Recommendations for Organisations

Inform users directly (e.g. disseminate information through monthly statements, leaflets, publications or websites) about the preventive measures that your organisation has implemented, e.g.

Keep website certificates up to date so that users are assured of the legitimacy of the

Provide a telephone number, available at all times, for users of the websites to verify and report any suspicious email requests for information that claim to be sent by the organisation.

Consider registering domain names that are similar to the one currently used by the organisation, e.g. in addition to the original domain name "www.abcbank.com.hk", domain names such as "www.abcbank.com" can also be registered.

Develop a trademark for the organisation's domain name and register it, to minimise the risk of the name being misused or duplicated.

Strengthen the security controls of the organisation's websites, applications and email systems, e.g. using technological solutions such as SSL, two-factor authentication, digital certificates, firewalls, anti-virus solutions, enhancing fraud monitoring or reporting mechanisms and

Strengthen the operational controls, such as setting a lower limit on the maximum amount of transactions or fund transfers per day, or requiring pre-registration before users are authorised to perform certain types of online transactions via the Internet.

Educate users about the best practices they should follow and observe when using your Internet services.

Monitor the Internet for fraudulent variations of your organisation's name, trademark, seal or website address.
Monitor the Internet for phishing emails related to your organisation.

Monitor the websites of your organisation for any suspicious activities.

Identify and notify management of any reports of suspicious activities on websites or phishing

Promptly issue alerts to users, related parties or even the public, through press releases, the website or postal mail, about the fraudulent website and warn them not to respond to the suspicious or phishing emails.

Report the suspicious website to the police and relevant organisations such as the Hong Kong Monetary Association.

Advise users who suspect they have been defrauded to change their passwords immediately and to contact the organisation or report to the police as soon as possible.

Issue alerts to staff, administrators or service providers of the organisation's website to strengthen security measures and to watch out for any suspicious activities.

Stop further use of the secret code or device immediately when a loss, theft or possible compromise of a secret code or a device is