Online and fraud guidance

Be vigilant and do not fall victim to financial scams through phishing, smishing and vishing.

Phishing – email fraud

Phishing is an email sent by an irresponsible party to trick you into clicking on a link, opening an attachment or leaking information you shouldn't provide.

Be wary of unsolicited emails that appear to be from your bank or another trusted organisation (government tax institution). They may contain links to websites urging you to provide confidential, personal or financial information. The emails may appear to come from a legitimate source and they typically warn you of an urgent problem with your account to trick you into clicking on a link which takes you to a phoney website.

If you receive one of these emails, don't reply or click on a link that you're not sure is genuine. Instead, contact the company using a phone number you know is genuine.

Phishing emails typically:

• Warn you of some sudden change in an account which means you have to confirm you still use the service
• Sometimes have poor spelling and grammar
• Ask for confidential or security information such as your online banking details, passwords, account numbers or PINs
• Include instructions to reply, complete a form or document attached to the email or click through to a website to verify your account

Phishing emails may direct you to a bogus or spoof site that's often very convincing. Look closely for these telltale signs:

• The site threatens to shut down your account unless you verify your personal information
• The site returns an error message and asks you to log in
• The URL isn't quite right - for example, you see www.hbsc.com or www.hsb.com instead of www.hsbc.co.id
• The URL may also contain numbers (such as an IP address) or an '@' symbol
• The padlock icon is out of place, it should be in the browser status bar in the lower right and not within the web page.
• When you double-click on the lock icon you get a warning that the site address doesn't match the security certificate
• The logo is distorted or stretched which indicates it's been copied
• Spelling and grammar mistakes
• If there's a phone number on the fake website and it doesn't match the phone number on your account statement
• You can't link to a homepage from the fraudulent site

Other warning signs that an email is fraudulent:

• Generic salutation such as 'Dear user' or impersonalised information in the text of the email
• There's an attachment that may launch a virus or spyware on your computer

Don't open attachments or click on links if you suspect they may not be genuine.

If you're suspicious of an email claiming to be from HSBC, report it to us via the HSBC Contact Centre, delete it and empty your deleted items.

Smishing – SMS fraud

Smishing is sending an SMS that looks like it came from a trusted source with the aim of enticing us to provide personal information such as passwords or credit card numbers.

These may be sent by criminals trying to trick you into giving your personal and financial information (by calling a number or clicking a link). It's important to remember the following:

• Banks and other organisations such as the police or cellular service providers will never ask you for your full PIN, password or banking codes
• Fraudsters can mimic text headers so that their messages can join a conversation beneath ones you know are genuine

If you're unsure whether a text claiming to be from HSBC is genuine, report to us via the HSBC Contact Centre. Never share your security details with anyone else.

Vishing – telephone fraud

Be aware that currently there are many cybercrimes occurring. The target of criminals is to gain access to your personal or banking data. Beware of data theft under the guise of offering banking or investment products.

In practice they use social media communications and a name similar to an investment management company. They spread scams through websites and online accounts and usually offer high-yield investments. If you do not have an adequate understanding of investment offers and are tempted by high yields, you may become a victim of this kind of fraud.

Tips to avoid this scam:

• Do not be tempted by the lure of buying high-yield sharing products and investments that are offered by someone claiming to be an investment manager or from a bank
• If you get a product offering or investment message and you are interested, make sure you recognise the sender of the message (SMS, chat account, social media account), or check the message was sent by a trusted source
• Do not click on any links or attachments on an email, SMS, WhatsApp messages or other applications that you may receive from dubious or unknown sources
• Currently HSBC does not have an official telegram account and does not have a group with any applications to investment offers - if you find one or are invited to a group like this, you can report it by clicking Report (fake account) on the application
• Even if the person pretends to be an investment manager, a representative of a bank or other institution, never share data such as your name, bank, account number, mobile phone number, email address, correspondence or occupation
• If you have experienced fraud, immediately report it to the bank and block your account
• If you find an investment offer that is not licensed, illogical or is fraudulent, you can also contact OJK or the OJK Investment Alert Task Force on telephone number 157 or WhatsApp to number 0811 157 157

PLEASE BE AWARE:

SIM swap is the illegal mobile phone SIM card replacement through cellular operator by a fraudster. The aim is to get access to your banking transaction details such as an OTP (one-time password) from your online transactions.

