HSBC customers hit by phishing attack

Internet users in the UAE are being warned to be on their guard following a massive phishing scam targeting HSBC customers there.

By Diana Milne. Published June 11, 2006

Internet users in the UAE are being warned to be on their guard following a massive phishing scam targeting HSBC customers there. The phishing attack follows a reported hacking attack on Emirates Bank and a fraud incident in Dubai, where criminals captured card data and PIN numbers from an ATM using a pinhole camera and a ‘skimmer’, a device inserted into a card slot to read data.

In the latest security attack to hit the region’s banking industry, a fraudulent e-mail claiming to have come from HSBC, entitled ‘HSBC UAE. Urgent Update’, was sent to users. The e-mail asked customers to click a link to a website designed to look like HSBC’s and then enter their PIN code as a means of activating a new security system. Account holders were warned their accounts would be suspended if they did not reply to the e-mail.

Etisalat and HSBC detected the e-mail on May 31, and Etisalat blocked the fake website through its proxy server around 15 minutes after the e-mail reached customers. HSBC admitted this action was too late for a “few customers” that responded to the e-mail, although it said it was only a small number of customers that replied relative to the volume of e-mails that were sent out.

Lester Wynne-Jones, regional head of personal financial services for HSBC Bank in the Middle East, said the bank was taking the incident extremely seriously. “I think on the scale we are talking about here in relation to this type of thing this is the first major incident that we have seen in this region,” he said. However, the fact that e-mails had been sent out made the incident serious, he said. “We are very concerned because fraudsters have written directly to a large number of people.”

Wynne-Jones said the bank was concerned as the phishing attack followed so closely after the ATM fraud incident in Dubai last month. According to press reports, customers from a number of banks had used an Emirates Bank ATM in a ten-day period leading up to May 24 before the fraud was discovered, with Emirates Bank subsequently reporting hacking incidents on a handful of customer accounts, which it traced back to Bulgaria. The bank said “a handful” of customers had lost money in the attacks before it blocked access.

“I think it’s coincidental but that’s one of the reasons why we took it [the phishing attack] very seriously,” Wynne-Jones said. “It means our name is in the public domain connected with potential fraud,” he said. He revealed, however, that because e-mails were sent out indiscriminately and not just to HSBC customers, the e-mail addresses could not have been taken from an HSBC customer database. “They could have picked on any other bank,” said Wynne-Jones.

Rashid Alabbar, project manager of e-security at Etisalat, said the e-mails had been received by a number of employees of major corporations in the UAE, including Etisalat and Tecom. He said the security team within Etisalat detected the phishing attack after receiving an alert on their spamming system. “One of the security operations team received this email actually and he immediately investigated this matter,” he went on to add.

The e-mail was addressed from support@hsbc-uae.com, a domain name that is not used by the bank, and linked to a website that was strikingly similar to the bona fide HSBC UAE site. Alabbar said that as soon as Etisalat verified that the e-mail was not valid, it immediately blocked it on the proxy server.

To prevent customers falling victim to such phishing attacks in the future, HSBC plans to increase awareness of safe banking practices with messages on its internet banking website and in its own communications with customers, such as bank statements.
