Hong Kong police have warned of a ninefold surge in hijacked instant messaging accounts in a month, with scammers later impersonating their targets to swindle money from online contacts. Superintendent Baron Chan Shun-ching of the force’s cybersecurity and technology crime bureau said police had noticed a sharp rise in scams arising from compromised online messaging accounts over the past two months. “Around four or five years ago, when online social media platforms rolled out stringent measures [against hacking], the situation calmed down for a while, but in August this year, we noticed and citizens have felt that account hijacking is back again,” Chan said. The force said it received 1,239 reports of online messaging account hacks last month, nine times more than the 127 cases recorded in August. Losses rose fourfold from HK$470,000 (US$60,110) in August to HK$2.3 million last month. Most of the cases involved WhatsApp accounts, with 107 hijacked in August and 1,204 infiltrated last month. Twenty cases over the past two months were related to Telegram accounts, while 35 involved other platforms. Police issued the warning less than two weeks after the city’s privacy watchdog revealed that more than 900 residents had their data compromised when a fraudster hacked into the WhatsApp accounts of five social welfare services and schools in an attempt to defraud people on the organisations’ contact lists. Hongkongers warned over WhatsApp con artists after 25 scam cases in week Chan said that while online account hacking was nothing new, fraudsters had changed tactics, with the latest method being to trick victims into granting access to cheats through sham login web pages. Senior Inspector Tyler Chan Chi-wing said scammers would first post sham login pages for popular online messaging platforms online, masquerading as “sponsored content” relevant to the platform concerned to appear at the top of search results. These pages could replicate the layout of the targeted login webpage, but Chan warned that the link to the sham version would be different from that of the actual website. But when unassuming victims scanned the QR code presented on the sham web page to log into their accounts, they would have automatically granted access to their contact list and chat records to scammers instead. “As the scammer successfully entered [the victim’s account], to avoid suspicion, the phishing site would then redirect the victim to the legitimate login website of the platform,” Chan said. “The victim would then mistakenly wonder if there were technical problems, thus scanning the QR code once again.” Swindlers would then pick contacts whose chat records were hidden near the bottom of the victim’s homepage to avoid detection, before archiving the conversation to mute all future notifications as they attempted to impersonate the victim to scam contacts on their phone. The largest recorded case of online account hijacking this year took place last month, when scammers impersonated a 37-year-old currency exchange store employee after hacking into his WhatsApp account. Bogus online job adverts used to cheat 200 Hongkongers out of HK$40 million Within a day, the scammer had persuaded a client of the victim to send a total of 1 million yuan (US$137,300) via two transactions to two bank accounts in mainland China. The employee only discovered the swindle when his client approached him in the shop later that day. Chan, the senior inspector, urged residents to enable two-factor authentication processes to enhance security for website logins, as well as to log out unknown devices connected to the account to discontinue scammers’ access. He said people should also avoid logging into personal accounts over shared computers or public networks, and be vigilant about spelling mistakes or mixing of traditional and simplified Chinese characters on webpages to tell sham versions from genuine ones. 4 Hong Kong jobseekers lose HK$1.25 million in online shopping scam Separately, police criminal psychologist Michael Fung Ho-kin warned about mental traps that victims could fall into if an online acquaintance was a scammer. A warehouse worker surnamed Lam, who lost 600,000 yuan in March from cryptocurrency investments on a sham platform, told Fung in an interview that he could not believe he was defrauded even after he checked the police’s fraud detector site, Scameter, which flagged an alert on the scammer. Lam went back to the online acquaintance who had recommended the platform to him for explanations. The acquaintance dismissed his concerns, saying they arose out of Lam’s ignorance on cryptocurrencies. Lam continued to transfer money to the scammer until the sham platform closed for good. Easy money or costly scam? Why you should ignore bogus job messages on WhatsApp Fung said it was common for victims to seek validation from scammers as suspicions arose on their investments as they could not bear the thought of their previous transactions being wasted. He said victims he had talked to were people who thought they were invincible. “They have an illusion of security, [they think], ‘I know everything about deception or scams,’” the psychologist added. “And that’s why they fall into traps … but you can never know too much about scams, they are ever-changing.”
Hongkongers warned to watch out for hijacked WhatsApp accounts after ninefold surge in cases in a month with scammers stealing HK$2.3 million
