Phishing attacks lead to a surge in account hijackings in HK, defrauding HK$11.6 million in March alone


22nd April 2024 – (Hong Kong) Hong Kong has witnessed a sharp rise in online scams involving phishing attacks targeting user accounts. The latest data reveals that the number of cases involving phishing text messages used to hijack accounts has surged from 99 incidents in January to a staggering 558 cases in March, marking a staggering increase of 4.5 times. The financial losses incurred during these incidents have also soared from HK$3.3 million in January to HK$11.6 million in March, with the largest individual loss reaching HK$1.48 million. Furthermore, multiple account hijackings have been reported this month, highlighting the growing severity of the issue. Law enforcement agencies are urging citizens to exercise caution and refrain from clicking on links contained within text messages. They emphasize the importance of verifying transactions through multiple channels before proceeding. Cybersecurity experts are advising individuals to remain vigilant and double-check website domain names for any typographical errors. Additionally, enabling two-factor authentication within communication applications is strongly recommended.

According to law enforcement authorities, there was a significant surge in online account hijacking cases between August and December of the previous year, with a total of 3,137 incidents and losses exceeding HK$65 million. However, after intensified crackdowns and awareness campaigns, the number of related cases dropped to double digits by the end of last year. Unfortunately, recent developments indicate a resurgence in these scams, with fraudsters once again employing phishing text messages disguised as official notifications to deceive users into believing that their accounts have been compromised. Among the 558 online account hijacking cases reported last month, a staggering 99.8% occurred through WhatsApp, with the remaining cases involving the use of Telegram. This trend can be attributed to the widespread usage and popularity of these communication platforms among citizens.

One of the most significant online account hijacking cases of the year occurred in February when a restaurant industry businessman had his WhatsApp account compromised. The fraudster sent a message to a business associate from the victim’s contact list, requesting payment for a supposed business transaction. Unaware of the deception, the associate transferred a total of US$190,000 (approximately HK$1.48 million) to the account provided by the scammer.

Law enforcement agencies recently encountered a new type of multiple account hijacking fraud. In this case, a man received a WhatsApp message from someone posing as his friend, requesting him to forward a one-time verification code received via text message. After complying, the man discovered that he had been logged out of his own account. Subsequently, when he contacted his friend through a phone call, he learned that his friend’s account had also been hijacked on the same day. Later that afternoon, the man received another call from a different friend, inquiring about the receipt of a gift card’s serial number. It was then that he realised his own account had been compromised, and the scammer had attempted to defraud his acquaintances. As a result of this incident, the man’s friend suffered a loss of HK$2,500 in gift card value.

The frequency of changes in phishing links has also increased significantly. Due to the low cost of domain registration, scammers are able to register multiple domains to facilitate their criminal activities. In the first three months of this year, there have been over 300 variations of phishing links reported. Law enforcement agencies have reached out to communication platform providers and individual service providers, urging them to enhance their security systems.