Phishing Alert - Beware of Fake Postal Site Requesting Personal Info
Type: Phishing
Phishing Alert
Current Status and Related Trends
Recently, HKCERT has discovered that scammers are creating phishing websites that impersonate Hongkong Post. These sites exploit users' eagerness to receive parcels by tricking them into providing personal information for parcel redelivery or paying additional delivery fees. Upon receiving these reports, HKCERT identified the fraudulent websites and promptly issued alerts and defensive strategies to the public, urging them to take preventive measures. Scammers often use phrases such as 'parcel redelivery request' or 'additional delivery fee payment' and employ deceptive, similar-looking URLs to make their sites appear legitimate.
The following are recent examples of phishing URLs reported by HKCERT:
Once users click on the fraudulent website, they receive a 'payment failure notification.' The scammers then inform them that the parcel will be resent and prompt users to click 'continue.'
On the next page, users are asked to enter personal information, such as their name, address, city, postcode, email, and phone number.
After entering these details and clicking 'update now,' the scammers request an online payment for the redelivery service fee. They then ask users to provide their bank card number, cardholder's name, expiration date, and security code (CVV), in an attempt to trick users into handing over their funds.
HKCERT urges the public to increase their awareness of cybersecurity and recommends that Internet users should:
- Check the URL: The URL of a phishing website is usually similar to the real website, but there will be slight differences, such as misspellings or using a different domain name. Users should double check the URL to ensure it is correct.
- Pay attention to security certificates: Although phishing websites can also use the HTTPS protocol, users should still check the security lock symbol in the browser address bar and ensure that the certificate information matches the website.
- Watch out for suspicious content: Phishing websites may contain misspellings, grammatical errors, or inconsistent design elements. These are potential warning signs.
- Use anti-phishing tools: Use the free search engine “Scameter” of Cyberdefender.hk to identify fraud and network traps by checking website addresses and IP addresses, or seek help from the Anti-Fraud Coordination Center of the Hong Kong Police Force through the anti-fraud hotline 18222.
- Avoid clicking on unknown links: Don’t click on random links from unknown sources, especially links you receive in email or on social media.
- Implement SMS spam blocking on devices:
  - For Android phones, go to Settings > SMS Spam Recognition.
  - For iOS phones, go to Settings > Messages > Unknown & Spam.
- Update software regularly: Ensure operating systems and applications are kept up to date to prevent known vulnerabilities from being exploited.
- Enable multi-factor authentication: Enable multi-factor authentication for important accounts to add an extra layer of security.
- Education and training: Companies should provide regular cybersecurity training to employees to improve their awareness of prevention.
- Monitor account activity: Regularly check the activity of bank accounts and other important accounts to detect suspicious behavior early.
- Back up important data: Back up important data regularly to prevent data loss due to phishing attacks or other cyber threats.
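The "Check the URL" advice above can be automated for mail or SMS filtering. The following is an added example, not HKCERT's own tooling; the official domain `hongkongpost.hk`, the brand string and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: hosts to trust; confirm against the organisation's published address.
OFFICIAL_DOMAINS = {"hongkongpost.hk"}
BRAND = "hongkongpost"

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url):
    """Return 'official', 'lookalike' or 'unrelated' for the URL's host."""
    if "://" not in url:
        url = "http://" + url  # links in SMS text often omit the scheme
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Only the exact official domain or a true subdomain of it is trusted.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"
    # Brand name inside any label (hyphens ignored), or a near misspelling of it.
    for label in host.split("."):
        compact = label.replace("-", "")
        if BRAND in compact or edit_distance(compact, BRAND) <= 2:
            return "lookalike"
    return "unrelated"

# Constructed sample URLs (not taken from the alert).
SAMPLES = [
    "https://www.hongkongpost.hk/en/index.html",
    "https://hongkongpost.hk.redelivery.example/track",
    "https://hongkonqpost.example/pay",
    "hong-kong-post.example/fee",
    "https://www.example.org/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{classify_url(u):10} {u}")
```

A "lookalike" result means the host borrows the brand name without belonging to the official domain; internationalised (punycode) hosts are outside what this check covers.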
Businesses or members of the public who wish to report to HKCERT on information security related incidents such as malware, phishing, denial of service attacks, etc. can do so by completing the online form at: https://www.hkcert.org/incident-reporting, or calling the 24-hour hotline at +852 8105 6060. For further enquiries, please contact HKCERT at [email protected].