The HSBC impersonation playbook in 2026

HSBC is the UK’s largest retail bank by customer count and one of the three most-impersonated banks in UK smishing campaigns. UK Finance puts bank-impersonation losses above £460m in 2024, with HSBC, Lloyds and Barclays customers receiving the bulk of attacks. The mechanic is consistent: a spoofed SMS appears in the same message thread as your genuine HSBC alerts, paints a false emergency, and steers you onto a phone call where a “fraud agent” manipulates you into transferring savings to a criminal-controlled “safe account”.

Three HSBC scam-text variants in active circulation

From: HSBC (spoofed sender ID; lands in the same SMS thread as real HSBC alerts)

Body: “HSBC: A transaction of £1,287.50 to AMAZON UK has been authorised on your debit card. If this was not you, call 020 XXXX XXXX now to dispute.”

Red flags:

  • Phone number embedded in the text. Real HSBC fraud alerts direct you to call the number on the back of your card or use the in-app chat — never a number provided in the message.
  • When you call, a “fraud agent” will confirm the transaction was fraudulent and tell you that to protect your remaining balance you must move it to a “safe holding account in your name”. That holding account is the criminal’s.
  • Spoofed sender ID. SMS sender IDs in the UK are not authenticated. A scam message can land in the exact same thread as a genuine OTP from HSBC. Thread continuity is not proof of authenticity.
  • The transaction amount is specific. Criminals harvest card data from prior breaches; the “£1,287.50” figure is plausible enough to alarm you, but not so specific that you can verify it.

From: HSBC (spoofed)

Body: “HSBC: Your account has been temporarily limited following a failed login attempt. Verify your identity to restore access: hsbc-secure-login[dot]uk”

Red flags:

  • HSBC never sends customers to third-party verification pages. Real account-limit notifications direct you to the HSBC UK app or to hsbc.co.uk. Any domain that’s “hsbc-something” or “something-hsbc” is a clone.
  • The verification page asks for full Internet Banking ID, password, memorable answer, and a Secure Key code. The Secure Key code is a one-time number that lets the criminal authorise transfers from your account in real time.
  • Two-factor doesn’t save you. The page asks for the OTP HSBC delivers in real time; the criminal enters it into the genuine HSBC site within seconds.

From: HSBC (spoofed) followed by a phone call within 10 minutes

Body: “HSBC Fraud: Suspicious transfer of £5,000 to BITCOIN GBP. We will call you to verify.”

Then a phone call from a number that appears to be HSBC’s real fraud line. The caller knows your full name, sort code, account number and recent transactions. They tell you the transfer is in progress and you need to immediately move your savings to a “protected internal HSBC account”.

Red flags:

  • SMS + call combination is the hallmark of organised APP fraud. The text primes you to expect the call so the “fraud agent” feels credible.
  • Caller-ID spoofing is trivial. The number on your phone screen can be made to display “HSBC Fraud” or 03457 404404 (the real number). This is not authentication.
  • They will know personal details about you. Address, sort code, recent retailer transactions. All sourced from data-breach markets. None of it proves they’re from HSBC.
  • The instruction is always “move money to a safe account”. Banks never ask customers to move money for their own safety. If you hear this phrase, hang up immediately.
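
The red flags from the three variants above can be checked mechanically. The following is an added example, not code from this page or from HSBC: a small heuristic that flags lookalike domains, embedded phone numbers, callback priming and "safe account" wording. The flag names, the regular expressions and the fourth sample line are assumptions made for illustration.

```python
import re

# Only domain the page names as genuine; subdomains of it are accepted too.
GENUINE_DOMAINS = {"hsbc.co.uk"}

DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# UK-style number (leading 0 or +44); X is allowed because the samples are masked.
PHONE_RE = re.compile(r"(?:\+44|0)(?:[\s-]?[\dX]){9,10}\b", re.I)
SAFE_ACCOUNT_RE = re.compile(r"\b(?:safe|protected|holding)\b[^.]{0,40}\baccount\b", re.I)
CALLBACK_RE = re.compile(r"\bwe will call you\b", re.I)


def is_genuine_domain(domain):
    """True only for hsbc.co.uk itself or a hostname ending in .hsbc.co.uk."""
    d = domain.lower()
    return any(d == g or d.endswith("." + g) for g in GENUINE_DOMAINS)


def red_flags(body):
    """Return the page's red flags found in one message body (hypothetical flag names)."""
    # Undo defanging such as "[dot]" so the domain check sees a real hostname.
    text = re.sub(r"\s*[\[(]dot[\])]\s*", ".", body, flags=re.I)
    flags = []
    for domain in DOMAIN_RE.findall(text):
        # "hsbc-something" and "something-hsbc" both contain the brand but are not the bank.
        if "hsbc" in domain.lower() and not is_genuine_domain(domain):
            flags.append("lookalike-domain:" + domain.lower())
    if PHONE_RE.search(text):
        flags.append("embedded-phone-number")
    if CALLBACK_RE.search(text):
        flags.append("primes-callback")
    if SAFE_ACCOUNT_RE.search(text):
        flags.append("safe-account-request")
    return flags


# Bodies of the three variants as quoted on the page, plus one constructed call-script line.
SAMPLES = {
    "variant1": "HSBC: A transaction of £1,287.50 to AMAZON UK has been authorised on your debit card. If this was not you, call 020 XXXX XXXX now to dispute.",
    "variant2": "HSBC: Your account has been temporarily limited following a failed login attempt. Verify your identity to restore access: hsbc-secure-login[dot]uk",
    "variant3": "HSBC Fraud: Suspicious transfer of £5,000 to BITCOIN GBP. We will call you to verify.",
    "call_script": "You need to move your savings to a protected internal HSBC account.",  # constructed
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, red_flags(body))
```

An empty result does not make a message genuine: the sender ID is unauthenticated, so the in-app check described below still applies.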

How to verify an HSBC text is genuine

Three rules. Apply all three before responding:

  1. Never call a number from the text. Hang up if the SMS gives you a number to call. Real HSBC fraud alerts always direct you to call the number on the back of your card, or use the HSBC UK app secure messaging.
  2. Open the HSBC UK app to verify. Genuine alerts are also visible in the app’s message centre and recent-activity feed. If the alert doesn’t appear in the app, the SMS is a scam.
  3. Never read your Secure Key code, OTP, or memorable answer to anyone on a phone call. HSBC has other ways to verify your identity. Anyone asking for an OTP over the phone is the criminal.

If you’ve already transferred money

Act within hours:

  1. Call HSBC’s real fraud line on 0800 028 9595 (or the number on the back of your card). Use the phrase: “This was an authorised push payment scam. Please log it under the PSR reimbursement scheme.”
  2. The PSR Mandatory Reimbursement Scheme requires HSBC to reimburse APP fraud victims up to £85,000 for transfers made after 7 October 2024 unless the bank can prove gross negligence on the customer’s part. Make the claim in writing within 13 months of the loss.
  3. Report to Report Fraud at reportfraud.police.uk. You’ll need a crime reference number for any subsequent Financial Ombudsman complaint.
  4. Read our UK Recovery Guide for the full first-60-minutes playbook including the PSR “gross negligence” defence strategy when banks initially refuse to reimburse.