Your Peace of Mind is our Commitment

Contact Us English Recent Articles

Hong Kong Taxpayers Targeted with Fake Refund Phishing Email

First published: 01st March 2018

A fake tax refund email linking to a website imitating the Hong Kong Inland Revenue Department (IRD) style and requesting personal data has been received by a number of Hong Kong recipients.

The message informed the recipient that they were eligible to receive a tax refund and should follow a link to receive the tax return[sic] online. The webpage, hosted on a Korean shopping mall website and still accessible at the time of writing, uses the Inland Revenue Department logo and style, and asks for personal and credit card information, including the CVV number. This could be used to make fraudulent charges against victims' credit cards.

There are many clues that this is a fraudulent message:

More technical recipients might note further clues:

Could the Hong Kong Government do more to block similar fraudulent emails?

The message was sent with the envelope From of, from the host []. The Government has published SPF records for OGCIO:	text = "spf2.0/pra ~all"	text = "v=spf1 ~all"

And IRD:	text = "spf2.0/pra ~all"	text = "v=spf1 ~all"

These records clearly specify which servers are permitted to send email for those departments, and they do not include the server the fraudulent message was sent from. Therefore, receiving email servers can check the SPF record and decide to reject the connection.

However, the Government has chosen to specify '~all' in the SPF records. This is a policy recommendation for the recipients of softfail: i.e. to allow mail whether or not it matches the parameters in the record. A softfail policy is usually implemented for a transitional period, while an organisation is still working on ensuring all its email users are following its policy.

Perhaps it is time for the Hong Kong Government to change its SPF policy to '-all', a hard fail.


Fake email announcing tax refundFake email announcing tax refund hi-res
Fake IRD webpage demanding personal dataFake IRD webpage demanding personal data hi-res

More Information

Related Articles