ASIC Sues HSBC for Failing to Protect Customers from $23 Million Scam

Australia’s corporate regulator alleges systemic failings in HSBC’s fraud controls and delayed responses to victims of a sophisticated spoofing scam.

ASIC is suing HSBC Australia over allegations of inadequate fraud controls that allowed scammers to steal $23 million from 950 customers between 2020 and 2024.
The scam involved fraudsters spoofing HSBC’s phone numbers and text message chains to impersonate the bank and trick customers into sharing sensitive information.
Victims reported significant delays in HSBC’s investigations, with some waiting months—and in one case, over 500 days—to regain account access.
A landmark ruling by the Australian Financial Complaints Authority (AFCA) in August required HSBC to fully reimburse a victim, influencing the bank to improve its compensation and fraud prevention measures.
HSBC has since implemented new security measures, including restrictions on payment limits, blocking high-risk transactions, and enhancing SMS warnings for transfers exceeding $500.