First published: 26th February 2020
In a questionable move, Tai Yau Bank has published an active link to a fraudulent website on their website, contained in a warning about the fraudulent website. Fortunately, the site was blocked at the time of checking.
The warning was dated 21 February 2020 and posted on the home page of the bank (screenshot). The Hong Kong Monetary Authority issued a press release about the fraudulent website on 25 February 2020. Most organisations issuing warnings about fraudulent or dangerous websites present the URL without making it an active link, some take the extra step of replacing the scheme (http or https for a website) with an invalid variant, usually hxxp or hxxps. This prevents unwary users accidentally clicking on the link, and using an invalid variant avoids the problem of "helpful" software automatically making the plain-text an active link simply because it matches the pattern of a URL.
The fraudulent domain (tybhkibankonline.com) was registered in October 2019 at a Russian registrar in the name of an American company with an invalid Russian address, and an invalid contact email address.
Victims should contact Tai Yau Bank at 2522 9002 and the Cyber Security and Technology Crime Bureau of the Hong Kong Police Force at 2860 5012.