Recently, fraudulent (phishing) e-mails and websites that appear to be from ITSC or CUHK have been sent to CUHK users, asking them to confirm, verify or provide their account or personal information.
ITSC and CUHK never ask users for this information through e-mail. Do not reply or send any information to the senders, and do not click any hyperlink in those e-mails or websites, until the authenticity of the e-mails and websites can be verified.
Actions When Receiving a Suspicious E-mail Asking for Account Information
If you have received a suspicious and strange e-mail asking for your account information, you should:
- NEVER reply to the e-mail or click any hyperlink in the e-mail.
- Check whether it is a reported case on the ITSC homepage.
- If it is listed on the page, delete the e-mail at once.
Actions If You Supplied Your Password to a Phishing E-mail
If you have received these e-mails and supplied your password, please take the following measures immediately:
1. Reset your OnePass password IMMEDIATELY with a strong password on a virus-free and patch-updated machine.
You can use either of the methods stated on the ITSC homepage to change your password. Remember that the change must be done on a virus-free and patch-updated machine.
Recommendation for a Strong Password
- Set your passwords with at least eight characters composed of random letters, digits and symbols
- Use different passwords for different systems
- Never use dictionary words or personal information such as your name, dates, telephone number, HKID or user ID.
2. Perform a System Health Check.
- Scan your machine using Kaspersky anti-virus and/or malicious code detection software with the most up-to-date signatures.
- Apply the latest security patches to your machine.
- For staff users, please contact your department IT support to carry out a system health check on your machine.
3. Check if other identities were added to your CUHK Webmail.
Please log into CUHK Webmail > Options > Personal Information. Sometimes the hacker might have added identities to your webmail account, so please check according to the steps attached to make sure no new identities were added.
These phishing e-mails and websites are designed to look like the real ones. Fraudulent bank websites, for example, are hosted to lure you into giving your account information. The most common way is through e-mail and pop-up instant messages, where "banks" or "distant relatives" ask for the user's personal information and password.
Here are some guidelines to avoid falling victim to phishing scams:
- Remember that legitimate companies will never ask their clients to send over sensitive information online. If you are unsure, you can phone the company to verify if they have sent such an e-mail.
- Type the actual URL address (if it is safe to visit) yourself instead of clicking on the link inside the e-mail. Sometimes, the scammers may send you a URL that looks proper but secretly links you to a fake website.
- Lock your computers and mobile phones in case they fall into bad hands
- Change your passwords regularly
- Do not open any e-mails or follow any URL links from non-verified sources.
- Do not open attachments from unknown e-mails, as they may contain computer Trojans (a type of malware) that record your keystrokes when you enter your passwords and spy on your computer data without your knowledge.
- Do not keep sensitive information such as your ID card number, credit card details, driver's license or passwords saved on your computer. This makes you particularly vulnerable to phishing.
Protect Against Phishing Attacks (The Government of the Hong Kong SAR)