Online Security and Privacy

Customers should read the Bank's Online Security and Privacy for Online Security from time to time to ensure that adequate and appropriate measures have been taken.

Phishing is a cybercrime that fraudsters try to lure you into providing sensitive data such as personal information, bank account / credit card details, and login credentials, etc. The common way to do so is asking you to click on a hyperlink, scan a QR code, or open an attachment embedded in email, SMS or instant message, and the fraudsters can use the information provided by you to access your bank accounts and conduct unauthorized transactions.

China CITIC Bank International Limited (“the Bank” or “we”) would never send any SMS or emails with embedded hyperlinks, QR codes or attachments which direct customers to our websites or Apps to carry out transactions. We would not request customers to share their login credentials and / or sensitive personal information, e.g. credit card details, login passwords, PIN or OTP, etc. by phone, email or SMS (including via embedded hyperlinks).

To step up customer account security, starting from 28 January 2024, we have implemented the SMS Sender Registration Scheme (the “Scheme”) set up by the Office of the Communications Authority; SMS messages from the bank would carry one of the following registered SMS Sender IDs:

1. #CNCBI
2. #CNCBI_INFO
3. #CNCBI_TXN

• SMS messages of which customers are expected to reply to the bank via phone numbers
• Local subscribers of single-card-multiple-numbers/one-card-two-numbers mobile service provided by non-Hong Kong operators.

Please refer to the website for details.

A stooge account is either set up with false paperwork using a stolen or manipulated identity, or belongs to a legitimate customer who has allowed criminals to use their account. Criminals often target vulnerable people, i.e. those financially struggling, by tempting them with cash to permit access to their accounts.

Through telemarketing or social media platforms, criminal syndicates would offer the benefit of making quick money and lure the public into selling or lending their bank accounts, or use their personal credentials to open bank accounts. The syndicate will then use these "stooge accounts" (i.e. the accounts which is held by the account holder but manipulated by the culprit) to receive/launder fraudulent payments or other crime proceeds.

Trojan Horse Program could capture your PC screen, logging keystrokes history or at the runtime, and remote control your computer or mobile devices (smartphones or tablets) (thereafter collectively as “Devices”). It steals information like your Login ID, passwords, SMS OTP or other personal data to proceed fraudulent or unauthorized transactions with your bank accounts. If you found any unusual circumstance when using the Bank’s Internet banking services, please immediately contact us and should also stop inputting any password or transaction.

Spyware is a malicious program that is installed on the Devices without user's acknowledgement or consent, with a threat to information leakage. This program often comes from the hidden components of "free program".

Such software claims to accelerate your internet speed and protect your Devices from email virus. Once you have installed such software on your Devices, user's information and internet activities will be redirected to unauthorized organizations that allow them to store and analyze your internet activities/ information.

To further protect your e-banking security, access to inMotion, inVest, FX Go and CNCBI Token would be suspended if potential risks had been detected on your device.

Potential risks may include:

If your access to mobile banking applications is suspended, you should:

In addition, Android device users will also use the secure keyboard provided by the Bank when entering their passwords on mobile banking applications.

For more information, please refer to the press release from the Hong Kong Association of Banks “Enhancement on security measures to safeguard customers against malware scams”: https://www.hkab.org.hk/en/news/press-release/292

There are some fraudulent websites or mobile application created by Internet fraudsters that mimics the look of a particular bank's website to capture your login credentials and / or sensitive personal information such as Login ID, passwords, other personal information or transaction details etc. Some of them will attract people to their sites through scam emails. Therefore, it is crucial to make sure that you are connecting with a genuine website of the Bank.

Please take note that the Bank observes a well-adopted practice of not seeking sensitive personal information (including i-banking login ID, login passwords or one-time passwords) through phone calls, voice messages, SMS/instant messages or emails. Fraudsters may make bogus phone calls, voice messages, SMS/instant messages and emails purported to be from the Bank in which most of them appear to come from a lawful source. Such communications may trick recipients, including citing irregularities regarding the customer’s transactions or accounts, to reveal their personal information such as login ID, passwords, credit card numbers, bank account numbers, one-time passwords, etc., or even inviting them to visit fraudulent website, call a bogus bank hotline number or contact an operator for account authentication requesting for provision of such information. They may also pose as invitations to group chats about investment and/or banking products, or requests for third-party software downloads or fund transfers.

In cases of voice message phone calls, SMS/instant messages or email scam, the fraudsters could hack into the victim's computers, mobile phones, mobile devices or email account, checked the victim's business correspondence with business partners. They send voice message phone calls, SMS/instant messages or email to the victim using the same or similar contact or email account of his business partner and claim that the payment bank account had been changed and further request the victim to deposit the payment for goods into the fraudster's designated bank account or require customers to provide Internet banking login credentials or sensitive personal information (including Login ID, passwords or one-time passwords). If you receive any suspicious voice message phone calls, SMS/instant messages or emails, you should confirm the identity of the purported business partners or the authenticity of the requests by means of telephone before remittance so as to prevent from being deceived.

We employ one of the highest levels of security to protect customer's accounts and personal data.

To ensure highest security while using the Bank’s Internet banking services, customers are recommended to take a number of safeguard measures for their own protection. At the same time, customer should be acknowledged about the risks associated with authentication factors such as biometric authentication, CNCBI Token and device binding.

Risk you should know about using biometric authentication login service.

• Biometric authentication relies on unique physical characteristics like fingerprints and facial recognition. Risks include but not limited to
  1) Possibility of false positives: Unauthorized individuals gain access.
  2) Data leaks: Biometric data can also be stolen or compromised if not properly secured.
  
  Risk you should know about using CNCBI Token & Device binding.


• CNCBI Token and Device binding require the use of specific devices or applications.
  The loss or theft may provide a way for attackers to access the user’ account or initiate fraudulent transactions.