Introduction
- According to the “Law and order situation in Hong Kong in 2021” published by the Hong Kong Police, deception cases in Hong Kong in 2021 increased significantly by 24% compared with the previous year, and more than 70% of them were cyber fraud cases.
- Further, according to a speech delivered by the Commissioner of Police, Mr Siu Chak-yee, Raymond, at the opening ceremony of “Cyber Security Expo 2022”, as at the first half of 2022 the Hong Kong Police had already recorded 10,600 instances of cyber and technology crimes (including but not limited to phishing attacks, romance scams, online investment fraud and online employment fraud), constituting one-third of the overall crimes in Hong Kong and resulting in monetary losses amounting to HKD 1.5 billion.
- In light of the increasing number and variety of cyber fraud cases, we will, over two articles, set out some common types of cyber fraud, drawing on our previous case experience, with a view to raising public awareness of cyber fraud.
Phishing Attack
Modus Operandi
- Fraudsters normally launch phishing attacks in the following two steps:
- Fraudsters first cast a wide net by sending numerous emails containing fake hyperlinks. If a staff member of a company clicks on the hyperlink, they are redirected to a fraudulent website where the visitor’s sensitive personal information, for instance the staff member’s login ID and password, may be harvested. Pausing here, it is worth noting that in April 2022 the Hong Kong Police organized an email phishing drill with 61 organizations (including small and medium enterprises from various industries as well as government departments); worryingly, at least one employee from nearly 80% of the organizations clicked on the simulated phishing emails produced by the Hong Kong Police.
- Next, using the harvested sensitive personal information (such as login credentials), fraudsters hack into the email systems of a target company and its business partners to spy on business emails. They then send emails from fake email addresses that closely resemble the real email address of someone within the target company, pretending to be a senior member of the company and instructing subordinates to transfer money to a specific bank account on the pretext of an urgent business transaction.
- Very often, by replacing letters with numbers or vice versa (and, as in the domain below, by transposing adjacent characters), the fraudster generates a fake email address that is nearly identical to a known one. For example:
  - Real: horace.lam@fakeltd.com; Fake: h0race.1am@fakeldt.com
  - However, the sender display name shown in the victim’s email client is the same for both: Horace Lam
  - Given these characteristics, the victim often only finds out that it has been scammed when it is already too late.
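The look-alike address pattern described above can be screened for automatically at a mail gateway or in a mailbox rule. The following is an added example, not code from the original article or from the firm: it keeps a small directory of trusted contacts (constructed for illustration), canonicalizes the common letter/digit substitutions, and uses an edit distance that counts an adjacent-character swap as a single edit, so that both h0race.1am and fakeldt are caught. It also flags the second warning sign from the text, a familiar display name attached to an unfamiliar address. The contact names, addresses and the distance threshold are assumptions.

```python
"""Look-alike sender screening (added example; names and addresses are constructed)."""
from email.utils import parseaddr

# Substitutions fraudsters commonly use so that a fake address reads like the real one.
# Both sides of a comparison are canonicalized, so h0race.1am and horace.lam collapse together.
CONFUSABLES = {"rn": "m", "0": "o", "1": "l", "3": "e", "5": "s"}

# Constructed directory: display name -> genuine address (assumption, not real data).
TRUSTED_CONTACTS = {
    "Horace Lam": "horace.lam@fakeltd.com",
}


def normalize(address):
    """Lower-case the address and collapse look-alike characters."""
    addr = address.lower()
    for fake, real in CONFUSABLES.items():
        addr = addr.replace(fake, real)
    return addr


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap two adjacent
    characters, each costing 1. The swap rule is what makes fakeltd vs fakeldt a distance of 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def assess_sender(from_header, contacts=TRUSTED_CONTACTS, max_distance=2):
    """Classify a raw From: header value against the trusted contact directory.

    Returns (verdict, reason). Verdicts: "trusted", "look-alike", "display-name spoof",
    "unknown". max_distance is an assumed threshold; tune it to the address lengths in use."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if not contacts:
        return ("unknown", "contact directory is empty")
    if addr in (real.lower() for real in contacts.values()):
        return ("trusted", "address matches the contact directory")

    # Closest trusted address after canonicalizing confusable characters.
    norm = normalize(addr)
    closest = min(contacts.values(), key=lambda real: edit_distance(norm, normalize(real)))
    dist = edit_distance(norm, normalize(closest))
    if dist <= max_distance:
        return ("look-alike", f"{addr} is within {dist} edit(s) of trusted {closest}")

    # A familiar display name on an address that resembles nothing in the directory.
    if name in contacts:
        return ("display-name spoof",
                f"display name '{name}' belongs to {contacts[name]} but the address is {addr}")
    return ("unknown", "no resemblance to any trusted contact")


if __name__ == "__main__":
    # Constructed sample headers, including the pair used in the text above.
    for header in ("Horace Lam <horace.lam@fakeltd.com>",
                   "Horace Lam <h0race.1am@fakeldt.com>",
                   "Horace Lam <someone@webmail.example>",
                   "Alice <alice@other.example>"):
        print(header, "->", assess_sender(header))
```

A rule like this is only a first filter: it catches the substitutions and transpositions the article describes, not a compromised genuine mailbox, so the out-of-band telephone confirmation shown in Case 1 remains the decisive control for payment instructions.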
- As at 30 June 2022, the Hong Kong Police had recorded 193 instances of phishing attacks, resulting in an aggregate monetary loss of over HKD 452 million. One of the victims, an American investment company, was defrauded of approximately HKD 75 million in one go. A single email brought huge losses to the victims.
- To help readers understand the modus operandi of cyber fraud, our firm has selected two typical phishing attack cases (Case 1 and Case 2) from our recent experience as examples.
Case 1
- In this case, the fraudster hacked into the target company’s email system and learned that the target company might make a payment to a business partner in the near future. The fraudster then sent fake emails impersonating both the business partner’s representative and the target company’s director, creating the false impression that the director had approved the said payment to the fraudster’s designated bank account and had instructed the company’s accounting manager to arrange the payment as soon as possible.
- As the company has a rather flat organizational structure, its accounting manager confirmed the instruction several times with the director via email, telephone and instant messages before arranging the payment. The director sensed that something was off and immediately instructed company staff to contact the business partner’s representative by phone to verify whether the business partner had ever issued a payment request. It never had, and the fraud was thus uncovered. In this case, the company’s prudent procedures effectively prevented it from suffering huge losses.
- Afterwards, the company’s investigation revealed that the IP addresses used by the fraudster to hack into the company’s email system were scattered across Europe and Africa (e.g. the Netherlands and Nigeria), where the company had no presence or business.
Case 2
- In this case, a client operating an offshore business was developing a restaurant project with its business partner. During the process, the business partner would send payment requests to the client from time to time, and the client would remit money to the business partner pursuant to the payment instructions on the payment requests.
- After hacking into the client’s email system, the fraudster generated fake emails by impersonating the client’s senior management and business partners (written in the same style and tone as the client’s senior management and business partners), asking the client’s accountant to remit two “project payments” to two Hong Kong bank accounts designated by the fraudster. The accountant wrongly thought that he received authentic instructions from the senior management and arranged to send the “project payments” accordingly.
- On the following day, the fraudster instructed the accountant to make a third payment, after which the accountant started to harbour suspicions. Thereafter, the accountant clarified with the company’s senior management by phone and discovered that the remittance instructions received earlier were all false. The client then contacted the bank to try to stop the transfer, but was only able to stop one of the three payments.
- According to an investigation conducted by an IT company engaged by the client, a very likely reason for the fraudster to have succeeded in hacking into the client’s email system was that the client’s employees received emails from the fraudster containing fake links which they inadvertently clicked on.
Case 2 – Remedy
- Upon engagement by the client, our firm actively liaised with the Hong Kong Police and, at the same time, successfully obtained the relevant bank records by applying to the Hong Kong Court for a third-party disclosure order to trace the flow of the defrauded proceeds. This identified the companies designated by the fraudster to receive the money, which became the defendants in the client’s subsequent civil recovery action.
Case 2 – Takeaways
- Phishing attacks are relatively easier to prevent than other types of scams. Apart from continuous upgrades of software and hardware (e.g. upgrading the spam filtering settings of the email system), corporate clients should establish a comprehensive internal policy on the safe use of the Internet, in particular requiring employees to stay alert when they receive emails from unknown sources and strictly forbidding them from clicking on suspicious links in emails.
Romance Scam (also known as “Pig-butchering Scam”)
Modus Operandi
- Have you ever received a WeChat friend request from a stranger? Is this really fate? “I’m very grateful to have come across you, which city are you based in?”, “I have been hurt in my previous relationship like you, and I am so lucky to meet you.”, “I miss you so much, what have you been doing these days?” If you have just added a friend on a social media site/dating app whom you have never met in person, and that person chats with you unusually frequently, shares his/her life with you and showers you with affectionate messages, you should be alert.
- A fraudster in a romance scam usually fabricates profiles on social media sites/dating apps (including WeChat, WhatsApp and Line) to impersonate young professionals, elite investors or lovelorn women to target and lure potential victims. The fraudster then strikes up romantic relationships by professing feelings in a relatively short period of time with the victim to build trust and attachment. Eventually, the fraudster would steer the conversation toward finances and offer to teach the victim how to invest or suggest investing in a particular product together. Once the relationship develops and the victim starts to let its guard down, the fraudster would provide the victim with an investment opportunity. At the beginning, the fraudster would let the victim make small profits, after which the victim would be immersed in the joy of investment gains. When the victim starts investing more money, its “romantic partner” would vanish (e.g. the fraudster deletes its social media account/blocks the victim). As a result, the victim loses money and is emotionally betrayed.
- Notably, in a romance scam, the fraudster and victim would never meet in person throughout. Whenever the victim suggests to meet face-to-face, the fraudster would come up with different excuses to avoid compromising its fake persona like “I’m currently not in the country so I could not meet up with you. Unfortunately, my webcam is broken as well.”
- As at 30 June 2022, the Hong Kong Police had recorded 793 instances of romance scams, resulting in an aggregate monetary loss of over HKD 369 million.
Case 3
- In one of the recent publicly known cases, a 65-year-old retired wealthy lady in Hong Kong “encountered” a purportedly handsome man on an online rental platform. The man claimed that he was returning to Hong Kong from Canada and started to romantically pursue the lady. The lady “fell in love” and was swindled out of HKD 178 million through “investing” in Bitcoin. A month into the “romance”, the lady wanted to withdraw her investment “gains”, upon which the investment app accused her of money laundering. Only then did the lady realize that the man she was in love with was a fraudster and that she had been duped out of her money.
Case 4 – Background
- Case 4 is a typical one among the numerous fraud cases we have recently handled, and illustrates how a romance scam progressively lures a victim. The victim, Mr M, encountered a Ms A on Facebook. They exchanged their Line accounts and communicated daily through Line. Ms A claimed that she worked in the fashion industry (with a physical store in downtown Hong Kong) and had experience in finance and investment. Through a constant stream of daily messages, Mr M became emotionally attached to Ms A and started to trust her.
- Around a month after Mr M and Ms A got acquainted, Ms A tried to persuade Mr M to invest in an oil project through a specified “investment platform”. Ms A claimed that it was a high-yield investment with quick returns. Since Mr M appeared to have reservations about the investment, Ms A then encouraged Mr M to make small investments first and see if any returns would ensue. Upon Ms A’s persuasion, Mr M opened an account with the “investment platform” and shared the login credentials of the account with Ms A to try to win her heart.
- As shown on the website of the “investment platform”, Mr M’s initial small investments appeared to be “profitable”. Therefore, upon Ms A’s encouragement, Mr M increased his investments. After a few rounds of investment, Mr M wanted to withdraw the principal and returns from his account on the “investment platform”. A “business operator” of the “investment platform” informed Mr M a transaction fee (being 10% of the amount of the withdrawal) had to be paid before Mr M could withdraw his money from the account. Otherwise, Mr M’s account on the “investment platform” would be frozen and the money therein would be forfeited.
- Ms A and Mr M had never met in person, and Ms A became indifferent once she knew that Mr M did not want to increase his investments. Accordingly, Mr M started to suspect that he had been scammed. Mr M tried to visit the purported office of the “investment platform”, but was told that he had the wrong address. Mr M then engaged our firm for help. We swiftly conducted a background investigation into the “investment platform” and Ms A, which revealed that the “investment platform” had already been placed on the Alert List maintained by the Hong Kong Securities and Futures Commission (the Alert List is a list of entities which have come to the attention of the SFC because they are unlicensed in Hong Kong and are believed to be, or to have been, targeting Hong Kong investors or claim to have an association with Hong Kong), and that there was no such person as Ms A. Only then was the cyber fraud finally uncovered. By then, Mr M had already invested more than USD 400,000 in total.
Case 4 – Remedies
- On behalf of Mr M, we applied to the Hong Kong Court for an injunction against the “investment platform”, the company designated to collect the relevant funds and Ms A, with a view to prohibiting the fraudster from transferring or concealing the defrauded proceeds. After the Court granted the injunction, we immediately commenced a civil action against the fraudster to recover the defrauded proceeds belonging to Mr M, together with an application for a disclosure order against the banks that received the relevant funds in order to trace the proceeds. As the fraudster did not acknowledge service of the writ within the legally prescribed time, we were able to swiftly obtain a default judgment and commence enforcement proceedings. In the end, within around half a year, we recovered more than 60% of the defrauded proceeds for Mr M.
Mini-conclusion
- As can be seen from the above, even if a victim falls for cyber fraud, as long as the victim takes appropriate follow-up actions in time it is still possible to prevent or at least minimize losses. What do “appropriate follow-up actions” mean? We will explain this in detail in our next article.
Disclaimer
The above contents by no means constitute any legal advice or recommendation by LT Lawyers. Please contact KM Liew at LT Lawyers if you have any inquiries about this article. You should seek professional advice before taking any action in relation to the matters dealt with in this article.
Copyright
If reprint of the above contents or any part thereof is desired, please specify at the forefront of any and all such reprint the source of such contents, namely “LT LAWYERS”.