The fake text message being sent to HSBC customers uses the sender ID “PASSCODE”, which Which? warns could “easily” be seen as legitimate by customers. This is because the term “one time passcode” (OTP) is a common phrase used in the banking industry to describe a temporary code that banks send to customers to confirm their identity during a purchase.
The text message shared by Which? read: “HSBC: Your OTP is 429384 for a payment of 850.00 GDP to EXPEDIA – REF: HS9X.
“If this wasn’t you, call us immediately on 0330 828 1274.”
As part of its investigation into the scam, Which? called the number in the text message.
If called, people would hear an automated recorded message, also known as an interactive voice response (IVR). The message welcomes the caller and claims to be HSBC.
It then asks the person calling to input their branch sort code and 16-digit card number or customer identification number.
It then says: “If you are an HSBC customer but do not have this information, please find it and call us back.”
The caller is then told they are supposedly being put through to an advisor.
In its warning, Which? experts noted that the scam was “ultimately designed” to steal enough details to hack into HSBC bank accounts.
However, the consumer group did not receive a response from the phone company.
In response to the warning, David Callington, head of fraud at HSBC UK, said in a statement: “We have seen similar examples in recent times where fraudsters send SMS messages purporting to be from trusted organisations in the hope of getting as many personal details as possible.
“Be aware of requests for bank account details. Don’t give scammers the opportunity to turn you into a scam victim. More information and guidance can be found in our website’s security centre.
“What is clear is that we need a ‘whole-system’ approach to tackling fraud. It is the responsibility for all those who bring risk into the system to play a role in preventing fraud.
“This includes the wider payments industry, but also telcos who provide the numbers, internet service providers and social media firms, as well as consumers themselves.”
Earlier this year, the consumer group warned that there could be a rise in fake texts, calls and emails from scammers claiming to be from official banks, using “strong customer authentication” (SCA) as a hook.
Strong customer authentication is a European regulatory requirement that aims to reduce fraud and make online and contactless offline payments more secure.
It requires banks to ask someone to verify their identity when making certain card payments, and this is more often done by sending text messages or emails to the person making the purchase.
Some scammers have clocked on to the banks’ requirement to carry out these checks and are now trying to steal people’s bank details through scams such as this one.