Hong Kong police received more than 18,000 reports of cybersecurity attacks in the first quarter, with the number of incidents involving robot zombie computers seeing the greatest increase.
Phishing attacks accounted for nearly 46% of the 18,758 incidents logged in the first three months while malware reports made up another 29%, said Senior Superintendent Raymond Lam Cheuk-ho of the force’s cybersecurity and technology crime bureau.
The force said 25,510 attacks were reported in the same period last year.
Lam said the number of malware incidents dropped from the “significantly” high level of 15,131 in the first quarter of 2023 to 5,482 in the same period this year.
The cases, which involve victims being scammed by fake mobile apps downloaded from unofficial links, decreased after the police moved to take down those websites.
He emphasised that other types of cyberattacks were on the rise and were expected to only increase with time.
The number of botnet incidents – which involve attacks by a network of malware-infected computers – spiked by 44.5% year on year, the biggest increase among five types of cyberattacks.
The force said it recorded more than 10,000 cybercrime cases in the first four months of the year, involving over HK$1.8bil (RM1.08bil or US$230mil) in financial losses.
Among them were 14 hacking cases and 17 ransomware cases, which together involved HK$2.2mil (RM1.32mil).
“Of the 14 hacking cases, three were related to hacking of a company’s email system and sending phishing links to high-level staff for monetary transactions,” Lam told a press briefing for this year’s “BugHunting Campaign”, a cybersecurity drive.
Lam said none of the companies hit by ransomware crimes paid out money.
“We don’t encourage companies to pay the ransom, as the aim of these syndicates is to defraud,” he said. “There is no guarantee that the syndicates will destroy the data they obtained once the ransom is paid. It does not solve the problem.”
He warned that with the proliferation of cybercrime technology, syndicates did not need advanced systems to carry out highly targeted attacks that were increasingly discreet.
“As Hong Kong companies keep up with the trend of digital transformation, they also need to update their software and make sure they secure loopholes,” he said.
The bureau’s Superintendent Baron Chan Shun-ching said syndicates set their sights on companies because of the large amount of data they handled, which endangered the personal information of their users.
“Like annual body checks, companies should also regularly check the health of their cybersecurity systems,” he said.
“But they usually lack resources or do not have enough knowledge about what protection their systems lack.”
Police collaborated with cybersecurity start-up Cyberbay to launch the second edition of the BugHunting Campaign on Monday to help protect local businesses and other institutions from harmful attacks on their websites.
The two-month initiative connects businesses with local cybersecurity talent, sometimes known as “bounty hunters”, to help them manage risks.
The troubleshooting service is free for organisations, while those who flag any vulnerabilities receive cash rewards.
Businesses also get a HK$10,000 (RM6,012) subsidy to hire talent to fix cybersecurity loopholes and are rewarded with a badge to show their system is robust.
“When the businesses earn this badge, this also gives their clients more confidence,” Chan said.
Sixty organisations signed up to the campaign last year. Half of them were start-ups and small and medium-sized enterprises, while another 30% were NGOs.
Organisers said 197 online security risks were discovered during the two-month programme, with 10% listed as “critical”. – South China Morning Post