Internet Security Information

Beware of Phishing Emails or Bogus Phone Calls and SMS

In view of the recent rise in various forms of phishing email, bogus phone calls, SMS and online frauds, fradsters will impersonate courier companies, government institutions, law enforcement authorities, banks, airlines, online shopping, online entertainment or video streaming companies to call and invite you to take part in surveys, join lucky draws, log in to receive prizes, confirm sending and receiving mail parcels, purchase products or services, etc., and then send phishing emails or spoof SMS messages to trick customers entering or providing personal information, credit card accounts or passwords to steal funds.

To protect your privacy and wealth, please beware the characteristics of spoofed SMS, bogus phone call, phishing email and messages, phone calls or fake website:

They may come from a suspicious email address or have a misleading domain name (URL) ;
They may have grammar or spelling errors or get facts wrong that you can spot ;
They may offer incentives, such as prizes or rewards, vouchers for completing a survey, entering into a lucky draw, confirmation of parcel delivery or promoting products and services in order to trick you into revealing personal and financial information;
They may claim there is a problem with your account and ask you to provide sensitive information such as login names, passwords or One-Time Passwords.
Fraudsters take advantage of the fact that overseas / outbound calls are not easily traced to commit fraud through such calls. Overseas / Outbound phone numbers are displayed with a prefix of “+”, such as "+886", "+02", "+04" and "+09". Unless you know and trust the calling number, you should be alert to incoming calls from abroad.
The mobile device suddenly loses its signal where it used to receive it and does not return to normal for a long time. If the above situation happens, please check with your telecommunications service provider immediately. Fraudsters may have impersonated the customer with stolen personal information, and ask the telecommunications service provider to issue a new SIM card in order to receive one-time security passwords for operating online banking and transferring funds from the customer's account.
Fraudsters pretended to be buyer on free trading platforms and request to buy item by post. The fraudster will try to direct seller out of the trading platform for contact, provide unknown website or suspicious links claiming to be from the trading platform, and ask seller to enter personal information, credit card account and one-time password for payment purpose.

Latest Security Notes and Online Security Tips

Please stay vigilant of the following security notes and online security tips to help you prevent online scam!

(1) Never disclose any of your personal or account information to unsolicited callers, pre-recorded voice messages phone calls, suspicious emails or links/QR codes in SMS

Shanghai Commercial Bank Limited ("the Bank") noticed that our customers may receive bogus calls that claim to be calling from the Bank for cross-selling or gathering personal information. If you receive a suspicious call or would like to verify the caller's identity, do not disclose your personal or account information and please call us on (852) 2818 0282 immediately.
Please note that our bank will not contact local customers with any phone numbers beginning with "+". If such call is received, please hang up immediately.
Remember that in any circumstances, the Bank will never directly request customers to provide any sensitive information such as ID number, mobile phone number, account number, ATM card/credit card number, Internet Banking User ID and password, and One-Time Password through email, SMS or pre-recorded voice message phone calls.
If you have any doubts about the message received, please do not disclose your personal or account information. If you suspect that you have leaked personal or account information, password or conducted any financial transactions to a suspicious third party, please immediately contact our Customer Service Hotline on (852) 2818 0282 for verification or Police's Anti-Scam Hotline (852) 18222.
Do not click on the links embedded or QR code in suspicious emails, SMS or mobile communication apps (e.g. WhatsApp). Even if the domain name of such links appears to be legitimate, you may still be redirected to fraudulent websites with another domain name, and you will be requested to submit your sensitive information, passwords or credit card information. The fraudulent websites may appear under domains that are slightly different from the Bank's official website. A common method is to add English letters, numbers or symbols. The fraudulent websites may also looks quite similar to real website of the Bank.
Please be reminded never reveal your online banking information to third parties (including other person, persons claimed to be the Bank's staff or law enforcement agencies, social media and unauthorized third-party service provider applications), such as your login name, password, One-Time Password (OTP) or any other sensitive information.
not make any transactions through any suspicious links.
Do not contact any phone numbers provided in suspicious emails or SMS.

