Phishing is a term used to describe identity theft scams involving fake websites and emails or other information. The purpose of a phishing attack is to gain access to your accounts and sensitive information. Attackers can create their own website, imitate a trusted website, or send you a message that appears to come from a trusted source. A phishing message may come from a fake account or an account that has been hacked.
A phishing message might ask you to complete the following tasks:
- Visit a link.
- Download a file.
- Open an attachment.
Malware — malicious software such as worms, trojans, bots, and viruses — can infect your computer or mobile device if you take any of these actions. After your device is infected, an intruder can gain access to your personal information.
Phishing scams can also include direct requests for personal information, such as your bank account credentials.
Phishing scams might ask you to provide personal information in the following ways:
- By email or another messaging system.
- Through a form.
- At a fraudulent phone number.
- At a phony physical address.
Even a request for you to enter your email address and reset your password can be dangerous.
Know the warning signs
You can protect yourself from phishing by being aware of the warning signs. Read messages carefully, no matter who they appear to be from, and examine websites carefully, no matter how familiar they may seem.
Overly general language
While phishing can be well researched and tailored to you and your business, generalized language is a sign of a phishing scam. Beware of emails that appear to come from organizations you trust, but start with a vague statement like "Dear Account Holder."
Again, if a message promises an important business or financial opportunity but doesn't contain enough details for you to confirm that the sender knows you, it may be a scam:
Dear customer, we are sorry but your Debit Card is locked. Go to Link for details.
Business messages from personal accounts
Sophisticated attackers can gather enough information from your online presence to create a message that could plausibly come from a real contact:
Hi John, I just wanted to update you. Here is the reference of membership subscription fees: 2022-SUBCRIPTION-SHEET.
I hope you were satisfied with our services! Please let me know if you have any questions or concerns.
To send an attack, they can hack into your contact's business account or create a phony personal account. For example, if the username for your contact Tina's personal email is tinawang1996, then an attacker might send an email from an account with the username tinawang2665. This form of attack depends on two factors:
- People send emails from the wrong account by mistake.
- Even if you know Julia's personal email address, you might not look too closely.
Misspellings, poor grammar, and style variations
Criminals don't take content style guides as seriously as professional web content writers. As well as typos and grammar errors, variations in the following categories within a single page can show that a website is fraudulent:
Alarmist or overexcited tone
Watch for time-sensitive requests that try to scare you into acting without thinking. For example, Shoplazza won't send you a message saying:
We've had a catastrophic server failure. Respond with your username and password in the next 24 hours or you'll lose access to your store permanently.
Similarly, watch for messages making offers that seem too good to be true, such as a 90% discount from a travel company available only if you act now.
URLs that don’t look right
Phishing attempts can include URLs that appear legitimate if you don't look too closely. Many phishing attempts use URLs that have been deliberately chosen to resemble a URL that you're already familiar with. As shown in the table below, if you normally buy swimming attire from Example Apparel at the legitimate URL and you receive an email with a link to the fake URL, then you can tell that it's a phishing attempt.
The real URL directs you to a site at the domain example-grocery.com, which is owned by Example Apparel, and the phony URL directs you to a malicious site at the domain com-grocery.net, which is likely owned by criminals.
Raise concerns using another mode of communication
Speak to the supposed sender of a suspicious message in person or over the phone and resolve concerns about a webpage by talking to someone at the organization.
If you contact the sender by phone, then use a number you have on file or that appears on multiple reputable online sources. For example, if you receive a suspicious request for information from your tax agency by email, then call the agency at the number on last year's tax return. Don't call a number that appears on a suspicious website or email.
Make sure your connection to a website uses HTTPS
When you connect to any website where you could be asked to enter a username and password or other sensitive data, check that a lock icon appears beside the URL in your browser.
The lock icon tells you that the connection to the site is encrypted using the HTTPS protocol. URLs for encrypted connections start with https:// rather than http://. Connections that use http:// send data in plain text, meaning it can be intercepted en route and read.
Before clicking a link to anywhere you expect to enter information, make sure that the URL starts with https://.
Open only attachments or links you expect
Don’t interact with attachments, links, or forms unless you are expecting them and know what they contain. Not only can they redirect you to a malicious site designed to steal your information, but they can also infect your device with malware.
When link text is a URL, make sure that it matches the URL in the link itself. For example, a link written out as https://helpcenter.shoplazza.com in the body of an email might direct you to a phishing page at another URL.
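The two link checks described on this page (a URL whose domain only resembles the real one, and link text that shows one URL while the link points to another) can be automated for an HTML email body. The following Python sketch is an added example, not Shoplazza code; the trusted-domain list, the sample email and all function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains the recipient really does business with.
TRUSTED_DOMAINS = {"example-grocery.com", "shoplazza.com"}
# Constructed sample email body (not taken from a real message).
SAMPLE_EMAIL = """<a href="https://example-grocery.com/swim">Track order</a>
<a href="https://example-grocery.com-grocery.net/swim">Swimwear sale</a>
<a href="http://login.example.net/reset">https://helpcenter.shoplazza.com</a>"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def scheme_and_host(url):
    """(scheme, hostname) of a URL, or ('', '') if it does not parse."""
    try:
        parts = urlsplit(url.strip())
        return parts.scheme.lower(), (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return "", ""

def is_trusted(host):
    # Compare whole labels from the right. A substring test would accept
    # example-grocery.com-grocery.net because it contains the real name.
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def audit_links(html_body):
    """Return [(href, [warning, ...])] for every link that fails a check."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        scheme, host = scheme_and_host(href)
        text_scheme, text_host = scheme_and_host(text)
        checks = [("not-https", scheme != "https"),
                  ("untrusted-domain", not is_trusted(host)),
                  ("text-href-mismatch",
                   text_scheme in ("http", "https") and text_host != host)]
        warnings = [name for name, failed in checks if failed]
        if warnings:
            findings.append((href, warnings))
    return findings
```

Calling audit_links(SAMPLE_EMAIL) passes the first link and flags the other two: the lookalike host fails the domain check even though it uses HTTPS, and the third link fails all three checks.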
Many phishing attacks try to take advantage of online banking. If you receive a suspicious email from your bank with a special offer for a line of credit, then don't click the link. Instead, enter your bank's URL manually in a new window and see if the offer shows up in your account dashboard.
Be careful with public wi-fi
Public wi-fi is convenient when you're on the go, but it provides many different ways for criminals to gain access to your information. You can reduce your risks by taking steps to protect yourself and your data.
Verify hotspot names
An attacker can create their own unencrypted wi-fi hotspot that is named like a reputable one in the same area, such as the network in a coffee shop. If you connect to the phishing hotspot, the attacker can direct you to their own page, where you can be exposed to malware or asked to enter private information.
Before connecting, make sure that the hotspot you plan to use is legitimate. If you can't see the hotspot name posted in an obvious place, then ask an employee.
Disable access points to your device
Even if you have connected to a legitimate public wi-fi hotspot, you can still be at risk by being on the same network as an attacker. Public wi-fi networks are much less secure than private networks like the one at your home or office.
Protect yourself by turning off file sharing within your network and enabling your firewall before connecting. Even with these precautions, it's still not a good idea to send or receive any sensitive content using a public wi-fi network.
Send and receive sensitive data over a VPN
A virtual private network establishes a secure connection between your device and the VPN company's servers. From there, the VPN servers relay your information to the internet. If an attacker gains access to the data you are transmitting and receiving through a public wi-fi hotspot, then the data is encrypted and not useful to them.
Without a VPN, the most secure option is to avoid transmitting sensitive information over public wi-fi.
Follow government guides if your personal information is compromised
Personally identifiable information (PII) consists of data that could be used to identify a particular person, or even impersonate them. Types of PII include:
- full name
- email address
- street address
- telephone number
- credit card number
- national identity number (such as SIN, SSN, or passport)
- driver's license
- date of birth
If you provided personally identifiable information through a suspicious channel, or your Shoplazza account was compromised, then refer to guides from your government, such as this information from the United States government and Hong Kong SAR government.
Hong Kong SAR
What to do:
File a report:
What to do:
File a report: