HSBC pays little attention to the prevention of email phishing.
I received an email from HSBC about the annual service fee. Usually, when I receive an email from a bank, I open the email header to check whether it really comes from a bank or is just a phishing email. For HSBC's email, the sender domain checked out OK. However, there are no DKIM messages in the email header. To probe further into its email protection, I tried to dig the SPF records of hsbc.com.hk. Oh no, its SPF is based on "soft fail". That is a poor setting. Without the proper use of SPF and DKIM, I can conclude that HSBC pays little attention to the prevention of email phishing.
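The two checks described above (the qualifier on the SPF record's `all` mechanism and the presence of a DKIM-Signature header), as an added example that is not part of the original post. The SPF record, the headers, the `bank.example` domain and the function names are constructed placeholders, not HSBC's real data.

```python
from email import message_from_string

# Constructed sample inputs (placeholders, not real HSBC records or headers).
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all"
SAMPLE_HEADERS = (
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bank.example\n"
    "From: Bank <notice@bank.example>\n"
    "Subject: Annual service fee\n"
    "\nbody\n"
)
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_all_policy(record):
    """Result an SPF record gives to senders that match no other mechanism."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "no-spf"
    redirect = False
    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            redirect = True  # policy lives in another record; look that one up
            continue
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        if mech.lower() == "all":
            return QUALIFIERS[qualifier]
    return "redirect" if redirect else "neutral"  # no "all": default is neutral

def dkim_domains(raw_headers):
    """Signing domains (d= tag) of every DKIM-Signature header in the message."""
    msg = message_from_string(raw_headers)
    domains = []
    for value in msg.get_all("DKIM-Signature", []):
        pairs = (t.split("=", 1) for t in value.split(";") if "=" in t)
        tags = {k.strip(): v.strip() for k, v in pairs}
        domains.append(tags.get("d", ""))
    return domains

def assess(record, raw_headers):
    """List the weaknesses the post looks for: SPF not ending in fail, no DKIM."""
    findings = []
    policy = spf_all_policy(record)
    if policy != "fail":
        findings.append(f"SPF default result is '{policy}', not 'fail'")
    if not dkim_domains(raw_headers):
        findings.append("no DKIM-Signature header present")
    return findings

if __name__ == "__main__":
    print("\n".join(assess(SAMPLE_SPF, SAMPLE_HEADERS)))
```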