How to stay safe online as fraudsters target Hong Kong users of Instagram, other popular social media platforms

According to police, the biggest loss in a single case amounted to HK$30,000.

Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, said hackers were likely to have gained access to the accounts through the email addresses individuals had used to register with Instagram.

“Once they had hacked the email address, they could use it to reset the account’s password,” Fong said.

Anthony Lai Cheuk-tung, a malware analyst and security incident responder at Hong Kong-based cybersecurity firm VX Research, said swindlers would also send messages via Instagram in an attempt to access personal data.

But he said users could identify scammers to keep themselves safe.

“First, identify their profile build up history. The context of travel, location and timeline of activities are not consistent [on these accounts]. Meanwhile, check out their followers, as most of them are fake accounts,” Lai said.

Fong said users should immediately change their password upon discovering access by scammers or contact the platform provider to recover the account by identity verification.

2. What about other platforms?

Police also warned about a resurgence of hijacking of WhatsApp accounts for fraud last month. The force recorded 864 cases of messaging platform hacks in the first quarter of the year, 90 per cent of which were WhatsApp accounts. Losses totalled HK$20.4 million

Fong said that while all major social media platforms ran the risk of exploitation by scammers, he had noticed a drop in WhatsApp scams where fraudsters lured their victims with a sham website login page.

The IT expert said the drop mainly came from stricter checks by Google on applications for advertisement placements linked with search keywords.

But Lai warned there was a rising trend of SMS messages asking owners to reset passwords to allegedly hacked accounts, while fraudsters would also contact potential victims with links to sham apps or online coupons for discounts via the messaging platform.

“Victims simply made a payment via FPS, and the fraudster simply did not show up again,” Lai said, referring to the Faster Payment System for bank transfers. “We need to verify whether the offer exists by calling them.”

3. What are the other major online scams?

According to police data, internet shopping scams accounted for the largest number of online fraud cases last year, at 8,950 reports. That was followed by online investment fraud at 5,105 cases and online employment scams at 3,518 reports.

Fong said sham online investment groups were still a common tactic. Scammers impersonate famous market commentators on Facebook pages, luring potential victims to join messaging groups that claim to offer exclusive investment advice.

An IT expert says he has noticed a drop in WhatsApp scams where fraudsters lure their victims with a sham website login page. Photo: Reuters

However, the advice leads investors to minor stocks or sham investment platforms, with victims unable to withdraw any profits or their initial outlay from the platform.

Some online adverts for odd jobs offering quick cash for minimal work with no skills required could also be scams. Care should also be taken over online shopping platforms offering significant discounts, with buyers not receiving goods they paid for.

4. Is artificial intelligence being used to trick people?

Companies have also fallen prey to fraudsters, losing millions from sophisticated scams tricking employees into transferring large sums.

A recent high-profile case concerned UK-based multinational engineering firm Arup, which lost HK$200 million when a Hong Kong-based employee was tricked into transferring money after the firm’s chief financial officer was impersonated in a bogus video conference call.

The employee was tricked by a deepfake scam, where images or videos created with artificial intelligence (AI) alter a person’s face or voice to the creator’s wishes.

Fong said it was “easy” to use AI for scams nowadays due to the proliferation of the technology but that such videos were more often deployed to swindle firms in sophisticated scams.

“I think it’s used in targeted scams, instead of random attempts,” Fong said.

Lai cautioned that deepfake could be used in conference calls, with scammers disguising themselves as senior management staff instructing victims to transfer money, easily evading online police trawls.

“I suggest if one has doubts about the identity of joiners, you can see whether there are polygons or irregularities in the shape when putting the video in an original 100 per cent proportion,” Lai said.

“[Attendees] can try to call the joiners and even ask them to show a piece of paper or a book in front of them to delay the deepfake image from being generated.”

5. How can we stay safe?

Both Fong and Lai emphasised the importance of enabling two-factor authentication, which requires two forms of evidence such as a password and a one-time code or biometric data, on one’s online accounts to reduce the chance of unauthorised access.

Fong said internet users should also set up strong passwords for their email accounts, as an overwhelming number of data leaks over the past decade exposed many email addresses and passwords to hackers without the owners’ knowledge.

Leaked email accounts could allow swindlers to access social media accounts linked to the address, or attend online conference calls from information sent to mailboxes.

Lai advised users to pay attention to details in messages they received online to spot a scammer from a friend, especially those asking for personal information or insisting on speaking on a chat app of their choice.

For phone calls, Fong urged users to be vigilant at all times to avoid falling into traps when deepfake technology could convincingly replicate a loved one’s voice.


This website uses cookies. By continuing to use this site, you accept our use of cookies.