Internet Security Information

Beware of phishing scams via email or SMS

There is an increasing trend of phishing scams through emails and SMS where fraudsters disguise as trustworthy institutions such as courier companies, government agencies, banks or airlines in an attempt to obtain personal information, passwords, or credit card details.

Please note that the Bank will never directly request customers to provide sensitive information such as ID number, mobile phone number, account number, ATM card/credit card number, Internet Banking User ID and password, one-time password etc., through emails, SMS or pre-recorded voice message phone calls.

To protect your privacy and wealth, here are some security tips to help you recognise phishing scams and fake websites:

They may come from a suspicious email address or have a misleading domain name (URL) ;
They may have grammar or spelling errors or get facts wrong that you can spot ;
They may offer incentives, such as prizes or rewards, vouchers for completing a survey, entering into a lucky draw, confirmation of parcel delivery or promoting investment products in order to trick you into revealing personal and financial information;
They may claim there is a problem with your account and ask you to log in again to verify.

Please stay vigilant of any suspicious emails or SMS and when visiting websites.

Do not click on the links embedded in suspicious emails or SMS. Even if the domain name of such links appears to be legitimate, you may still be redirected to fraudulent websites with another domain name, and you will be requested to submit your sensitive information, passwords or credit card information. The fraudulent websites may appear under domains that are slightly different from the Bank’s official website. A common method is to add English letters, numbers or symbols. The fraudulent websites may also looks quite similar to real website of the Bank.
Do verify the transaction details in the SMS content of One-time Password (OTP) sent by the Bank, such as correctness of transaction amount and merchant name, before entering the OTP to complete your Internet transaction.
Do pay attention to the sender name of emails or SMS. Notifications using bank name as the sender name does not guarantee that it is originated from the bank and trust worthy.
Suggest disabling the "Auto Fill" feature on your mobile devices to avoid the OTP automatically submitted to fake websites.
Do not disclose your One-time Password (OTP) from SMS to third party.
Do not make any payments through any suspicious links.
Do not call any number provided in the suspicious emails or SMS.

Latest Security Notes

(1) Never disclose your personal data or bank account details to unsolicited callers or pre-recorded voice message phone calls requesting such information

Shanghai Commercial Bank Limited ("the Bank") noticed that our customers may receive bogus calls that claim to be calling from the Bank for cross-selling or gathering personal information. If you receive a suspicious call or would like to verify the caller's identity, do not disclose your personal or account information and please call us on (852) 28180282 immediately.
Please note that our bank will not contact local customers with any phone numbers beginning with "+". If such call is received, please hang up immediately.
The Bank would never require customers to provide sensitive personal information through emails, SMS messages,or pre-recorded voice message phone calls. The Bank would never require customers to provide user names and passwords through emails, SMS messages or phone calls.
If you have disclosed your personal information or password to a suspicious caller, please immediately contact the Bank at (852) 28180282 and report the same to the Hong Kong Police Force (the "Police") for investigation, and:
- Provide caller's phone number if available
- Indicate the disclosed personal information

(2) Read all SMS messages from Shanghai Commercial Bank and your telecommunication service provider carefully

The Bank will send SMS notification to you in the event of any suspicious transactions occur.
The Bank will send you an SMS-based One-time Password ("OTP") as a safety measure to safeguard the designated online transactions performed by you via credit card. Please verify the transaction details in the SMS content, such as transaction amount and merchant name, before entering the "OTP" to complete the transaction. Never disclose your "OTP" to anyone and do not allow anyone to use your "OTP". If you have disclosed your personal information to suspicious third parties or "OTP" to anyone, please immediately contact our Customer Service Hotline at (852) 2818 0282 for investigation.
Be careful of any notifications sent by your telecommunication provider about activation of the SMS/Voice Call forwarding function of your mobile device. Check with your service provider and report any suspicious notifications if you have not authorized the activation.
You may request your telecommunication provider to suspend the remote SMS/Voice Call forwarding function of your mobile device to avoid any unauthorized activation.

(3) Verify a request to change payee information for remittance by contacting the requesting party via another channel

Confirm the identity of the purported business partners by means of telephone or channels other than e-mail before making the payment and/or remittance to prevent fraud from e-mail scams.

