For individuals and organisations alike, cybersecurity threats come from all angles
Cybercrime transcends all platforms, from university admission boards to airport security units to state-election committees, and affects victims ranging from large financial institutions to mid-sized service providers to individuals. The recent 'WannaCry' ransomware attack, which has raised serious concerns about cybersecurity, infected an estimated 230,000 computer systems worldwide, including hospital systems and transport networks. Cybercrime also conceals itself in increasingly sophisticated forms, including cyber surveillance, Trojan viruses, phishing emails and even malicious QR codes. Regulatory bodies and law enforcement around the world regard cybercrime as a rising security issue, and in May 2016, this concern prompted the Hong Kong Monetary Authority to implement the Cybersecurity Fortification Initiative, which assists Hong Kong banking institutions in improving their cyber resilience capabilities.
As the scope and number of cyber threats continue to grow in Hong Kong, organisations and individuals outside of the banking industry should also adopt more robust cybersecurity measures. This Alert emphasises the importance of vigilance in the cyber domain by drawing on two examples of recent cyberattacks.
Falling hook, line and sinker for a 'phishing' scam
'Spear-phishing' (a technique in which fraudsters impersonate trusted senders to send spoof emails which induce recipients into revealing confidential information) has become so advanced that even a cybersecurity services company has fallen prey to a spear-phishing scam. In March 2017, Defense Point Security, a company in Virginia which provides cybersecurity services to the US Government, announced that it was the victim of a targeted spear-phishing email that resulted in the external release of its employees' confidential tax information. Unfortunately, the sensitive information disclosed by Defense Point Security contained essentially all of the data the culprit needed to fraudulently file the employees' taxes and request a large refund in their names.
In Hong Kong, the HK Police Force's Commercial Crime Bureau has also reported an increase in the number of unauthorised fund transfers resulting from phishing email scams. In these situations, the fraudsters often purport to be reputable companies (such as well-known financial advisors) in order to deceive victims into transferring money into the culprits' own bank accounts.
Can you differentiate between a legitimate and malicious QR code?
A QR code (quick-response code) is a bar code which contains information that can be conveniently deciphered by smartphones. In recent months, China has seen an upsurge of transactions whereby individuals make payments by scanning QR codes with their smartphone cameras. As QR codes are composed of a seemingly random arrangement of black and white squares and cannot be verified as genuine by the naked eye, they can be manipulated. This has allowed cybercriminals to gain access to the confidential information of unsuspecting purchasers.
China's multibillion-dollar bike-sharing industry is particularly susceptible to QR code scams, and fraudsters have tricked purchasers into transferring money into their own bank accounts simply by replacing the original QR codes on the share-bikes with fake ones. This problem is compounded by the fact that fraudsters can easily create fake QR codes via do-it-yourself websites. In the face of a lack of regulation governing the use of QR codes in China, Alipay and WeChat Pay (popular third-party payment processors in China) have frequently shouldered the loss whenever QR code scams have occurred.
Prevention is key in staying a (virtual) step ahead of today's cyber criminal
In 1993, Hong Kong passed legislation to combat the increasing role of technology in crime. The legislation amended criminal provisions under the Telecommunications Ordinance, Crimes Ordinance and Theft Ordinance by extending the definition of certain crimes to the virtual domain. For instance, burglary under the Theft Ordinance was expanded to include "unlawfully causing a computer to function other than as it has been established" and "unlawfully altering or erasing" or "unlawfully adding" any computer program or data held in a computer. In recent years, the HK Police's Cyber Security and Technology Crime Bureau and the Joint Financial Intelligence Unit ("JFIU") have also stepped up their efforts in handling cybersecurity issues. Where fraudulent transfers are discovered at an early stage, lawyers and the JFIU can collaborate to freeze the fraudster's bank account and recover the victim's assets.
In spite of concerted attempts to counteract cybercrime in Hong Kong, the reality is that prosecuting cybercriminals is difficult. Even where there is an effective legal regime and a progressive regulatory framework in place, identifying and apprehending cybercriminals is a complex task. Furthermore, where the fraudster did not carry out the fraud in the victim's resident country, jurisdictional issues arise. In an environment where the nature and methodologies of cybercrime are constantly evolving, individuals and organisations should adopt and implement updated IT security applications and risk-management protocols, which are crucial to avoiding falling victim to cybercrime.