
Online security

Smart tips to manage online threats.

Scam awareness videos

Beware of financial scams promising unrealistic high returns. If it sounds too good to be true, it probably is. Do not be a scam victim. When in doubt, please call BNMTELELINK at 1-300-88-5465.

Illegal forex scam
Your hard earned savings deserve better. Don't fall victim to illegal forex scams. Before engaging in any online trading, do your research and verify with the bank directly whenever in doubt.
Skim Cepat Kaya scam (BM)
Don't let scammers deceive you with outward appearances. Always check with the bank before investing any money in a scheme, no matter how attractive it may seem.
Money Game scam (CHI)
Don't let scammers deceive you with outward appearances. Always check with the bank before investing any money in a scheme, no matter how attractive it may seem.
Safe online banking
Learn with us some security measures that are bound to make your online and mobile banking experience even better!
Email scam
Phishing emails usually have telltale signs like poor grammar, unofficial links and typos. Be alert and avoid clicking on any questionable links, especially if they ask for your personal information.

Smart tips for online banking / mobile banking

Here's how to stay safe when using online banking and mobile banking:

  • Don't use a public computer to access your bank account
  • Never disclose your personal security details such as your account number, PIN or security code to others
  • Be wary of scams that involve receiving or holding money for strangers
  • Immediately report any unusual transactions that you see on your statement 
  • Always keep your electronic receipts for fund transfers and bill payment transactions
  • Memorise your PIN and do not write it down
  • Select PINs that cannot easily be guessed
  • Use different PINs for different websites
  • Never disclose your PIN to anyone, including the police or anyone claiming to be from HSBC 
  • Set transfer limits according to your banking needs, and avoid setting limits that are higher than what you'd usually transfer
  • Do not use a jailbroken or rooted mobile device, as this removes important security features from your device
  • Turn on push notifications to receive alerts from HSBC (find out more about push notifications here)

To learn more about online security, please visit the HSBC Group online security page

HSBC Amanah will not display your personal information in emails or ask you to confirm any personal data in an email. The only exception is when our customer service staff are replying to your enquiry via email. If we need to do this, then we'll email you by using an encrypted form in our secured online banking platform. You'll need to log on using your username and password to access this.

What HSBC Amanah can do

Mobile Secure Key and Security Device

We're committed to protecting your security when you use online banking. The Mobile Secure Key (MSK) is a safe, convenient way to generate unique, one-time security codes on the HSBC Malaysia Mobile Banking app so that you can log on and approve transactions without needing a physical Security Device.

Your MSK provides two-factor authentication to protect your activity and information. It also has the following benefits:

  •  Safe and secure - you're the only person who can access your accounts and transactions, and there's an added layer of protection with biometric authentication and your 6-digit PIN
  • Always with you - your MSK is available on the HSBC Malaysia Mobile Banking app so long as you've got your mobile device with you
  • Fast and reliable - you can activate your MSK with a few taps of your mobile, rather than needing to wait for us to send you a physical Security Device
  • Environmentally friendly - your MSK has a lower carbon footprint compared to the physical Security Device as it doesn't need to be manufactured, shipped, packaged, and disposed of

There's also a 12-hour cooling-off period for MSK set-up. If you get an SMS from us saying your MSK has been set up, but you didn't authorise this, you can report this to us during this time period.

Protecting your Android devices from malware

From 28 May 2024 onwards, we'll roll out a new safety measure to the Android version of the HSBC Malaysia Mobile Banking app. This will help us better protect you from potential fraud due to malware.

So if you’ve turned on accessibility permissions for certain apps on your Android device, you won't be able to use the HSBC Malaysia Mobile Banking app. You'll get an alert about this before the app closes. To open the app and continue using it, you must turn off the accessibility permissions for those apps and / or uninstall them.

Read more on malware scams.

