Top of main content

Token activation fraud

With online banking becoming more secure, fraudsters may target you directly to try to steal your money.

Token activation fraud is where fraudsters trick you into handing over your Secure Key activation code.

HSBC will never ask you for the token generated from your Secure Key or mobile phone. These are only used to give you access to online banking and move money out of your account. They're not used to stop or block payments. Our fraud teams don't need them either - so you’ll never need to reveal the token to anyone.

How does token activation fraud typically work?

Over the phone

The fraudster will call and pretend to be from your bank. They may tell you a large amount of money is due to come out of your account, for example. They’ll then ask if you authorised this payment.

When you say you haven’t, the fraudster will be very understanding and offer to stop the payment for you. They’ll ask what type of Secure Key you have – a physical Secure Key (a device like a small calculator) or a Digital Secure Key (part of the HSBC UK Mobile Banking app).

Once they know this, the fraudster will then emphasise they’ll never ask you for the PIN or password for that device. 

In order to 'stop the payment', the fraudster will ask you to generate a code from your Secure Key. They may again emphasise that they don’t want the PIN or password for the device.

They’ll ask you for the activation code. If you hand over that code, they’ll be able to authorise transactions from your account or completely take over your online banking. 

Via text

Fraudsters might also contact you by text, claiming to be from your bank. They may ask you to give them a call so they can take you through the same scenario as described in the 'Over the phone' section of this page. They may also ask you to respond to the text with your activation code.

Find out more about the genuine texts that HSBC might send you.

How to prevent token activation fraud

HSBC will never ask for your:

  • generated codes

  • PINs

  • passwords

  • activation codes

If anyone does contact you and ask you for your Secure Key activation code or any other log on details, don’t give it to them. Hang up the phone and never respond to the text.

If you’re ever unsure about a phone call from someone claiming to be your bank, you can hang up the phone and call back on a number you know is genuine. Find out more about how to protect yourself against fraud.