(2) Read all SMS messages and emails from Shanghai Commercial Bank and your telecommunication service provider carefully

The Bank will send SMS notification to you in the event of any suspicious transactions occur.
The Bank will send you an SMS-based One-time Password ("OTP") as a safety measure to safeguard the designated online transactions performed by you via credit card. Please verify the transaction details in the SMS content, such as transaction amount and merchant name, before entering the "OTP" to complete the transaction. Never disclose your "OTP" to anyone and do not allow anyone to use your "OTP". If you have disclosed your personal information to suspicious third parties or "OTP" to anyone, please immediately contact our Customer Service Hotline at (852) 2818 0282 for investigation.
Pay attention to the notifications sent by your telecommunication service provider about the activation of the SMS/Voice Call forwarding function of your mobile device. If you receive a notification without authorized to activate these functions, please check with your telecommunication service provider immediately, and request to stop the function and report any suspicious cases.
You may request your telecommunication provider to suspend the remote SMS/Voice Call forwarding function of your mobile device to avoid any unauthorized activation.
Be sure to check your email frequently to ensure that you can receive important information from the Bank as soon as possible. Please pay attention to the email address and domain name when receiving emails, and check if they are entirely correct.

(3) Verify a request to change payee information for remittance by contacting the requesting party via another channel

If you receive a transfer or remittance request including by familiar party, please STOP and THINK before taking any action, and consider whether this is a phishing scam. Remember to verify the identity of the counterparty through other channels, such as phone call, email, social communication software.

(4) Update your personal contact information with Shanghai Commercial Bank

Please update your latest mailing address, mobile phone number and e-mail address with the Bank to allow verification in the event of suspicious transactions appear. If there is any change of the above contact information, please update in our Bank as soon as possible. For security reasons, you are required to update your information by submitting the Notice of Addition / Change of Contact Details Form to the Bank by post or visiting one of our branches.

(5) Protect against mobile/computer malware

Avoid downloading and using cracked applications to prevent malicious programs from intercepting the One-Time Password on SMS.
Do not download, install and use suspicious mobile applications on unofficial websites. Apps should be downloaded and upgraded from the official app store.
Some malicious programs targeting Android phones attempt to steal customers' personal information through their mobile banking apps for fraudulent transactions. In some cases, the malware will attempt to circumvent the additional layer of security provided by a One-Time Password (OTP) by intercepting SMS or generate a fake dialogue inside the mobile banking app in order to trick customers.
Install and regularly update antivirus software to monitor the installation of spyware/computer viruses on the device.
To prevent the Spyware installation without your knowledge and virus attack, please avoid visiting or downloading software from suspicious websites.
If any unusual screens pop-up and/or the computer responds unusually slow, please log off from the Internet Banking and scan the computer with virus protection software.

(6) Do verify the transaction details in the SMS content of One-time Password (OTP) sent by the Bank, such as correctness of transaction amount and merchant name, before entering the OTP to complete your Internet transaction.

(7) Do not enter sensitive information while using public networks which are less secure. Information can be intercepted during transmission.

(8) Suggest disabling the "Auto Fill" feature on your mobile devices to avoid the OTP automatically submitted to fake websites.

(9) Please read and follow the instructions specified in the "Internet Security Notes" from time to time.

(10) It is very important to vigilantly protect your computers to safeguard against Internet Banking fraud. All customers are strongly recommended to refer to the following publications and broadcasting materials provided by the Hong Kong Monetary Authority ('HKMA'), the Hong Kong Association of Banks ('HKAB') and Hong Kong Police Force ('HKPF').

HKMA Article relating to the Internet Banking Security
"Smart Tips on Using Internet Banking Services" leaflet.
Beware of Phishing Websites.
Consumer Education Programme - Major Safety Tips on Using Internet Banking Services and Demystify Phishing Emails
"Remind those around you. Don't fall for scammers!" video (provided by HKAB)

Peace of mind with 2-Factor Authentication

2-Factor Authentication uses a combination of two different factors for verifying a user's identity. It provides a safer Internet banking services and protects you from Internet banking fraud.