(4) Update your personal contact information with Shanghai Commercial Bank

Please update your latest mailing address, mobile phone number and e-mail address with the Bank to allow verification in the event of suspicious transactions appear. For security reasons, you are required to update your information by submitting the Notice of Addition / Change of Contact Details Form to the Bank by post or visiting one of our branches.

(5) How to protect against mobile malware

Recently, variants of mobile malware targeting Android smartphones have appeared, attempt to steal clients' credentials and perform fraudulent transactions through their mobile banking apps. In some cases, the mobile malware will attempt to circumvent the additional layer of security provided by a One-Time Password (OTP) by intercepting text messages (SMS) or generate a fake dialogue inside the mobile banking application in order to trick a user.

(6) To prevent the Spyware installation without your knowledge and virus attack, please avoid visiting or downloading software from suspicious websites.

(7) If any unusual screens pop-up and/or the computer responds unusually slow, please log off from the Internet Banking and scan the computer with virus protection software.

(8) Do not enter any information (user ID, password etc.) to the screens pop-up or suspicious websites.

(9) Please read and follow the instructions specified in the "Internet Security Notes" from time to time.

(10) It is very important to vigilantly protect your computers to safeguard against Internet Banking fraud. All customers are strongly recommended to refer to the following publications and broadcasting materials provided by the Hong Kong Monetary Authority ('HKMA'), the Hong Kong Association of Banks ('HKAB') and Hong Kong Police Force ('HKPF').

Peace of mind with 2-Factor Authentication

2-Factor Authentication uses a combination of two different factors for verifying a user's identity. It provides a safer Internet banking services and protects you from Internet banking fraud.


Something you know i.e. User ID & Password		Something you have i.e. e-Cert or Security Device etc.

Security Device

A Security Device is any smartcard, token, electronic device, hardware or any other equipment issued by the Bank from time to time for generating Security Code(s) to verify your online identity and authenticate designated online transactions.

For Personal Banking Customers, please click here for more details.
For Commercial Banking Customers, please click here for more details.

The Bank advises customers of the need to take reasonable steps to keep the device safe and the secret code secret to prevent fraud. In particular, customer should advise its staffs to:
(1) destroy the original printed copy of the secret code immediately after its usage;
(2) do not allow anyone else to use their secret code;
(3) never to write down the secret code on any device for accessing e-banking services or on anything usually kept with or near it;
(4) do not write down or record the secret code without disguising it; and
(5) do not use combinations that are readily accessible/deducible such as your identity card number, telephone number, date of birth, driver's licence number or any popular number sequence (eg. 123456) for your PIN. Avoid using the same digit consecutively or the same sequence of numbers more than twice (eg.112233) as a PIN.

Mobile Security Token

Mobile Security Token is an authentication tool of "Shacom Bank" and "Shacom Business" App. You can log in and confirm designated transactions via Biometric Authentication or self-defined Security Passcode.

Please click here for more details of Mobile Security Token in "Shacom Bank" App.

Please click here for more details of Mobile Security Token in "Shacom Business" App.

Security Tips on using Mobile Security Token

The Bank staff would never require customers to provide personal information through emails, SMS messages, or pre-recorded voice message phone calls. The Bank staff would never require customers to provide Internet Banking User ID, password and Security Passcode through emails, SMS messages or phone calls.
Avoid using easy-to-guess Security Passcode and Internet Banking password such as your birthday, phone number, repeated numeric combination or the same user name and password that you use to access other systems or online services.
Change your Security Passcode and Internet Banking password from time to time.
Memorise your Security Passcode, Internet Banking User ID and password. Do NOT keep any written copy or save this information on your mobile device.
Do NOT allow anyone to use your Security Passcode and Internet Banking password.
Pay attention to your surroundings before conducting any banking transactions, and ensure that no one can see your Security Passcode and Internet Banking password. Cover the keypad of your mobile device when you enter your Security Passcode and Internet Banking password on it.
Ensure that Fingerprint / Touch ID / Face ID function is enabled on your mobile device first, under device settings. Otherwise, you will not be able to use biometric authentication to log in and confirm transactions.
If your device is capable of biometric authentication (e.g. fingerprint or facial recognition), do not let any other person register his/her biometric information on it.
You should NOT use facial recognition for authentication if you have identical siblings or siblings that look like you, or if you are an adolescent with rapidly developing facial features.
You must NOT take any action to disable any function provided by, and/or agree to any settings of, your mobile device that would otherwise compromise the security of the use of your biometric credentials for Biometric authentication purposes (e.g. disabling "attention-aware" for facial recognition).
Do NOT forward SMS from our Bank, including One-Time Password (OTP) and push notification to anyone.

