Scammers use fake résumés and email viruses to infiltrate international businesses and steal US$42 million, Hong Kong police reveal
In largest case, a European construction material supply company was duped into transferring US$7 million into a Hong Kong bank account.
A construction material supply company based in Europe has been duped into transferring US$7 million (HK$55 million) into a Hong Kong bank account in the latest case of email fraud that is rife in the city.
The scammers hacked into the company’s email accounts and pretended to be one of the international corporation’s senior managers from its United States branch, contacted the accounts department at the firm’s headquarters and made the money transfer request.
According to multiple police sources this is the largest commercial email scam this year and comes amid a 164 per cent surge in the amount of money involved in such cases in the first three months of 2018.
The sting was among 191 commercial email fraud cases in the first three months of this year, in which crooks got away with US$42 million (HK$330 million) – compared with the US$16 million (HK$125 million) lost in 124 cases for the same period last year.
Hackers will typically gain access to a company’s sensitive information by sending a virus inside an email disguised as a job application with a résumé attached. Opening the document allows the virus to infect a company’s servers, giving the crooks access to information about the business, the chief executive officer, other senior staff, and the firm’s clients.
They will use that information to impersonate someone, and convince the company to transfer money to accounts that are then cleared out within a matter of days.
“If the chief executive officer is taking a flight during a business trip and is unable to contact his staff, the fraudsters will take this opportunity to pretend to be him and send a fictitious email instructing his staff to transfer money,” a police source said.
The source said the investigation into these types of fraud showed that gangs from the United States, Europe and mainland China were behind the scams, targeting individuals and companies worldwide.
A second source said police had noticed an increasing number of overseas companies falling victim to commercial email frauds this year.
Of the 191 cases, about 60 per cent were companies from overseas. Hong Kong police were involved because the swindled money was transferred into bank accounts in the city.
The Post has previously reported that underground money changers had been helping international fraudsters set up accounts in the city, and laundering the proceeds of these email scams.
“Investigations show mainlanders have been recruited by underground money changers to open bank accounts in Hong Kong to collect the swindled money,” the second source said.
He said the money was usually funnelled into different accounts and moved around the world within days after the transfer.
The second source said it was difficult to track down the thieves because they were based overseas, and their operational centres moved around the world.
“Some of their emails were sent from the United States, but that did not mean their operational base was in this country,” he said.
Hong Kong police were notified of this year’s biggest case in January, but sources said the money had been transferred in December.
In the whole of last year, the force handled 680 reports of email scams involving the loss of US$126 million (HK$990 million). The biggest loser was another international corporation, that was conned out of US$63.7 million (HK$500 million) in 2016.
Multiple sources said the police had enhanced the exchange of intelligence with mainland Chinese and overseas law enforcement agencies in an effort to combat such activities.
Latest figures show there were 2,429 reports of deception cases, including commercial email scams, in the first four months of this year, up 5 per cent compared with the same period last year.
As a result, police have again urged individuals and companies to verify the identities of people they are in contact with, and to ensure a request is legitimate before making money transfers.
Police advise companies to set up confirmation procedures, multiple approval mechanisms, and issue guidelines for the transfer of funds between accounts.
“Multiple approval mechanisms should be set up to stipulate the work procedures of all levels of staff, so as to verify the identity of the recipient of funds and the genuine purpose of remittance,” the force said on its website.