HSBC Phishing Email Scam UK: How to Spot and Stop It
Fraudsters are sending convincing fake HSBC emails to UK customers — here's exactly how to spot them and stay safe.
What is this scam?
HSBC phishing emails are fraudulent messages that mimic genuine HSBC correspondence to trick you into revealing sensitive information or installing malware. Scammers send emails claiming your account has suspicious activity, needs urgent verification, or requires immediate action to avoid closure. These emails contain links to fake HSBC login pages, contact forms, or security verification portals designed to capture your username, password, card details, PIN, or personal information. The scammers then use this stolen data to access your real HSBC account, make unauthorised transfers, or commit identity theft. This scam is particularly effective because HSBC is a major UK bank with millions of customers, and the fake emails often closely mimic genuine HSBC communications in layout, branding, and tone. Recent variations target customers with messages about suspected fraud, pending card replacement, or upcoming account updates.
Warning signs to look for
- The email asks you to click a link to verify your details, reset your password, or confirm your identity — HSBC never requests this via email.
- The sender's email address doesn't match HSBC's official domain (it might use @hsbc-security.com, @hsbc-verify.co.uk, or similar fake variations instead of @hsbc.co.uk).
- The email uses generic greetings like 'Dear Customer' or 'Dear HSBC Client' instead of your actual name.
- The message creates urgency with phrases like 'Act now', 'Urgent action required', 'Your account will be closed', or 'Verify within 24 hours'.
- The email contains spelling, grammar, or formatting errors — genuine HSBC communications are professionally written.
- Links in the email don't lead to the official HSBC website when you hover over them (check the URL preview in your email client before clicking).
- The email mentions unusual activity, suspicious logins, or fraud alerts without specific details about your actual account.
- You didn't request the action the email is asking you to take — for example, you didn't ask to reset your password or update your payment method.
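The sender-domain, greeting, urgency and link checks from the list above, applied to a raw email by a short Python script. This is an added example, not part of the original guide or anything HSBC provides; the sample message and its .example hosts are constructed. Hosts are compared by suffix rather than substring, so a link whose hostname merely contains hsbc.co.uk is still flagged.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

OFFICIAL_DOMAIN = "hsbc.co.uk"  # the only sender domain the guide treats as genuine
URGENCY = ("act now", "urgent action required",
           "your account will be closed", "verify within 24 hours")
GENERIC_GREETINGS = ("dear customer", "dear hsbc client")

def is_official(host):
    """True only for hsbc.co.uk itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def warning_signs(raw_email):
    """Return the warning signs found in one raw, single-part text email."""
    msg = message_from_string(raw_email)
    signs = []
    sender = parseaddr(msg.get("From", ""))[1]
    if not is_official(sender.rpartition("@")[2]):
        signs.append("sender domain is not hsbc.co.uk: " + sender)
    body = msg.get_payload()
    text = body.lower()
    signs += ["urgency phrase: " + p for p in URGENCY if p in text]
    signs += ["generic greeting: " + g for g in GENERIC_GREETINGS if g in text]
    # Every link must resolve to the official domain, not just mention it.
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname
        if not is_official(host):
            signs.append("link leaves hsbc.co.uk: " + str(host))
    return signs

# Constructed sample message (not a real phishing email); .example hosts are placeholders.
SAMPLE = """From: HSBC Security <alerts@hsbc-security.com>
To: customer@mail.example
Subject: Suspicious activity detected

Dear Customer,
Urgent action required. Verify within 24 hours at
http://hsbc.co.uk.login-check.example/verify or your account will be closed.
"""

if __name__ == "__main__":
    for sign in warning_signs(SAMPLE):
        print("-", sign)
```

An empty result is not proof that an email is genuine, because sender addresses can be spoofed; verification through official channels still applies.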
How this scam works step by step
The scam begins when you receive an email appearing to come from HSBC, often triggered by a fake security alert or urgent account notification. The email contains alarming language designed to make you act quickly without thinking — for example, 'Suspicious activity detected' or 'Your account has been compromised'. It includes a prominent link or button urging you to 'Verify your account', 'Confirm your identity', or 'Update your security details'. When you click the link, you're taken to a fake HSBC website that looks almost identical to the real one. You enter your login credentials, card number, PIN, or personal details into this fraudulent portal. The scammers capture this information in real time. Once they have your credentials, they log into your genuine HSBC account, change your password, and transfer money out or make purchases. Alternatively, they may sell your stolen data to other criminals or use it for identity theft. Some variations include malware links that install spyware on your device to capture future login attempts.
How to verify if it is genuine
Never click any links in unsolicited HSBC emails. Instead, open a new browser tab and go directly to HSBC.co.uk by typing the address yourself. Log into your account and check the 'Messages' or 'Alerts' section to see if HSBC has sent you an official notification. If you're unsure about a specific message, contact HSBC directly using the phone number on your bank card or the official HSBC website — do not use any contact details from the suspicious email. Check the sender's email address carefully: genuine HSBC emails come from @hsbc.co.uk addresses only. Be aware that scammers can spoof email addresses to make them appear legitimate, so always verify through official channels. If the email asks for personal or financial information that HSBC already has on file (like your PIN or full card number), it's definitely a scam — HSBC never requests these details via email. For more help determining if a website is genuine, see our guide on /guides/is-this-website-a-scam/.
What to do if you have already interacted
If you clicked a phishing link but didn't enter any information, your immediate risk is low, but monitor your account carefully over the next few weeks. If you entered your HSBC login credentials, change your password immediately using the official HSBC website or app. Use a strong, unique password that you've never used elsewhere. Next, contact HSBC directly on the phone number on your bank card (not any number in the suspicious email) and inform them you may have compromised your credentials. HSBC can flag your account, monitor for fraud, and help you secure it. If you shared your card number, PIN, or security details, ask HSBC to issue a replacement card immediately. Check your recent transactions carefully for any unauthorised activity. Report the phishing email to Action Fraud (0300 123 2040) and the NCSC Suspicious Email Reporting Service (report@phishing.gov.uk). If money has been transferred from your account, contact your bank immediately — they may be able to recall the payment, especially if it was recent. Consider placing a fraud alert with Experian, Equifax, or CallCredit to prevent identity theft.
Reporting this scam in the UK
Report the phishing email directly to NCSC (National Cyber Security Centre) by forwarding it to report@phishing.gov.uk — simply forward the entire email with full headers intact. NCSC works to take down fake websites and malicious links quickly. File a report with Action Fraud, the UK's national fraud reporting service, by calling 0300 123 2040 or visiting actionfraud.police.uk. Provide as much detail as possible, including the email address it came from, the date you received it, and any links you clicked. If the scam arrived as an SMS or text message instead of an email, forward it to 7726 (the free reporting number). Report the scam to HSBC directly using their online fraud reporting tool on the official HSBC website or call the number on your bank card. For broader support and advice, contact the Citizens Advice consumer helpline on 0808 223 1133. If you've lost money, also report it to the police via 101 (non-emergency) to create a formal crime reference number, which may help with recovery. Report the fraudulent website or link to the Internet Watch Foundation at iwf.org.uk if it's hosting phishing content.
Frequently asked questions
Is HSBC a legitimate bank, or should I assume all HSBC emails are scams?
HSBC is a legitimate UK bank, but that doesn't mean every email claiming to be from HSBC is real. Scammers deliberately impersonate HSBC because of its size and reputation. Always verify emails by contacting HSBC directly using the number on your card, never by clicking links in the email. Most genuine HSBC communications won't ask you to click links or enter sensitive information via email.
I already entered my login details into a fake HSBC website. What should I do immediately?
Contact HSBC right away using the number on your bank card and tell them your credentials may be compromised. Change your HSBC password immediately using the official app or website. Monitor your account closely for unauthorised transactions and ask HSBC to issue a replacement card. If money has been moved or spent, contact HSBC and Action Fraud (0300 123 2040) straight away — your bank may be able to recover funds if they act quickly.
What should I do if I received an HSBC phishing email but it looked very similar to real HSBC emails I've received before?
This is common — scammers copy HSBC's real emails closely to fool you. The safest rule is: never click links in any unsolicited bank email, no matter how real it looks. Instead, log directly into your HSBC account via the official website or app, or call HSBC on the number on your card to ask if the email is genuine. If you're uncertain, it's always safer to assume it's a scam and contact your bank directly.
How do I report a fake HSBC email I received?
Forward the suspicious email to the NCSC Suspicious Email Reporting Service at report@phishing.gov.uk with the full headers included. Report it to Action Fraud by calling 0300 123 2040 or visiting actionfraud.police.uk. If it came as a text message, forward it to 7726. Also report it to HSBC directly through their official website or by calling the number on your card so they can warn other customers.