What is phishing email and how to avoid it?

Although the Central IT will try their very best to prevent malicious email from reaching our users, phishing email is hard to detect and you may still receive suspicious email (phishing email) claiming to be from "Admin", "IT Support", "Email Administrator", " IT Service Desk", etc. telling you that your computer account has problem/will expire/exceeds quota/needs to upgrade, etc. and requiring you (i) to reply to the email with your account password/personal details, or (ii) to verify your identity by clicking on a URL to a webpage, and then input your account password/personal details, or (iii) to lure you to open a file attached which results in a computer virus or spyware being installed on your computer to steal information or to launch attacks to other computers.

Some phishing email even fakes the identity of CityU’s Central IT, e.g. from Computing Services Centre (CSC), or the look of the login/verification webpages. To assist you to verify genuine email sent from the Central IT which is related to password matters for your CityU computer account(s), a personalized list of such email (if any) sent to you within the last 30 days is listed in a box at https://wikisites.cityu.edu.hk/sites/verifyemail. If the box is empty, meaning that no such email has been sent to you from the Central IT, and if you have received one claiming to be from the Central IT (i.e. the OCIO, the ESU or the CSC), it is likely to be fake and please: (i) do not provide your account password/personal details; (ii) do not reply to the email; (iii) do not click any URL in the email; (iv) do not click and open any file attachment; (v) report it immediately to the CSC Service Desk at 3442 8340 or forward it (with full email header) to reportspam@cityu.edu.hk, and then (vi) delete the email.

Except for forwarding the suspicious email to reportspam@cityu.edu.hk, please do not forward it to other colleagues.

The rule of thumb to safeguard your computer accounts from hackers is to always access the option for changing password on the CityU Portal from the CityU Homepage, and not from any unknown email or URL remembered in browser's favorite list of unknown computers.

Be a smart email user, and please find below more hints on identifying fake email and URL.

The Email Sender

The Central IT use their office email accounts to issue email (except for reminder/acknowledgement email that is auto-generated by systems which are un-monitored email aliases):

Office of the Chief Information Officer (OCIO) - cio@cityu.edu.hk
Enterprise Solutions Office (ESU) - esu@cityu.edu.hk
Computing Services Centre (CSC) - csc@cityu.edu.hk

If you received an email from a sender "Computing Services Centre" but the email address is, for example, <serwis@sakowicz.com.pl>, it is definitely a fake email. In most email clients, right-mouse click on the sender's email address will reveal the full email address of the sender (for more details, please visit "How can I display FULL HEADERS of incoming messages?"

Please note that reminder/acknowledgement email, same as other email from the Central IT, will not ask you to provide your account password by replying to the email or clicking on an URL within the email; instead, steps to navigate to the option, e.g. for accessing the option for changing account password on the CityU Portal via the CityU Homepage, will be provided because the CityU Homepage and the CityU Portal are websites that you are familiar with.

Phishing email may also be sent from people you know since their email accounts or their computers/mobile devices might have been hacked and used for sending phishing email, so please watch out for email from email acquaintances, however, with unusual content.

Verify the URL (Uniform Resource Locator)

  • You should make sure that the URL will lead to a trusted domain.
  • Take the City University of Hong Kong (CityU) as an example, all URLs of CityU web servers end with the domain “.cityu.edu.hk.
  • Web servers ending with domain not exactly the same as “.cityu.edu.hk/” (with a slash after ".cityu.edu.hk"), such as “.cityu.edu.hk.auus.ml/”, are NOT web servers of the CityU, and you must not provide your username and password to such web pages.
  • Be aware of hidden URL which is different from what is shown, and you can see the hidden URL by mouse-over the shown URL; if it reveals a URL which is different from the one shown and is linking to some suspicious domain/site, you must not click it .

URLS Are Secured by HTTPS, and Not Just HTTP, on Login Pages

  • ALL secured login pages have to be using HTTPS protocol, i.e. with URLs beginning with “https://”, to encrypt the data communication between user computing devices and the web servers.
  • If the URL begins with just “http://”, please do not provide your username/password. All Central IT services requiring user login are secured by the HTTPS protocol (https://) to encrypt the data communication between user computing devices and the servers.

Verify the Validity of a Login Page

  • If the URL begins with “https://”, you will see a lock icon in the address bar of your web browser (see pictures below), meaning that the connection to the website is secured.
  • But, if red/orange strip or exclamation mark is on the lock icon, it means that the connection is unsafe, e.g. the secure certification (SSL Certificate) is invalid, has expired, etc. Please do not provide your username/password to such websites and immediately report it (with full email header) to reportspam@cityu.edu.hk.

MS Internet Explorer
Lock Icon of MS Internet Explorer

Google Chrome
Lock Icon of Google Chrome

Lock Icon of FireFox

Safari for MacOS
Lock Icon of Safari MacOS


Return to University In-house Email Service FAQ page