Understanding phishing

Phishing is a common fraudulent technique. Fraudsters would pretend themselves to come from legitimate organisations such as banks, payment service providers and online retail merchants. They would trick a victim to provide sensitive information and personal data including password, credit card / bank account information, through electronic communications such as emails and SMS. The phishing emails may also include a malicious hyperlink, attachment for the recipients, or providing a QR code for redirecting the recipient to illegal websites and install a malicious software in a victim's PC / mobile phone, which results in hacking activities afterwards.

Phishing emails and SMS could be very difficult to be distinguished from the emails and SMS sent from legitimate organisations. And the phishing website provided by the email could look like a genuine homepage of the organisation. Once gained access to this fraudulent website, victims are usually required to input personal data, for example, login name, account number, password or security code. These phishing websites would collect the data you provided, allowing the criminal to gain financial benefit from your loss.

Identifying phishing email or SMS

You may spot the received email or SMS as phishing by asking the below questions:

  • Does it request personal information, such as credit card / bank account number or password?
  • Do you expect to receive it?
  • Does it contain a suspicious attachment?
  • When you hover your cursor over a hyperlink in the e-mail (please do not click the link), does it display a URL other than the official URL of the legitimate organisation that claims to have sent the message?
  • Is there any grammatical or spelling mistake in email content?
  • Does it request you to take unusual actions, such as transferring money to an unknown source, or replying it for sending your account information?
  • Does the sender’s email address or phone number mismatch the name of the organisation that it claims to be from?
  • Is your email address or phone number different from the one that you provided to that organisation?
  • Is it sent or copied to unrelated persons?

Identifying phishing website

You may spot the connected website as phishing by asking the below questions:

  • Does the website address mismatch with the searching record from well-known search engines or public information from official / regulatory authorities?
  • Is it with poor design, or with any grammatical or spelling mistake?
  • Does it have a different look and feel than the relevant organisation’s regular website?

Preventing phishing properly

To safeguard your interests, please consider adopting the below measures to prevent damages caused by phishing:

  • Do not click and open any hyperlink, attachment or QR code in the suspicious email / SMS
  • Please be vigilant about the content of the email or SMS, and the customer service hotline number provided in a suspicious email / SMS / website, especially for verification purpose
  • If you have any doubt about the legitimacy of an email / SMS / website, contact the relevant bank or institution by calling its customer service hotline for confirmation. Only taking any requested action after verification

In case you receive any emails or SMS claiming from Hang Seng Bank, please be reminded on the following messages:

  • Hang Seng Bank never proactively asks you for sensitive personal information (such as log-in password or one-time password), or ask you to click on a hyperlink in an email or SMS for logging in to Hang Seng Personal e-Banking or updating your information
  • If you need more information about any bank offer, browse the bank's website or log in to Personal e-Banking, enter its website address in your browser for visiting our website or click the Bank’s Mobile Banking app directly
  • All Hang Seng websites are digitally signed with certificate. The website address starts with "https"

Handling phishing

If you believe you have shared your sensitive personal information, such as HKID, e-Banking login credentials, credit card number, CVV, One Time Password (OTP) via online, by telephone or any other means, please call our Customer Service Hotline (852) 2822 0228 immediately.

If you are suspicious of any emails, SMS text or websites claiming to be from Hang Seng Bank, please forward it to, and delete the messages completely afterwards. We will take appropriate actions against the reported items. You may also call our Customer Service Hotline (852) 2822 0228 for enquiry.

Things to note:

  • Ensure you copy the full email, SMS text or website address (URL) into the body of the email
  • Do not send any sensitive personal information within the email
  • Please note is an automated inbound mailbox only. You will receive an automated response from us when we have received your email

Online resources for fraud prevention