Verify a Website before Providing your Username/Password

by Wilson Wong
Phishing email spreads over the Internet from time to time. You may have received suspicious email telling you that your computer account has problems/will expire/has exceeded quota/etc. and requires you to verify your identity by clicking on a URL (Uniform Resource Locator) to a web page, and then input your username and password. This kind of email evolves quickly and auto-spam filtering and anti-virus scanning may not be enough to filter all such phishing email. It is therefore a good practice to check a website before providing your username and password. The following are some brief guidelines on checking if a website is genuine and secure:
1. Verify the URL

You should make sure that the URL will lead to a trusted domain. Take City University of Hong Kong (CityU) as an example, all URLs of CityU web servers end with the domain “”, such as “”, “”, etc. Web servers ending with domain not exactly the same as “” (with a slash after ""), such as “”, are NOT web servers of CityU, and you must not provide your username and password to such web pages. Be aware of a hidden URL which is different from what is shown and you can see it by mouse-over the shown/printed URL. If it reveals a URL that is different from the one shown and is linking to some suspicious domain/site, you must not click it.
2. Make sure URLs are secured by HTTPS (Secured Hypertext Transfer Protocol), not just HTTP

ALL secured login pages have to be using HTTPS protocol, i.e. with URLs beginning with “https://”, to encrypt the data communication between user computing devices and the web servers. If the URL begins with just “http://”, please do not provide your username/password.
3. Verify the validity of a Login Page

If the URL begins with “https://”, you will see a lock icon in the address bar of your web browser (see pictures below), meaning that the connection to the website is secured. However, if a red/orange strip or an exclamation mark is shown on the lock icon, it means that the connection is unsafe, e.g., the secure certification (SSL Certificate) is invalid, has expired, etc. Please do not provide your username/password to such websites.
MS Internet Explorer
Google Chrome
Safari of MacOS
If you have doubts on the validity of any URL or any website, please contact the CSC Help Desk at 3442 7658 or email to for assistance.