Be Vigilant to Phishing Email / Web Fraud

Recently, fraudulent (phishing) e-mails and websites that appear to come from ITSC or CUHK have been sent to CUHK users, asking them to confirm, verify or provide their account or personal information.

ITSC and CUHK never ask users for this information by e-mail. Do not reply, send any information to the senders, or click any hyperlink in such e-mails or websites until their authenticity has been verified.

  • Visit here OR
  • Click News in the top menu > Search from Category = Information Security

Phishing emails can come from any email address, including a compromised CUHK account. They generally urge you to log in or change your password before a deadline.

Here are some common phishing email subject lines:

  • Are you available? / Are you at your office?
  • Quick Help / Assistance / Response Needed
  • Payment / Transaction Notification
  • Account Verification
  • ALERT! Office 365 Password About To Expire
  • Important Notice: Verify your account NOW!
  • Your account was under attack! Change your access data!
  • I own your information!
  • I was able to hack you, and stole the information!
  • [ITSC-CUHK] 你的OnePass賬戶正在被盜用 (Chinese: "Your OnePass account is being hijacked")

Signs of a phishing email:

  • Phishing emails always appear to be sent from the University or from an individual CUHK staff member. They contain links asking you to confirm or verify your account information, with key phrases such as
    • Verify/Update/Confirm your account
    • If you don't respond/reply within XX hours, your account will be closed
  • Check whether the sender is plausible for the email content. For example, a student (i.e. xxx@link.cuhk.edu.hk) would not notify you about password expiry.
  • If you hover your mouse over a link (NEVER click it), your browser shows the address you would actually visit. In phishing emails, that address does not match the legitimate website named in the email (example below).
  • Phishing websites copy the look and feel of legitimate web pages, and they often carry viruses, trojans or other malicious software.
  • Ask yourself the questions below whenever you check an email. If the answer to any of them is Yes, it is probably a phishing email or website, and you risk identity theft if you act on it!
    • Does the email ask for your personal information or account verification?
    • Does the email look very different from the mass mails you usually receive?
    • Does the email contain a hyperlink whose real target does not match the URL it displays to you?
    • Are there spelling mistakes, obvious grammatical mistakes or a meaningless subject?
    • Does the email ask you to open a file with only a generic message and no description?
    • Is https://xxx.cuhk.edu.hk absent from the login website URL?
  • Contact ITSC if in doubt.
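As an added example (not part of the ITSC page), the Python script below applies two of the checklist questions above to an e-mail message: whether the URL a link displays matches the host it really points to, and whether that host is under cuhk.edu.hk. The sender, hostnames and message body are constructed for illustration and do not refer to any real mail.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

TRUSTED_SUFFIX = ".cuhk.edu.hk"  # legitimate CUHK login pages live under this domain
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(url):
    return (urlparse(url).hostname or "").lower()

def is_trusted_host(host):
    # match on the dotted suffix so look-alikes such as "notcuhk.edu.hk"
    # or "cuhk.edu.hk.example" are rejected
    return host == TRUSTED_SUFFIX[1:] or host.endswith(TRUSTED_SUFFIX)

def check_links(raw_message):
    """Return one warning for every checklist question a link in the message fails."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    warnings = []
    for href, text in ANCHOR_RE.findall(body.get_content()):
        target = host_of(href)
        text = re.sub(r"<[^>]+>", "", text).strip()     # strip tags inside the anchor
        shown = host_of(text) if "://" in text else ""
        if shown and shown != target:     # the visible URL and the real target differ
            warnings.append(f"displayed {shown} but goes to {target}")
        if not is_trusted_host(target):   # login page is not under cuhk.edu.hk
            warnings.append(f"link is outside {TRUSTED_SUFFIX[1:]}: {target}")
    return warnings

# Constructed sample modelled on the subject lines listed above; every address is made up.
SAMPLE = """\
From: "ITSC" <helpdesk@cuhk-onepass.example>
Subject: Important Notice: Verify your account NOW!
Content-Type: text/html; charset="utf-8"

<p>Your OnePass account will be closed if you do not verify it within 24 hours.</p>
<p><a href="http://cuhk-onepass.example/verify">https://login.cuhk.edu.hk</a></p>
"""

if __name__ == "__main__":
    for warning in check_links(SAMPLE):
        print("WARNING:", warning)
```

Saving a suspicious message from your mail client as a .eml file and passing its contents to check_links gives the same two answers you would get by hovering over the link and reading the status bar.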

(Image) The embedded link in the email does not match the legitimate one

(Image) A typical phishing email requesting you to activate your account

If you have received a suspicious or strange e-mail asking for your account information, you should:

  • NEVER reply to the e-mail, click any link in it, or open any attachment.
  • Check whether it is a reported case on the ITSC homepage
    • If it is listed on the page, delete the e-mail at once.
    • If it is a new case, report it to your LAN administrator or to ITSC via infosec@cuhk.edu.hk or the ITSC Service Desk, with the original email attached.

To attach the original email, follow the steps below:

In Microsoft Outlook, right-click the email and click "Copy".

Create a new email; in the composing area, right-click and then click "Paste".

If you have received one of these e-mails and supplied your password, take the following measures immediately:

  1. Change your OnePass password IMMEDIATELY to a strong password, on a virus-free and fully patched machine.
    You can use either of the methods described on the ITSC homepage to change your password. Remember that the change must be made on a virus-free and fully patched machine. Check our guidelines on safeguarding your password.
  2. Perform a System Health Check.
    1. Scan your machine using Kaspersky anti-virus and/or malicious code detection software with the most up-to-date signatures.
    2. Apply the latest security patches to your machine.
    3. [Office PC/notebook] Staff users should contact their department IT support to carry out a system health check on the machine.
    4. [Highly Recommended] Reinstall the PC/notebook, as the phishing website may have installed malware.
  3. Check for any unauthorized mobile devices connected to your mailbox
    Go to Office 365 Portal > Outlook > Gear Icon at the top right corner > View all Outlook Settings > General > Mobile Devices > double-click each mobile device to see its details.
  4. Check for any unauthorized Windows/Mac computers connected to your Office 365 account
    Go to Office 365 portal > User Name at the top right corner > My Account > App & Devices
  5. Check whether your mail has been forwarded to another account.
    Log into your Office 365 Mail/@Link to check for, and stop, any email forwarding settings that have been set up without your knowledge.
  6. Check whether new rules have been set up in your Inbox.
    Log into your Office 365 Mail/@Link to check for, and remove, any new Inbox rules that have been set up without your knowledge.
  7. Use 2FA to protect your account
    Visit DUO Two Factor Authentication (2FA) for further details.
  8. Contact ITSC so that we know you have taken the above actions to re-secure your account.
    To stop the hackers' further actions, ITSC will reset your password if the account has been compromised or misused; you will then be unable to access other University services.


These phishing e-mails and websites are designed to look like the real ones. Fraudulent bank websites, for example, are set up to lure you into giving away your account information. The most common approach is through e-mail and pop-up instant messages, in which "banks" or "distant relatives" ask for the user's personal information and password.

Here are some guidelines to avoid falling victim to phishing scams:

DOs

  • Remember that legitimate companies never ask their clients to send sensitive information online. If you are unsure, phone the company to verify whether it sent the e-mail.
  • Type the actual URL (if it is safe to visit) yourself instead of clicking the link inside the e-mail. Scammers may send you a URL that looks proper but secretly links to a fake website.
  • Lock your computers and mobile phones so that they cannot be used if they fall into the wrong hands.
  • Change your passwords regularly.

DON'Ts

  • Open e-mails, or follow URL links, from unverified sources.
  • Open attachments from unknown e-mails: they may contain computer Trojans (a type of malware) that record your keystrokes when you enter your passwords and spy on your computer data without your knowledge.
  • Keep sensitive information such as your ID card number, credit card details, driver's licence or passwords saved on your computer. This makes you particularly vulnerable to phishing.

Reference:

Protect Against Phishing Attacks (The Government of the Hong Kong SAR)
http://www.infosec.gov.hk/english/anti/protect_gen.html