HKCERT Reminds Public to Stay Vigilant Against Phishing and Fake Websites During Easter Online Shopping

(Hong Kong, 16 April 2025) As Easter approaches, the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) reminds the public to stay alert to phishing scams and counterfeit websites while shopping online, to safeguard personal data and avoid financial losses.

Easter is a time for gift-giving, and many consumers turn to online platforms to purchase festive goods or pre-order event supplies. While e-commerce offers convenience and variety, it also exposes users to evolving cyber threats. Criminals often exploit seasonal shopping trends by creating fake websites and promotional traps to steal personal and financial information.

Upgraded Scam Tactics: Fake Payment Pages
HKCERT’s monitoring reveals that hackers recently created fake websites impersonating second-hand trading platforms such as Carousell, which direct users to counterfeit bank payment pages during a transaction. These pages mimic legitimate banking interfaces and request sensitive details such as account credentials, SMS verification codes, and even CVV numbers. Because the pages are embedded within the trading platform’s workflow, victims often mistake them for authentic payment steps, leading to financial data breaches.

Fake websites pretending to be the legitimate second-hand trading platform Carousell to deceive users

Cybercriminals are using real banks' trademarks and names to mimic a legitimate payment step on the fake trading platform

As shown in the image below, the page switches to another page whose design mimics the bank the victim selects. For example, when the victim chooses to transfer money via "XX Bank," the web page changes to one imitating the legitimate XX Bank's official website, with the same color scheme, trademark, and form fields, to confuse the user. There have been cases where victims entered their online banking passwords on the forged page, and the stolen credentials were immediately used for high-value cross-border transactions.

The pages of related banks have also been counterfeited

In addition, cybercriminals combine "fake official notifications" with "multiple URL redirects" techniques to make fraudulent messages far more misleading. They send phishing SMS messages disguised as WhatsApp verification, using shortened URLs to hide the real domain names. Users see only a disguised link such as "t.ly/wsapps-hk" in the SMS and may not be able to judge the authenticity of the URL before clicking on it. After clicking, the page displayed fully imitates the WhatsApp account verification process and asks for the account information.

Phishing attacks disguise themselves as WhatsApp security verification through short URLs in text messages

Phishing attacks imitate legitimate security alerts on fake WhatsApp links to deceive users
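
The short-link behaviour described above can be checked on the defender's side by judging the final landing host rather than the link shown in the SMS. The following Python sketch is an added example, not HKCERT code; the shortener list, the official-domain allowlist and every hop after `t.ly/wsapps-hk` are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed lists for this example; maintain your own from vetted sources.
SHORTENERS = {"t.ly", "bit.ly", "tinyurl.com"}
OFFICIAL = {"whatsapp": {"whatsapp.com"},
            "carousell": {"carousell.com", "carousell.com.hk"}}

def host_of(url):
    """Return the lowercase host a browser would connect to."""
    if "://" not in url:              # SMS links often omit the scheme
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def is_official(host, brand):
    """True only for the brand's registered domain or a subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL[brand])

def triage(chain, claimed_brand):
    """chain: URLs from the link shown in the message to the landing page."""
    hosts = [host_of(u) for u in chain]
    findings = []
    if hosts[0] in SHORTENERS:
        findings.append("short link hides the destination")
    if len(set(hosts)) > 2:
        findings.append("redirects through multiple domains")
    if not is_official(hosts[-1], claimed_brand):
        findings.append("landing host %s is not an official %s domain"
                        % (hosts[-1], claimed_brand))
    return findings

# Constructed chain: only the first link comes from the advisory text; the
# other hops use the reserved .example TLD and are made up for illustration.
SAMPLE_CHAIN = [
    "t.ly/wsapps-hk",
    "https://redirect.example/r?id=1",
    "https://whatsapp.com.verify-login.example/confirm",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_CHAIN, "whatsapp"):
        print("-", finding)
```

The suffix check requires a leading dot, so a host that merely starts with or contains the brand's domain name is still rejected.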

To protect yourself from these fraudulent activities, HKCERT recommends the public take the following security measures:

  1. Stay vigilant to all suspicious payment requests, emails, or text messages. If in doubt, verify directly through official channels;
  2. Never disclose your SMS verification code, credit card security code (such as CVV2 or CVC code), credit card SMS verification code (such as 3D Secure verification code), or the password of any online payment or e-banking platform, etc. to others under any circumstances;
  3. If you receive an "account abnormality" notification, use the official app of the related entity directly to check the status, and never click on the link in the notification; when contacting customer service, use only the numbers provided on the official website or application, and never use the "direct line" provided by the sender;
  4. Use strong passwords and enable multi-factor authentication (MFA);
  5. Regularly check the transaction records of payment platforms to ensure there are no abnormal activities;
  6. Ensure all software and applications are updated to the latest version to prevent known security vulnerabilities;
  7. Use "CyberDefender" to identify fraud and cyber traps by checking email addresses, URLs, and IP addresses, or call the Hong Kong Police Anti-Deception Coordination Centre "Anti-Scam Helpline 18222" for assistance;
  8. Enhance cybersecurity awareness and learn more about new fraudulent tactics and preventive measures.


- Ends -