Key Information

Speeches by Speaker
Norman T.L. Chan
Peter Pang
Eddie Yue
Arthur Yuen
Zeti Akhtar Aziz
Raymond Li
Edmond Lau
Esmond Lee
Meena Datwani
Vincent W.S. Lee
James Lau
Joseph Yam
Y K Choi
William Ryback
David Carse
Tony Latter
Andrew Sheng
Hans Genberg
Simon Topping
Michael Taylor
The Honourable Donald Tsang
Chen Yuan
Dai Xianglong
Don Brash
Jaime Caruana
Andrew Crockett
Mario Draghi
David Eldon
Stanley Fischer
Timothy F. Geithner
Stephen Grenville
Kenneth G. Lay
William McDonough
Ernest Patrikis
Glenn Stevens
Jean-Claude Trichet
Tarisa Watanagase
Zeti Akhtar Aziz
Press Releases
Press Releases by Category
Bogus Voice Message Phone Calls
Banking in Hong Kong
Fraudulent Websites, E-mails and Telephone System, and other fraud cases
Granting of Banking Licences
Exchange Fund
Table of Multiples of Notes and Payments for Allotted Amount under non-competitive tender
Table of Multiples of Notes and Payments of Application Amount under non-competitive tender
Tender of Exchange Fund Bills and Notes
Tender Results of Exchange Fund Bills and Notes
Tentative Issuance Schedule for Exchange Fund Bills and Notes
Appointments and Departures
HKMA Pay Review
HKMA Publications
The Hong Kong Mortgage Corporation
Hong Kong Note Printing Limited
Hong Kong Institute for Monetary Research
Exchange Fund Investment Limited
Hong Kong Financial Infrastructure
International Relations
Investment Products Related to Lehman Brothers
Monetary Policy
Notes and Coins
Renminbi business
Credit Card Lending Survey
Monetary Statistics
Residential Mortgage Survey
Year 2000
Guidelines and Circulars


Beware of Phishing E-mails and Fraudulent Bank Websites

Have you ever received e-mails purporting to be sent from your bank which urged you, due to urgent system upgrade, to click on an embedded hyperlink to access the bank’s Internet banking website and provide your sensitive personal and account information? These are what we called “phishing” e-mails. Phishing comes from the term fishing, but with fraudulent e-mails and websites acting as “baits” used in hopes to acquire sensitive information such as logon ID and password from potential victims. It is typically carried out by fraudsters through sending e-mails purporting to be coming from a legitimate institution such as a bank. Usually the e-mail recipient is prompted to click on an embedded hyperlink, which will take the recipient to a fraudulent website that looks very similar to the authentic website, thus tricking the recipient into disclosing sensitive information to the fraudsters.

Phishing e-mails and fraudulent websites are reported both locally and overseas. The number of phishing e-mail/fraudulent bank website reports received by the Hong Kong Monetary Authority (HKMA) reached a peak of 34 in 2004 and then declined after two-factor authentication was implemented in Hong Kong in 2005. Nevertheless, the HKMA still receives reports on phishing e-mails/fraudulent bank websites from time to time. For example, in 2010, we received 17 reports and in the first seven months of 2011, we received 14 reports.

It might not be too difficult to spot some dubious signs in phishing e-mails of earlier generations e.g. typing errors in the e-mails, having website addresses obviously different from the official ones. As fraudsters’ technique evolved, phishing e-mails have become more carefully crafted and the associated fraudulent websites could look almost indistinguishable from the official ones. In a recently reported case, it was also found that multiple channels were used by a fraudster to obtain sensitive information from a victim. An Internet banking customer firstly fell victim to a phishing e-mail and disclosed his sensitive information (including logon ID and password, and contact details, etc.). He later received an SMS one-time password (OTP) sent from the bank to his mobile phone and also a telephone call from a person who purported to be a bank staff. Unfortunately, the victim disclosed the OTP to the caller and later found that funds in his bank account were transferred to the fraudster’s accounts. It was believed that with the information obtained from the phishing e-mail, the fraudster was able to log into the victim’s account and then initiated a fraudulent Internet banking transaction which required two-factor authentication. The victim was then tricked into disclosing the OTP sent to his mobile phone to the caller (a fraudster) who in turn completed the fraudulent transaction using the OTP, causing financial loss to the victim.

