HSBC Impersonation Scams
Scammers impersonate HSBC with fake fraud-alert texts and spoofed banking login pages to steal credentials and one-time codes. The real HSBC will never ask you to move money to a 'safe account' or read out a security code.
Last reviewed: 1 June 2026
HSBC's presence across dozens of countries makes it one of the most widely impersonated banks globally. Fraudsters send SMS messages and emails claiming an account has been frozen or a large payment needs authorising, directing recipients to fake HSBC login pages hosted on lookalike domains.
In a common variation, a caller poses as HSBC's fraud team and warns of unauthorized access, then talks the victim through transferring money into a new account 'for their own protection' — a transfer that goes directly to the scammer.
HSBC is the victim of this impersonation. The bank publishes ongoing warnings about known scam campaigns, and its genuine fraud team never needs you to move your own money to keep it safe.
How scammers impersonate it
- Sending SMS or email alerts styled as HSBC notifications about a frozen account or pending payment
- Hosting fake HSBC login pages on domains that closely resemble the real site
- Spoofing HSBC's customer service number on caller ID
- Posing as HSBC fraud investigators and instructing victims to transfer funds to a new account
- Asking victims to read out a one-time passcode or security code sent to their phone
What the real organisation never does
- Ask you to transfer or move money to a different account to protect it
- Ask you to read out a one-time passcode, security code, or online banking password
- Send a text or email with a login link instead of directing you to the official app
- Ask for your full card number, PIN, or account password over the phone
- Pressure you to act within minutes without allowing you to verify independently
Common red flags
- Urgent message claiming your account is frozen or under attack
- Any instruction to move or transfer money to a 'safe' or new account
- A link used to log in rather than the official HSBC app
- Request for a one-time passcode, security code, or password
- Caller discourages you from hanging up to call the number on your card
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Email: 'HSBC Security Notice: Unusual activity detected on your account. Verify immediately at hsbc-bm-online[.]com.'
Call: 'This is HSBC fraud prevention — your account has been compromised. To protect your funds, please transfer them to the secure account we provide.'
How to verify
- Hang up and call the number on the back of your card or on hsbc.com
- Log in only through the official HSBC app or by typing the address directly into your browser
- Never transfer money anywhere at the instruction of an unsolicited caller or message
- Check your account activity directly in the app rather than trusting a text or email claim
What to do if you're targeted
- Do not click links, share codes, or move any money
- Contact HSBC directly through the number on your card or the official app
- Report the scam to Action Fraud (UK), the FTC (US), or your national fraud reporting service
Frequently asked questions
The email came from an address that looked like HSBC — is that proof it's genuine?
No. Sender addresses can be spoofed or closely mimicked with lookalike domains. Always check the actual domain carefully and verify by logging in directly through hsbc.com or the official app rather than any link in the email.
I transferred money to a 'safe account' after a call from someone claiming to be HSBC — can I get it back?
Contact HSBC's fraud team immediately to report it, but recovery is not guaranteed once funds have left your account and been moved on by the scammer. Report the incident to your national fraud reporting service as well.