Fake HSBC text directs customers to call fraudulent helpline

A new bank scam is circulating to trick HSBC customers into giving away sensitive details
Chiara CavaglieriSenior researcher & writer

Which? is warning HSBC customers to watch out for malicious text messages claiming to be from the bank. These texts display ‘PASSCODE’ as the sender and attempt to capitalise on security checks known as ‘strong customer authentication’ (SCA).

Back in March, we warned that there could be a spike in fake texts, calls and emails claiming to be from 'your bank' using SCA as the hook. SCA requires banks to ask you to verify your identity when making certain card payments online.

Sign up for free Which? scam alerts to find out about the latest news and advice

A closer look at the scam HSBC text

As the image below shows, this fake text is using the sender ID ‘PASSCODE’. This is one that could easily seem legitimate, as the phrase 'one time passcode' (OTP) is used in the banking industry to describe the temporary security codes that banks send to customers. 

The message reads: ‘HSBC: Your OTP is 429384 for a payment of 850.00 GDP to EXPEDIA - REF: HS9X. If this wasn’t you, call us immediately on 0330 828 1274’.


When you call the number in question, you'll hear an automated recorded message or interactive voice response (IVR). This asks you to input your branch sort code and 16-digit card number or customer identification number before being supposedly put through to an 'adviser'. You can listen to a clip below.

This scam is ultimately designed to steal enough details to hack into HSBC bank accounts or convince victims into transferring money to accounts controlled by criminals.

Blocking scam texts 

We reported this text to HSBC and the Mobile Ecosystem Forum (MEF), which runs the SMS SenderID Protection Registry, enabling banks and other businesses to block attempts to impersonate their brands via text. 

We also contacted the phone network that operates this number – a company called Voxbone SA – to warn it that criminals are using this number to commit fraud, but we did not receive a response.

David Callington, head of fraud at HSBC UK, said: ‘We have seen similar examples in recent times where fraudsters send SMS messages purporting to be from trusted organisations in the hope of getting as many personal details as possible.

'Be aware of requests for bank account details. Don’t give scammers the opportunity to turn you into a scam victim. More information and guidance can be found in our website’s security centre.

'What is clear is that we need a ‘whole-system’ approach to tackling fraud. It is the responsibility for all those who bring risk into the system to play a role in preventing fraud. This includes the wider payments industry, but also telcos who provide the numbers, internet service providers and social media firms, as well as consumers themselves.’

Staying safe from malicious texts

Don’t click on web links and don't call phone numbers shared in text messages. And never rely on the caller ID on your phone, as this can be spoofed

If you think a message is genuine, contact the company in question using a trusted method such as the number on an official bank statement, or on the back of your debit card. 

If it’s a fake message, forward it to 7726 and then block the phone number.

If you think you’ve fallen victim to a scam, contact your bank immediately and read our advice about how to get your money back after being scammed.

More on this

Related articles