Something you know i.e. User ID & Password		Something you have i.e. e-Cert or Security Device etc.

Security Device

A Security Device is any smartcard, token, electronic device, hardware or any other equipment issued by the Bank from time to time for generating Security Code(s) to verify your online identity and authenticate designated online transactions.

For Personal Banking Customers, please click here for more details.
For Commercial Banking Customers, please click here for more details.

The Bank advises customers of the need to take reasonable steps to keep the device safe and the secret code secret to prevent fraud. In particular, customer should advise its staffs to:
(1) destroy the original printed copy of the secret code immediately after its usage;
(2) do not allow anyone else to use their secret code;
(3) never to write down the secret code on any device for accessing e-banking services or on anything usually kept with or near it;
(4) do not write down or record the secret code without disguising it; and
(5) do not use combinations that are readily accessible/deducible such as your identity card number, telephone number, date of birth, driver's licence number or any popular number sequence (eg. 123456) for your PIN. Avoid using the same digit consecutively or the same sequence of numbers more than twice (eg.112233) as a PIN.

Mobile Security Token

Mobile Security Token is an authentication tool of "Shacom Bank" and "Shacom Business" App. You can log in and confirm designated transactions via Biometric Authentication or self-defined Security Passcode.

Please click here for more details of Mobile Security Token in "Shacom Bank" App.

Please click here for more details of Mobile Security Token in "Shacom Business" App.

Security Tips on using Mobile Security Token

The Bank staff would never require customers to provide personal information through emails, SMS messages, or pre-recorded voice message phone calls. The Bank staff would never require customers to provide Internet Banking User ID, password and Security Passcode through emails, SMS messages or phone calls.
Avoid using easy-to-guess Security Passcode and Internet Banking password such as your birthday, phone number, repeated numeric combination or the same user name and password that you use to access other systems or online services.
Change your Security Passcode and Internet Banking password from time to time.
Memorise your Security Passcode, Internet Banking User ID and password. Do NOT keep any written copy or save this information on your mobile device.
Do NOT allow anyone to use your Security Passcode and Internet Banking password.
Pay attention to your surroundings before conducting any banking transactions, and ensure that no one can see your Security Passcode and Internet Banking password. Cover the keypad of your mobile device when you enter your Security Passcode and Internet Banking password on it.
Ensure that Fingerprint / Touch ID / Face ID function is enabled on your mobile device first, under device settings. Otherwise, you will not be able to use biometric authentication to log in and confirm transactions.
If your device is capable of biometric authentication (e.g. fingerprint or facial recognition), do not let any other person register his/her biometric information on it.
You should NOT use facial recognition for authentication if you have identical siblings or siblings that look like you, or if you are an adolescent with rapidly developing facial features.
You must NOT take any action to disable any function provided by, and/or agree to any settings of, your mobile device that would otherwise compromise the security of the use of your biometric credentials for Biometric authentication purposes (e.g. disabling "attention-aware" for facial recognition).
Do NOT forward SMS from our Bank, including One-Time Password (OTP) and push notification to anyone.

Internet Banking Security Tips

Do not disclose your User ID and password to anyone, including someone claims to be the Bank's staff or the Police. Under no circumstances will our staff ask for such information from customers through whatever channels, such as telephone, e-mail, etc.
After you have memorized your password, destroy the original printed copy of it immediately.
Do not allow anyone to use your password.
Create a password with a combination of letters and numbers. Avoid using easy-to-guess password such as your birthday, phone number, repeated numeric combination or the same user ID and password that you use to access other systems or online services.
Change your password from time to time.