Internet Banking Security Tips

Do not disclose your User ID and password to anyone, including someone claims to be the Bank's staff or the Police. Under no circumstances will our staff ask for such information from customers through whatever channels, such as telephone, e-mail, etc.
After you have memorized your password, destroy the original printed copy of it immediately.
Do not allow anyone to use your password.
Create a password with a combination of letters and numbers. Avoid using easy-to-guess password such as your birthday, phone number, repeated numeric combination or the same user ID and password that you use to access other systems or online services.
Change your password from time to time.

Web Browsing Best Practice

Do not leave your computer and mobile communication device (eg. mobile handset, tablet etc.) unattended and promptly exit by clicking "Logoff" button and disconnecting from on-line services. Set up auto-lock and enable passcode lock to prevent unauthorized access of your handsets/notebook/tablet PC.
Remove the temporary files stored in the memory or in the hard disks of the computer shared with others.
Memorise your User ID and password and do not write it down. Do not store password in your computer/mobile communication device or the browser or re-use passwords, and disable auto-complete function.
Do not install document sharing software in your computer.
Check your account balances and statements regularly. Report to the Bank as soon as possible if you spot any unusual transactions.
Avoid using public or shared computer/shared mobile communication device or public Wi-Fi network or Wi-Fi without password setting to access our i-Banking services and ensure that your screen or input cannot be viewed by any other person.
Ensure proper physical access controls for your personal computer/mobile communication device and Internet connections.

About Anti-Virus Protection

Install Firewall with appropriate safety level or access control set-up and regularly update PC security softwares (eg. Anti-Spyware, Anti-Virus etc.) to protect from Spyware and virus such as Trojan Horses. Also, scan your computer from time to time with anti-virus software and anti-spyware software.
Download and apply security updates and patches to the computer and mobile communication device/browser when they are made available to ensure you have the latest protection against any security vulnerabilities.
To prevent the Spyware installation without your knowledge and virus attack, avoid visiting or downloading software from suspicious websites, never install freewares, programs and smartphone applications from unreliable sources or pirated softwares or use jailbroken/rooted devices or open e-mails and attachments from unknown or doubtful sources. If any unusual screens pop-up and/or the computer responds unusually slowly, log off from the Internet Banking and scan the computer with virus protection software.
To prevent unauthorized access by third party to your data through network, please disable the "File and Printer Sharing" function and set up the proper access rights of your computer.
Make sure that you backup your files regularly so that you can recover them after a virus attack.

Security Alert - Hong Kong Computer Emergency Response Team Coordination Center (HKCERT)

How to detect virus?.

When using Internet Banking

Verify last logon date and time.
Ensure all other Internet sessions are closed before and during logging on to our i-Banking services.
Avoid accessing our i-Banking services through hyperlinks embedded in e-mails or suspicious pop-up windows or third party websites. Do not enter any information (user ID, password etc.) to the screen pop-up or suspicious websites.
Access to the i-Banking's web site via the web browsers' bookmarks menu which has previously been identified genuine or typing the exact URL: http://www.shacombank.com.hk. The bank has adopted the latest Internet Security measure, EV SSL Certificate (Extended Validation SSL Certificate). If you are using the following browsers to access our i-Banking services, the colour of the browser address bar will be changed to green and the bank name will be displayed on the address bar (Internet Explorer 7.0 / Firefox 3.0 / Chrome / Safari 4.0 or above). If you are not using the above browsers, on the logon page you will see a small lock. If you double-click the lock, a server certificate issued by VeriSign will appear and the details and validity of the certificate will be shown to authenticate you are accessing the genuine website of the bank.
Ensure any device (for example, smart card, i-Key, that store digital certificate) and/or password used for accessing i-Banking services is secure and kept safe. Remove the storage media of the digital certificate from your PC after use.
Do not install the digital certificate on your web browser or store the digital certificate in a hard disk.
Notify the Bank of any changes in your personal details as soon as possible (e.g. telephone number, email and correspondence address).
Login passwords - Set a password that is difficult to guess and different from the ones for other services. The login password should be changed regularly and should never be stored on computers, mobile phones or placed in plain sight. Keep the security token (if any) provided by the Bank at a safe place.
Computers and mobile phones - Protect your computer and mobile phone used for logging into Internet banking. Avoid using public computers or public Wi-Fi to access Internet banking services.
Bank websites and Apps – Internet banking should be accessed by entering the Bank’s website address directly, or using a bookmark or an Internet banking mobile application (App). Never access the Bank website or provide your personal information (including your password) through any hyperlinks or attachments embedded in emails or from websites.
Login process – Beware of any unusual login screen or process (e.g. a suspicious pop-up window, unusually slow browser response, multiple requests for password input or request for providing additional personal information) and whether anyone is trying to peek at your password. Log out immediately after use.
Check the Bank's SMS messages and other messages in a timely manner and verify your transaction records. Inform the Bank immediately in case of any suspicious situations. The Bank would not ask for any sensitive personal information through emails, SMS messages or pre-recorded vice message phone calls. The Bank would never require customers to provide user names and passwords through emails, SMS messages or phone calls.

