Protect Your Personal Data: HKCERT Alerts Shoppers to Holiday Phishing Risks

(Hong Kong, 19 December 2025) As the Christmas shopping season approaches, the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) urges the public to stay vigilant when shopping online, protect personal data, and avoid entering sensitive information on insecure websites to prevent identity theft and online fraud. Recent scams have become increasingly diverse, including counterfeit e-commerce platforms, phishing emails, and social media discount traps, which can lead to financial losses or data leaks if consumers are not cautious.

Highly Convincing Fake Shopping Platforms and Phishing Sites
HKCERT has observed that cybercriminals often set up highly convincing fake online shopping platforms during festive peaks. These fraudulent sites trick users into entering login credentials, credit card details, and delivery addresses. Their design, domain names, and logos closely mimic legitimate platforms, making it difficult for consumers to distinguish between real and fake sites.

Figure: a phishing website impersonating Taobao, which lures users into contacting fake support and then scams them.

Festive Discount Traps via Social Media and Messaging Apps
In addition to fake websites, scammers may use social media advertisements, instant messaging app links, or emails claiming to offer limited-time Christmas discounts or free shipping. These often redirect victims to phishing sites. Some scams even use fake QR codes or forged payment pages to capture sensitive information without the victim’s awareness.

Telephone Scams Impersonating E-commerce Platform Staff
In these scams, fraudsters claim to be HKTVmall staff and allege that victims were automatically enrolled in additional services during account registration. Victims are then directed to contact so-called customer service representatives via messaging apps or to visit designated websites to “cancel” the service. These interactions are used to harvest personal data and banking information through social engineering and phishing techniques. HKCERT reminds the public to remain cautious of unsolicited calls related to online shopping accounts, avoid following instructions to visit external websites or messaging platforms, and verify any account-related claims through official channels before taking action.

Emerging Threat: Fake Delivery Company “Parcel Notification” Scams
HKCERT has recently received multiple reports of scams impersonating delivery companies. Scammers send SMS messages, emails, or instant messages claiming that the recipient has a parcel awaiting collection. Some even warn that if users do not contact the company or visit a website promptly, they may be charged an “overdue storage fee” later. This tactic is designed to create a false sense of urgency and pressure victims into immediate action.

There are two main variants of this scam:

  1. Phishing Website Variant — The message contains a link to a fake courier website that mimics the official site to trick victims into entering personal details, credit card numbers, or payment account credentials, and may even prompt downloads of malicious software.
  2. Fake Customer Service Variant — The message provides a phone number posing as the support hotline. When victims call, scammers use social engineering to extract sensitive information such as ID numbers, bank account details, or one-time verification codes.


Once victims disclose their information, scammers can steal funds or misuse their identity for further criminal activities. If you receive such messages, verify directly through official customer service channels or the company’s official app, and avoid clicking suspicious links or calling unknown numbers.

Figure: phishing websites impersonating SF Express, which lure users into entering personal information on fake payment pages.

Phishing Links Exploiting Browser and System Vulnerabilities: Infected Just by Entering the Website
Phishing risks are not limited to credential theft. Recently disclosed vulnerabilities, including CVE-2025-14174 affecting Google Chrome on macOS and CVE-2025-43529 impacting multiple Apple operating systems, show that attackers may compromise devices simply by luring victims to visit a malicious website. Such websites are often delivered through phishing emails, fake shopping advertisements, or fraudulent delivery notifications. During peak shopping seasons, users tend to click more promotional links and tracking messages, increasing the risk of exposure. If devices or browsers are not updated, these malicious sites may exploit system vulnerabilities without the user’s knowledge. HKCERT urges the public to stay vigilant when clicking links and ensure their devices and browsers are kept up to date.

HKCERT has issued security bulletins, and the risks were rated as “Extremely High Risk”:

 

HKCERT Cybersecurity Best Practices
To ensure safe online shopping during the Christmas season, HKCERT recommends the following security best practices:

  1. Regularly install security updates and patches for operating systems, web browsers, and applications to reduce the risk of exploitation when visiting malicious websites or clicking phishing links.
  2. Use secure and trusted Wi-Fi connections, especially when making bookings or payments online. Avoid connecting to public Wi-Fi hotspots with low security settings, as they may be vulnerable to interception.
  3. Enable anti-phishing features in web browsers to help block phishing attacks.
  4. Access shopping platforms by entering the official URL directly or using saved bookmarks. Avoid clicking on links from unknown sources or from unsolicited emails, messages, or social media posts, as they may lead to phishing sites.
  5. Carefully verify the legitimacy of websites before entering personal or payment information. Check for signs of phishing, such as unusual URLs, spelling errors, missing security certificates, or design inconsistencies.
  6. Do not disclose sensitive information, such as gift card numbers, credit card details, or personal information, to unverified websites or unknown parties.
  7. Do not handle account settings, service cancellations, or refund requests through external websites or messaging applications. Such actions should only be performed on the platform’s official website or mobile app.
  8. Be cautious of unsolicited phone calls claiming to be from online shopping platforms. Do not act immediately on such requests, even if the caller appears to know personal details. Always verify through official channels.
  9. Use “CyberDefender” to identify fraud and cyber traps by checking email addresses, URLs, and IP addresses, or call the Hong Kong Police Force Anti-Deception Coordination Centre “Anti-Scam Helpline 18222” for assistance.
  10. Regularly monitor online accounts and payment records for suspicious activities. Set up transaction alerts and review bank statements to detect unauthorised transactions promptly.
  11. If you suspect that you have fallen victim to a phishing scam, immediately change your passwords, notify your bank or service provider, and report the incident to HKCERT for further assistance.


- Ends -