Web Browsing Best Practice

Do not leave your computer and mobile communication device (eg. mobile handset, tablet etc.) unattended and promptly exit by clicking "Logoff" button and disconnecting from on-line services. Set up auto-lock and enable passcode lock to prevent unauthorized access of your handsets/notebook/tablet PC.
Remove the temporary files stored in the memory or in the hard disks of the computer shared with others.
Memorise your User ID and password and do not write it down. Do not store password in your computer/mobile communication device or the browser or re-use passwords, and disable auto-complete function.
Do not install document sharing software in your computer.
Check your account balances and statements regularly. Report to the Bank as soon as possible if you spot any unusual transactions.
Avoid using public or shared computer/shared mobile communication device or public Wi-Fi network or Wi-Fi without password setting to access our i-Banking services and ensure that your screen or input cannot be viewed by any other person.
Ensure proper physical access controls for your personal computer/mobile communication device and Internet connections.

About Anti-Virus Protection

Install Firewall with appropriate safety level or access control set-up and regularly update PC security softwares (eg. Anti-Spyware, Anti-Virus etc.) to protect from Spyware and virus such as Trojan Horses. Also, scan your computer from time to time with anti-virus software and anti-spyware software.
Download and apply security updates and patches to the computer and mobile communication device/browser when they are made available to ensure you have the latest protection against any security vulnerabilities.
To prevent the Spyware installation without your knowledge and virus attack, avoid visiting or downloading software from suspicious websites, never install freewares, programs and smartphone applications from unreliable sources or pirated softwares or use jailbroken/rooted devices or open e-mails and attachments from unknown or doubtful sources. If any unusual screens pop-up and/or the computer responds unusually slowly, log off from the Internet Banking and scan the computer with virus protection software.
To prevent unauthorized access by third party to your data through network, please disable the "File and Printer Sharing" function and set up the proper access rights of your computer.
Make sure that you backup your files regularly so that you can recover them after a virus attack.

Security Alert - Hong Kong Computer Emergency Response Team Coordination Center (HKCERT)

How to detect virus?.

When using Internet Banking

Verify last logon date and time.
Ensure all other Internet sessions are closed before and during logging on to our i-Banking services.
Avoid accessing our i-Banking services through hyperlinks embedded in e-mails or suspicious pop-up windows or third party websites. Do not enter any information (user ID, password etc.) to the screen pop-up or suspicious websites.
Access to the i-Banking's web site via the web browsers' bookmarks menu which has previously been identified genuine or typing the exact URL: http://www.shacombank.com.hk. The bank has adopted the latest Internet Security measure, EV SSL Certificate (Extended Validation SSL Certificate). If you are using the following browsers to access our i-Banking services, the colour of the browser address bar will be changed to green and the bank name will be displayed on the address bar (Internet Explorer 7.0 / Firefox 3.0 / Chrome / Safari 4.0 or above). If you are not using the above browsers, on the logon page you will see a small lock. If you double-click the lock, a server certificate issued by VeriSign will appear and the details and validity of the certificate will be shown to authenticate you are accessing the genuine website of the bank.
Ensure any device (for example, smart card, i-Key, that store digital certificate) and/or password used for accessing i-Banking services is secure and kept safe. Remove the storage media of the digital certificate from your PC after use.
Do not install the digital certificate on your web browser or store the digital certificate in a hard disk.
Notify the Bank of any changes in your personal details as soon as possible (e.g. telephone number, email and correspondence address).
Login passwords - Set a password that is difficult to guess and different from the ones for other services. The login password should be changed regularly and should never be stored on computers, mobile phones or placed in plain sight. Keep the security token (if any) provided by the Bank at a safe place.
Computers and mobile phones - Protect your computer and mobile phone used for logging into Internet banking. Avoid using public computers or public Wi-Fi to access Internet banking services.
Bank websites and Apps – Internet banking should be accessed by entering the Bank’s website address directly, or using a bookmark or an Internet banking mobile application (App). Never access the Bank website or provide your personal information (including your password) through any hyperlinks or attachments embedded in emails or from websites.
Login process – Beware of any unusual login screen or process (e.g. a suspicious pop-up window, unusually slow browser response, multiple requests for password input or request for providing additional personal information) and whether anyone is trying to peek at your password. Log out immediately after use.
Check the Bank's SMS messages and other messages in a timely manner and verify your transaction records. Inform the Bank immediately in case of any suspicious situations. The Bank would not ask for any sensitive personal information through emails, SMS messages or pre-recorded vice message phone calls. The Bank would never require customers to provide user names and passwords through emails, SMS messages or phone calls.

