Beware of phishing scams via email or SMS
There is an increasing trend of phishing scams through emails and SMS in which fraudsters disguise themselves as trustworthy institutions such as courier companies, government agencies, banks or airlines in an attempt to obtain personal information, passwords, or credit card details.
Please note that the Bank will never directly request customers to provide sensitive information such as ID number, mobile phone number, account number, ATM card/credit card number, Internet Banking User ID and password, one-time password etc., through emails, SMS or pre-recorded voice message phone calls.
To protect your privacy and wealth, here are some security tips to help you recognise phishing scams and fake websites:
- They may come from a suspicious email address or have a misleading domain name (URL);
- They may have grammar or spelling errors or get facts wrong that you can spot;
- They may offer incentives, such as prizes or rewards, vouchers for completing a survey, entering into a lucky draw, confirmation of parcel delivery or promoting investment products in order to trick you into revealing personal and financial information;
- They may claim there is a problem with your account and ask you to log in again to verify.
Please stay vigilant about any suspicious emails or SMS, and when visiting websites.
- Do not click on the links embedded in suspicious emails or SMS. Even if the domain name of such links appears to be legitimate, you may still be redirected to fraudulent websites with another domain name, and you will be requested to submit your sensitive information, passwords or credit card information. The fraudulent websites may appear under domains that are slightly different from the Bank’s official website. A common method is to add English letters, numbers or symbols. The fraudulent websites may also look quite similar to the real website of the Bank.
- Do verify the transaction details in the SMS content of One-time Password (OTP) sent by the Bank, such as correctness of transaction amount and merchant name, before entering the OTP to complete your Internet transaction.
- Do pay attention to the sender name of emails or SMS. A notification that uses the bank's name as the sender name is not guaranteed to have originated from the bank or to be trustworthy.
- Consider disabling the "Auto Fill" feature on your mobile devices to prevent the OTP from being automatically submitted to fake websites.
- Do not disclose your One-time Password (OTP) from SMS to any third party.
- Do not make any payments through any suspicious links.
- Do not call any number provided in the suspicious emails or SMS.
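The lookalike-domain pattern described above (letters, numbers or symbols added to the official domain) can be screened for automatically. The following is an added example, not part of the Bank's notice: `examplebank.example` is a placeholder because the notice does not state the official domain, and the sample links are constructed.

```python
from urllib.parse import urlsplit

# Placeholder: the notice does not state the Bank's official domain.
OFFICIAL = "examplebank.example"

def is_subsequence(short, long):
    """True if every character of `short` appears in `long`, in order."""
    it = iter(long)
    return all(ch in it for ch in short)

def classify(url, official=OFFICIAL, max_added=4):
    """Return 'official', 'lookalike' or 'unrelated' for the host in `url`."""
    if "://" not in url:
        url = "//" + url  # lets urlsplit find the host in scheme-less links
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Only the official domain and its own subdomains are trusted.
    if host == official or host.endswith("." + official):
        return "official"
    brand = official.split(".")[0]
    for label in host.split("."):
        added = len(label) - len(brand)
        # Brand embedded in another label, or brand with a few characters inserted.
        if brand in label or (added <= max_added and is_subsequence(brand, label)):
            return "lookalike"
    return "unrelated"

# Constructed sample links for illustration.
SAMPLES = [
    "https://www.examplebank.example/login",
    "https://examplebank-verify.example/login",  # symbol and letters added
    "https://examp1lebank.example/",             # number inserted
    "https://examplebank.example.login.test/",   # official name used as a subdomain
    "https://news.test/article",
]

def triage(urls=SAMPLES):
    """Map each link to its verdict."""
    return {url: classify(url) for url in urls}

if __name__ == "__main__":
    for url, verdict in triage().items():
        print(f"{verdict:10} {url}")
```

The subsequence test is a heuristic and can flag unrelated names that happen to contain the same letters in order, so a "lookalike" verdict is a prompt for manual review.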
Latest Security Notes
(1) Never disclose your personal data or bank account details to unsolicited callers or pre-recorded voice message phone calls requesting such information
- Shanghai Commercial Bank Limited ("the Bank") noticed that our customers may receive bogus calls that claim to be calling from the Bank for cross-selling or gathering personal information. If you receive a suspicious call or would like to verify the caller's identity, do not disclose your personal or account information and please call us on (852) 28180282 immediately.
- Please note that our bank will not contact local customers with any phone numbers beginning with "+". If such a call is received, please hang up immediately.
- The Bank would never require customers to provide sensitive personal information through emails, SMS messages, or pre-recorded voice message phone calls. The Bank would never require customers to provide user names and passwords through emails, SMS messages or phone calls.
- If you have disclosed your personal information or password to a suspicious caller, please immediately contact the Bank at (852) 28180282 and report the same to the Hong Kong Police Force (the "Police") for investigation, and:
- Provide caller's phone number if available
- Indicate the disclosed personal information
(2) Read all SMS messages from Shanghai Commercial Bank and your telecommunication service provider carefully
- The Bank will send you an SMS notification if any suspicious transaction occurs.
- The Bank will send you an SMS-based One-time Password ("OTP") as a safety measure to safeguard the designated online transactions performed by you via credit card. Please verify the transaction details in the SMS content, such as transaction amount and merchant name, before entering the "OTP" to complete the transaction. Never disclose your "OTP" to anyone and do not allow anyone to use your "OTP". If you have disclosed your personal information to suspicious third parties or "OTP" to anyone, please immediately contact our Customer Service Hotline at (852) 2818 0282 for investigation.
- Be careful of any notifications sent by your telecommunication provider about activation of the SMS/Voice Call forwarding function of your mobile device. Check with your service provider and report any suspicious notifications if you have not authorized the activation.
- You may request your telecommunication provider to suspend the remote SMS/Voice Call forwarding function of your mobile device to avoid any unauthorized activation.
(3) Verify a request to change payee information for remittance by contacting the requesting party via another channel
- Confirm the identity of the purported business partners by means of telephone or channels other than e-mail before making the payment and/or remittance to prevent fraud from e-mail scams.
(4) Update your personal contact information with Shanghai Commercial Bank
- Please update your latest mailing address, mobile phone number and e-mail address with the Bank to allow verification in the event that suspicious transactions appear. For security reasons, you are required to update your information by submitting the Notice of Addition / Change of Contact Details Form to the Bank by post or visiting one of our branches.
(5) How to protect against mobile malware
- Recently, variants of mobile malware targeting Android smartphones have appeared that attempt to steal clients' credentials and perform fraudulent transactions through their mobile banking apps. In some cases, the mobile malware will attempt to circumvent the additional layer of security provided by a One-Time Password (OTP) by intercepting text messages (SMS) or generating a fake dialogue inside the mobile banking application in order to trick a user.
(6) To prevent spyware from being installed without your knowledge and to prevent virus attacks, please avoid visiting or downloading software from suspicious websites.
(7) If any unusual screens pop up and/or the computer responds unusually slowly, please log off from the Internet Banking and scan the computer with virus protection software.
(8) Do not enter any information (user ID, password etc.) into pop-up screens or suspicious websites.
(9) Please read and follow the instructions specified in the "Internet Security Notes" from time to time.
(10) It is very important to vigilantly protect your computers to safeguard against Internet Banking fraud. All customers are strongly recommended to refer to the following publications and broadcasting materials provided by the Hong Kong Monetary Authority ('HKMA'), the Hong Kong Association of Banks ('HKAB') and Hong Kong Police Force ('HKPF').
A Security Device is any smartcard, token, electronic device, hardware or any other equipment issued by the Bank from time to time for generating Security Code(s) to verify your online identity and authenticate designated online transactions.
For Personal Banking Customers, please click here for more details.
For Commercial Banking Customers, please click here for more details.
The Bank advises customers of the need to take reasonable steps to keep the device safe and the secret code secret to prevent fraud. In particular, customers should advise their staff to:
(1) destroy the original printed copy of the secret code immediately after its usage;
(2) not allow anyone else to use their secret code;
(3) never write down the secret code on any device for accessing e-banking services or on anything usually kept with or near it;
(4) not write down or record the secret code without disguising it; and
(5) not use combinations that are readily accessible/deducible such as your identity card number, telephone number, date of birth, driver's licence number or any popular number sequence (e.g. 123456) for your PIN. Avoid using the same digit consecutively or the same sequence of numbers more than twice (e.g. 112233) as a PIN.
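The PIN guidance in item (5) can be expressed as an automated check. The following is an added example, not the Bank's own validation logic. It assumes that any two adjacent identical digits count as "the same digit consecutively" and that a sequence of two or more digits appearing three times counts as "more than twice"; the popular-PIN list and the personal numbers are constructed.

```python
import re

# Constructed short list; the notice itself names only 123456.
POPULAR = {"123456", "654321", "000000", "121212", "123123"}

def is_run(pin):
    """True for straight ascending or descending runs such as 345678 or 987654."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})

def pin_problems(pin, personal_numbers=()):
    """Return the list of item (5) rules that `pin` breaks (empty if none).

    `personal_numbers` holds strings such as an ID number, phone number or
    date of birth; the caller supplies every written form it wants checked.
    """
    if not pin.isdigit():
        return ["PIN must contain digits only"]
    problems = []
    if pin in POPULAR or is_run(pin):
        problems.append("popular number sequence")
    # Compare against the digits of each personal number, ignoring separators.
    personal_digits = (re.sub(r"\D", "", value) for value in personal_numbers)
    if any(d and pin in d for d in personal_digits):
        problems.append("derived from a personal number")
    if re.search(r"(\d)\1", pin):           # assumption: any adjacent repeat
        problems.append("same digit used consecutively")
    if re.search(r"(\d{2,}).*\1.*\1", pin):  # assumption: same group three times
        problems.append("same sequence used more than twice")
    return problems

if __name__ == "__main__":
    personal = ["1987-06-25", "5550 0100"]  # constructed date of birth and phone
    for candidate in ("123456", "112233", "870625", "121212", "583920"):
        print(candidate, pin_problems(candidate, personal) or "ok")
```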
Mobile Security Token
Mobile Security Token is an authentication tool of "Shacom Bank" and "Shacom Business" App. You can log in and confirm designated transactions via Biometric Authentication or self-defined Security Passcode.
Please click here for more details of Mobile Security Token in "Shacom Bank" App.
Please click here for more details of Mobile Security Token in "Shacom Business" App.
Security Tips on using Mobile Security Token
- The Bank staff would never require customers to provide personal information through emails, SMS messages, or pre-recorded voice message phone calls. The Bank staff would never require customers to provide Internet Banking User ID, password and Security Passcode through emails, SMS messages or phone calls.
- Avoid using easy-to-guess Security Passcode and Internet Banking password such as your birthday, phone number, repeated numeric combination or the same user name and password that you use to access other systems or online services.
- Change your Security Passcode and Internet Banking password from time to time.
- Memorise your Security Passcode, Internet Banking User ID and password. Do NOT keep any written copy or save this information on your mobile device.
- Do NOT allow anyone to use your Security Passcode and Internet Banking password.
- Pay attention to your surroundings before conducting any banking transactions, and ensure that no one can see your Security Passcode and Internet Banking password. Cover the keypad of your mobile device when you enter your Security Passcode and Internet Banking password on it.
- Ensure that Fingerprint / Touch ID / Face ID function is enabled on your mobile device first, under device settings. Otherwise, you will not be able to use biometric authentication to log in and confirm transactions.
- If your device is capable of biometric authentication (e.g. fingerprint or facial recognition), do not let any other person register his/her biometric information on it.
- You should NOT use facial recognition for authentication if you have identical siblings or siblings that look like you, or if you are an adolescent with rapidly developing facial features.
- You must NOT take any action to disable any function provided by, and/or agree to any settings of, your mobile device that would otherwise compromise the security of the use of your biometric credentials for Biometric authentication purposes (e.g. disabling "attention-aware" for facial recognition).
- Do NOT forward SMS messages or push notifications from our Bank, including One-Time Passwords (OTP), to anyone.