Howto: Phish HSBC credit card numbers

Like many other people, I try helping developing countries when I can. So to help boost GDP in Eastern Europe and Africa (or ‘redistribute the wealth’ if you will) here’s a quick tutorial that will help scammers get HSBC customers’ credit card numbers. All the steps below are done by the real HSBC, so you don’t even need to “fool” anyone.

An HSBC customer who has gone through this process before won’t be able to distinguish between you and the real HSBC. Customer that has not been through this process certainly won’t know better anyway. In fact, you can do it to HSBC employees and they won’t know.

All you need is a toll-free number for them to call (feel free to forward it to Nigeria). The nice thing about HSBC is that the process below is identical to how the real HSBC asks customers for information. In other words: HSBC is training their customers to follow this path. I propose a new term for HSBC’s method of breeding phish: spowning (spawn+p0wn).

Step 1:

Prepare an email that looks like:

Dear :

As a service to our customers and in an effort to protect their HSBC Premier  MasterCard  account, we are attempting to confirm recent charge activity or changes to the account.

Please contact the HSBC Premier Fraud Servicing Center to validate the activity at 1-888-206-5963 within the Continental United States. If you are calling from outside the United States, please call us collect at 716-841-7755.

If the activity is unauthorized, we will be able to close the account and reissue both a new account number and cards. Please use the Subject Reference Number below, when calling.

At HSBC, the security of our customer’s accounts has always been, and will continue to be a high priority. We appreciate your business and regret any inconvenience this may have caused you.

Sincerely,

Security & Fraud Risk HSBC USA

Alert ID Number :  10917558

Note:  Emails sent to this repository will go unmonitored.  Please do not reply to this email. —————————————– ************************************************************** This e-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return e-mail. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions. ************************************************************** “SAVE PAPER – THINK BEFORE YOU PRINT!”

Step 2:

Replace the phone numbers with your own. The above are HSBC’s.

Don’t worry about the ‘alert ID’. Just make something up. Unlike other credit cards, the caller (me, in this case) can’t use the alert ID to confirm this is really HSBC.

Step 3:

Blast this email. You’re bound to reach plenty of HSBC card holders. The rest you don’t care about anyway.

Main perk: Before the customer gets to speak to a human they need to enter full credit card number and 4 digit SSN. So even the most lazy scammer can at least get those.

For the overachieving scammers, have a human answer and ask for  Card expiration and Full name on the card before agreeing to answer any other questions from the customer. This is all standard procedure at HSBC so customers shouldn’t be suspicious.

Oh, and if the customer who happens to be a security blogger tries to authenticate you back, tell them to hang up and call the number on the back of their card. That will shut them up.

At HSBC, the security of our customer’s accounts has always been, and will continue to be a high priority.

If it really was, you wouldn’t make me such an easy target for scammers. But thanks for playing.

 

Share
  • The Scam Channel
  • gabe

    as a customer, I can say this still happens. also searching for the phone number before calling (I’m not the usual sucker that call any number back to discuss my credit card) this is the first result… kudos

  • hsbc customer

    The real HSBC never asks you for the expiration date or the name on the card. Nor does it require you to enter the number on the IVR before talking to a representative. Banks are stupid but not _that_ stupid.