HKCERT Urges Vigilance Against Phishing and Fake Websites During Easter and Tax Season

(Hong Kong, 31 March, 2026) As the Easter holidays and tax season approach, the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) reminds the public to stay vigilant when enjoying the Easter break and handling tax-related matters during tax season. Remain alert to phishing risks and fake websites to secure personal data and prevent monetary loss.

During the peak travel season of the Easter holiday, a significant portion of the public purchases event tickets or arranges travel bookings through online platforms. Online booking of flights, hotel stays and event tickets has become increasingly popular among Hong Kong consumers. While these services offer convenience and a wide range of choices, they also expose users to cyber fraud threats. Cybercriminals often take advantage of festive travel peaks by creating many phishing websites and fake promotional offers, attempting to steal the public’s personal data and financial assets.

Fake Ticketing Websites Masquerade as Official Platforms: Similar URLs and “Limited-time Offers” Exploit Consumer Trust
HKCERT has identified that cybercriminals have recently been impersonating the Hong Kong Palace Museum (HKPM) by setting up fake ticketing websites. These websites closely resemble the official webpage design and deliberately use domain names similar to the official URL to mislead the public. The HKPM official website is https://www.hkpm.org.hk, while fraudulent websites may adopt similar-looking domains such as hkpmtickets.com, misleading the public into believing they are making purchases through official channels.
 

A fraudulent page impersonating the official HKPM website, exploiting a similar URL to mislead users

A fake ticketing site using urgency tactics, such as “Offer expires soon”, to pressure users into making quick payments or submitting personal information

HKCERT warns that fake ticketing sites employ “official-looking interfaces” and similar URLs to lower users' vigilance. They often add tactics like countdown timers or limited-time offers to pressure users into making hasty decisions. The public is advised to carefully check the spelling of URLs and domain names, such as official sites ending in .org.hk. It is important never to rush to enter credit card information, login passwords, or one-time verification codes because of promotional prompts. When uncertain, users are advised to access the ticketing process through the official website or authorised mobile application to verify authenticity.
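The URL check advised above can be automated, for example in a mail filter or help-desk triage script. The following is an added example, not HKCERT's own tooling: the names `OFFICIAL` and `classify` are hypothetical, only the HKPM domains come from this advisory, and the other sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Brand keyword -> official domain. The HKPM entry is the one given in the
# advisory; extending this allowlist is left to the user (assumption).
OFFICIAL = {"hkpm": "hkpm.org.hk"}


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typos of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return 'official', 'lookalike' or 'unknown' for a URL or bare domain."""
    parts = urlsplit(url if "://" in url else "//" + url)
    netloc = parts.netloc.lower()
    host = (parts.hostname or "").rstrip(".")
    # Official only if the host IS the official domain or a subdomain of it.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL.values()):
        return "official"
    for brand in OFFICIAL:
        # Brand text anywhere before the path (a "user@" prefix, a left-hand
        # label, a longer name) on a non-official host is a lookalike signal.
        if brand in netloc:
            return "lookalike"
        # A label one edit away from the brand is treated as a typo domain.
        if any(edit_distance(label, brand) <= 1 for label in host.split(".")):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    samples = [
        "https://www.hkpm.org.hk/en/tickets",          # official (from advisory)
        "hkpmtickets.com",                             # lookalike (from advisory)
        "https://hkpm.org.hk.tickets.example/pay",     # constructed
        "https://www.hkpm.org.hk@tickets.example/",    # constructed
        "https://hkpn.example/",                       # constructed typo
    ]
    for s in samples:
        print(f"{classify(s):10} {s}")
```

A result of `unknown` means only that no listed brand was matched, not that the site is safe.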

Beware of Fake Travel Websites When Travelling Abroad 
HKCERT has recently identified cases where fraudsters created counterfeit travel and hotel websites. These sites may trick users into entering credit card information with the intent of stealing financial data and assets. There have been cases where users were tricked into entering login IDs and passwords, which appear to have been used to steal account credentials and facilitate further unlawful activities. The public is reminded to exercise caution when browsing and making purchases on travel websites. Always stay vigilant to avoid falling victim to online scams.

A fake Agoda website interface prompting users to enter credit card data in order to steal users’ funds

A fraudulent Hilton website requesting login credentials to steal account information

Be Careful of Fraudulent Tax Department Websites During Tax Season
With the Hong Kong tax season approaching, scammers are adopting fresh strategies. Lately, several incidents have emerged in which fraudulent websites impersonated the Inland Revenue Department (IRD) website. The fake websites even urge visitors to enter personal details such as their name and Hong Kong Identity Card (HKID) number, aiming to steal personal information for illegal use. These counterfeit sites can easily mislead the public with similar website designs. It is strongly advised that the public remain vigilant while filing a tax return and avoid entering personal data on suspicious sites. Always check web addresses carefully and avoid entering sensitive data to prevent financial loss.

A fraudulent IRD website soliciting sensitive personal data, such as names and HKID numbers

To protect personal data and financial security, HKCERT recommends the public take the following security measures:

  1. Use only official or trusted ticketing and travel booking platforms. Carefully verify the URL spelling and domain before making payments to avoid phishing websites.
  2. Do not click on short URLs or suspicious links in unknown emails or SMS messages. If a login or ticket purchase is required, manually enter the official website address in the browser or access via the official app.
  3. If notifications such as “account anomaly” or “payment failed, re-verification required” are received, open the official app or website directly to check the status. Do not click the provided link in the message. When calling customer service, use only phone numbers provided on the official website or app.
  4. Before making payments, verify the merchant’s name and payment details. Avoid transferring funds to personal accounts as instructed by others. After completing transactions, keep order confirmations, e-tickets, and payment records, and regularly review transaction histories for any unauthorized charges.
  5. Never disclose SMS verification codes, one-time passwords, credit card security codes (such as CVV2 or CVC), or online banking login passwords under any circumstances. If information is suspected to be compromised, contact the relevant institutions immediately and change passwords.
  6. Use strong passwords and enable multi-factor authentication (MFA).
  7. Regularly review transaction records on payment platforms to ensure there is no abnormal activity.
  8. Ensure all software and applications are updated to the latest versions to mitigate known security vulnerabilities.
  9. Use the "CyberDefender" tool to identify fraud and cyber traps by checking email addresses, URLs, and IP addresses, or call the Hong Kong Police Anti-Fraud Coordination Centre "Anti-Fraud 18222" hotline for assistance.
  10. Enhance cyber security awareness and learn more about new fraudulent tactics and preventive measures.  
     

Businesses or members of the public who wish to report to HKCERT on cybersecurity related incidents such as malware, phishing, denial of service attacks, etc. may complete the online reporting form at: https://www.hkcert.org/incident-reporting, or call the 24-hour hotline at 8105 6060. For further enquiries, please contact HKCERT by email at hkcert@hkcert.org.

-Ends-
