HSBC scam texts: ACMA warns Telesign after $34m losses

Australia’s telco regulator has formally warned Telesign after 1,121 fake HSBC texts reached Australian customers in a scam linked to more than $34 million in reported losses. The Australian Communications and Media Authority said the California messaging provider let the HSBC-branded messages pass across its network and did not give the regulator details of more than 11,000 other scam texts when asked.

The warning exposes the narrow sanctions available under Australia’s current telecommunications scam code. For a first breach, ACMA says a warning is its strongest enforcement option; a second breach can draw a penalty of up to $250,000. ABC News, which first reported the action, said the HSBC campaign was tied to more than 1,000 consumer reports and $34 million in losses.

“the strongest enforcement option currently available for a first-time offence”

Source: ACMA, via ABC News

The case reaches beyond a single bank scam because Telesign sits in the messaging layer that carries branded texts between businesses and mobile networks. In the HSBC campaign, customers received messages that appeared inside the bank’s existing text thread, making the fraud harder to spot. Victims were then directed to fake webpages or phone calls where scammers sought account details and one-time passcodes, ABC News reported.

ACMA said Telesign also failed to provide details of more than 11,000 scam texts when the regulator requested them. That reporting duty matters because it helps the watchdog trace campaigns across aggregators, carriers and brand names, then test whether providers are stopping obvious impersonation attempts quickly enough.

Consumer Action Law Centre chief executive Stephanie Tonkin said the response was too weak for a case that produced large consumer losses. She told ABC News the warning was “disappointing and entirely unhelpful”. Telesign said it takes its obligations seriously and is focused on “protecting end users from the harm that scam messages cause”.

The sector is weeks away from a technical fix that should make this kind of spoofing harder. ACMA’s SMS Sender ID Register is due to start next month, giving carriers and messaging providers a way to verify which businesses are allowed to use branded sender names such as HSBC before texts are delivered. The warning also arrived a day after ABC News reported that HSBC had agreed to pay a $35 million penalty in a separate Federal Court matter over broader scam-control failures.

Together, the cases show SMS fraud liability moving across the stack. Banks are being pressed on account protections. Messaging intermediaries and telcos are being pressed on the traffic they carry.

From July, the sender ID register is meant to give providers a cleaner way to stop branded impersonation texts before they reach consumers. Canberra is also moving from industry codes to a statutory scam-prevention framework with larger fines. The Albanese government’s proposed regime would lift potential penalties to as much as $10 million. Until then, the Telesign warning shows ACMA documenting major consumer losses while still being limited to a first-breach sanction.