Bank customers should be reminded that banks in Hong Kong will NOT send e-mails to their customers with embedded links to the transactional websites and will NEVER ask customers for sensitive information such as logon passwords or one-time passwords, by e-mail, over the phone or in person. If customers receive requests purporting to be from bank staff for such sensitive information, they should refuse the requests and notify their bank immediately. This is the most straightforward approach for protecting oneself from fraudsters.

Internet banking customers should also continue to observe the normal security precaution of never accessing bank websites through hyperlinks embedded in e-mails, Internet search engines or suspicious pop-up windows. This measure is also effective in safeguarding against cross-site scripting (XSS) attacks, which is the subject of a recent report in a local magazine. XSS attack is typically carried out by fraudsters through delivering an innocent-looking website address (i.e. a genuine address of a trusted website appended with some carefully crafted malicious code) to a victim through e-mails or posting it as a hyperlink on a dubious website. Upon clicking on the hyperlink, the malicious code could be executed at the victim’s web browser. As XSS attacks target at the end user’s browser (without compromising the trusted website), the malicious code may be crafted, for example, to display an authentic-looking fraudulent website at the victim’s browser to trick the victim into disclosing sensitive information to it, or to steal sensitive information (e.g. cookies) from the victim’s computer. To avoid falling into the trap of XSS attack, Internet banking users should NEVER click on hyperlinks to access their Internet banking account. Instead, they should connect to a bank website through typing the authentic website address in the address bar of the browser or by bookmarking the genuine website and using that for subsequent access.

Internet banking customers should also install personal firewall and anti-virus software in their computers and keep such software up-to-date. They should avoid visiting or downloading software from dubious websites, and be very careful about handling suspicious e-mails with attachments from unknown senders. There are some useful tips on Internet banking security on our website.

Bank customers are also strongly advised to make the best use of two-factor authentication provided by banks for the Internet banking services. In particular, one of the important security measures is that banks are required to notify their customers immediately via an effective means (e.g. SMS message) after completing an online high-risk transaction (e.g. transferring fund to an unregistered third-party account) with the transaction details. Bank customers should verify the transaction details and notify their bank immediately if they discover any suspected unauthorised transactions. If their banks use SMS OTP in the context of two-factor authentication for Internet banking, the customers should also verify the transaction details shown together with the SMS OTP and notify their bank immediately if any suspected attempt for unauthorised transaction is detected.

As the technological landscape relating to the provision of Internet services is ever changing and fraudster may become smarter over time, the HKMA will continue to monitor the development and trend of Internet banking services and to review and, if necessary, strengthen the relevant controls where appropriate

Nelson Man
Executive Director (Banking Supervision)
23 August 2011

Last revision date: 24 August 2011
Tender Invitations
Legislative Council Issues
The HKMA Information Centre
Monetary Stability
Banking Stability
International Financial Centre
Exchange Fund
Annual Report
Half-Yearly Monetary & Financial Stability Report
Quarterly Bulletin
HKMA Background Briefs
Reference Materials
CMU Bond Price Bulletin
Economic & Financial Data for Hong Kong
Monthly Statistical Bulletin
Monetary Statistics
Press Releases
Guidelines & Circulars
Forthcoming Events
Information in Other Languages (Bahasa Indonesia, हिन्दी, नेपाली, ਪੰਜਾਬੀ, Tagalog, ไทย, اردو)
Account Opening
Consumer Corner
Consumer Education Programme
Complaints about Banks
Complaints about SVF Licensees
Internet Banking
Fraudulent Bank Websites, Phishing E-mails and Similar Scams
Be Careful of Bogus Phone Calls and SMS Messages
Authenticate the Callers and Bank Hotline Numbers
Register of AIs & LROs
Register of Securities Staff of AIs
Register of SVF Licensees
Investment Products Related to Lehman Brothers
Photo Gallery