Phishing Alert
Current Status and Related Trends
Recently, scammers have been impersonating the Water Supplies Department (WSD), sending SMS messages or emails to the public under the guise of a “Water account information update notice.” These messages list alleged “arrears” to lure recipients into clicking links to phishing websites, where they are prompted to enter personal details or credit card information to make payment. The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) has received and handled multiple related cases in recent days. A review of case handling records shows that phishing impersonating the Water Supplies Department actually emerged as early as two years ago (see the relevant security alert). Recent cases indicate that this type of phishing attack conducted in the name of government public services has become active again lately.
These phishing messages commonly use phrases such as “Your water account’s recent billing information has been updated” and “Please log into the WSD service platform to review your account details and billing records.” They include hyperlinked text that leads to phishing sites designed to look like official pages, claiming to take users directly to the “WSD Service Platform” or the “WSD official website” to review account and bill information. Once the link is clicked, users are taken to a fake WSD login page. The phishing site uses genuine-looking logos and layouts to deceive users into entering their information unknowingly. The public should remain vigilant and not be rushed into clicking links or submitting personal data, such as credit card numbers, by messages mentioning “water supply suspension.”
Common characteristics observed in recent phishing messages (examples):
- Subject lines such as “Water Account Information Update Notice,” prompting users to log in to complete payment or provide information.
- Use of shortened URLs or hyperlinked text (for example, “WSD Service Platform”), turning specific words into clickable links that lead to phishing websites.
- Fake WSD login and payment pages that request sensitive data such as phone numbers and credit card details.
- Phishing URLs deliberately containing terms related to the WSD official website or similar spellings to confuse users, such as “wsdbg/wsdio/wsdde/wsdazx.”
Attack Flow of the Phishing Emails and Websites Impersonating the Water Supplies Department
- Scammers first impersonate WSD to send phishing emails or SMS messages, falsely claiming small outstanding amounts to entice victims to log in and resolve them.
(The images above showed two phishing emails with different contents.)
- After clicking the phishing link, the fake page closely mimics the official website in layout and design. It pretends to verify identity by asking for a phone number, but tests show that entering any number (e.g., 123456) will pass the verification.
- The fake page then indicates there is an overdue water bill.
- After clicking “Continue,” victims can even view detailed bill information.
- By presenting a small payment amount to lower the victim’s guard, the fake page prompts users to click “Pay Now,” after which it requests credit card details.
- After submission, the fake page remains on a perpetual loading screen, while the victim’s credit card information has already been transmitted to the scammers.
Fake tourist hotspot ticketing websites
In addition, scammers also impersonate the official ticketing websites of famous Hong Kong attractions, spreading claims of limited-time discounts or super low prices through search engine ads, social media platforms, and instant messaging tools to lure citizens into purchasing tickets and submitting their personal information.
(The image above showed a fake ticketing site of a well-known attraction)