All documents
PDF ESG-v1.0

Staff Guideline

Email Security Guideline

For all office users (tree.com.hk) · Related: User Access · Computer Operations

Prepared by Max.chan@mediaworld.com.hk · ESG-v1.0 · 2026-01-15

Golden rules

1

Do not open dirty / suspicious links

2

Do not open unexpected attachments

3

Do not share your password with anyone

4

Verify the sender address — especially for unusual requests

5

If unsure → stop and ask Admin

Email sender verification

Always check the real From address (not only the display name). Display names can be faked.

When to double-confirm

If the email asks for something unusual or unexpected, stop and double-confirm the sender before acting, for example:

  • Urgent payment, bank transfer, or Visa / card details
  • Password, OTP, or account login request
  • Change of bank account / supplier details
  • Request to buy gift cards, or send money “right now”
  • Unusual instruction from a boss / manager / colleague you were not expecting

How to confirm: check the full email address carefully, then confirm by another channel (phone / in person / known chat) — do not use a reply, phone number, or link inside the same suspicious email.

Watch for misspelled email addresses

Attackers often use addresses that look almost right. Check every character:

Look forExample of fakeReal
Wrong domainname@tree.com or name@tre.com.hk@tree.com.hk
Extra / missing letterLook-alike letters in the domain@tree.com.hk
Extra word / hyphen@tree-hk.com / @secure-tree.com.hk@tree.com.hk
Wrong personDisplay name “Boss” but address is unknownKnown colleague @tree.com.hk
  • Open / expand the sender details and read the full address
  • Compare it to an address you already trust (previous real email, company directory)
  • Any misspelling or almost-correct address → treat as suspicious and report to Admin

What is a “dirty” / suspicious email?

Be careful if the email:

Do

Do not

Reminder — Tree systems

  • Visa card payment info is handled by the payment gateway — Tree systems do not store card details
  • Nobody from IT / Admin will ask for your password by email
  • Software install requests go to Admin / IT — do not install from email links

If you clicked a bad link or opened a bad file

  1. 1 Stop using the PC for sensitive work
  2. 2 Disconnect from network if Admin asks
  3. 3 Tell Admin immediately (Level 1)
  4. 4 Change password if Admin / IT instructs
  5. 5 Do not hide the incident — early report reduces damage

How to report

  • Contact: Admin (Level 1)
  • If needed, Admin escalates to outsourced IT (Level 2)
  • Optional: fill Incident Report Form
Incident Report Back to index