Hong Kong records drop in email phishing cases, but scam drill shows cybersecurity awareness ‘still lacking’


City reports 54.2% drop in cases compared with same period last year. But police say more public awareness is needed, as participants in anti-scam drill fell for fake online meeting invites, AI chatbot subscriptions. — SCMP

Hong Kong recorded a significant drop in the number of email phishing cases in the first five months of this year, but police have warned public awareness of cybersecurity is still lacking as employees at most companies that took part in an anti-scam drill clicked on dubious links.

The city logged 71 email phishing cases in the first five months of 2023, a 54.2% drop compared with the same period last year, police revealed on Monday.

The amount lost totalled HK$50.9mil (RM29.66mil), accounting for an 87.4% decline over the same period in 2022.

(From left) Wong Ka-wai, Hong Kong Internet Registration Corporation CEO; Senior Superintendent Raymond Lam; Sean Lee, CEO of China Mobile Hong Kong; and Senior Inspector Ng Pak-wai. Photo: Yik Yeung-man

The drop follows a downward trend recorded since 2019, when 816 incidents were reported to authorities, representing an 8.7% decline compared with 2018. Losses amounted to HK$2.54bil (RM1.48bil) in 2019, marking a 48% rise over the previous year.

Only 391 cases surfaced in 2022, with losses totalling HK$750mil (RM437.13mil).

Senior Superintendent Raymond Lam Cheuk-ho at the police’s cybersecurity and technology crime bureau attributed the downward trend to improved mail filtering tools, better public awareness and stricter requirements for opening company bank accounts.

“Phishing emails targeting firms will pretend to be from the receivers’ managers or business partners, and tell them to send money to bank accounts controlled by scammers,” he said.

“To make it more trustworthy, scammers tend to open some company accounts, but banks have tightened the requirements for opening company accounts and stepped up inspections on applicants, which has made it more difficult for scammers to have accounts, and in return, decreased the number of phishing email scams.”

The force and the Hong Kong Internet Registration Corporation, the government-designated domain registration service provider in the city, co-organised a phishing email drill involving 10,326 employees from 186 companies which took place between May and June this year.

During the drill, police sent five fake phishing emails to each employee that involved online meeting invites, an AI chatbot subscription, passcode and email verification requests and questionnaires from food delivery platforms.

Authorities have recorded a downward trend in the number of phishing cases since 2019. Photo: Shutterstock Images

Participants were notified about the drill and cybersecurity resources after clicking on the “phishing links”.

A total of 1,645 participants, or 15.9%, clicked at least one of the links, while at least one employee at 114 companies, or 61.6%, opened them.

Most of the duped participants fell for the online meeting invites, with 7.3% clicking on them, followed by the AI chat bot subscription and passcode verification requests from IT, which both had a click rate of 5.6%.

“We found there was still some room for improvement when it came to cybersecurity awareness, as 61.6% is not a small figure,” said Wong Ka-wai, chief executive officer of the Hong Kong Internet Registration Corporation.

Wong added some companies saw more than half of their employees falling for the fake scam, while the worst-performing participant clicked on all five emails.

In a drill held last year that involved 3,175 employees from 61 firms, 34.6% of participants and 78.9 % of firms were “phished”, according to the force.

Police reminded the public not to click links in emails from unidentified senders and to check for discrepancies in email addresses, such as replacing the lower case letter “l” with the number “1” or using “0” for “O”.

The force also urged residents to use its “Scameter” to check for phishing risks embedded in a URL.

When a URL is pasted into the Scameter, the system will check it against the force’s database of phishing links.

But police acknowledged that the database relied on cases reported by victims, adding that it would try to develop an upgraded system with the use of AI to check the credentials of email addresses and registration of URLs.

“With an upgraded Scameter app, when users visit some suspicious websites, an alert will pop up to warn them of the risks of those websites,” said Lester Ip Cheuk-yu, chief inspector at the bureau.

“Residents may find it troublesome to report a suspicious link or message to police. We are also trying to develop a reporting platform by the end of this year, where they can conveniently report links and messages to us.” – South China Morning Post

Follow us on our official WhatsApp channel for breaking news alerts and key updates!

Phishing scams

   

Next In Tech News

Apple said to offer US$100mil to undo Indonesia iPhone 16 ban
Long delayed Ukrainian survival video game sequel set for release amid war
Keppel DC REIT secures full ownership of key data centres in Singapore
Opinion: Suing to recover billions, FTX's receiver discloses the stunning scale of its grift – and stupidity
European tech funding stalls in 2024 but IPO window to open, report says
Trump may be planning to attend SpaceX launch in Texas
Super Micro Computer names BDO as auditor, files Nasdaq compliance plan
DOJ to ask judge to force Google to sell off Chrome, Bloomberg News reports
AI startup Perplexity adds shopping features as search competition tightens
Teens see conspiracy theories on social media weekly, a new study shows

Others Also Read