on any links or give any information, especially personal or financial details.

Forward the email to us at phishing@hsbc.co.uk and then delete the email.

You can find out more about how our Secure Key works.

If you've fallen victim to this scam, contact us using the number on the back of your card. 

March 2021: Police impersonations

There's been a steep rise in criminals impersonating police officers to commit fraud. 

They're spoofing genuine numbers and claiming to be local police. The criminals then usually use a safe account scam where they ask victims to make bank transfers.

Police forces in Leicestershire, Hertfordshire, Kent and Nottinghamshire have already reported this kind of activity.

If someone calls you and asks you to move money, don't, even if it's to another account you already hold.

The police and other trusted organisations will never ask you to send money to a 'safe account' or to another bank. Criminals will.

March 2021: Cryptocurrency scams

Fraudsters may tempt you with investment opportunities in cryptocurrencies. Before you invest, conduct your own research to make sure you understand the offer and how the investment works.

Some scams claim to be investing in cryptocurrency, but they're not paying a wallet provider. If they are paying a wallet provider, check the following:

  • how do you know the wallet is in your name and only you have access to it?

  • if the payment does go to a wallet you control, why are you being asked to move your currency to another wallet?

  • how can you keep the contents of your wallet secure and never share access details with anyone else?

Find out more about cryptocurrency scams from the national cybercrime reporting centre ActionFraud.

February 2021: Impersonation scams

We're seeing an increase in impersonation scams, where criminals pretend to be from trusted organisations.

They will contact you out of the blue via phone calls, emails or text messages. Common reasons given are:

  • you're eligible for a coronavirus vaccine

  • your National Insurance number has been compromised

  • you've received a tax rebate from HMRC there's been a suspicious transaction on your card or bank account

  • your account with a retailer has been compromised

If you think a phone call might be a scam (sometimes known as vishing), just hang up. Beware also of automated phone calls asking you to press 1 to speak to an adviser or manager. Generally these put you though to the criminals, but sometimes they just switch you to a premium rate call.

Email scams (also known as phishing) are unexpected messages that appear to come from a trusted organisation. If you receive an email you believe is suspicious, don't click on any links or open any attachments.

You should also watch out for fake text messages that look like they've come from your bank (sometimes called smishing). Delete any suspicious text messages and contact the organisation using a phone number you know is genuine.

If you think you've shared your HSBC security details, please call us on 03457 404 404. If it was a phone call, make sure you've fully disconnected first. You can send any scam emails or screenshots of suspicious text messages to us at phishing@hsbc.co.uk.

Find out more about impersonation scams by downloading our scams leaflet (PDF, 1MB).

January 2021: Vaccine scam

Throughout the pandemic, some fraudsters have been trying to exploit coronavirus as an opportunity for financial crime.

Now that vaccines are available, they're sending bogus messages claiming to offer the chance to apply for a coronavirus jab.

These are usually text messages which ask you to confirm your personal and financial details through a website given in a link. Some fraudsters are also trying the same scam with automated phone calls.

The NHS will never ask you to press a button on your keypad or send a text asking you to confirm you want the vaccine. It will also never ask for payment or for your bank details.

Do not visit any of these sites or give any information. Please continue to follow official government advice. 

If you've fallen victim to this scam, contact us using the number on the back of your card.

Read more about how to spot a vaccine scam.

Find out more about other coronavirus scams we're hearing about.