
Beware of Phishing Attacks

Phishing is one of the most common cyber attacks today and targets every Internet and email user. Phishers aim to induce you to visit malicious websites or to reveal your sensitive information for malicious purposes. To better protect your identity, property, reputation and computer systems, read on!

  1. What is phishing?
  2. Common types of phishing
  3. Risks and impacts
  4. How to detect?
  5. How to avoid?
  6. What to do?
  7. Videos

What is phishing?

Phishing is the attempt, mainly, to obtain sensitive information from Internet users by disguising oneself as a known individual or a trustworthy institution such as a bank, school or business partner. In some cases, phishing attacks may also infect and compromise computer devices with malware.

Phishing attacks are typically delivered by email, instant messaging, forged websites or social media. Phishers may strike at any time, and they often run large-scale campaigns during holidays or around natural disasters, epidemics, major political elections and similar events. Internet users should stay vigilant at all times.

Common types of phishing

  1. Deceptive phishing - Phishers craft messages that look almost identical to those of legitimate institutions or individuals and send them out in bulk, so that recipients may be tricked into giving out sensitive and important personal information.
  2. Spear phishing - Spear phishing is a more sophisticated version of deceptive phishing that targets specific individuals or companies. Phishers use personal information gathered from sources such as social media to craft personalised messages and send them to a selected group or individual, such as senior executives and top management. With a smaller set of targets, it is easier to include personal details such as the target’s name or job title, which makes the message seem more trustworthy and harder to detect.

Risks and impacts

Risks:

  1. Leakage of sensitive information - Phishers disguise themselves as individuals known to the victim (e.g. the victim’s senior management or customers) or as trustworthy institutions (e.g. banks) to lure victims into giving out sensitive information such as account names, passwords and identity details. Phishers may then use this sensitive information for malicious purposes or sell it to third parties.
  2. Malware infection - Links or attachments in phishing emails, or phishing websites themselves, may carry various kinds of malware (e.g. keyloggers, ransomware and cryptocurrency-mining malware). If users click these links or open these attachments, their devices may become infected, which may lead to data leakage, data loss or other financial loss.

Impacts:

  1. Financial loss - With sensitive information obtained from victims, phishers can carry out transactions such as transferring victims’ money into their own accounts. Business operations can also be disrupted by the employee time spent handling the consequences of phishing, such as a leaked login account and password.
  2. Reputational loss - Phishers can further use information obtained from victims to send blackmail, intimidate victims’ contacts or even carry out illegal activities (e.g. hacking into the system of the victim’s organisation to steal confidential information), so that victims are blamed or even face legal and liability problems. An organisation that is attacked may suffer damage to its brand, and its customers may take their business elsewhere after losing trust in the organisation’s ability to safeguard their data.
  3. Intellectual property theft - Intellectual property, including trademarks, patents and trade secrets, is crucial to the success of a company. With the information obtained from victims, phishing attacks can lead to theft of intellectual property that may represent millions or even billions in research and development costs, and may even threaten the future of the company.

How to detect?

Phishing emails:

Phishing emails are crafted to look like emails sent by legitimate individuals or organisations. They usually contain threats (e.g. suspicious account activity that requires immediate action) or too-good-to-be-true offers (e.g. free smartphones). Stay vigilant when such messages appear in your mailbox.

  • Common characteristics of phishing emails: (shown as an image on the original page; not reproduced here)

Phishing websites:

Phishing websites are usually reached through links from phishing emails, social media or by clicking a suspicious advertisement. The phishing websites usually involve an account login page or a payment page which asks for your sensitive information. Therefore, you should always stay vigilant when visiting such pages.

  • Common characteristics of phishing websites:
  1. Forged URLs – Phishing websites often have URLs that are very similar to those of a known organisation, e.g. www.famousorganisation.com vs www.famous-organisation.com.
  2. Address begins with HTTP – Only submit sensitive information through an HTTPS website, never through an HTTP website (note that HTTPS alone does not prove a site is genuine, since phishing sites can use it too).
  3. Low quality – Phishing websites are often created hastily and have a short life cycle, so grammatical or spelling mistakes and low-resolution images are sometimes observed.
  4. Ask for personal information – Phishing websites are created to lure you into giving out your personal information or credentials.
  • Example of a phishing website: (shown as an image on the original page; not reproduced here)

How to avoid?

Internet users:

While using email services
  1. Always stay vigilant to suspicious emails.
  2. Do not open any suspicious emails.
  3. Always check email attachments’ extension – Open email attachments with extreme care. Never open an attachment with “pif”, “exe”, “bat”, “cmd”, “vbs” extension.
  4. Always stay vigilant when giving out sensitive personal or account information – Banks and financial institutions seldom ask for your personal or account information through emails. Check with the relevant organisations in case of doubt.
While browsing the Internet
  1. Avoid following links - Never follow URL links from untrusted sources, emails or social media. Do not rely on search engine results for banking or financial institution websites without verifying that the site is genuine.
  2. Type URLs manually or use bookmarks for frequently visited websites or financial institution websites.
  3. Do not visit suspicious websites.
  4. Avoid conducting online banking using public WiFi connections, public terminals or insecure terminals such as those in cafés or libraries.
While using social media platforms
  1. Do not accept friend requests from people you do not know - Once someone becomes your friend on social media, they can access information such as your profile, photos and records of your social activities. Such information may be used for illegal purposes such as spear phishing.
  2. Limit the amount of personal information in your profile – Avoid including sensitive information such as your home address. Remember that the more information you include in your profile, the higher the risk of leaking it to strangers.
  3. Carefully configure your privacy settings – Decide very carefully what information you wish to make public or what to keep to your friends only.
Other security considerations
  1. Update security patches and virus signatures - Always ensure that the security patches and virus signatures on your computer are up-to-date.
  2. Deploy spam filter software – Consider using desktop spam-filtering products and browser’s built-in functions to help detect and block fraudulent emails but beware of false alarms.

For organisations:

  1. Inform users of the preventive measures implemented by your organisation – For example, your organisation will not ask for users’ personal or account information through email or by phone.
  2. Keep your website certificates up-to-date - so that users can be assured of the legitimacy of your websites.
  3. Provide channels for users to verify and report any suspicious emails/websites.
  4. Register similar domain names - Consider registering domain names that are similar to the one that is currently used by your organisation. For example, in addition to the original domain name “www.aaaabank.com.hk”, domain names “www.aaaabank.com”, “www.aaaabank.hk” can also be registered.
  5. Strengthen the security controls of your organisation’s websites, applications and email systems – Consider deploying technological solutions such as Secure Sockets Layer (SSL), two-factor authentication, digital certificates, firewalls and anti-malware solutions. You may also consider implementing email authentication protocols such as Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). SPF helps verify that an email was sent from a server authorised by the sender domain it claims, while DKIM helps verify that the content of the email was not tampered with in transit.
  6. Strengthen your operational controls - For financial institutions, implement policies such as limiting users’ maximum daily transaction amount and requiring users to pre-register before using certain online transaction services.
  7. Educate users - Develop a set of best practices for users to follow when using Internet services.
  8. Conduct anti-phishing training/simulation tests regularly.
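The SPF and DKIM item above, as an added example that is not part of the original page: once a receiving mail server has recorded SPF and DKIM results in an Authentication-Results header, this check confirms that a "pass" actually relates to the domain shown in the From header (the alignment rule that DMARC standardises), because a pass for an unrelated sending domain does not vouch for the address the user sees. The message headers, hosts and addresses are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed inbound messages as a receiving mail server would see them
# (hypothetical hosts and addresses, not real traffic).
SPOOFED = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce.bulk-mailer.example;
 dkim=pass header.d=bulk-mailer.example
From: "AAAA Bank" <alerts@aaaabank.com.hk>
To: customer@receiver.example
Subject: Urgent: verify your account

Please log in now.
"""
# Same message, but SPF/DKIM results that belong to the bank's own domain.
GENUINE = (SPOOFED
           .replace("smtp.mailfrom=bounce.bulk-mailer.example", "smtp.mailfrom=mail.aaaabank.com.hk")
           .replace("header.d=bulk-mailer.example", "header.d=aaaabank.com.hk"))

# method=verdict ... smtp.mailfrom=domain (SPF) or header.d=domain (DKIM), within one clause
AUTH_RE = re.compile(r"\b(spf|dkim)=(\w+)[^;]*?(?:smtp\.mailfrom|header\.d)=([\w.-]+)")


def parse_auth_results(header):
    """Return {method: (verdict, authenticated_domain)} from an Authentication-Results value."""
    return {m: (v.lower(), d.lower()) for m, v, d in AUTH_RE.findall(header)}


def aligned(auth_domain, from_domain):
    """Relaxed alignment: the authenticated domain is the From domain or a subdomain of it."""
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)


def evaluate(raw_message):
    """Decide whether the SPF/DKIM passes actually vouch for the domain shown in From."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    aligned_pass = sorted(m for m, (v, d) in results.items()
                          if v == "pass" and aligned(d, from_domain))
    return {"from_domain": from_domain, "aligned_pass": aligned_pass,
            "verdict": "deliver" if aligned_pass else "quarantine"}


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, evaluate(raw))
```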

What to do?

When you receive suspicious email messages:

  1. Do not click on any links or download any attachments – The links might lead you to malicious websites, while the attachments might contain malware.
  2. Do not reply to the email – Report to appropriate parties such as your organisation’s network administrator promptly for checking and cleansing.
  3. Check the true destination of links – Hover over the link to check the destination address, and scan the link with a link scanner such as Norton SafeWeb, URLVoid or VirusTotal.
  4. Verify the sender – Verify the sender through channels other than those stated in the email, e.g. the phone number printed on your credit card or statement.
  5. Delete the suspicious messages – Delete the message if you are confident that it is spam.
  6. Report to appropriate parties – Report to appropriate parties, e.g. your bank. You should also consider reporting the attack to the Hong Kong Police Force if necessary.
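The link-destination check above, together with the forged-URL and HTTP characteristics from the detection section, as an added example that is not part of the original page: it pulls every link out of an HTML email body and flags plain-HTTP links, links whose visible text names a different host than the real destination (what hovering reveals), and hosts that are near-identical to a trusted one. The email body and the trusted-host list are constructed for the example.

```python
import difflib
import re
from urllib.parse import urlparse

# Constructed sample email body (hypothetical hosts, not a real message): the first link
# shows one address but points at a lookalike host over plain HTTP; the second is genuine.
SAMPLE_EMAIL_HTML = """
<p>Your account shows suspicious activity. Log in within 24 hours:</p>
<a href="http://www.famous-organisation.com/login">www.famousorganisation.com</a>
<p>Or view your statement at <a href="https://www.famousorganisation.com/">our site</a>.</p>
"""

# Hypothetical allow-list of hosts the reader knows to be genuine (assumption).
TRUSTED_HOSTS = {"www.famousorganisation.com"}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def check_link(href, text):
    """Return a list of warnings for one link; an empty list means nothing suspicious."""
    warnings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        warnings.append("not HTTPS")
    # Hover check: visible text that looks like a URL must name the same host as href.
    shown_text = text.strip()
    if URL_LIKE.fullmatch(shown_text):
        shown = urlparse(shown_text if "://" in shown_text else "http://" + shown_text).hostname
        if shown and shown != host:
            warnings.append(f"displayed {shown} but goes to {host}")
    # Forged-URL check: host is near-identical to a trusted host but is not that host.
    for trusted in TRUSTED_HOSTS:
        if host != trusted and difflib.SequenceMatcher(None, host, trusted).ratio() >= 0.8:
            warnings.append(f"lookalike of trusted {trusted}")
    return warnings


def scan_email(html):
    """Map every link in an HTML email body to its list of warnings."""
    return {href: check_link(href, text) for href, text in ANCHOR.findall(html)}


if __name__ == "__main__":
    for href, warnings in scan_email(SAMPLE_EMAIL_HTML).items():
        print(href, "->", warnings or "ok")
```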

When you click on a link or download attachments in a suspicious email:

  1. Disconnect your device from the network – This reduces the risk of spreading malware to other devices on your network and prevents malware from sending sensitive information from your device.
  2. Report immediately – Report to appropriate parties such as your organisation’s network administrator promptly for checking and cleansing.
  3. Perform a malware scan – Before reconnecting your device to the network, run a complete scan with your anti-malware software. Follow the instructions given by the software to remove any suspicious files found.
  4. Change your credentials – Malware may already have harvested your credentials for online accounts such as email, online banking and social media. Change your online credentials immediately to stop phishers from using your accounts.

When you have provided sensitive information to phishing emails/websites:

  1. Change your credentials – Change your passwords for the related accounts.
  2. Report immediately – Report to appropriate parties, e.g. your bank or your organisation’s network administrators. You should also consider reporting the attack to the Hong Kong Police Force.

When your organisation’s identity is being used in a phishing attack:

  1. Alert users – Issue prompt alerts to users, related parties or even the public through press releases, your website or emails about the fraudulent website, and warn them not to respond to the suspicious or phishing emails.
  2. Report immediately – Report the suspicious website to the police and to relevant organisations or regulatory bodies such as the Hong Kong Monetary Authority.
  3. Advise potentially defrauded users – Advise users who are suspected to have been defrauded to change their passwords immediately and to report to the police if necessary.
  4. Alert your website administrators – Issue alerts to staff, administrators or service providers of your organisation’s website to strengthen security measures and to watch for suspicious activities such as port scanning, abnormally high traffic volume from certain devices, or connections to suspicious servers on the Internet.

Videos

  • What is phishing? (Duration: 1:01)
  • Phishing email (Duration: 1:19)
  • Phishing website (Duration: 1:46)
  • Demystifying Phishing Emails Purportedly from Banks (Chinese version only, by HKMA) (Duration: 2:28)