If you suspect any unusual account activities, including discrepancy details found on the last logon time and, certificate information, please change your i-Banking password immediately and contact our 24-hour hotline on (852)2818 0282 or visit any of our branches for immediate assistance. You are highly recommended to call the Anti-Deception Coordination Centre (ADCC)'s "Anti-Scam" consultation hotline on 18222 to help combat suspected fraud cases.

Credit Cards Security Tips

Double check the transaction amount before signing the Credit Card payment slip.
Try to keep an eye on your card when making transactions, to avoid any unauthorized person from gaining your credit card information.
Ensure that your card is returned to you after each transaction.
Do not sign credit card slips without an amount.
Keep all card receipts / statements in a safe place, and destroy them when they are no longer required.
Review your statements and notify the Bank immediately once discrepancies are found.
Check your account balance regularly.
Avoid entering credit card information when using public computers (such as those in Internet cafes).
Never leave your credit cards unattended or lend them to anyone.
Inform the Bank in advance of your travel plans to allow the Bank to validate your credit card purchases incurred overseas.
Update your latest and valid personal details with the Bank, such as mobile phone number, email address, mailing address to ensure correct correspondence to be reached for confirmation when suspicious transactions occur.
Beware of leaving your wallet inside your jacket hung on the back of your chair at restaurants, prevent any unauthorized person from obtaining your credit card or other personal belongings.
Bring along the only credit cards you need, in particular when visiting places provide locker service, such as the changing rooms of swimming pools, playgrounds or health/fitness centers.

Mobile Banking Security Tips

Always log off your online session when done. Do not just close your mobile phone browser. Follow the logoff instructions to ensure your online security protection.
Avoid sharing your mobile handsets with others and use your own handset to log on i-banking.
Do not keep sensitive information such as your account numbers, PIN and Log on passwords in your mobile phone.
Do not leave your handset unattended after logging on to Internet Banking. Always log off the mobile banking properly when you have done.
Use the latest versions of operating system, Internet Banking Apps and browser. Do not jailbreak or root privileges to your mobile phone and tablet.
Ensure that no one is watching you and it is not a crowded area while you key in your User ID, Password, or any other sensitive information.
Install and update the latest anti-virus and anti-spyware software regularly on your mobile handsets, whenever they are available.
Download and install security updates and patches whenever available to ensure your device has the latest protection against any security vulnerabilities.
Install security patches and the latest software updates in your mobile phone. Do not download program/apps from unsecured sources. Do not install any application(s) onto your mobile devices from mistrusted sources.
Remove temporary files and the cache stored in the memory of your mobile phone regularly since they may contain sensitive information such as your account number.
Set up auto-lock and enable passcode lock to prevent unauthorized access of your handsets/notebook/tablet PC.
Keep your mobile device safe and stay alert on security vulnerabilities when using mobile device.
Use default browsers originally provided by mobile handsets rather than newly installed browsers downloaded from other sources.
Only pre-set and access reliable wireless networks for Internet connection.
Use trusted Wi-Fi networks or service providers. Disable any wireless network functions (e.g. Wi-Fi, Bluetooth, NFC) not in use. Choose encrypted networks when using Wi-Fi and remove any unnecessary Wi-Fi connection settings.
Do not download or open doubtful files, browse suspicious websites, or click on the hyperlinks and attachments from questionable sources (e.g. emails, instant messaging, SMS messages, QR codes). Download and upgrade your Apps from official App Stores or reliable sources only.
Please logout the Mobile Banking services when you are using another Apps.

