Phishing Alert - Beware of Phishing Websites Impersonating Local Restaurant Reservation Platforms to Steal Personal and Payment Information
Type: Phishing
Current Status and Related Trends
Recently, suspicious websites have been identified that appear to impersonate local online restaurant reservation platforms. By using designs similar to those of legitimate restaurant websites and booking pages, they may mislead users into believing that the websites are genuine.


These websites appear to imitate the brand identity and reservation process of well-known restaurants in Hong Kong, and may thereby deceive users into entering personal information, reservation details and credit card information.


Characteristics of Suspicious Websites
Based on the screenshots provided, the suspicious websites display a number of characteristics commonly found in phishing or impersonation websites, including:
- The use of domain names that are similar to, but different from, those of legitimate websites, including the use of less common top-level domains such as .biz instead of .com, .com.hk or .hk.
- Some of the suspicious domains are newly registered.
- The fraudulent reservation process may, under the pretext of “confirming a booking” or “paying a deposit”, request users to provide credit card information, personal information or other payment details.
- The websites appear to be shown through search engine adverts or sponsored results, increasing the risk that users may click on them before carefully checking the full URL. (Please refer to the screenshot below.)


Security Advice for the Public
HKCERT reminds members of the public to:
- Carefully verify the full URL. The URLs of phishing websites are often very similar to those of official websites, but may differ slightly in spelling, word order or top-level domain. Users should carefully verify that the URL is correct before entering any information.
- Avoid clicking on unknown or unverified links. Whether a link comes from email, text message, social media, instant messaging platforms or search engine adverts, users should not click on it unless its authenticity has been confirmed.
- Do not enter personal or payment information on suspicious websites. If the source of a website is unclear, or if the domain name does not match the official website, users should not enter their name, telephone number, email address, credit card information, verification code or other sensitive information.
- It is advisable to enter the official website address directly in the browser. When making a restaurant reservation, users are advised to type the restaurant’s official website address directly into the browser, or to use a previously verified bookmark to access the relevant page.
- If in doubt, verify through the contact details listed on the official website. If users are unsure whether a reservation page belongs to an official website, they should first contact the restaurant using the contact details listed on its official website before deciding whether to proceed with the reservation or payment.
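
The URL comparison described in the first advice item above (spelling, word order, top-level domain) can also be automated, for example by a restaurant monitoring reported links. The following Python check is an added example, not HKCERT's code; the official domain `example-dining.com.hk` and the short suffix list are constructed placeholders, and a real check would load the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: short suffix list for this example; a real check would load the Public Suffix List.
SUFFIXES = ("com.hk", "com", "hk", "biz", "net", "org")
# Constructed placeholder for a restaurant's verified official domain.
OFFICIAL = ["example-dining.com.hk"]


def split_host(host):
    """'book.example-dining.com.hk' -> ('example-dining', 'com.hk')."""
    host = host.lower().rstrip(".")
    for suffix in sorted(SUFFIXES, key=len, reverse=True):  # longest suffix first
        if host.endswith("." + suffix):
            return host[: -len(suffix) - 1].split(".")[-1], suffix
    parts = host.split(".")  # suffix not in the list: last label is the TLD
    return (parts[-2] if len(parts) > 1 else parts[0]), parts[-1]


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, official=OFFICIAL):
    """Compare a URL's registered domain with the verified official domains."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    name, suffix = split_host(host)
    known = [split_host(d) for d in official]
    if (name, suffix) in known:
        return "official"
    for o_name, _ in known:
        if name == o_name:
            return "lookalike: different top-level domain"
        if sorted(name.split("-")) == sorted(o_name.split("-")):
            return "lookalike: word order changed"
        if edit_distance(name, o_name) <= 2:
            return "lookalike: spelling differs"
    return "no match"  # not on the list; this alone does not show a site is genuine


if __name__ == "__main__":
    for u in ("https://book.example-dining.com.hk/reserve", "example-dining.biz/booking",
              "https://dining-example.com.hk", "https://examp1e-dining.com.hk"):
        print(f"{u:45} {classify(u)}")
```
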
If Information Has Been Submitted, the Following Actions Should Be Taken Immediately
If members of the public suspect that they have entered personal information or credit card information on a suspicious website, they should take the following steps as soon as possible:
- Immediately contact the relevant bank or credit card issuer to report the incident and request appropriate protective measures;
- Closely monitor bank account and credit card transaction records to check whether any unauthorised transactions have occurred;
- Call the Hong Kong Police Force Anti-Deception Coordination Centre hotline “Anti-Scam Helpline 18222” for assistance;
- Retain relevant records, including website screenshots, text messages, emails, payment notifications and transaction records, for future follow-up or reporting purposes;
- Contact the Office of the Privacy Commissioner for Personal Data (the PCPD) for assistance.
Businesses or members of the public who wish to report to HKCERT on information security related incidents such as malware, phishing, denial of service attacks, etc. can do so by completing the online form at: https://www.hkcert.org/incident-reporting, or calling the 24-hour hotline at +852 8105 6060. For further enquiries, please contact HKCERT at [email protected].
