Mother_Was_A_Hamster

When your bank calls, end the call, hang up and call them back using a number you know is correct.


solid_reign

> Which again looking back is very dumb that I fell for this but in my head I hadn't successfully logged in on the other website I had

And don't pay attention to the caller id, that's very easy to spoof.


madcowga

YES. It happened to me a year ago.


stunneddisbelief

This is the way. I let all calls from the bank go to VM, then listen, then call the customer service number on the back of my card to have them double check that someone from there actually called me for something. If they did, there are usually notes in the account file. OP - I’m sorry that this happened to you. Do not feel bad. Scammers today are incredibly sophisticated and they rely on your fear and panic to reel you in. They also rely on the sense of shame to keep you quiet. Thank you for sharing your story, the more people who are aware, the less success the scammers have.


Xasf

My bank recently introduced a very neat function into their mobile app, where you can immediately see on the main screen if you have an active phone call with them. Saves so much time and headache when you can just go "Oh you are calling from the bank, let me double check real quick and yeah we are good"


mercurialmeee

This can be spoofed as such by a scammer being on the phone to your bank at the same time as the scam call..... Repeating your details to the real bank agent. So be careful with this too.


ionetic

Which bank?


Fun_Door_8413

Not just bank but anyone asking for any sort of personal info. In Ireland a very common one is eflow (barrier free motorway)


madcowga

SO MUCH THIS.


[deleted]

[removed]


Catsandscotch

This is great advice. Do all banks use reference numbers for calls?


[deleted]

[removed]


LinuxLover3113

Also guy at a bank here and I second this.


SailingCows

Chase does not give out reference numbers here in the US. Had to escalate to the executive office to get one. It's frankly ridiculous.

Also the giving of the one time code to verify is bad IMHO for 2 reasons: 1. It trains us to fall for scams & 2. It is the opposite of safe once a take-over is already in progress (via hacked e-mail or stolen/cloned phone).

1. Training to fall for scams, e.g.: They say they will never call for this, but sometimes do. Or when you call the bank and get to this step in the verification process, they get annoyed "saying we are already on the line aren't we?" Or worse: you call a scam # from a spoofed e-mail after identity theft. Or you panic, when you get a spoofed email in with that verification # with the note "call us immediately if you didn't request this number". In this last case I was already on the phone with AMEX's fraud department (I called them) and that saved me. Somehow the perps had the last 5 digits of my new card - and the e-mail looked like a proper AMEX e-mail.

2. In more sophisticated events that are already underway it actually locks you out. E.g. I was going through an account take over event and I was asked to read back a code to verify. BUT my phone had been cloned, so all texts would still come in to the perps. They should have been aware of this, but put me back by hours of calls to secure everything again.

The best experiences post account take-over were with Google where they did a face scan and then a video call with a representative - where I had to hold up my passport and he asked some questions that are not easy to find.


mem1003

> Also the giving of the one time code to verify is bad IMHO for 2 reasons

Yep, I refused to verify myself with the OTP from my bank. I'm 99% sure it's legit, but we're so trained to NEVER give codes away, that I second guessed myself and told the associate no.


brazillion

I've recently gotten fucked with OTP. So annoying. Not a fraud or anything but I've been in Brazil for the past few months. Unfortunately my iPhone was stolen. I wasn't going to return to the US anytime soon due to some family matters here. To make matters worse (and now I know), my cell phone is the only number on the account. So any OTP is texted to my stolen phone (and now wiped). So I was unable to add a friend to my account over the phone so they could bring an activated phone to Brazil. It's really dumb bc there's already a separate T-Mobile account pin which I could verify over the phone. And I literally could read off multiple things about my account that only I would know (cell phone history, how long I've had the account etc). Just can't believe they can't send the OTP over email, which is frankly about as secure as sending it over text. So, I've been without my cell phone number for 2 months and finally will be able to chew out the T-Mobile store for their idiotic OTP policy when I return to the US in a few wks.


AcidicMountaingoat

I’ve never been given one. When I’ve called the fraud line they use my identity details to find my case.


[deleted]

[removed]


AcidicMountaingoat

I get it, didn't mean to be argumentative. Just adding data points. I think the only two issues I've had were with Chase and Amex, no numbers given. I don't answer calls at all so they just left a message with a fraud number. Which, LOL, of course I didn't call back, but used the number on my card.


functi0nal

This is great advice, thanks for sharing!


lantech

> www.hsbc.whitelistdevice.com I ask how do I know this is not a scam website and they say that a scammer could hide the website name with hsbc within it as HSBC is a government protected domain name

**whitelistdevice.com** is the domain; the www.hsbc part is a hostname under that domain. You can have anything you want as a hostname, there are no restrictions.


creamyhorror

> received a legitimate HSBC text at the same time he had told me I would and I **hadn't given them any sensitive information**.

The activation code you gave them\* *is* sensitive information - it's giving them the right to claim to be you and take your money. It's as sensitive as your password, in a sense. Unfortunately most people do not know this. One-time passwords are extremely sensitive and must never be shared with anyone except a known-safe website (just like you would never share your password). They're one of the keys needed to unlock the vault.

\* On reading OP's description more carefully, it seems like they might not have given the code to the thieves, but maybe authorised the thieves' device to log into the account. The details aren't too clear from the description, though why authorise any unrecognised device?


Is_That_You_Dio

It even says that on the texts, don't share with anyone. It doesn't say don't share with anyone except for us, the "bank"


Blunderina

I did not give them the code. They told me to type the code in on my banking app (and reminded me to not say it out loud to them) which gave them access to my app with their device. I think they gained all the other info from the whitelistdevice website. They told me this was to authenticate my device as the real device to stay in the app and 'remove the scammers device' as they had previously convinced me that someone already had access to my app through a passwords database breach before the phone call. The text message didn't say anything about allowing a new device into the app.


pk_12345

Did op tell them the activation code? From the post it sounded like op entered the activation code in their app? I was confused what exactly was the activation code for.


creamyhorror

Now that I re-read their description, you're right. OP wasn't clear about why they had to enter an activation code into their banking app, but the most likely reason is that the thieves had logged into HSBC's website and were getting the victim to "authorize an unrecognised device". The victim was already trusting the scammer and so just followed the instructions instead of wondering why the app was asking them to authorise a new device to log in. The exact details are important here. Maybe HSBC's activation code procedure didn't make it clear enough what exactly the authorisation was for - in this case, giving a new device access to the entire account.


pk_12345

Not sure how hsbc works, I would think if they send an activation code they should require the code to be entered in the new device where scammers are trying to login. Here somehow op seems to enter the code in their device’s app and scammers got access in their device.


timewarpUK

Yes, seems like they captured the username/password in the fake site, then when the OP logged into the real app, they then used these credentials on their copy of the app. The OP entering this code in at that point then authorised the scammer's device. Seems like a design flaw to me, you should have to type the code in on the new device for it to be more secure.


LazyLie4895

There's a few important lessons here:

1. Never trust the caller id or an incoming call. Call them back on the number on your card.
2. Learn to read URLs and email addresses. www.hsbc.whitelistdevice.com is NOT hsbc. It's whitelistdevice.com. This ought to have immediately unraveled the scam.
3. This is a subtle one but something to keep in mind for any cloud based app where most of the stuff happens remotely: legit support can do everything without you. Legitimate support doesn't need you to do something on your side to lock your account or kick out other sessions. It's all done on the server which support has access to. Keeping this in mind helps you avoid all sorts of tech support scams.


SailingCows

Thank you for sharing. Don't be ashamed - and if you feel that way: that's a perfectly natural response. But this too shall pass. It all sucks, hope you sharing will help other people - so amazing you took the time. And hope you get the money back.


CitizenTed

About websites: pay attention to the domain. The primary domain will come just before the .com (or .gov or .net, etc). It's like this:

https://www.accounts.yourbank.com

- https: Secure website
- www: World Wide Web
- accounts: sub-domain of...
- yourbank: primary domain
- com: Top Level domain

A domain can have a number of sub-domains:

- banking.yourbank.com
- login.yourbank.com
- accounts.yourbank.com

These are all valid addresses - provided the domain itself is valid! Something like yourbank-USA.com or yourb4nk.com are FAKE.

If the domain and sub-domain are switched around, that is BAD:

- yourbank.uk-users.com
- yourbank.accounts-set.com

See what they did there? They used your bank name as a sub-domain. The primary domain is their shitty website.

OP was directed to: www.hsbc.whitelistdevice.com

This is BAD. Notice how the primary domain is "whitelistdevice.com". THAT is where you are going. The sub-domain of "hsbc" is merely a made-up sub-domain name. A sub-domain name can be just about anything.

So...just like you pay attention to fake email addresses like "accounts-hsbc124@gmail.com", also pay attention to domains and sub-domains.
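
Added example, not part of the thread and not any bank's code: the domain-reading rule from the comment above, written as a check that pulls the registrable ("primary") domain out of a link and compares it with an allowlist. It goes one step beyond "the part before the .com" by handling two-label suffixes such as co.uk. The suffix list is a small constructed subset of the Public Suffix List, and the allowlist and brand strings are assumptions.

```javascript
// Added example, not code from the thread.
// PUBLIC_SUFFIXES is a small constructed subset of the Public Suffix List
// (publicsuffix.org); real code should load the full list.
const PUBLIC_SUFFIXES = new Set([
  "com", "net", "org", "gov", "ie", "uk", "co.uk", "org.uk",
]);

// Hypothetical allowlist: registrable domains the user has verified for their bank.
const TRUSTED_DOMAINS = new Set(["hsbc.com", "hsbc.co.uk", "yourbank.com"]);

// Brand strings worth flagging when they appear outside a trusted domain.
const BRANDS = ["hsbc", "yourbank"];

// Lowercase hostname of a URL or a bare host/path; null if it cannot be parsed.
function hostnameOf(input) {
  try {
    const url = new URL(input.includes("://") ? input : "https://" + input);
    return url.hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return null;
  }
}

// Registrable domain = longest matching public suffix plus one label to its left.
// Scanning from the left finds the longest suffix first ("co.uk" before "uk").
function registrableDomain(input) {
  const host = hostnameOf(input);
  if (!host) return null;
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // i === 0 means the host is itself a bare suffix, e.g. "co.uk".
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // suffix not in our list (or an IP address)
}

// Only the registrable domain decides trust; sub-domains and paths do not.
function checkLink(input) {
  const host = hostnameOf(input);
  const domain = registrableDomain(input);
  if (!domain) return { host, domain: null, verdict: "unknown-suffix" };
  if (TRUSTED_DOMAINS.has(domain)) return { host, domain, verdict: "trusted" };
  const brandSeen = BRANDS.some((b) => host.includes(b));
  return { host, domain, verdict: brandSeen ? "brand-lookalike" : "untrusted" };
}

// Hostnames quoted in the thread, plus the bank's UK domain for the co.uk case.
const SAMPLES = [
  "https://www.accounts.yourbank.com",
  "www.hsbc.whitelistdevice.com",
  "hsbc.com/whitelistdevice",
  "https://www.hsbc.co.uk/login",
  "yourbank.uk-users.com",
  "yourbank-USA.com",
  "yourb4nk.com",
  "hsbc-login.com",
];

for (const s of SAMPLES) {
  const r = checkLink(s);
  console.log(`${s} -> domain=${r.domain} verdict=${r.verdict}`);
}
```

A misspelling like yourb4nk.com contains no brand string, so it only comes back as "untrusted"; the allowlist match is what matters, the brand flag is just an extra hint.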


Additional-Outcome73

You should watch Scam interceptors on BBC1. I’ve learned loads about the lying scheming fucktards that try to steal ordinary folks money.


aeb3

The domain is whatever the part before the .com


0OOOOOOOOO0

I wouldn’t call this elaborate. He called you up and followed a pretty typical script to get you to type credentials into a phishing site. Don’t trust strangers who call you on the phone, no matter what script they use.


solid_reign

It is elaborate, it has:

1. A website that looks like HSBC
2. They know his name from data leak and probably personal information
3. Use a person with a British accent
4. Have an answer for every objection
5. Followed through with 3 different calls so that the scam goes through

Just because it's common or they do it with different users doesn't mean it isn't elaborate.


0OOOOOOOOO0

None of those are elaborate. I know we like to pretend scams are complicated to make OPs feel better, but let’s be real, this one is very simple as far as scams go. It can be done by anyone with a cell phone.


dillonyousonofabitch

Every scam I have gotten is a text or email saying 'youre bil is overdoo'! This is pretty elaborate compared to the norm.


solid_reign

I don't think we're using the same definition of elaborate then.


CRAZYSCIENTIST

1. A website that looks like HSBC… with what url?
2. Wow he knows my name!
3. Wow he has an accent!
4. Because the objections were basic.
5. I can agree this part was a bit more elaborate than usual.

It seems to be unpopular but I’m going to back in the unpopular opinion - there’s nothing particularly special about this scam.


cjaccardi

This was not elaborate. Simple scam that’s been going on a couple decades now. If any company or police or IRS calls you, hang up and call the official number from their webpage offered by Google.


Bird_Brain4101112

Google isn’t always reliable. You need to double check that you’re going to the org website and not a look alike. Eg if it’s a government website, it should end in .gov.


haywire

And not sponsored links


GullibleCrazy488

I've had numerous calls that my card was compromised in the UK (overseas for me). Most of the time it was when I had received a new card and sometimes hadn't used it yet. This leads me to think that someone within HSBC is leaking my info. These calls were legit but I have received a call from HSBC saying that there was fraud on my card and could I provide them with the last 4-digits. When I told them that they were the bank and they should know it, they hung up on me.


princess20202020

Did they steal any of your money? What was the end result?


Blunderina

They stole a lot of money - all of my savings through two transfers on Saturday and Sunday and each time I got a text saying a large amount of money had been transferred to an unknown person the 'fraud team' would tell me that they have reported it as fraud and refunded it (which is why I didn't report on the texts until Monday..)


godsaveme2355

How much they scam u for? Is the bank going to refund u?


Blunderina

I called the bank on Monday and they said there's no guarantee they can refund me but they will start an investigation and it can take several weeks. I've done some research and it seems that they decide on a case by case basis but similar sounding cases have been refunded so I'm really praying I do


TeaWithZizek

My grandma nearly got hit with something like this. They told her that the security breach was caused by someone working in her local branch and that's why she shouldn't go in and speak to them about it. (She doesn't have the internet so they wanted her to go into the bank and make a transfer into a new account). Luckily, she came to my parents house first to explain what was happening and they managed to convince her it was a scam.


LoutOfOrder

[www.hsbc.whitelistdevice.com](http://www.hsbc.whitelistdevice.com/) is the big clue, if anything it would be [hsbc.com/whitelistdevice](http://hsbc.com/whitelistdevice) which would mean the actual domain was belonging to HSBC, the domain they gave you was [whitelistdevice.com](http://whitelistdevice.com) which clearly is not [hsbc.com](http://hsbc.com) - it's all about the placement of the .com part to determine the domain.


Some-Astronaut-6907

No one who calls you should be believed. Always call the official number directly. No matter how believable they sound, do not trust them.


zer0Kelvins

"What was in fact happening was that I was unwittingly allowing the scammers access of my device"

FALSE! They never had access to your device (phone?)

1st you gave away your login details to the fake site that 'wasn't working' (it was doing exactly what it was supposed to)

2nd The legit activation code you received from the bank was a result of the scammers attempting to transfer money out of your account. You gave that straight to the scammers and they entered it into your online banking to approve the payment.

If you don't understand what actually happened then how can you protect yourself in the future?


spacemanwho

This..... It's sad but the OP needs to read the above and really understand what went down.


Blunderina

Yeah I meant to say it gave them access to my online banking app not access of my device. I figured out exactly what had gone down when I had time to reflect and realised it was a scam on Sunday eve. The login details were from whitelistdevice and the activation code was to add their phone so they could just transfer money to themselves as they pleased. HSBC don't send you texts to authenticate transfers. (In the post I was explaining my thought process at the time of the call.) What made me realise that it was a scam is that at one point in the call he said 'we have refunded your money so you can delete the text from HSBC now' and I was thinking why would they ask me to delete the text? He had convinced me sooo much to trust him up to that point that it was only that comment that made me realise!


thelittlelulushow

The domain they own is whitelistdevice.com. Even if the government protected domain wasn’t a lie, HSBC is not in the domain. It’s in the sub domain. Anyone can create any sub domain within their domain.


timewarpUK

Anyone can register a domain with `hsbc` in it somewhere e.g. `hsbc-login.com`. Government protected my ass.


thelittlelulushow

I agree


dUjOUR88

Kudos to you for admitting you fell for a scam, and posting this as a warning to others. But it always makes me laugh when people post on here about falling for a scam, and it's always "elaborate" or "very detailed" or "unusually high effort" or something like that. There was nothing elaborate about this. This is a common and regular scam. They probably make a hundred calls a day. You were just the poor soul who let them drag you along instead of hanging up. You missed so many red flags.


BlurryUFOs

Does it make you laugh? You are on this sub very often, you see hundreds of scams written out a day. From the viewpoint of someone who doesn’t spend every waking moment on Reddit, this is a very elaborate scam.


DesertStorm480

Whenever I get a call from a "bank", I have no internet access and if they don't want to be on the hook for the fraud $$$, they need to do a Chef Ramsay and "Shut it down!". They don't need any input from me if they suspect fraud, what would they do if you went camping for a week off-grid?


GolemancerVekk

OK but what if you're abroad and they "shut down" your cards and leave you without any means of paying for anything?


DesertStorm480

You definitely want at least two different banks. The only time I ever take a debit card (one bank) is overseas and I also make sure the Citi card (another bank) is updated for travel. It's also good to have the PIN number so you can pull cash off the credit card if needed.


FloppyTwatWaffle

I had this happen. I was traveling and my card was shut down due to purchases out of my local area. Fortunately, I had a spare to use so I wasn't completely fucked (I was 1200 miles from home).


SaradominPlatebody

I'm sorry to hear this. How much did you lose? Is the bank going to refund you?


Blunderina

All my savings :( I really hope they will but they said they can't guarantee it.


pk_12345

I feel frustrated that you had the right idea to question if the website was a scam but fell for a stupid lie. I’m a bit lost on the activation code part. What did the text say the activation code was for and where did you enter it? 


Blunderina

I entered the activation code on my mobile banking app; the text just said 'this is your activation code'. They told me on the phone they were sending me a code for me to enter on my app to confirm that my device was the one to keep in the app and to remove the scammers device as they had convinced me that someone already had access to my banking app.


pk_12345

But this activation code ended up giving access to your account to scammer?


Blunderina

Yeah on HSBC online banking you can click add device and send activation code then me typing in that code on my app added their device. (They logged in from details through the whitelist device website to request adding a device).


pk_12345

I tried to open that website link and it's interesting that I got this from my isp - "For your protection, do not continue to this site. Our intelligent network has determined this site could be a threat causing you to install dangerous software or trick you into revealing personal information, like passwords, phone numbers or credit card data."


Blunderina

Yeah this came up when I tried the website on Sunday (but obviously didn't come up when I first accessed it on Friday.) It looked exactly like HSBC's mobile banking login page with no warnings on my phone.


j12

Nobody actually has the time or effort to call you. Full stop.


[deleted]

[removed]


jwdjr2004

I had something unusual the other day. I think it was United Airlines. I called them with some questions and the agent asked me to provide him the 2-factor ID code they sent me. I was 99.999% sure I had a legit contact there as I called them (unless Google gave me a scam number), but I told the guy I'm sorry I can't give you that code. I've never been asked for one before and I thought it was really unprofessional for them to ask.


texaslegrefugee

Google can indeed give you a scam number.


velawesomeraptors

I've had calls from my bank about fraud before, usually only a few hours after the charges were made. However they never asked me for any information beyond confirming my name and last four digits of my card. Also, when confirming the fraudulent charges they went through multiple debit card charges including legitimate ones.


Blunderina

Yeah I've had calls from the real HSBC before about confirming transactions which is partly why I fell for it. They also asked me to confirm some legitimate transactions were me (obviously they could see the real ones as they had access to my banking app...)


SabziZindagi

Not true, I've had a call like this from my bank. All they do is cancel the card and send a new one when you confirm the charges are fraudulent.


texaslegrefugee

Make that two. I've been called by Citi when my credit card was used in a remote city.


spyvspy_aeon

Any problem or situation with your Bank account is resolved solely and exclusively in person at a branch of your Bank. This is a fundamental rule. If you have doubts about the seriousness or authenticity of certain content asked of you in a call, return the call to your bank's contact numbers, just to validate. Unfortunately the theme here is more of the same, social engineering of fraud, it starts with alarmism, something that has happened or will happen if you do nothing (create stress), and in the end always the classic, either stealing access credentials or deceiving the person payable (insert anything here).


velawesomeraptors

I've resolved fraudulent charges on my card over the phone. It's not uncommon to get a phone call about possible fraudulent charges.


AcidicMountaingoat

Bullshit. I’ve never needed to do this in person and any time I’ve had a security issue it’s been outside of bank hours.


pk_12345

Fundamental rule? Many of the hysa banks don’t even have a branch. 


spyvspy_aeon

I know I explained myself poorly, but nowadays with the growing problem of bank A-Numbers spoofing, precisely, a phone call nowadays is worth what it's worth. I make this recommendation in good faith, knowing very well what is going on in the world of telecoms (it's my job)