Beware of Phishing Emails or Bogus Phone Calls and SMS
In view of the recent rise in various forms of phishing email, bogus phone calls, SMS and online frauds, fradsters will impersonate courier companies, government institutions, law enforcement authorities, banks, airlines, online shopping, online entertainment or video streaming companies to call and invite you to take part in surveys, join lucky draws, log in to receive prizes, confirm sending and receiving mail parcels, purchase products or services, etc., and then send phishing emails or spoof SMS messages to trick customers entering or providing personal information, credit card accounts or passwords to steal funds.
To protect your privacy and wealth, please beware the characteristics of spoofed SMS, bogus phone call, phishing email and messages, phone calls or fake website:
- They may come from a suspicious email address or have a misleading domain name (URL) ;
- They may have grammar or spelling errors or get facts wrong that you can spot ;
- They may offer incentives, such as prizes or rewards, vouchers for completing a survey, entering into a lucky draw, confirmation of parcel delivery or promoting products and services in order to trick you into revealing personal and financial information;
- They may claim there is a problem with your account and ask you to provide sensitive information such as login names, passwords or One-Time Passwords.
- Fraudsters take advantage of the fact that overseas / outbound calls are not easily traced to commit fraud through such calls. Overseas / Outbound phone numbers are displayed with a prefix of “+”, such as "+886", "+02", "+04" and "+09". Unless you know and trust the calling number, you should be alert to incoming calls from abroad.
- The mobile device suddenly loses its signal where it used to receive it and does not return to normal for a long time. If the above situation happens, please check with your telecommunications service provider immediately. Fraudsters may have impersonated the customer with stolen personal information, and ask the telecommunications service provider to issue a new SIM card in order to receive one-time security passwords for operating online banking and transferring funds from the customer's account.
- Fraudsters pretended to be buyer on free trading platforms and request to buy item by post. The fraudster will try to direct seller out of the trading platform for contact, provide unknown website or suspicious links claiming to be from the trading platform, and ask seller to enter personal information, credit card account and one-time password for payment purpose.
Latest Security Notes and Online Security Tips
Please stay vigilant of the following security notes and online security tips to help you prevent online scam!
(1) Never disclose any of your personal or account information to unsolicited callers, pre-recorded voice messages phone calls, suspicious emails or links/QR codes in SMS
- Shanghai Commercial Bank Limited ("the Bank") noticed that our customers may receive bogus calls that claim to be calling from the Bank for cross-selling or gathering personal information. If you receive a suspicious call or would like to verify the caller's identity, do not disclose your personal or account information and please call us on (852) 2818 0282 immediately.
- Please note that our bank will not contact local customers with any phone numbers beginning with "+". If such call is received, please hang up immediately.
- Remember that in any circumstances, the Bank will never directly request customers to provide any sensitive information such as ID number, mobile phone number, account number, ATM card/credit card number, Internet Banking User ID and password, and One-Time Password through email, SMS or pre-recorded voice message phone calls.
- If you have any doubts about the message received, please do not disclose your personal or account information. If you suspect that you have leaked personal or account information, password or conducted any financial transactions to a suspicious third party, please immediately contact our Customer Service Hotline on (852) 2818 0282 for verification or Police's Anti-Scam Hotline (852) 18222.
- Do not click on the links embedded or QR code in suspicious emails, SMS or mobile communication apps (e.g. WhatsApp). Even if the domain name of such links appears to be legitimate, you may still be redirected to fraudulent websites with another domain name, and you will be requested to submit your sensitive information, passwords or credit card information. The fraudulent websites may appear under domains that are slightly different from the Bank's official website. A common method is to add English letters, numbers or symbols. The fraudulent websites may also looks quite similar to real website of the Bank.
- Please be reminded never reveal your online banking information to third parties (including other person, persons claimed to be the Bank's staff or law enforcement agencies, social media and unauthorized third-party service provider applications), such as your login name, password, One-Time Password (OTP) or any other sensitive information.
- not make any transactions through any suspicious links.
- Do not contact any phone numbers provided in suspicious emails or SMS.
(2) Read all SMS messages and emails from Shanghai Commercial Bank and your telecommunication service provider carefully
- The Bank will send SMS notification to you in the event of any suspicious transactions occur.
- The Bank will send you an SMS-based One-time Password ("OTP") as a safety measure to safeguard the designated online transactions performed by you via credit card. Please verify the transaction details in the SMS content, such as transaction amount and merchant name, before entering the "OTP" to complete the transaction. Never disclose your "OTP" to anyone and do not allow anyone to use your "OTP". If you have disclosed your personal information to suspicious third parties or "OTP" to anyone, please immediately contact our Customer Service Hotline at (852) 2818 0282 for investigation.
- Pay attention to the notifications sent by your telecommunication service provider about the activation of the SMS/Voice Call forwarding function of your mobile device. If you receive a notification without authorized to activate these functions, please check with your telecommunication service provider immediately, and request to stop the function and report any suspicious cases.
- You may request your telecommunication provider to suspend the remote SMS/Voice Call forwarding function of your mobile device to avoid any unauthorized activation.
- Be sure to check your email frequently to ensure that you can receive important information from the Bank as soon as possible. Please pay attention to the email address and domain name when receiving emails, and check if they are entirely correct.