If you suspect any unusual account activities, including discrepancy details found on the last logon time and, certificate information, please change your i-Banking password immediately and contact our 24-hour hotline on (852)2818 0282 or visit any of our branches for immediate assistance. You are highly recommended to call the Anti-Deception Coordination Centre (ADCC)'s "Anti-Scam" consultation hotline on 18222 to help combat suspected fraud cases.

Credit Cards Security Tips

Double check the transaction amount before signing the Credit Card payment slip.
Try to keep an eye on your card when making transactions, to avoid any unauthorized person from gaining your credit card information.
Ensure that your card is returned to you after each transaction.
Do not sign credit card slips without an amount.
Keep all card receipts / statements in a safe place, and destroy them when they are no longer required.
Review your statements and notify the Bank immediately once discrepancies are found.
Check your account balance regularly.
Avoid entering credit card information when using public computers (such as those in Internet cafes).
Never leave your credit cards unattended or lend them to anyone.
Inform the Bank in advance of your travel plans to allow the Bank to validate your credit card purchases incurred overseas.
Update your latest and valid personal details with the Bank, such as mobile phone number, email address, mailing address to ensure correct correspondence to be reached for confirmation when suspicious transactions occur.
Beware of leaving your wallet inside your jacket hung on the back of your chair at restaurants, prevent any unauthorized person from obtaining your credit card or other personal belongings.
Bring along the only credit cards you need, in particular when visiting places provide locker service, such as the changing rooms of swimming pools, playgrounds or health/fitness centers.

Mobile Banking Security Tips

Always log off your online session when done. Do not just close your mobile phone browser. Follow the logoff instructions to ensure your online security protection.
Avoid sharing your mobile handsets with others and use your own handset to log on i-banking.
Do not keep sensitive information such as your account numbers, PIN and Log on passwords in your mobile phone.
Do not leave your handset unattended after logging on to Internet Banking. Always log off the mobile banking properly when you have done.
Use the latest versions of operating system, Internet Banking Apps and browser. Do not jailbreak or root privileges to your mobile phone and tablet.
Ensure that no one is watching you and it is not a crowded area while you key in your User ID, Password, or any other sensitive information.
Install and update the latest anti-virus and anti-spyware software regularly on your mobile handsets, whenever they are available.
Download and install security updates and patches whenever available to ensure your device has the latest protection against any security vulnerabilities.
Install security patches and the latest software updates in your mobile phone. Do not download program/apps from unsecured sources. Do not install any application(s) onto your mobile devices from mistrusted sources.
Remove temporary files and the cache stored in the memory of your mobile phone regularly since they may contain sensitive information such as your account number.
Set up auto-lock and enable passcode lock to prevent unauthorized access of your handsets/notebook/tablet PC.
Keep your mobile device safe and stay alert on security vulnerabilities when using mobile device.
Use default browsers originally provided by mobile handsets rather than newly installed browsers downloaded from other sources.
Only pre-set and access reliable wireless networks for Internet connection.
Use trusted Wi-Fi networks or service providers. Disable any wireless network functions (e.g. Wi-Fi, Bluetooth, NFC) not in use. Choose encrypted networks when using Wi-Fi and remove any unnecessary Wi-Fi connection settings.
Do not download or open doubtful files, browse suspicious websites, or click on the hyperlinks and attachments from questionable sources (e.g. emails, instant messaging, SMS messages, QR codes). Download and upgrade your Apps from official App Stores or reliable sources only.
Please logout the Mobile Banking services when you are using another Apps.

