

Threat Analysis: Hongkong Post Phishing – Fake Delivery Fee & Personal/Card Data Harvesting
These two screenshots show a phishing campaign impersonating Hongkong Post (香港郵政). The scam uses a fake delivery notification to trick victims into paying a small fee (HK$30.00) and, in the process, steals personal information and full credit card details.
How it works:
- The victim receives an SMS, email, or messaging app alert claiming a package is awaiting delivery and a small fee is required to complete the shipment.
- Step 1 – Personal Information Page (First Screenshot)
  The victim is asked to provide:
  - Address, city, phone number, postal code
  - Date of birth
  - Email address
- Step 2 – Card Details Page (Second Screenshot)
  The victim is then asked for:
  - Cardholder name
  - Full credit card number
  - Expiration date (MM/YY)
  - CVV / CVC
A fake tracking number and Hongkong Post branding are used to appear legitimate.
The goal:
The attacker collects:
- Personal information (name, address, DOB, phone, email) for identity theft
- Full payment card details (number, expiry, CVV) for fraudulent transactions
Red flags to watch for:
- Suspicious URL: The pages are hosted on a domain that is not hongkongpost.hk or an official government domain.
- Request for date of birth and card CVV: A legitimate delivery service does not need your date of birth or card security code to collect a fee.
- Small fee trick: HK$30 is a trivial amount meant to lower suspicion.
- Fake tracking number: The tracking code cannot be verified on the official Hongkong Post website.
- No personalization: The message does not reference a genuine package or tracking number the victim would recognize.
What to do if you encounter this:
- Do not enter any personal or card information.
- If you are expecting a package, track it directly on the official Hongkong Post website (hongkongpost.hk) using your real tracking number.
- If you have already submitted card details, contact your bank immediately to block the card and dispute any unauthorized charges.
- Report the phishing page to Hongkong Post and to the relevant authorities.
Protective measures:
- Never click links in unsolicited delivery messages. Always go directly to the official courier website.
- Never pay a “redelivery fee” via a link. Legitimate fees are collected at the point of delivery or through secure official portals.
- Check the URL carefully: Look for misspellings, extra words, or unusual top‑level domains.
- Enable two‑factor authentication on your email and banking accounts to reduce the impact of credential theft.
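
The "Suspicious URL" red flag and the "Check the URL carefully" measure can be automated for mail or SMS filtering. The sketch below is an added example, not part of the original analysis: it accepts only hongkongpost.hk or a true subdomain and reports why any other host is suspect. The brand keywords and all sample links are constructed assumptions.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "hongkongpost.hk"        # official site named in this write-up
BRAND_TOKENS = ("hongkongpost", "hkpost")  # assumed lookalike keywords, not from the page

NOT_OFFICIAL = "host is not hongkongpost.hk or a subdomain of it"
BRAND_IN_HOST = "brand name embedded in a non-official host"
USERINFO_TRICK = "official domain placed before '@' as userinfo"
PUNYCODE = "punycode (xn--) label in host"


def red_flags(url: str) -> list[str]:
    """Return URL red flags for a link in a delivery message; [] means official host."""
    try:
        parts = urlsplit(url if "://" in url else "https://" + url)
        host = (parts.hostname or "").rstrip(".").lower()
        userinfo = (parts.username or "").lower()
    except ValueError:
        return ["URL could not be parsed"]
    # Only an exact match or a true subdomain counts. A substring or bare suffix
    # test would accept evilhongkongpost.hk or hongkongpost.hk.parcel-fee.example.
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return []
    flags = [NOT_OFFICIAL]
    # Ignore hyphens and dots so "hongkong-post" and split labels still match.
    squashed = host.replace("-", "").replace(".", "")
    if any(token in squashed for token in BRAND_TOKENS):
        flags.append(BRAND_IN_HOST)
    if OFFICIAL_DOMAIN in userinfo:
        flags.append(USERINFO_TRICK)
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append(PUNYCODE)
    return flags


if __name__ == "__main__":
    # Constructed sample links, not indicators from the campaign described above.
    for link in (
        "https://www.hongkongpost.hk/",
        "https://hongkongpost.hk.parcel-fee.example/pay",
        "https://hongkong-post.example/track",
        "https://hongkongpost.hk@pay.example/",
        "https://evilhongkongpost.hk/",
    ):
        print(link, "->", red_flags(link) or "official host")
```

A link that returns an empty list only has an official host; the message around it can still be fraudulent, so the other red flags above still apply.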