(3) Verify a request to change payee information for remittance by contacting the requesting party via another channel
- If you receive a transfer or remittance request including by familiar party, please STOP and THINK before taking any action, and consider whether this is a phishing scam. Remember to verify the identity of the counterparty through other channels, such as phone call, email, social communication software.
(4) Update your personal contact information with Shanghai Commercial Bank
- Please update your latest mailing address, mobile phone number and e-mail address with the Bank to allow verification in the event of suspicious transactions appear. If there is any change of the above contact information, please update in our Bank as soon as possible. For security reasons, you are required to update your information by submitting the Notice of Addition / Change of Contact Details Form to the Bank by post or visiting one of our branches.
(5) Protect against mobile/computer malware
- Avoid downloading and using cracked applications to prevent malicious programs from intercepting the One-Time Password on SMS.
- Do not download, install and use suspicious mobile applications on unofficial websites. Apps should be downloaded and upgraded from the official app store.
- Some malicious programs targeting Android phones attempt to steal customers' personal information through their mobile banking apps for fraudulent transactions. In some cases, the malware will attempt to circumvent the additional layer of security provided by a One-Time Password (OTP) by intercepting SMS or generate a fake dialogue inside the mobile banking app in order to trick customers.
- Install and regularly update antivirus software to monitor the installation of spyware/computer viruses on the device.
- To prevent the Spyware installation without your knowledge and virus attack, please avoid visiting or downloading software from suspicious websites.
- If any unusual screens pop-up and/or the computer responds unusually slow, please log off from the Internet Banking and scan the computer with virus protection software.
(6) Do verify the transaction details in the SMS content of One-time Password (OTP) sent by the Bank, such as correctness of transaction amount and merchant name, before entering the OTP to complete your Internet transaction.
(7) Do not enter sensitive information while using public networks which are less secure. Information can be intercepted during transmission.
(8) Suggest disabling the "Auto Fill" feature on your mobile devices to avoid the OTP automatically submitted to fake websites.
(9) Please read and follow the instructions specified in the "Internet Security Notes" from time to time.
(10) It is very important to vigilantly protect your computers to safeguard against Internet Banking fraud. All customers are strongly recommended to refer to the following publications and broadcasting materials provided by the Hong Kong Monetary Authority ('HKMA'), the Hong Kong Association of Banks ('HKAB') and Hong Kong Police Force ('HKPF').
A Security Device is any smartcard, token, electronic device, hardware or any other equipment issued by the Bank from time to time for generating Security Code(s) to verify your online identity and authenticate designated online transactions.
For Personal Banking Customers, please click here for more details.
For Commercial Banking Customers, please click here for more details.
The Bank advises customers of the need to take reasonable steps to keep the device safe and the secret code secret to prevent fraud. In particular, customer should advise its staffs to:
(1) destroy the original printed copy of the secret code immediately after its usage;
(2) do not allow anyone else to use their secret code;
(3) never to write down the secret code on any device for accessing e-banking services or on anything usually kept with or near it;
(4) do not write down or record the secret code without disguising it; and
(5) do not use combinations that are readily accessible/deducible such as your identity card number, telephone number, date of birth, driver's licence number or any popular number sequence (eg. 123456) for your PIN. Avoid using the same digit consecutively or the same sequence of numbers more than twice (eg.112233) as a PIN.
Mobile Security Token
Mobile Security Token is an authentication tool of "Shacom Bank" and "Shacom Business" App. You can log in and confirm designated transactions via Biometric Authentication or self-defined Security Passcode.
Please click here for more details of Mobile Security Token in "Shacom Bank" App.
Please click here for more details of Mobile Security Token in "Shacom Business" App.
Security Tips on using Mobile Security Token
- The Bank staff would never require customers to provide personal information through emails, SMS messages, or pre-recorded voice message phone calls. The Bank staff would never require customers to provide Internet Banking User ID, password and Security Passcode through emails, SMS messages or phone calls.
- Avoid using easy-to-guess Security Passcode and Internet Banking password such as your birthday, phone number, repeated numeric combination or the same user name and password that you use to access other systems or online services.
- Change your Security Passcode and Internet Banking password from time to time.
- Memorise your Security Passcode, Internet Banking User ID and password. Do NOT keep any written copy or save this information on your mobile device.
- Do NOT allow anyone to use your Security Passcode and Internet Banking password.
- Pay attention to your surroundings before conducting any banking transactions, and ensure that no one can see your Security Passcode and Internet Banking password. Cover the keypad of your mobile device when you enter your Security Passcode and Internet Banking password on it.
- Ensure that Fingerprint / Touch ID / Face ID function is enabled on your mobile device first, under device settings. Otherwise, you will not be able to use biometric authentication to log in and confirm transactions.
- If your device is capable of biometric authentication (e.g. fingerprint or facial recognition), do not let any other person register his/her biometric information on it.
- You should NOT use facial recognition for authentication if you have identical siblings or siblings that look like you, or if you are an adolescent with rapidly developing facial features.
- You must NOT take any action to disable any function provided by, and/or agree to any settings of, your mobile device that would otherwise compromise the security of the use of your biometric credentials for Biometric authentication purposes (e.g. disabling "attention-aware" for facial recognition).
- Do NOT forward SMS from our Bank, including One-Time Password (OTP) and push notification to anyone.