However, fraudsters are calling customers pretending to be from the bank or a trusted organisation and requesting an OTP, which they can then use to make a fraudulent transaction.
Around a third (37%) of total successful fraud attempts involved possible disclosure of OTPs last month (August) with a total of £363,300 at risk of getting into the hands of fraudsters.
June saw the highest number of suspected OTP scams, with over £411,408 in total attempted fraud. Just over 3,000 cases of successful OTP fraud have been reported in the last six months.
David Callington, Head of Fraud at HSBC UK, said: “We’re aware that fraudsters are impersonating banks and trusted organisations and contacting customers regarding potential fraudulent transactions. Whilst we have an experienced team looking for signs of fraud, customers can help themselves by being aware of the tactics fraudsters use.
“HSBC UK or any other bank will never ask you to divulge any of your banking passwords. If someone calls you out of the blue and asks for your One Time Passcode, hang up straightaway, it’s a scam.”
HSBC UK customers will receive a warning in the SMS message containing their OTP instructing them to never share the code, even with bank staff or police.
Customers can also choose to verify transactions in their HSBC UK app, instead of receiving an OTP via SMS.
Scams involving OTPs usually start out with a ‘smishing’ text from what appears to be a legitimate organisation, requesting the recipient to input their personal details online.
One customer (Ms S) received a text that appeared to be from DPD who advised they were trying to deliver a package. Ms S clicked on the link within the text and was sent to a page that she felt looked legitimate. Within the page she was asked to input her card number, sort code and account number. In order to redeliver the package, she was asked to pay a small fee which she accepted as she was expecting a delivery from overseas. Ms S then received a call from who she thought was HSBC UK advising the bank were aware of a suspected fraud and how she could get the money back. During the call with “HSBC UK” she was asked to disclose an OTP code in order to recover funds, not realising this was actually authorising card transactions. Ms S only realised she hadn’t been speaking to someone from the bank when she received a genuine call from HSBC UK to question the transactions.
Another scam involved a customer (Mr M) receiving a text message that appeared to be from Royal Mail to arrange a redelivery. Mr M clicked on the link within the text and input his card details on a web form. Fifteen minutes later, Mr M received a call from someone purporting to be from HSBC UK’s fraud team trying to verify potential fraudulent activity. The caller advised they could stop the transactions going through by use of a code that the customer would receive, which the customer then shared. This was the OTP code. Subsequently, large value transactions were authorised on the card. Mr M only realised this was a scam when he received a text from HSBC UK advising he had exceeded his overdraft limit. Upon calling HSBC UK, our legitimate operator confirmed no previous conversations had taken place and the customer had been scammed.
HSBC UK adheres to best practice standards to prevent financial crime and where we identify a potentially fraudulent payment or scam we take action immediately. We publish advice on the latest scams and how customers can protect themselves on our website: https://www.hsbc.co.uk/help/security-centre/
HSBC UK serves around 14.5 million customers in the UK and employs approximately 32,000 people. HSBC UK offers a complete range of personal, premier and private banking services including bank accounts and mortgages. It also provides commercial banking for small to medium businesses and large corporates. HSBC UK is a wholly owned subsidiary of HSBC Holdings plc.
HSBC Holdings plc
HSBC Holdings plc, the parent company of HSBC, is headquartered in London. HSBC serves customers worldwide from offices in 64 countries and territories in its geographical regions: Europe, Asia, North America, Latin America, and Middle East and North Africa. With assets of US$2,976bn at 30 June 2021, HSBC is one of the world’s largest banking and financial services organisations.