But the code was instead used to authorise fraudulent spending.
The practice is part of a scamming technique called social engineering. Once a potential victim has fallen for the fake text and entered their name and bank details, the scammer knows enough about the victim to manipulate them.
Because the one time passcode is sent once a transaction is attempted, the criminal is able to time its arrival and persuade the victim that they are from the bank and that they should read the rumber in spite of the warnings on the text message that it should be shared with no-one.
David Callington of HSBC UK said: “We’re aware that fraudsters are impersonating banks and trusted organisations and contacting customers regarding potential fraudulent transactions. Whilst we have an experienced team looking for signs of fraud, customers can help themselves by being aware of the tactics fraudsters use.
“HSBC UK or any other bank will never ask you to divulge any of your banking passwords. If someone calls you out of the blue and asks for your one time passcode, hang up straightaway, it’s a scam.”