One of the most common cyber-attacks, phishing operates through emails which are often convincing and appear to come from legitimate senders. These messages entice their targets to click on links or attachments which, in turn, facilitate theft or fraud.

What is phishing?

Phishing uses scam emails to convince users to click on a malicious attachment or link. These can infect the victim's computer with malware which gleans private information, allowing an attacker to steal money, disrupt business operations, or destroy data.

Phishing attachments often bypass security and anti-virus programmes by using Microsoft Office 'macros' which download malware if run. Links may connect to seemingly legitimate websites, which exploit vulnerabilities in the victim's computer to install malicious code. Alternatively, these webpages may simply trick the user into entering personal information.

Sophisticated attackers aim convincing 'spear' phishing emails at carefully selected groups, researching recipients through social media, website information or public facts about their organisation.

High-volume phishing, on the other hand, targets as many recipients as possible - of whom only a tiny percentage have to be caught for possible success. Fake invoices, delivery notifications, receipts and banking updates can all be used as lures in these attempts.

The risks to business

  • Data theft (or encryption for ransom)
  • Hardware damage
  • Fraudulent internet banking redirection
  • Financial theft

How can I defend my business against phishing?

  • Install and update reputable anti-virus software, and keep systems up to date with new releases and security patches.
  • Never open attachments, click links or download software from unknown sources or questionable websites.
  • Put in place protective policies and training to ensure that staff have the knowledge to conduct business safely online.
  • Limit access to systems and information based on job duties, and split financial responsibilities between employees.
  • Restrict internet access to trusted websites, and limit the use of external media devices.
  • Be aware of what information is available about you and your organisation on social media and the wider internet. If you know what can be found, you can be more alert to its use in an innocuous-looking email.

Most importantly, learn to spot a suspicious email!

There are several tell-tale signs: An unexpected email, such as confirmation for a form you haven’t submitted or an order you haven’t made. A new e-mail address from a sender you know. An unusual greeting or title in the subject box. A strange tone, or odd language. An unusual attachment, or a request to enable ‘macros’. A link to a strange URL domain. Any mail or link asking you to enter a password

Contact us

Please contact your Relationship Manager or visit our Contact us page here.

Find out more about HSBC Cybercrime

Malicious software is coded with the intention of harming its target. Affecting private and corporate users alike, it can steal information, damage data, hijack website visits and spy on internet activity. Fraudulent redirection of internet banking users is an increasingly frequent form of attack.

Cyber-attacks on SMEs have increased steadily in recent years. With criminals constantly devising new ways to steal information and money, one of the newest emerging threats is Business Email Compromise, also known as CEO or Chairman Fraud. The most frequent targets of this scam, small and medium-sized businesses, can lose huge sums because of one spurious email.

Texts and phone calls can be used maliciously to facilitate theft and fraud. 'Vishing' calls try to alarm recipients into making payments or providing important financial information. 'Smishing' texts may additionally try to entice their target to click on malicious links, activating trojan viruses which can steal passwords and other high-value data.

Need help?

Get in touch to learn more about our banking solutions and how we can help you drive your business forward.