Hong Kong’s de facto central bank has ordered an investigation into a sudden surge of suspected credit card fraud cases, after affected account holders complained on the social media pages of local lender Standard Chartered for two days in a row.

Angry users flooded Standard Chartered’s Facebook page with complaints about allegedly unauthorised transactions in foreign currencies, mostly involving the US dollar, on their credit cards this week, with one type of Mastercard account affected.

Many accused Standard Chartered of failing to sufficiently staff its hotline as their calls were not answered despite long waiting times, while the bank’s mobile app was also not functioning.

A spokesman for the Hong Kong Monetary Authority on Thursday said it was aware of the issue and had demanded Standard Chartered take measures to protect its customers and investigate the cause of the incident.

Later on the same day, Standard Chartered said that refunds linked to the suspected fraud cases would be issued from Monday, with all such transactions expected to be completed within a week.

The spate of allegedly unauthorised transactions was the result of a random test by hackers, with no evidence indicating that customers’ personal details had been leaked, the lender said.

It added that only 1 per cent of its credit card account holders were affected by the incident, insisting the cards issued were still safe to use. The number of problematic transactions had also been effectively reduced with new measures in place, it said.

Police said they had received a total of 159 reports of related incidents, which were being followed up by the force’s commercial crime bureau.

Recalling his experience, Ivan Lam Pak-hin, 29, told the Post he first saw a warning on a Facebook group where people claimed that details of many Standard Chartered credit cards had been stolen, and that users should beware as no one was answering calls on the bank’s hotline.

“I then logged into my e-banking account, only to find out that there were three [unauthorised] transactions, but the hotline number on the back of my card never went through when I called,” the customer service professional said.

Lam was not alone, with hundreds of complaints posted on the bank’s Facebook page.

Kalvin Wong, an engineering company owner in his mid-30s, became aware of the problem after a TV programme mentioned one case on Wednesday.

He then discovered more than 10 unauthorised transactions on his card between Wednesday and Thursday. The transactions were each for US$9.28 and recorded under unrecognisable website domains.

“It took me two hours [to reach their hotline], but their way of handling the matter was to cancel your credit card immediately and register a new one for you,” Wong said, adding that staff did not mention how he could retrieve the unauthorised payments.

Standard Chartered sent out a text message to all its clients on Wednesday evening promising to arrange refunds once transactions were confirmed to be unauthorised, while appealing to customers to refrain from calling the bank to follow up on the matter.

But Wong was unconvinced by the bank’s message. “I got the text after my call, but what’s the point … I’ve already been scared to death,” the businessman said.

Lam, whose hotline call was not answered, opted to visit a Standard Chartered branch in Mong Kok for help on Wednesday. But he was only told to leave his personal details for further contact and had not received any calls from the bank by Thursday afternoon.

“We are following up these cases proactively, while so far there is no evidence of personal data leakage. Customers are protected by the chargeback mechanism,” the spokesman said.

Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, said the victims’ credit cards could be under BIN or bank identification number attacks. These involved fraudsters taking the first six numbers of a card and then using software to automatically generate the remaining figures and test these combinations to see which were correct.

He said another possibility could involve fraudsters buying stolen credit card information from hackers and conducting transactions.

“This is unavoidable. What people can do is report suspicious transactions to banks or police,” Fong said.

He also suggested e-commerce websites improve the security of transactions, including adding one-time password authentication for extra protection.

Police statistics showed there were 339 cases of online credit card theft from January to September, with total losses of HK$5 million. The Monetary Authority received 348 cases about unauthorised credit card transactions this year.