Automatic Teller Machine (ATM) Security Tips

ATM cards and passwords - Keep your ATM card safe. Set a PIN that is difficult to guess and different from the ones for other services. Change your PIN regularly. Do not keep your ATM card and PIN together.
ATMs - Beware of anything unusual about the card insertion slot, keypad and keypad cover (e.g. whether any suspicious device is installed). Cover the keypad with your hand when entering your PIN and check whether anyone is trying to peek at your PIN.
Handling your cash withdrawals - Count the banknotes immediately after each cash withdrawal. Do not take away any banknotes at the cash dispenser or ATM card at the card insertion slot left behind by someone else. Let the banknotes or ATM card return to the ATM automatically.
Overseas cash withdrawals - If you intend to withdraw cash from overseas ATMs, check with the Bank whether your intended overseas destination can support cash withdrawal using your ATM card. You should also activate the overseas ATM cash withdrawal function in advance and set a prudent overseas ATM cash withdrawal limit and an activation period.
Check the transaction records provided by the Bank in a timely manner. Inform the Bank immediately if you lose your ATM card, or in case of any suspicious transactions/situations. Banks will not ask for any sensitive personal information (including PIN) through phone calls or emails.
Do not allow anyone to use your ATM card and your PIN.
If you encounter any difficulties when using the ATM, cancel your transaction, take back your ATM/credit card and inform the Bank. Do not request someone else to perform ATM or EPS transactions for you.
If your ATM card or PIN is lost or stolen or if you suspect that someone learns your PIN, please inform the Bank immediately.
Do not accept assistance from strangers when you are performing transactions.
Please remember to take back your ATM card after transaction is completed. Do not leave the card and money in the slot.
Change your ATM card & credit card PIN regularly.

Major Safety Tips on Using ATMs.

Emails Security Tips

The Bank will never send you an e-mail asking for your account number, i-banking Password, ATM Card/Credit Card Personal Identification Number (PIN), account balance and identity card/passport number or other sensitive information.
Be alert of fraudulent e-mails. These may appear to come from a trusted business or friend, but actually are designed to mislead you into entering a fraudulent website and disclosing sensitive information.
Be cautious of any e-mail that contains an embedded hyperlink or a request to enter personal information. Do not reply, click on the hyperlinks or input any sensitive information.
If you have received any suspicious e-mails purporting to be from the Bank, please notify the Bank immediately.
If you have provided sensitive information to a suspicious website, you should report the same to the police immediately. If the website is purporting to be a Shanghai Commercial Bank site, please notify the Bank immediately.
Do not send sensitive personal or financial information via Internet unless it is encrypted on a secure website. Regular e-mails are not encrypted.
If you use a link in an e-mail received from the Bank, please check the authenticity of the website you are accessing by checking the website SSL certificate information, such as company name, URL, certificate issuer, validation date, and encryption types, etc., to confirm that is the website you intend to access.
Please do not depend solely on email correspondences for any remittance instruction. You should confirm with the beneficiary through other channels (e.g. telephone) for the transaction and the beneficiary details before submitting the remittance application.

The Hong Kong Police - Anti-Deception Coordination Centre (ADCC)

Fund Transfer Alert

When making fund transfer, please pay attention to the following:

During the transaction
Please make sure that the information of payee (e.g., name, account number, Proxy ID, etc.) and the transaction amount are correct, before confirming the transaction.
After the transaction
After transferring money, please check and keep the transaction record for reference when necessary.
Mis-transferred Fund FROM Your Account
If you accidentally transfer money to an unintended payee, please visit our website to download and complete the "Return of Mis-transferred Fund Request Form" and return it to us. If you have any queries, please contact us.
Mis-transferred Fund TO Your Account
If there is a claim for return of a mis-transferred fund into your account, please check and confirm with us. Please be reminded that if the fund is proved to be a wrong transfer to your account but it is not returned by you, you may be criminally liable.