HQ/EMEAFind out how we can help your business
ASIC, the Australian Securities and Investments Commission, has filed a lawsuit against HSBC, alleging that the financial giant failed to protect its clients from a sophisticated scheme that caused $23 million in losses. The corporate regulator alleges that the bank’s Australian arm was negligent in safeguarding 950 customers from a “spoofing” scam that operated over nearly five years, from January 2020 to August 2024.
According to ASIC, the scam exploited software to disguise phone numbers, making fraudulent messages appear within the same threads as legitimate HSBC communications. Scammers used these messages and calls to alert victims to alleged suspicious transactions on their accounts, urging them to contact a purported fraud hotline. Posing as HSBC staff, the scammers manipulated customers into revealing sensitive personal information, which enabled them to take control of accounts and transfer funds. In some instances, victims lost over $90,000 each.
ASIC investigations revealed significant delays in HSBC’s response to customer complaints.
The severity of the issue came to light during ASIC’s investigations, which also revealed the bank’s delayed response to customer complaints. Some victims waited up to 145 days for investigations to be completed, while one customer endured a staggering 542 days to regain access to their account.
The ACCC’s National Anti-Scam Centre raised concerns earlier in February 2024, issuing warnings about the scam. Despite this, the bank faced criticism for its handling of affected customers. ASIC Deputy Chair Sarah Court described the bank’s failures as “widespread and systemic,” emphasising that financial institutions are required by law to protect the personal information of their clients.
One high-profile case involved Melbourne resident Mary Yu, who received a fraudulent message about her HSBC account and unknowingly contacted a fake hotline. Believing she was speaking to the bank’s fraud team, Yu disclosed personal details, leading to nearly $100,000 being stolen from her account over consecutive days. Although she eventually recovered her money after a 10-month dispute with HSBC and the Australian Financial Complaints Authority (AFCA), Yu expressed frustration with the bank’s handling of her case, describing the experience as “like talking to a brick wall.”
Following a landmark AFCA determination in August that criticised HSBC for failing to act promptly and comply with banking codes, the bank has introduced measures to improve security. Customers must now call HSBC to increase transaction limits, and SMS warnings have been enhanced for payments exceeding $500. The bank has also worked with telecommunications providers to block spoofed calls and suspended payments to high-risk channels, such as cryptocurrency platforms.
While most of the 360 complaints filed with AFCA regarding the spoofing scam have been resolved, ASIC continues to pursue legal action, seeking penalties and measures to hold HSBC accountable for its alleged failures.
