Cyberfrauds and cyberattacks have been on a steep rise in the past 12 months, possibly attributable to the uncertain environment under the pandemic and an increase in remote working arrangements. Cybercrimes, email frauds and online investment scams are becoming more frequent with perpetrators taking advantage of the lack of IT support and less than robust remote IT security arrangements to defraud individuals and corporations.
In 2019, the FBI reported a combined loss of USD3.5 billion suffered by cybercrime victims in the US, with business email and email account compromise constituting about half of the loss at USD1.7 billion. This year, the loss is expected to be even more significant. Among the top targeted industries were health, consumer markets, financial services, and technology, media and telecommunications (TMT).
Hong Kong and China continue to be top targets for cybercrime activities. Hong Kong reported 34,551 cybersecurity compromise incidents in the first three quarters of 2020, having suffered a total loss of HKD2.9 billion due to cybercrimes in 2019. The figure for 2020 is likely to be much higher. In China, the PRC Ministry of Public Security announced in July 2020 that it prosecuted over 100,000 cases of cybercrime (largely concerning online loan frauds) and arrested 92,000 cybercriminals in the first half of 2020, an increase of 73.7% and 78.4% respectively compared to 2019.
Cybercriminals are becoming more sophisticated in the ways they facilitate cyberfrauds, increasingly using personalised messages on instant messaging platforms such as WeChat or WhatsApp and socially engineered phishing emails to deceive recipients into transferring funds, disclosing sensitive information or clicking on malicious links. Corporations have suffered substantial losses as a result. Corporations thus need to remain vigilant and should regularly remind their employees of the types of schemes commonly deployed by cybercriminals, which include:
- Corporate and business compromise schemes - fraudsters impersonate senior executives of a corporation or counterparties in a contract (often suppliers) and ask for an urgent transfer of funds to an overseas bank account. The volume of these attacks is much higher in the healthcare and e-commerce industries.
- Phishing emails - hackers, using spoofed email addresses of reputable organisations or corporations, send out mass emails with links containing malicious code. We have seen spoofed emails sent from addresses deceptively similar to those of health organisations in the guise of COVID-19 guidance. Spoofed emails typically use look-alike domains with characters that appear similar to the original characters of a legitimate domain (e.g. "rn" instead of "m") and use trusted brand names in the email header.
- E-shopping scams - fraudsters disseminate links containing fabricated deals on products, and once the recipients click on those links, malware is released onto their systems. With individuals spending more time on e-shopping while working remotely, such scams have enabled cybercriminals to obtain victims' personal data and also gain access to their company email accounts to carry out further frauds.
- Professional advice scams - fraudsters impersonate professional advisors of financial institutions or law firms and send out emails containing offers for services such as investment advisory. These emails contain false contact details or professional license numbers to add to the fraudsters' credibility and are usually followed up by phone calls to the recipients.
What can corporations and their employees do to mitigate the risk of falling victim to cyberfrauds?
- Education is key - send regular reminders and provide regular training to employees on the company's procedures, guidelines and protocols, particularly to those handling financial transactions and confidential information.
- Keep IT security up-to-date at office and home - ensure that your company's IT team has updated anti-virus and detection software and is performing regular checks on the company's IT systems. Your company should ensure there are adequate IT security arrangements in place (such as a secured VPN) given the increasing use of working from home arrangements.
- As individuals, adopt best practices for cybersecurity - always check whether the sender's email address is different from the usual one. Do not download attachments from unknown or suspicious emails. Always report cyberattacks to your company's IT team.
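
The look-alike domains described under phishing emails above, and the advice to check the sender's address, can be partly automated at the mail gateway. The following is an added example, not part of the original article: the trusted-domain list, brand names and sample headers are constructed, and the function names are hypothetical.

```python
from email.utils import parseaddr

# Assumed allow-list: domains the organisation really corresponds with,
# mapped to the brand name normally shown in the display name (constructed).
TRUSTED = {
    "examplemedical.org": "Example Medical",
    "acme-supplies.com": "Acme Supplies",
}

# Character sequences that read alike in most fonts, folded to one form.
FOLDS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def skeleton(domain: str) -> str:
    """Reduce a domain to a form in which visually confusable spellings collide."""
    d = domain.lower().rstrip(".")
    for src, dst in FOLDS:
        d = d.replace(src, dst)
    return d


def check_sender(from_header: str) -> str:
    """Classify a From: header against the allow-list."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED:
        return "trusted"
    # Internationalised names can hide homoglyphs; send them for manual review.
    if not domain.isascii() or "xn--" in domain:
        return "idn-review"
    # Same skeleton as a trusted domain but a different spelling: look-alike.
    for good in TRUSTED:
        if skeleton(domain) == skeleton(good):
            return f"lookalike:{good}"
    # A trusted brand in the display name, sent from an unrelated domain.
    for good, brand in TRUSTED.items():
        if brand.lower() in display.lower():
            return f"brand-mismatch:{good}"
    return "unknown"


if __name__ == "__main__":
    for hdr in ("Example Medical <advice@exarnplernedical.org>",
                '"Example Medical COVID-19 Guidance" <info@covid-guidance.example>'):
        print(hdr, "->", check_sender(hdr))
```

A match on the From: header only shows the address looks wrong; it does not replace SPF, DKIM and DMARC checks on the message.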
What should you do if you suspect that you have become a victim of an attack?
- Notify the banks handling transfers to the fraudsters' bank accounts immediately to request cancellation or reversal of the relevant transfer.
- Report to the police. If the receiving bank account is located in Hong Kong, report the fraud to both the local police (if funds were transmitted from outside Hong Kong) and the Hong Kong police via an online cybercrime reporting platform. Alternatively, you may instruct lawyers in Hong Kong to file a report to the Hong Kong police.
- Instruct local lawyers who are specialists in this area. They can help to take urgent recovery actions before the courts and seek assistance from local regulators before the fraudsters take flight with the lost funds (e.g., before funds are transferred out to other overseas accounts).
- Report to insurers if you have insurance that covers fraud and find out the scope of coverage.
To learn more, please contact our Hong Kong-based specialist regulatory and disputes lawyers.