Tips to avoid SIM swap:

WhatsApp account

Never give any personal information or debit / credit card data such as card numbers, CVV, PIN numbers, expiry card information or OTP codes, to parties on behalf of PT Bank HSBC Indonesia, especially using WhatsApp.

To prevent this, you can provide a 'report' to WhatsApp on the account by clicking the 'Report business' button on the account's profile.

Social media account

Inform the bank of any changes to your (or your attorney's) personal data, together with the relevant supporting documents. Such data includes, but is not limited to, the following:

Personal customers:

1. Full name
2. Job title or line of business
3. Residential / office address
4. Email address
5. Home, office or mobile phone number
6. ID (KTP, passport, staying permit) number and expiry date
7. NPWP number (mandatory for existing and prospective securities account holders)
8. Type of transactions which will be frequently performed
9. Purpose of account opening
10. Nationality
11. Marital status
12. Source of funds and income

Corporate customers

1. Business licence (nature of business activities)
2. Articles of association (including subsequent amendment if any)
3. Address and contact details
4. Source of funds and purpose of account opening
5. Taxpayer registration number (NPWP)
6. Composition of board of directors and commissioners (along with their ID card: KTP, passport, staying permit)
7. Company's shareholding structure up to the ultimate beneficial owner*

• Never tell your debit card PIN to other people, not even someone claiming to be from the bank or the police
• Immediately change your debit card PIN after receiving the first PIN from HSBC
• Memorise your PIN and never write it down
• Change your debit card PIN regularly
• When doing debit card transactions at an ATM, ensure nobody can see you typing in your PIN
• Select PINs that can't easily be guessed by anyone, such as your date of birth, phone number, etc
• Use different PINs for different channels (online banking, ATM and phone banking)
• Ensure no one is looking whenever you are keying in your PIN

• Try to keep your credit card in sight when using it for a transaction
• Ensure that your card is returned after each transaction
• Do not sign credit card slips without an amount
• Keep all credit card receipts / statements in a safe place, or destroy them
• Do not disclose your credit card number over the phone, unless you are dealing with a reputable company
• Avoid entering credit card information when using public computers, such as those in internet cafes, or when using websites that are not secure
• Do not respond to emails that ask you to provide credit card information
• Shut off paper statements, opt to use online statements instead
• Check receipts against your online monthly billing or account statements to verify all of your transactions - report any unauthorised transactions immediately and once you've reconciled your billing statements, shred up all receipts and discard them at home
• Check your statements and watch your charges - view your statements to verify that they properly reflect the amounts you have authorised and watch for multiple charges

HSBC credit cards offer you even more protection when shopping online. 3D Secure authentication provides additional authentication through a one-time password (OTP). The OTP will be sent to your mobile phone each time you do an online transaction at 3D Secure participating merchants.

OTP for your online purchases

You're required to key in an OTP whenever you make an online purchase at participating 3D Secure merchants using your HSBC credit card. A pop-up screen will appear, prompting you to key in the OTP which will be sent to your mobile phone number registered in our system.

What is one-time password (OTP)?

An OTP is a randomly generated six digit password sent via SMS to your mobile device, which provides a stronger method for authenticating your online transactions so you feel comfortable when shopping online. (The success of OTP SMS delivery depends on the availability of the telecom network.)

Beware of credit card skimming. This is an illegal act to replicate data from the credit card's magnetic stripe. Skimming could occur anywhere you do transactions including restaurants, gas stations and other retail locations. Be aware of these:

• Merchants processing your credit card twice, once dipping your credit card into the EDC machine for your purchase and a second time through a skimming device (as general rule, don't let your card out of your sight) - if you spot your credit card is processed inappropriately, call HSBC phone banking services immediately
• Someone looking over your shoulder at the register to spot your credit card PIN - protect your PIN
• If receipts and carbon copies are not immediately given to you, ask for them and file them in a safe place or destroy them before you put in a bin

How to keep your computer secure

1. Make sure you have the latest security updates and patches

To check for patches and updates you should visit the publisher's website, typically in their 'Download' section. 