SMS notifications

You'll get an SMS from us if you make a telegraphic transfer, credit card payment, or transfer to a third party. We'll also send an SMS if you try to make a transaction that exceeds your maximum transaction limit.

You can check and update your registered mobile phone number by calling the HSBC Contact Centre or by visiting your nearest branch. Make sure that you check and update your contact details promptly if they've changed.

You can apply for SMS notifications using the SMS application form

Push notifications

You'll get push notifications on your mobile device for certain services. For example, if you're using the HSBC Malaysia Mobile Banking app and have enabled push notifications, then you'll receive a notification when your credit card eStatement is ready. 

You can find out more about push notifications here.

Secure sessions

It's important that your online banking sessions are secure. You can check if you're in a secure session by looking at the URL address of the webpage, which should start with the characters 'https://', or if a padlock icon appears in the lower right-hand corner of your browser.


Your online banking sessions use Secure Sockets Layer (SSL) encryption to protect your personal information. This ensures that nobody else can access it. Depending on the browser you're using, a pop-up window might appear to tell you that you're entering a secure page.

We use 128-bit SSL encryption at HSBC, which is the industry standard. Any email messaging service that you might use within your online banking is also protected with encryption technology.

Session time-out

Our system will automatically log you out of your online banking session if you forget to log off when you're finished, or if your computer is inactive for a period of time. The pages that you looked at during a secure session are not kept in your computer's temporary file storage.

What you can do

There are many ways to enhance your protection when using online banking. HSBC Amanah suggests that you follow the steps below.

Get the latest security updates and patches

From time to time, vulnerabilities are discovered in operating systems and internet browsers. Before the publisher can release a security patch to correct these weaknesses, they can be exploited by virus writers and hackers to gain unauthorised access to those PCs that have not yet been patched.

To check for patches and updates you should visit the publisher's website, typically in their Download section.

Microsoft users can visit: which can automatically check what is required, and then suggest to download it.

Use and update anti-virus software regularly

You may already be using anti-virus software but to be effective the software should be updated on a regular basis with the latest "virus definition" files. If you are unsure how to do this, you should refer to the program's own Help function.

It is a good idea to install anti-virus software if you don’t have any already. There are many effective programs to choose from. But be sure to visit the software provider’s genuine site because there are many fake products claiming to protect your computer but which may actually infect it with viruses.

Use personal firewalls

A firewall is another small program that helps to protect your computer and its contents from outsiders on the Internet. When properly installed, it stops unauthorised traffic to and from your PC.

Read our password advice

Keep your password secured - Passwords are the key to your online account information, to accounts at online stores and a host of other online activities. Your HSBC Malaysia online banking password, together with your online banking ID, permits access to your bank accounts. For this reason your password should be unique and very well protected.

Keep them to yourself - Do not be tempted to share your passwords with anyone.

Be unique - Use passwords that are unique and not easy to guess.

Use letters, numbers and symbols - Passwords containing upper and lower case letters, numbers, and symbols are far harder to guess.

Be different - Avoid using the same password for different services.

Don't be personal - Do not be tempted to use passwords that can easily be guessed e.g. your name, your date of birth, telephone numbers, pet's name.

Never write them down - If you really need to record your password then use a code system or transpose some of the letters. No one at HSBC Amanah will ever ask you for your online banking password. If someone does ask you for it, they do not represent HSBC Amanah.

Change your passwords - Always change passwords that may have been compromised.

Contact the bank if you think someone else knows your online banking password.

Use an anti-spyware program

Spyware is the term used to describe programs that run on your computer for the purpose of monitoring and recording the way in which you browse the web and the internet sites you visit. For example, spyware can combine information about your online behaviour with that of many other users in order to generate market research data. This information can be bought and sold by companies interested in improving the way websites are designed and how the internet is used.

You may or may not wish for your internet usage to be monitored in this way. In addition, just as spyware can be used to improve the online experience it can also be used to extract personal information that you have entered, including passwords, telephone numbers, credit card numbers and identity card numbers.

