HKCert

Self Help Guide for Security Incidents

 

Scenario, Cause and Immediate Action

Web Mail Account Theft

Scenario:
  • You cannot log in to your web mail account.
  • You can log in, but the "sent" folder contains messages you did not send.
  • Your friends or business partners have received email messages from you that you never sent.

Cause:
  • Your account has been stolen and is being used to send messages.
  • A scammer has set the "sender" field of email messages to your email address.

Immediate Action:
  1. If you cannot log in to your email account, use the "Forget Password" feature to reset your password.
  2. After logging in, check the "sent" folder for any messages you did not send.
  3. Check whether any security settings (e.g. security question, secondary email address) have been changed by someone other than you.
  4. Use a clean computer to change your password and restore the original account settings (e.g. security question, secondary email address).
  5. Alert your family/friends/business partners about the scam message by phone call or other trusted channels.

* If you decide to report to police, see "If you decide to report incident for police/authority investigation" below.

* For remedial actions, see "Remedy" below.

Email Scam

Scenario:
  • An email from a bank / online auction / shopping site asked you to click a link to verify your information. You did so and saw a login page. You entered your login name and password, but were told the login was unsuccessful.
  • Your business partner sent an email asking you to transfer money to a new bank account. You transferred the money as instructed.

Cause:
  • What you visited was a fake webpage (i.e. a phishing webpage), which is used to steal your login name and password.
  • The email was sent by a scammer posing as your business partner. The account in question is actually owned by the scammer.

Immediate Action:
  1. If you have provided any online service login information to a suspicious party, change the password and check the security settings of all related accounts immediately.
  2. If you suspect that the incident may cause financial loss, e.g. online banking / shopping / auction account information was stolen, inform your bank immediately.
  3. Alert your family/friends/business partners about the scam message by phone call or other trusted channels.

* If you decide to report to police, see "If you decide to report incident for police/authority investigation" below.

* For remedial actions, see "Remedy" below.

 

 

If you decide to report incident for police/authority investigation

  1. You should preserve the following as evidence:
    • Any email messages in your account. Preserve not only the content but also the email header.
    • Any logs on your server/router/computer, e.g. firewall log, anti-virus application log.
  2. How to report:
    • Provide examples of email messages related to the incident when reporting.
    • Report to a nearby police station or via the web form.

Further information: Considerations in the collection of evidence (OGCIO)
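Why the email header is worth preserving, shown as an added example that is not part of the original HKCERT guide: the header records where a message really came from even when the visible "sender" field has been set to a trusted address. The sample message, its addresses and the function name inspect_headers are constructed for illustration. A mismatch is a sign to verify by phone, not proof of fraud, since legitimate mailing services also use a different Return-Path.

```python
import re
from email import message_from_bytes
from email.utils import parseaddr

# Constructed sample (not a real message): the visible From shows the business
# partner, but replies and bounces are directed to other domains.
RAW = b"""Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [203.0.113.7])
\tby mx.victim.example with ESMTP; Mon, 01 Jan 2024 09:00:00 +0800
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=mailer.example.net; dkim=none
From: "Partner Ltd" <accounts@partner.example>
Reply-To: accounts@partner-payments.example
To: you@victim.example
Subject: Updated bank account

Please transfer the payment to our new account.
"""

def _domain(value):
    """Lower-cased domain of the address in a header value ('' if absent)."""
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def inspect_headers(raw):
    """Summarise the header fields that reveal a forged 'sender' field."""
    msg = message_from_bytes(raw)
    info = {
        "from": _domain(msg["From"]),
        "reply_to": _domain(msg["Reply-To"]),
        "return_path": _domain(msg["Return-Path"]),
        "hops": len(msg.get_all("Received", [])),  # servers that relayed it
        # Checks recorded by the receiving mail server, when it adds them.
        "auth": dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                                msg.get("Authentication-Results", ""))),
    }
    findings = []
    for field in ("reply_to", "return_path"):
        if info[field] and info[field] != info["from"]:
            findings.append(f"{field} domain {info[field]} differs from "
                            f"From domain {info['from']}")
    findings += [f"{k}={v}" for k, v in info["auth"].items() if v != "pass"]
    info["findings"] = findings
    return info

if __name__ == "__main__":
    for line in inspect_headers(RAW)["findings"]:
        print("CHECK:", line)
```

None of these fields survive if only the message body is forwarded or copied, so save the original message with its full header.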

 

 

Remedy

  • Check your server/computer for infection:
    • Clean your computer with an anti-virus application if there is any.
    • Apply any available software updates for your OS and applications.
  • Other online services may also be affected. Use a clean computer to check your access to these services. Also use different passwords for different services.
  • Banks and most online services would not request users to provide their login information via email.
  • Also advise the business partner involved in the incident to check their computers. Their computers or network may be infected, which could have led to the scam email message.

  

Related Information

  1. Security Defense Tools (HKCERT)
  2. Malware Defense Guideline / Document Malware Defense Guideline (HKCERT)
  3. Police Appeal: Beware of Email Scam "Verify Suspicious E-mails Uncover Online Swindlers" (HKCERT)
  4. Legal and Contractual Considerations of a Security Incident Response (OGCIO)
  5. Security Incident Handling for Individuals / Companies (OGCIO)
  6. Related Ordinances (OGCIO)
  7. Recent Phishing Attacks (OGCIO)
  8. Rights of Victims and Witnesses of Crime (Hong Kong Police Force)
  9. Fraudulent Websites, E-mails and Telephone System, and other fraud cases (Hong Kong Monetary Authority)