2. Use and regularly update anti-virus software

There are many effective programs to choose from, but the most common commercial products are from McAfee, Symantec (Norton) and Sophos. It's also possible to obtain free anti-virus protection. A search for 'free anti-virus' on Google will provide a list of the most popular. Always update your anti-virus software with the latest 'virus definition' files. If you're unsure how to do this, you should refer to the program's own help function.

3. Use personal firewalls

Firewall is another small program that helps protect your computer and its contents from outsiders on the internet. When properly installed, it stops unauthorised traffic to and from your PC. There are many effective programs to choose from. Common commercial examples are from Zone Alarm, Symantec (Norton), McAfee and Computer Associates.

4. Read our password advice

• Memorise your password and do not write it down
• Select passwords that can't easily be guessed by anyone, such as date of birth, phone number, etc
• Never disclose your password to anyone, not even someone claiming to be from the bank or the police
• Change your password regularly
• Ensure no one is looking when you are keying in your password

5. Use an anti-spyware program

Spyware is often loaded onto a PC as part of a free download of another service. Spyware is not the same as a virus in that it only records what you do rather than altering how your machine works. Because of this, anti-virus software is not effective in identifying and removing spyware, you will need to download and run a specialised anti-spyware program.

Anti-spyware security software currently available include McAfee, Spybot Search and Destroy, AdAware, Spyware Eliminator, Spyware Doctor and Microsoft anti-spyware. We strongly recommend that you install and use a reputable anti-spyware product to protect yourself against spyware on your PC.

Tips

Don't share computers

Disable your computer's 'File and Printer Sharing' capabilities to help prevent unauthorised access. Use your computer's help function for instructions.

Filename extensions

Most operating systems use filename extensions. For example, a word document ends with .doc and a photo image may end with .jpg.

By default some operating systems don't show these extensions. Whilst this presents cleaner looking file names, it also provides viruses with a means to hide. Use your computer's help function (index and then 'display') for steps needed to display file extensions. Any file with what appears to be a double extension - like wow.jpg.pif - is almost certainly a virus and should never be opened.

Be wary of opening any unexpected email messages with attachments

A common way for a virus to spread is via email. Some viruses send copies of themselves to everyone in the infected PC's address book. This means it could appear to come from someone you know. Never open an email attachment that contains a file ending with .exe, .pif, .vbs as these are commonly used with viruses.

How to keep your online banking session secure

1. Logging on

Ensure you enter your correct passwords without the details being inadvertently disclosed to someone who may be looking over your shoulder.

2. Logging off

Always remember to log off from the online banking session and close your browser when you have finished your online banking. This will clear all traces of your visit from the PC's memory.

Tips

Memorise the keys to your access

Your online banking ID and password are your keys to accessing our online services. Only the right combination of these allows you access.

Don't use links to access our site

Always enter the web address or use a favourite. Don't use a link as this may take you to a phoney website that may look exactly like ours.

Avoid using shared computers for online banking

Try to avoid using shared public PCs, such as those in internet cafes, to access online banking.

How to keep your email secure

Generally, emails that are sent or received through a regular email address (eg yourname@hotmail.com) are not secure or encrypted to protect the content. Therefore, any personal information you include in an email is at risk of being intercepted by unauthorised individuals. Do not send your online banking ID or passwords by email to anyone ever.

Tips

General points to remember

1. Check your statements immediately upon receipt
2. If you spot any unusual transactions, report them to the bank immediately
3. Consider using online banking to check the transactions on your account more frequently

We recommend frequently reviewing your account activity online because:

1. Over 50% of all identity fraud is first discovered by the victim
2. The sooner fraud is detected, the lower the financial impact
3. Customers who access their accounts online detect identity crime earlier than those who rely on mailed statements
4. Customers who choose to receive electronic statements instead of mailed statements reduce their risk of mail fraud