Taking Security Best Practice During Festive Season
As the year comes to a close, many people start planning their long holidays to spend time with family and friends, purchase new items, or travel abroad. Online services have gained immense popularity during this time. However, it is important to remain vigilant about cybersecurity risks during the festive season, even as we enjoy the convenience that these services offer.
Phishing Attacks
As people purchase festive gifts, they often book their trips online to take advantage of sales and discounts on flights and hotels. However, this increase in online activity creates an opportunity for hackers to target internet users. From the hackers' perspective, phishing attacks are particularly appealing because they require minimal cost and effort compared to other types of cyberattacks. Users are often easily deceived by phishing scams because hackers can create content that closely resembles official communications, making it hard to distinguish between them.
Recently, phishing attacks in Hong Kong have involved hackers creating fake pages impersonating local membership platforms like HKTVmall. These scams often lure users to a counterfeit WhatsApp link, where they are prompted to enter personal information. Once users provide their login credentials on these fake pages, hackers can steal sensitive information from their accounts.
Hackers impersonate HKTVmall customer service to establish fake WhatsApp groups
Hackers exploit fake WhatsApp groups to deceive individuals into clicking on fake links and disclosing sensitive information
To learn more about phishing attacks and how to prevent them, HKCERT has introduced a thematic page, “All-Out-Anti-Phishing”. The page gathers essential information about phishing, including attack techniques, prevention, identification, and handling procedures for suspicious messages, and highlights some important points to note.
Tech Support Scams
Individuals may unknowingly come across websites that display alarming security warnings, suggesting their devices are at risk of malware infections. Victims are often deceived by these alerts because they are designed to look convincing and urgent, making them difficult to distinguish from real notifications.
When individuals call the fake technical support number, hackers aim to trick them into installing remote access software. This allows the hackers to access the victim's device and potentially steal personal data. HKCERT has recently observed an increase in technical support scams where hackers create fake alerts and pretend to be reputable tech support services. They manipulate users into allowing remote access to their devices, enabling the theft of sensitive information.
Below is an example of a recently identified technical support scam webpage that impersonates legitimate security alerts:
Hackers impersonate legitimate security alerts on fake Microsoft support scam link to deceive users
Security Best Practices
To travel more safely and enjoy trips and shopping with fewer worries in the digital era, people should consider following the security best practices below.
For security best practices when travelling abroad:
- Use your personal device to log into personal accounts and avoid using public devices;
- Use trusted public Wi-Fi connections, and avoid connecting to Wi-Fi hotspots with low security settings;
- Check for any malicious logins in your online accounts;
- Check carefully when purchasing goods using mobile payments; verify the payment receiver and the amount before confirming and proceeding with the payment;
- If required to access a webpage or scan a QR code, verify that the URL of the website is legitimate before entering any information;
- Do not open any links or attachments sent to overseas SIM cards. They might be related to phishing attacks;
- If necessary, install applications only from official websites and app stores;
- Do not charge your device at unknown public charging ports to avoid Juice Jacking attacks;
- Do not leave your device unattended; and
- Power off your devices at home and in the office if they are not in use, and power off your portable devices when they are not in use overnight during travel.
For security best practices when shopping online:
- Don't click on any links or attachments from an unknown sender. Always enter the URL of the online shopping platform directly in your browser or use bookmarks. Be careful with the legitimacy of the links and emails. For example, check for spelling and grammatical errors in the URL, or whether the sender is trustworthy. If the website does not use HTTPS for encryption, please be careful and do not provide sensitive information;
- To prevent scams, be vigilant for spelling or grammatical errors in WhatsApp messages, avoid downloading apps, do not share personal information, refrain from forwarding messages, and do not respond to requests for money or payment instructions;
- Be wary of impersonators and group messages. After joining a group, check the group details, including the creator, date, and description. Stay alert to messages concerning lotteries, gambling, job opportunities, investments, or loans. When receiving WhatsApp messages from non-contacts, follow the prompts to decide whether to respond, block, or report;
- Change the account password of the online shopping platform regularly. Use different passwords for different accounts to prevent a cascading impact if one of them is compromised;
- If the platform supports multi-factor authentication, enable it to enhance security;
- Place orders or check order status from the official website or mobile app only;
- Do not save any sensitive information, such as credit card information, in online accounts;
- Check your online payment records regularly for suspicious transactions;
- If you receive a suspicious email or instant message, please verify the details at official channels. Do not provide sensitive information to an unknown sender;
- Adopt anti-phishing features in web browsers to help block phishing attacks; and
- Use the free search engine “Scameter” of Cyberdefender.hk to identify frauds and online pitfalls through email, URL or IP address, etc.
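The URL checks recommended above (HTTPS, spelling errors in the address, official site only) can also be automated, for example in a mail or chat filter. The following is an added example, not HKCERT code; the allowlist `shop.example` and the warning labels are constructed assumptions.

```python
from urllib.parse import urlsplit

# Assumption: constructed allowlist; replace with the platform's real official hosts.
OFFICIAL_HOSTS = {"shop.example", "www.shop.example"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url):
    """Return a list of warnings; an empty list means no check failed."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")            # no transport encryption
    if parts.username or parts.password:
        warnings.append("userinfo-in-url")      # text before '@' is not the host
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")        # may render as look-alike letters
    if host in OFFICIAL_HOSTS:
        return warnings
    # The official name used as a prefix of some other domain.
    if any(host.startswith(o + ".") or ("." + o + ".") in host for o in OFFICIAL_HOSTS):
        warnings.append("official-name-as-subdomain")
    # A host one or two characters away from an official one.
    elif any(0 < edit_distance(host, o) <= 2 for o in OFFICIAL_HOSTS):
        warnings.append("lookalike-host")
    else:
        warnings.append("not-on-allowlist")
    return warnings
```

An empty result only means none of these checks fired; it does not prove a site is genuine.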
For security best practices when facing tech support scams:
- Treat unexpected pop-up warnings or alerts with suspicion. Legitimate tech companies typically do not send unsolicited warnings or request personal information through pop-ups;
- Always verify the contact information for technical support through the official website or documentation of the company. Avoid calling numbers provided in pop-ups or unsolicited messages;
- Never allow remote access to your computer unless you have verified the legitimacy of the support representative. Genuine tech support will not ask for remote access without prior engagement;
- Contact technical support directly through official company websites or customer service numbers listed on official documentation;
- Regularly update your operating system and software to protect against vulnerabilities that scammers might exploit;
- Use built-in security features such as firewalls and antivirus software to help detect and block malicious activities;
- Stay informed about the latest tech support scam tactics and educate family and friends to prevent them from falling victim; and
- If you encounter a suspected tech support scam, report it to HKCERT and related service providers for assistance.