HKCERT Warns of Phishing Scams Impersonating Water Supplies Department via Fake Bills

（(Hong Kong, 13 March 2026) Recently, scammers have been impersonating the Water Supplies Department (WSD), sending SMS messages or emails to the public under the guise of a “Water account information update notice.” These messages list alleged “arrears” to lure recipients into clicking links to phishing websites, where they are prompted to enter personal details or credit card information to make payment. The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT)(HKCERT)has received and handled multiple related cases in recent days. A review of case handling records shows that phishing impersonating the Water Supplies Department actually emerged as early as two years ago (see the relevant security alert). Recent cases indicate that this type of phishing attack conducted in the name of Government public services has become active again lately.

These phishing messages commonly use phrases such as “Your water account’s recent billing information has been updated” and “Please log into the WSD service platform to review your account details and billing records.” They include hyperlinked text that leads to phishing sites designed to look like official pages, claiming to take users directly to the “WSD Service Platform” or the “WSD official website” to review account and bill information. Once the link is clicked, users are taken to a fake WSD login page. The phishing site uses genuine-looking logos and layouts to deceive users into entering their information unknowingly. The public should remain vigilant and not be rushed into clicking links or submitting personal data, such as credit card numbers, by messages mentioning “water supply suspension”.

Common characteristics observed in recent phishing messages (examples):

1. Subject lines such as “Water Account Information Update Notice,” prompting users to log in to complete payment or provide information.
2. Use of shortened URLs or hyperlinked text (for example, “WSD Service Platform”), turning specific words into clickable links that lead to phishing websites.
3. Fake WSD login and payment pages that request sensitive data such as phone numbers and credit card details.
4. Phishing URLs deliberately containing terms related to the WSD official website or similar spellings to confuse users, such as “wsdbg/wsdio/wsdde/wsdazx.”
    

Attack Flow of the Phishing Emails and Websites Impersonating the Water Supplies Department

1. Scammers first impersonate WSD to send phishing emails or SMS messages, falsely claiming small outstanding amounts to entice victims to log in and resolve them.
   
    
2. After clicking the phishing link, the fake page closely mimics the official website in layout and design. It pretends to verify identity by asking for a phone number, but tests show that entering any number (e.g., 123456) will pass the verification.
   
    
3. The fake page then indicates there is an overdue water bill.
   
    
4. After clicking “Continue,” victims can even view detailed bill information.
   
    
5. By presenting a small payment amount to lower the victim’s guard, the fake page prompts users to click “Pay Now,” after which it requests credit card details.
   
    
6. After submission, the fake page remains on a perpetual loading screen, while the victim’s credit card information has already been transmitted to the scammers.
   
    

Fake Tourist Hotspot Ticketing Websites
In addition, scammers also impersonate the official ticketing websites of famous Hong Kong attractions, spreading claims of limited-time discounts or super low prices through search engine ads, social media platforms, and instant messaging tools to lure citizens into purchasing tickets and submitting their personal information. (The image above showed a fake ticketing site of a well-known attraction)
 

HKCERT urges the public to remain vigilant and never enter any information or make payments on suspicious websites. If you receive suspicious SMS messages or emails purporting to be from WSD, do not click on any links and do not provide personal or payment information. If you need to check your bill or make a payment, enter the official website address directly in your browser or use the official mobile application. To guard against related phishing attacks, please take the following measures:

• Avoid clicking links from unknown sources, especially messages that use urgent language such as “limited-time discount,” “arrears,” “water suspension,” or “fines.” 
• Verify the website address first. Government departments’ official websites generally use the “.gov.hk” domain. If a URL appears suspicious, stop the operation and manually enter the official address in your browser. The official WSD website is www.wsd.gov.hk.
• Never enter sensitive information, such as identity card numbers or credit card details, on suspicious websites. 
• For payments or bill enquiries, use official channels such as the official website or mobile application, or verify via the organisation’s official contact methods.
• Use the free search engine “Scameter” of Cyberdefender.hk to identify fraud and network traps by checking website addresses and IP addresses.
   

If you have already entered your credit card details on a phishing website, you should:

• Immediately contact your bank or card issuer to freeze and replace the card and change the passwords for any related accounts.
• Monitor your transactions and retain evidence (e.g., screenshots, emails, transaction records, URLs) for follow-up.
   

HKCERT has released its "Hong Kong Cybersecurity Outlook 2026". It recorded 15,877 security incidents in 2025, with phishing attacks remaining the biggest threat, making up nearly 60% of all cases. To learn more about defending against phishing, visit: https://www.hkcert.org/tc/publications/all-out-anti-phishing

Businesses or members of the public who wish to report to HKCERT on information security related incidents such as malware, phishing, denial of service attacks, etc. can do so by completing the online form at: https://www.hkcert.org/incident-reporting, or calling the 24-hour hotline at +852 8105 6060. For further enquiries, please contact HKCERT at hkcert@hkcert.org.

- Ends -