As the Christmas vacation season begins, a new phishing attack shows that scammers are not the kind to take days off. The latest campaign targets holders of accounts with the United States subsidiary of Britain's HSBC bank, and pushes them to call fraudulent phone numbers or visit a website that aims to take all of their credit-card information.
Customers are coerced into handing over their card information by messages that claim the customers' accounts have been suspended and that they need to verify their identities online. Security firm Malwarebytes presumes that the campaign is based on email attacks, but other reports indicate that similar scam attempts are arriving via text message.
Users who visit the fraudulent website, which uses the domain hsbc-message.com instead of the legitimate us.hsbc.com, are told that they "didn't complete our security online form for the year 2015." After clicking a Continue button, the user is asked to fill in the relevant credit- or debit-card number, expiration date, card verification code and ATM PIN, all of which hand complete control of the card to whoever runs this page.
Recipients of similar phishing attacks have taken to Twitter to show examples of phony messages. One user received a text message that referenced the scams taking place and read: "Due to the recent phishing activity H.S.B.C decided to temporarily block cards starting with 544368XX and 532561XX. For reactivation CALL NOW," and then listed a number with a 646 area code.
A Tom's Guide staffer without an HSBC account received a similar text message, which claimed to be providing a security alert from HSBC that pointed the recipient to automatizarx4duros[.]com.
HSBC is warning customers who log in to the company's website, or call its customer-service line, about the phishing texts.
Our advice to HSBC customers — and to all bank customers, since such attacks aren't unique to HSBC — is to never follow any links, and to never call phone numbers, that purport to be from a bank but are sent via unsolicited email or text messages. Instead, you should call only the phone number on the back of your banking card.