HSBC Application Email Scam

A scam email is doing the rounds claiming to be in response to your application to HSBC.

Do not open this email, as it will download malware to infect your computer.

At first glance it looks very convincing, as it appears to come from a genuine HSBC email address (sender addresses are easily faked). The professional wording and layout are designed to fool you into thinking it is genuine.

But there are some clues that this is a fake:

  1. The most obvious clue is the attachment – particularly the .doc extension on the attached file.  This indicates an older version of a Microsoft Word document, which can easily incorporate a virus or software components to access your computer’s data.
  2. A genuine message from your bank would involve logging onto your account via their official website.  No bank, public body, company or any other reputable organisation would ever send a secure message in an attachment – and certainly not in a Word document.
  3. The message is not personally addressed to you, opening with just “Good Morning”.  But even if an email is personally addressed, that is not necessarily a guarantee it is genuine.
  4. The recipient of this email had not applied for an HSBC account.  If you did not apply, then it will not be genuine.  N.B. If, on looking at a message like this, you are certain it genuinely comes from HSBC (or another bank), it is worth contacting them using the contact details on their official website to check that you are not a victim of identity theft.
  5. Another clue in this particular instance is that it was received on an email address that had only ever been given to the Sunday Times Wine Club and had never been given to HSBC.  The recipient of the email gives each organisation they have dealings with separate email addresses in order to help identify where data breaches occur.
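
Clues 1, 3 and 5 can be checked automatically when triaging reported mail. The following is an added example, not part of the original article: the sample message, the alias register and the name `phishing_clues` are all constructed for illustration.

```python
import email
import re
from email import policy

# Constructed sample, not the real scam email; every address here is made up.
SAMPLE = b"""From: HSBC <applications@hsbc.co.uk>
To: wineclub@recipient.example
Subject: Your application
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Good Morning,
Please open the attached secure message about your application.
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="Application.doc"

AAAA
--b1--
"""

# Hypothetical register: unique alias -> domain of the organisation it was given to.
ALIASES = {"wineclub@recipient.example": "wineclub.example"}

GENERIC = re.compile(r"\s*(good (morning|afternoon|evening)|dear (customer|sir|madam))\b", re.I)

def phishing_clues(raw, aliases):
    """Return the names of the clues (1, 3 and 5 above) that the message triggers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    # Clue 1: an attached legacy Word document.
    if any((p.get_filename() or "").lower().endswith(".doc") for p in msg.iter_attachments()):
        found.append("doc_attachment")
    # Clue 3: a greeting that does not name the recipient.
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and GENERIC.match(body.get_content()):
        found.append("generic_greeting")
    # Clue 5: the alias was given to a different organisation than the sender.
    # The From header is easily faked, so only a mismatch counts as a signal.
    sender = msg["From"].addresses[0].domain.lower()
    issued_to = aliases.get(msg["To"].addresses[0].addr_spec.lower())
    if issued_to and sender != issued_to and not sender.endswith("." + issued_to):
        found.append("alias_mismatch")
    return found

if __name__ == "__main__":
    print(phishing_clues(SAMPLE, ALIASES))
```

An empty result does not mean a message is genuine; clues 2 and 4 still need a human check.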

If you receive a suspicious email appearing to be from HSBC you can report it to them using the email address: phishing@hsbc.co.uk.  Other financial institutions will have an equivalent email address, typically phishing@ + their domain name.

You can also report this type of email to Action Fraud.