Automatic Teller Machine (ATM) Security Tips

ATM cards and passwords - Keep your ATM card safe. Set a PIN that is difficult to guess and different from the ones for other services. Change your PIN regularly. Do not keep your ATM card and PIN together.
ATMs - Beware of anything unusual about the card insertion slot, keypad and keypad cover (e.g. whether any suspicious device is installed). Cover the keypad with your hand when entering your PIN and check whether anyone is trying to peek at your PIN.
Handling your cash withdrawals - Count the banknotes immediately after each cash withdrawal. Do not take away any banknotes at the cash dispenser or ATM card at the card insertion slot left behind by someone else. Let the banknotes or ATM card return to the ATM automatically.
Overseas cash withdrawals - If you intend to withdraw cash from overseas ATMs, check with the Bank whether your intended overseas destination can support cash withdrawal using your ATM card. You should also activate the overseas ATM cash withdrawal function in advance and set a prudent overseas ATM cash withdrawal limit and an activation period.
Check the transaction records provided by the Bank in a timely manner. Inform the Bank immediately if you lose your ATM card, or in case of any suspicious transactions/situations. Banks will not ask for any sensitive personal information (including PIN) through phone calls or emails.
Do not allow anyone to use your ATM card and your PIN.
If you encounter any difficulties when using the ATM, cancel your transaction, take back your ATM/credit card and inform the Bank. Do not request someone else to perform ATM or EPS transactions for you.
If your ATM card or PIN is lost or stolen or if you suspect that someone learns your PIN, please inform the Bank immediately.
Do not accept assistance from strangers when you are performing transactions.
Please remember to take back your ATM card after transaction is completed. Do not leave the card and money in the slot.
Change your ATM card & credit card PIN regularly.

Major Safety Tips on Using ATMs.

Emails Security Tips

The Bank will never send you an e-mail asking for your account number, i-banking Password, ATM Card/Credit Card Personal Identification Number (PIN), account balance and identity card/passport number or other sensitive information.
Be alert of fraudulent e-mails. These may appear to come from a trusted business or friend, but actually are designed to mislead you into entering a fraudulent website and disclosing sensitive information.
Be cautious of any e-mail that contains an embedded hyperlink or a request to enter personal information. Do not reply, click on the hyperlinks or input any sensitive information.
If you have received any suspicious e-mails purporting to be from the Bank, please notify the Bank immediately.
If you have provided sensitive information to a suspicious website, you should report the same to the police immediately. If the website is purporting to be a Shanghai Commercial Bank site, please notify the Bank immediately.
Do not send sensitive personal or financial information via Internet unless it is encrypted on a secure website. Regular e-mails are not encrypted.
If you use a link in an e-mail received from the Bank, please check the authenticity of the website you are accessing by checking the website SSL certificate information, such as company name, URL, certificate issuer, validation date, and encryption types, etc., to confirm that is the website you intend to access.
Please do not depend solely on email correspondences for any remittance instruction. You should confirm with the beneficiary through other channels (e.g. telephone) for the transaction and the beneficiary details before submitting the remittance application.

The Hong Kong Police - Anti-Deception Coordination Centre (ADCC)

Fund Transfer Alert

When making fund transfer, please pay attention to the following:

During the transaction
Please make sure that the information of payee (e.g., name, account number, Proxy ID, etc.) and the transaction amount are correct, before confirming the transaction.
After the transaction
After transferring money, please check and keep the transaction record for reference when necessary.
Mis-transferred Fund FROM Your Account
If you accidentally transfer money to an unintended payee, please visit our website to download and complete the "Return of Mis-transferred Fund Request Form" and return it to us. If you have any queries, please contact us.
Mis-transferred Fund TO Your Account
If there is a claim for return of a mis-transferred fund into your account, please check and confirm with us. Please be reminded that if the fund is proved to be a wrong transfer to your account but it is not returned by you, you may be criminally liable.