First published: 30th October 2015
Standard Chartered Bank (Hong Kong) Limited has warned about a phishing email and linked website that target its customers. The email contains a link labelled S2BWeb.Admin@s2bmail.standardchartered.com which connects to a webpage http://www.standard-charteredssoappl.com/login/index.html. The webserver was not available at the time of writing, but it previously fraudulently purported to be Standard Chartered’s “Straight2Bank” portal for business clients.
Victims should call the Bank’s 24-hour customer service hotline at (852) 2886 8868 (press 2 - 6 - 0), and report to the Police or contact the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force at 2860 5012.
Standard Chartered reminded its customers that it will not request customers’ personal information (including user names and passwords) by email. Passwords, such as one-time passwords, are also never requested by the Bank over the phone. Customers should only log into Standard Chartered Online Banking through the Bank’s website www.sc.com/hk, or https://s2b.standardchartered.com for Straight2Bank, and not through hyperlinks embedded in emails or third-party websites. They should ensure they are connected to a valid Standard Chartered website before keying in any confidential personal data.
Standard Chartered did not elaborate on how to check that a website is valid. Some points to look out for are:
- Don't follow links in emails. Type the address yourself, or use your own bookmark from a previous visit.
- Be aware of the domain name in the address. When typing, look out for misspellings and confusing names. In this case, the fraudsters registered standard-charteredssoappl.com so that the bank's name was part of the domain name. Good browsers bold the base domain name to make it easier to recognise when a fraudster is using a misleading address; for example, www.bigbank.evilfraudsters.com is easily recognised as having nothing to do with BigBank Ltd.
- Check that you have a secure connection. Browsers display a lock icon to indicate when there is an encrypted connection between the website and your browser. Do not enter sensitive data (passwords, personal information) unless the connection is encrypted.
- Check that the certificate for the site was issued to the owner of the site you want to visit, and that the certificate was issued by an Authority you trust. For an Extended Validation certificate, a good browser will show the name of the site owner in green next to the lock icon.
- Remember the normal features of the site you are visiting and double-check if there are any changes. If your bank has been using an Extended Validation certificate, and then, on one visit, it only has an ordinary certificate, that is suspicious.
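The domain-name check above can also be automated on a mail gateway or in a help-desk triage script. The following is an added example, not code from Standard Chartered or from this notice: it compares a link's visible label with its real target and flags the pattern seen in this email. The allowlist is an assumption derived from the two addresses the bank names (www.sc.com/hk and s2b.standardchartered.com), and the function names and finding labels are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Assumption: trusted base domains taken from the two addresses in the bank's notice.
TRUSTED_DOMAINS = ("sc.com", "standardchartered.com")

# Hostname-like tokens that may appear in a link's visible text.
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def is_trusted_host(host):
    """True only if host is a trusted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    # Match on a label boundary so "notsc.com" does not pass as "sc.com".
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def check_link(label, href):
    """Return findings for one email link: visible label plus real target."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        findings.append("not-https")
    if not is_trusted_host(host):
        findings.append("untrusted-host")
        # The label shows a trusted name but the link goes somewhere else.
        if any(is_trusted_host(h) for h in HOST_RE.findall(label)):
            findings.append("label-target-mismatch")
        # Brand name embedded in another domain: compare with punctuation removed.
        squashed = re.sub(r"[^a-z0-9]", "", host)
        brands = [d.split(".")[0] for d in TRUSTED_DOMAINS]
        if any(len(b) > 3 and b in squashed for b in brands):
            findings.append("brand-in-lookalike-domain")
    return findings

if __name__ == "__main__":
    # Label and target as reported in this notice, then the bank's real portal.
    print(check_link("S2BWeb.Admin@s2bmail.standardchartered.com",
                     "http://www.standard-charteredssoappl.com/login/index.html"))
    print(check_link("Straight2Bank", "https://s2b.standardchartered.com"))
```

An empty list means the link passed these checks only; it does not replace the certificate checks in the list above.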