Criminals posing as banks are asking people for their one-time passcodes, which can then be used to go on online spending sprees.
Fraudsters are tricking people into disclosing banking passcodes which they can then use to go on online spending sprees, HSBC UK is warning.
The bank is urging people never to reveal their one-time passcode (OTP) to others, after recording an increase in related scams.
It said scams involving suspected disclosed passcodes increased by 25% in August compared with March.
Someone may be prompted to enter a passcode to authenticate a transaction when using their card online. The code is texted to the customer, who then enters it on the retailer’s website.
But HSBC warned that fraudsters are calling customers pretending to be from banks or other trusted organisations and requesting an OTP, which they can then use to make a transaction.
Mer enn 3,000 cases of successful OTP fraud have been reported in the past six months, HSBC added.
Often, scams start with a bogus text message, tricking people initially into entering their card details before scammers then make further contact with the victim and request the OTP code.
One HSBC UK customer received a text that appeared to be from DPD which advised it was trying to deliver a package.
She clicked on the link within the text and was sent to a page she felt looked legitimate.
Within the page, she was asked to input her card number, sort code and account number. She was asked to pay a small fee.
She then received a call purporting to be from HSBC UK, advising the bank was aware of a suspected fraud.
She was asked to disclose an OTP code to recover funds, not realising this was authorising card transactions. She only realised she had not been speaking to the bank when she received a genuine call from HSBC UK to question the transactions.
Another scam involved a customer receiving a text that appeared to be from Royal Mail to arrange a redelivery. After inputting card details, he received a call from someone purporting to be from HSBC UK’s fraud team.
The caller advised they could stop transactions by using a code that the customer would receive, which the customer then shared. This was the OTP code. This meant high-value transactions were authorised on the card.
He only realised it was a scam when he received a text from HSBC UK saying he had breached his overdraft limit.
David Callington, head of fraud at HSBC UK, sa: “If someone calls you and asks for your one-time passcode, hang up straightaway, it’s a scam.”
HSBC UK said its customers will receive a warning in texts containing their OTP instructing them to never share the code, even with bank staff or police.
Customers can also choose to verify transactions in the bank’s app, instead of receiving an OTP.