A 65-year-old accountant became this year’s phishing victim who lost the most money when he clicked on a hyperlink sent to his mobile phone, allowing scammers to take more than HK$700,000 (US$89,371) over several days, Hong Kong police have said.
The man received a text message in January that warned him the points he had collected had almost expired and urged him to exchange them for souvenirs and rewards.
He entered his credit card information on the bogus reward platform he was directed to after he saw a pair of earphones he liked, said Chief Inspector Lester Ip Cheuk-yu of the police’s cybersecurity section.
The man was among the 1,408 victims that fell prey to phishing scams in Hong Kong between January and March, collectively losing HK$26.1 million. Local law enforcement is paying attention to these types of cases because of the increasing prevalence of such technology crimes.
Victims ranged from 18 to 78 years old. Almost a quarter were people between 51 and 60.
Scammers used text messages and emails to communicate with their victims in more than 90 per cent of the cases. About 1,000 messages claimed to be from telecoms companies, with the rest from customer loyalty programmes and postal services, Ip said.
Acting senior superintendent Baron Chan Shun-ching of the cybersecurity and technology crime bureau said: “Phishing scams usually involve cross-jurisdictional syndicates. We have difficulties identifying suspects as they are not in Hong Kong.”
Chan added that most of the time, the victims did not notice their losses for several weeks or even a month, making it more difficult to trace the funds.
Dennis Leung Chui-choi, a principal regulatory affairs manager at the Office of the Communications Authority, said it was negotiating with police, the banking sector and mobile network operators about registering text message senders to help residents check their authenticity.
Leung added that the rules and regulations had yet to be finalised, but they were aiming to begin implementation trials by the end of this year.
Since May, all mobile service providers in Hong Kong have started sending voice or text alerts to customers for incoming calls from outside the city using “+852” as the prefix to make it appear as though they are local numbers.
“This is to alert call recipients to the calls coming from outside Hong Kong, even though they disguise themselves as local numbers,” Leung said.
He added that telecoms operators have also started suspending those local mobile numbers and websites believed to be involved in phishing scams.
Chan said, through reports received by police, intelligence from telecoms operators and cyber patrol, authorities had blocked nearly 3,000 URL links from public access this year.
Police also arrested 34 people from January to March. They were believed to be linked to five crime syndicates and involved in 246 cases.
Chan added that phishing scams were “faced by police forces all over the world”. Malaysia has banned the inclusion of URL links in text messages, while Singapore has started tagging text messages from unregistered senders as “likely scam”.
Overall, Hong Kong police recorded 7,361 technology crimes in the first quarter of this year, involving about HK$833 million.
Ip said one of the victims was a local master’s student who lost HK$2.5 million worth of USD Coin, a digital currency pegged to the United States dollar, after he saw a post advertising free distribution on Twitter in January.
His cryptocurrency wallet details were leaked after he clicked on the advert and installed a web browser extension on Google Chrome, Ip added.
“The student did not even give out his personal details,” he said.
Police reminded the public not to click hyperlinks embedded in suspicious text messages and emails and never log on to unverified websites.
Residents should also be extra cautious when websites ask for personal or credit card information and report to police as soon as possible if they suspect they have been scammed.
Hong Kong’s four mobile network operators – China Mobile, HKT, Hutchison Telecommunications and SmarTone – said they had strengthened public messaging and collaborated with authorities to fight phishing scams by regularly removing fraudulent links and taking down suspicious websites.
3 Hong Kong, the mobile telecoms arm of Hutchison Telecommunications, said it had started an automatic call-blocking anti-scam service, with a monthly fee of HK$9.
CSL, the consumer mobile arm of HKT, said it only used verified WhatsApp accounts to communicate with customers, and that a 24-hour “scam prevention support” hotline was available for verifying the authenticity of the company’s promotion calls.
SmarTone said it had implemented one-time passwords for secure account logins and to prevent unauthorised access.
All Hong Kong phone users have to register their SIM cards with their full name, date of birth and identity card number. Authorities said the move could thwart scammers and personal data thieves.