Highly Convincing Fake Shopping Platforms and Phishing Sites
During festive periods, cybercriminals often create fraudulent online shopping platforms that closely resemble legitimate websites such as Taobao. These fake sites replicate authentic layouts, domain names, and logos, making them difficult to identify. Users may be prompted to enter login credentials, credit card details, and delivery addresses, which can then be exploited for malicious purposes.

Phishing website impersonating Taobao that lures users into contacting fake support staff, who then scam them
Telephone Scams Impersonating E-Commerce Platform Staff
Scammers may impersonate staff from well-known platforms such as HKTVMall, alleging that victims were automatically enrolled in additional services during account registration. Victims are then instructed to contact supposed customer service representatives via messaging apps or visit designated websites to “cancel” these services. These interactions are designed to harvest personal and banking information through social engineering techniques. Users should verify any account-related claims through official channels and avoid following instructions provided via unsolicited calls.
Emerging Threat: Fake Delivery Company “Parcel Notification” Scams
Reports indicate an increase in scams impersonating delivery companies such as SF Express. Victims receive SMS messages, emails, or instant messages claiming that a parcel is awaiting collection, often accompanied by warnings of potential storage fees. This tactic creates a false sense of urgency, compelling recipients to act immediately.
Common variants include:

Phishing websites impersonating SF Express that lure users into entering personal information on fake payment pages.
Phishing Links Exploiting Browser and System Vulnerabilities
Phishing threats are not limited to credential theft. Recently disclosed vulnerabilities, including CVE-2025-14174 affecting Google Chrome on macOS and CVE-2025-43529 impacting multiple Apple operating systems, demonstrate that attackers can compromise devices simply by luring users to visit malicious websites. These sites are often distributed via phishing emails, fake advertisements, or fraudulent delivery notifications. Users who have not applied the latest security updates are particularly vulnerable. HKCERT advises users to update immediately to patch the vulnerabilities.
To learn more about these vulnerabilities, the public can visit https://www.hkcert.org/tc/security-bulletin/google-chrome-multiple-vulnerabilities_20251211
Safe and Secure Holiday
The year-end festive season is a peak period for cybercrime. By remaining vigilant and adopting recommended security practices, users can significantly reduce the risk of falling victim to online scams and data breaches. To learn more about phishing attacks and how to prevent them, the public can visit HKCERT's thematic page, “All-Out-Anti-Phishing”. The page brings together essential information about phishing, including attack techniques, prevention, identification, and handling procedures for suspicious messages, and highlights some important points to note.
Security Best Practices
To shop more safely and with fewer worries in the digital era, people should consider following the security best practices below.
- Regularly install security updates and patches for operating systems, web browsers, and applications to reduce the risk of exploitation when visiting malicious websites or clicking phishing links.
- Use secure and trusted Wi-Fi connections, especially when making bookings or payments online. Avoid connecting to public Wi-Fi hotspots with low security settings, as they may be vulnerable to interception.
- Enable anti-phishing features in web browsers to help block phishing attacks.
- Access shopping platforms by entering the official URL directly or using saved bookmarks. Avoid clicking on links from unknown sources or in unsolicited emails, messages, or social media posts, as they may lead to phishing sites.
- Carefully verify the legitimacy of websites before entering personal or payment information. Check for signs of phishing, such as unusual URLs, spelling errors, missing security certificates, or design inconsistencies.
- Do not disclose sensitive information, such as gift card numbers, credit card details, or personal information, to unverified websites or unknown parties.
- Do not handle account settings, service cancellations, or refund requests through external websites or messaging applications. Such actions should only be performed on the platform’s official website or mobile app.
- Be cautious of unsolicited phone calls claiming to be from online shopping platforms. Do not act immediately on such requests, even if the caller appears to know personal details. Always verify through official channels.
- Use “CyberDefender” to identify fraud and cyber traps by checking email addresses, URLs, and IP addresses, or call the Hong Kong Police Force Anti-Deception Coordination Centre “Anti-Scam Helpline 18222” for assistance.
- Regularly monitor online accounts and payment records for suspicious activities. Set up transaction alerts and review bank statements to detect unauthorised transactions promptly.
- If you suspect that you have fallen victim to a phishing scam, immediately change your passwords, notify your bank or service provider, and report the incident to HKCERT for further assistance.
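
The advice above to check links for unusual URLs can be automated at a mail or messaging gateway. The following is an added example, not HKCERT code: it flags links whose host borrows a brand name named in this advisory without belonging to that brand's domain. The `OFFICIAL` allowlist and the sample links are assumptions constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit
# Assumption: brand -> official domain; verify each entry before relying on it.
OFFICIAL = {"taobao": "taobao.com", "hktvmall": "hktvmall.com",
            "sfexpress": "sf-express.com"}
# Constructed sample links for illustration (not real indicators).
SAMPLES = ["https://www.taobao.com/item?id=1",
           "https://taobao.com.account-verify.example/login",
           "https://sf-express.parcel-fee.example/pay",
           "http://hktvmal1.example/cancel-service",
           "https://www.taobao.com@login.example/"]

def _squash(label):
    """Lowercase, drop accents and separators: 'SF-Express' -> 'sfexpress'."""
    text = unicodedata.normalize("NFKD", label.lower())
    return "".join(c for c in text if c.isascii() and c.isalnum())

def _distance(a, b):
    """Levenshtein edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url):
    """Return (verdict, reasons); verdict is official, suspicious or unknown."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    labels = host.split(".")
    idn = not host.isascii() or any(l.startswith("xn--") for l in labels)
    checks = [(parts.scheme != "https", "not https"),
              ("@" in parts.netloc, "userinfo before '@' hides the real host"),
              (idn, "internationalised label, possible homograph")]
    reasons = [msg for hit, msg in checks if hit]
    if any(host == d or host.endswith("." + d) for d in OFFICIAL.values()):
        return ("suspicious" if reasons else "official", reasons)
    for brand in OFFICIAL:
        for label in labels:
            if brand in _squash(label):
                reasons.append(f"'{brand}' used in non-official host")
            elif _distance(_squash(label), brand) <= 1:
                reasons.append(f"'{label}' is one edit from '{brand}'")
    return ("suspicious" if reasons else "unknown", reasons)

def scan(links=SAMPLES):
    return [check_url(link)[0] for link in links]
```

An `unknown` verdict only means no brand impersonation was detected; it does not mean the link is safe.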