HSBC Brunei has been good to me

Brunei HSBC SMS

In contrast to my Standard Chartered Brunei experience, HSBC has been pretty good. I received an SMS informing me that my ATM card would be deactivated and that I would have to visit my nearest HSBC branch to apply for a Visa Debit Card. Sounds straightforward for anybody in Brunei, but sadly I am not in Brunei and thus I decided to give them a call. After some verification questions, they arranged to send my card to the closest HSBC branch in Melbourne. A stark contrast to the SCB experience.

While it was all good and I managed to get my card, I have yet to receive my PIN number and thus I called HSBC today and hopefully that’s sorted it out. I did get more verification questions which I feel could be improved on. Two of the several verification questions asked were:

  1. Who is your employer?

    Now, I can easily tell them my current employer but I honestly don’t remember who was my employer when I answered this verification question. The question wasn’t who was my first employer, just who is my employer. This vague question is dependent on when I first answered this question, or whenever I updated the question. I asked the lady when I could have answered this question so that I could trace back which employer I was with at the time, but she couldn’t specify more information and said that I had to give a single answer, so I just randomly gave an answer.

  2. What is the branch that you opened your account at?

    While this is much less vague than the previous question, it still depends on whether I remember the answer. I know I’ve done some banking in the Gadong branch and Bandar branch. I’ve probably opened at least one account at each branch and perhaps I just have a bad memory, but I don’t think this question is a good verification question (at least not for me).

But all in all, HSBC has been good and managed to give me service while I’m overseas so kudos to them! Now I wonder how other Brunei banks deal with overseas customers.


HSBC Phishing Email

A few days ago I got an email from HSBC Bank regarding my online Internet Banking account, saying that it was locked and that I could go down to a branch to unlock it or fill in the online form to unlock it. Initially I didn’t think much of it, until I was about to go to HSBC and decided to check whether my Internet Banking account was locked. I logged in without issue and grew suspicious of the email I had received earlier. I re-read the email and found that it was a phishing email trying to steal my login credentials via the online form that was attached to the email. Below I will detail a few things that help you identify phishing emails or forms.

Below is the phishing email I received and the accompanying update form. An email with an attached form is always suspicious, because you can never really trust anything you receive.

HSBC Phishing Email
HSBC Phishing Email's Update Form

To inspect any HTML file or website, you should always view the source code of the file. Search through the browser’s menu items and look for the “View Source” menu item. The screenshot below shows how to view source in Google Chrome (for Firefox: View > Page Source).

HSBC Phishing Email - Update Form - View Source

Viewing the source code will show you what makes up the webpage you are viewing. For any form that you fill in, you should look for the “FORM” tag and in particular its “action” attribute, as the value of the “action” attribute dictates where the data will be sent. The screenshot below shows the source of the ‘Update Form’ attached to the email and, as you can see, the website that the data is being sent to (yuvalla.com) doesn’t seem to be a website that has anything to do with HSBC. Another thing to take note of is that the URL the form is sent to has no “https” in its address. All banking sites should be sending data via HTTPS (e.g. https://hsbc.com.bn/ibanking/processing.php not http://hsbc.com.bn/ibanking/processing.php) as HTTPS connections are encrypted. The HTTPS server certificate must also belong to a trusted source, e.g. the bank itself, in order to ensure that the encrypted connection is with that trusted source and not with a random malicious hacker’s computer/server.

HSBC Phishing Email - Update Form Source - Action Field

Some other signs that the email was suspicious:

  1. The phishing email’s “from” name is different from the regular HSBC “from” name (correct: HSBC Brunei, fake: HSBC Bank)
    HSBC Phishing Email - Fake Name

  2. The email address they used does not originate from HSBC.com or HSBC.com.bn (and going to the website gives a non-existent website)
    HSBC Phishing Email - Fake Email

Note: these 2 signs can actually be faked to look like the real thing, so even if they are correct, they are not an indication that the email is authentic.

Ways to prevent being a victim of phishing emails

  1. Never blindly trust any emails you receive
  2. Do not fill in any forms without first checking them out properly (view source to make sure the form is sending data to a trusted location, and ensure it uses https so the data is encrypted and cannot be sniffed)
  3. Do not click any links in an email, as a link can display one URL but direct you to another (e.g. a link displayed as http://google.com can actually go to Bing.com, not Google.com)
  4. Manually type in the bank’s website to go to the Internet banking website (try using https in the address rather than http)
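
The two manual checks above (where a form’s “action” sends its data, and whether the URL a link displays matches where it really goes) can also be run over a saved attachment without opening it in a browser. This is an added example, not part of the original post; the trusted-domain list, the `audit` name and the sample form’s path are assumptions, and only the domain yuvalla.com comes from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains you expect your bank to use (as named in the post).
TRUSTED_DOMAINS = {"hsbc.com", "hsbc.com.bn"}

def host_is_trusted(host):
    # Exact match or a true subdomain; "hsbc.com.bn.example.net" does not pass.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

class Auditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):  # tag/attribute names arrive lowercased
        attrs = dict(attrs)
        if tag == "form":  # where will the filled-in data be sent?
            url = attrs.get("action") or ""
            parts = urlsplit(url)
            if parts.scheme != "https":
                self.findings.append(f"form action is not https: {url!r}")
            if not host_is_trusted(parts.hostname):
                self.findings.append(f"form posts to untrusted host: {parts.hostname}")
        elif tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown, real = "".join(self._text).strip(), urlsplit(self._href).hostname
            self._href = None
            if "." in shown and " " not in shown:  # visible text looks like a URL
                seen = urlsplit(shown if "://" in shown else "//" + shown).hostname
                if seen != real:
                    self.findings.append(f"link shows {seen} but goes to {real}")

def audit(html):
    auditor = Auditor()
    auditor.feed(html)
    return auditor.findings

# Constructed sample: only the domain yuvalla.com comes from the post.
SAMPLE = """<FORM METHOD="post" ACTION="http://yuvalla.com/constructed-path.php">
<input name="username"></FORM> <a href="http://bing.com">http://google.com</a>"""
```

An empty result only means these two checks passed; as noted above, it does not prove the email is authentic.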

Now despite all this, there can always be security issues that hackers can exploit to make it even harder for us to identify fake websites / phishing emails. These tips are not a surefire way to ensure you do not get phished, but hopefully the information I’ve shared will help you identify some characteristics of phishing emails so you can protect yourself and help inform others.