Global email scams con nearly HK$760 million out of more than 400 companies in Hong Kong and overseas in first half of 2018
As fraudsters impersonate firms’ actual business partners, city sees 72 per cent surge in the amount of money involved in such crime
International email scammers duped more than 400 companies in Hong Kong and overseas out of almost HK$760 million (US$96.8 million) in the first six months of this year, a 72 per cent surge in the amount of the money involved in such crime.
A firm in the United States was this year’s biggest victim of commercial email fraud after being conned out of US$8 million. Hong Kong police got involved because the swindled money was transferred into a bank account in the city.
The engineering company fell prey in May after fraudsters pretending to be its business partner sent emails asking that money be transferred into a designated bank account for the payment of goods.
Initial information showed the email address looked authentic. “Compared with the genuine email address, it only had one extra punctuation mark, a full stop,” a law enforcement source said.
As instructed, the company transferred US$8 million into a Hong Kong bank account in several transactions within about 10 days. It realised it was a scam when contacting its actual business partner several days later.
Hong Kong police were notified when the firm appointed a lawyer in the city to file a report in the same month. But no money was recovered.
“All the money had been transferred out of the account a few days after the last transaction,” the source said.
The scam was among 402 commercial email fraud cases involving HK$759.4 million in total losses the force handled in the first six months of this year. That compared with HK$440.7 million lost in 311 cases in the same period last year.
Police said the number of commercial email fraud cases whose losses totalled at least HK$10 million had increased to 14 in the first half of this year, up from eight in the same period last year.
Of the 402 cases, 140 involved local firms, the force noted.
The surge came as scammers were found earlier this year to have used new tactics to gain access to their targets’ sensitive information, such as sending a virus inside an email disguised as a job application with a résumé attached.
Police said opening the attachment would allow the virus to infect a company’s server, giving the criminals access to information about their business, senior management staff and clients. The information is used to impersonate someone and convince the firm to transfer money to accounts that are then cleared out within days.
In the whole of last year, the force handled 680 reports of email scams involving the loss of HK$990 million. The biggest victim of this kind in the city’s history was an international corporation conned out of HK$500 million in 2016.
A force spokesman said no arrests had yet been made in the HK$500 million case, which the Yau Tsim district criminal investigative unit was handling.
Commercial email fraud included fake CEO and business partner scams, police noted.
Fraudsters typically hack into the computer servers of targeted companies to learn about their clients and businesses before using the information to impersonate senior executives and eventually order money transfers. They instruct victims, who think they are dealing with their senior executives or business partners, to send payments or make transfers to their designated accounts.
The emails used to cheat victims were sent from Africa, Europe and the US, but that does not mean they operated in those countries.
The city’s latest figures showed there were 3,671 reports of deception, including commercial email fraud and online romance scams, in the first six months of this year. That was up 3.1 per cent compared with 3,561 in the same period last year.
Police have called on individuals and companies to verify the identities of people they are in contact with and to ensure a request is legitimate before making money transfers.
They also advise firms to set up confirmation procedures and multiple approval mechanisms as well as issue guidelines for transferring funds between accounts.
“Multiple approval mechanisms should be set up to stipulate the work procedures of all levels of staff, so as to verify the identity of the recipient of funds and the genuine purpose of remittance,” the force said on its website.
Police said the cyber security and technology crime bureau had strengthened its capacity to combat such scams.