Spyware is often loaded onto a PC as part of a free download of another service - for example a service that claims to improve the performance of your PC. Sometimes your agreement to the download is requested in the small print, but spyware may also be loaded onto your PC without your agreement or knowledge.

Spyware is not the same as a virus in that it only records what you do rather than altering how your machine works. Because of this, anti-virus software is not effective in identifying and removing spyware; you will need to download and run a specialised anti-spyware program.

Anti-spyware security software currently available includes McAfee, Spybot Search and Destroy, AdAware, Spyware Eliminator, Spyware Doctor and Microsoft antispyware. We strongly recommend that you install and use a reputable anti-spyware product to protect yourself against spyware on your PC.

To learn more about online security, please visit the HSBC Group online security page.

What should I do if the security code on my Security Device is not accepted?

For security reasons, the security code is a unique number and is only valid for a certain period of time. If you input an expired security code when you log on to online banking, you will receive an error message. Please press the green button on the device to obtain a security code to enter. If the problem persists, please call our Call Centre 24-hour online banking hotline for assistance.

About fraud

Email scams and phishing

You may be aware, from recent media reports, of emails that appear to be from the bank. These are known as 'phishing' scams, where the emails attempt to direct you to a fraudulent website with the intention of capturing your login IDs, password and HSBC/HSBC Amanah's security device algorithm.

Here's how you can identify and avoid email scams:

  • Remember that HSBC/HSBC Amanah will never contact you via email to request confirmation of your personal information such as your username, passwords or account numbers. If you receive such an email, report it to us as it's fraudulent.
  • Don't open attachments or click on links in emails if you suspect they may be part of a scam attempt.
  • If you've received an email from HSBC you suspect isn't genuine, forward it immediately to, then delete the email and empty your deleted items folder.
Phishing email example; image used for HSBC Amanah online security page

These phishing emails will have an embedded hyperlink that redirects you to a fraudulent website.

Secure connection example; image used for HSBC Amanah online security page

This is an example of how the HSBC Amanah website looks under a secure connection, meaning that any information you enter will be kept safe.

What is phishing?

Phishing is an attempt by fraudsters to 'fish' for personal information such as the security details you use for banking. These emails may come from any source but are made to appear as if they came from your bank or an organisation you have registered with. The email will normally ask you to click on a link and/or to confirm your username or password - and through such responses they obtain your details.

How do they know where I bank?

They don't. They send out as many emails as they can and hope that they reach some customers. 

What should I do if I believe someone might have obtained my security or personal details?

Call us immediately, at any time, at our online banking helpdesk: HSBC on 1300 88 1388 or HSBC Amanah on 1300 88 2626. Customers outside of Malaysia can also contact us on 03 8321 5400.

What makes my transactions on HSBC Amanah's online banking safe?

Each transaction on our online banking platform is protected by 'strong grade' encryption that keeps your information secure. On top of this, a Security Device that is provided to HSBC Malaysia online banking users gives you a second level of security. Apart from logging in with your online banking username and password, a unique, one-time, time-sensitive security code from the Security Device is needed when you perform an outward transfer. Since the Security Device is to be kept by you at all times and the codes change constantly, only you will be able to access your account!


Phishing, fraudulent and spoof websites

Phishing involves an email message being sent out randomly, claiming to come from a legitimate organisation such as a bank, online payment service, online retailer, etc.

The email will contain a link that takes you to a fraudulent & spoof website that looks identical, or at least very similar, to the organisation's genuine site.

You may be asked to provide personal security information, e.g. your account number, PIN, security code etc.


Spyware

A computer software program that gathers information about a computer user without the user's knowledge or informed consent. Transmits the collected information to an unauthorised organisation that expects to be able to profit from it in some way.

Trojan horse

A type of computer virus that is a computer program masquerading as another program. Appears innocent, but your files could be damaged or erased if you open the program.
