HKCERT Alerts Travelers to Guard Against Phishing Scams During Summer Holidays to Protect Personal Data

(Hong Kong, 3 July 2025) As the summer travel season peaks, the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) urges the public to heighten vigilance against sophisticated phishing attacks targeting travelers. Cyber criminals are capitalising on increased travel demand with deceptive tactics including counterfeit booking platforms and mainland fuel card scams, potentially leading to financial losses and identity theft.

Surge in Fake Travel Platforms with Alarming Authenticity
Phishing remains one of Hong Kong's and the world's most prevalent cyber threats. During peak travel periods, hackers frequently create fake websites and emails impersonating major travel service providers. HKCERT has detected a rise in phishing sites mimicking platforms like Agoda and Trip.com - these near-perfect replicas trick users into surrendering login credentials, credit card numbers, and passport details. Victims often only discover they've been compromised after suffering financial damage.

Emerging Threat: Counterfeit Mainland Fuel Stations Target "Northbound Travel for Hong Kong Vehicles"
Beyond travel scams, HKCERT has received multiple reports of phishing sites impersonating major mainland fuel providers like Sinopec. These fraudulent platforms specifically steal prepaid card information, particularly endangering drivers in the "Northbound Travel for Hong Kong Vehicles" scheme. Affected individuals face not just monetary loss but potential travel disruptions due to inability to refuel.

Evolving Tactics: QR Codes and Urgency-Based Traps
Phishing attacks are not limited to websites alone. Cyber criminals may also use phishing emails, instant messages, and even QR codes to trick travellers into divulging personal or payment information. These attacks are becoming increasingly sophisticated, often using lookalike domain names, fake security certificates, and urgent messages to pressure victims into acting quickly without proper verification.

Security Best Practices
To help travellers safeguard their information and finances, HKCERT recommends the following security best practices:

1. Always access travel agency or service provider websites by entering the official URL directly or using trusted bookmarks. Avoid clicking on links from unsolicited emails, messages, or social media posts, as these may lead to phishing sites.
2. Carefully verify the legitimacy of websites before entering personal or payment information. Check for signs of phishing, such as unusual URLs, spelling errors, missing security certificates, or design inconsistencies.
3. Use secure and trusted Wi-Fi connections, especially when making bookings or payments online. Avoid connecting to public Wi-Fi hotspots with low security settings, as these may be vulnerable to interception.
4. Do not disclose sensitive information, such as recharge card numbers, credit card details, or passport information, to unverified websites or unknown parties.
5. Enable anti-phishing features in web browsers to help block phishing attacks.
6. Use “CyberDefender” to identify fraud and cyber traps by checking email addresses, URLs, and IP addresses, or call the Hong Kong Police Force Anti-Deception Coordination Centre “Anti-Scam Helpline 18222” for assistance.
7. Regularly monitor online accounts and payment records for suspicious activities. Set up transaction alerts and review bank statements to detect unauthorised transactions promptly.
8. When travelling in Mainland China, only top up fuel cards through official channels and never via third-party links or unofficial websites. If in doubt, consult official service provider hotlines for assistance.
9. In case suspected being fallen victim to a phishing scam, immediately change your passwords, notify your bank or service provider, and report the incident to HKCERT for further assistance.

- Ends -