Hong Kong recorded a significant drop in the number of email phishing cases in the first five months of this year, but police have warned public awareness of cybersecurity is still lacking as employees at most companies that took part in an anti-scam drill clicked on dubious links.

The city logged 71 email phishing cases in the first five months of 2023, a 54.2% drop compared with the same period last year, police revealed on Monday.

The amount lost totalled HK$50.9mil (RM29.66mil), accounting for an 87.4% decline over the same period in 2022.

The drop follows a downward trend recorded since 2019, when 816 incidents were reported to authorities, representing an 8.7% decline compared with 2018. Losses amounted to HK$2.54bil (RM1.48bil) in 2019, marking a 48% rise over the previous year.

Only 391 cases surfaced in 2022, with losses totalling HK$750mil (RM437.13mil).

Senior Superintendent Raymond Lam Cheuk-ho at the police’s cybersecurity and technology crime bureau attributed the downward trend to improved mail filtering tools, better public awareness and stricter requirements for opening company bank accounts.

“Phishing emails targeting firms will pretend to be from the receivers’ managers or business partners, and tell them to send money to bank accounts controlled by scammers,” he said.

“To make it more trustworthy, scammers tend to open some company accounts, but banks have tightened the requirements for opening company accounts and stepped up inspections on applicants, which has made it more difficult for scammers to have accounts, and in return, decreased the number of phishing email scams.”

The force and the Hong Kong Internet Registration Corporation, the government-designated domain registration service provider in the city, co-organised a phishing email drill involving 10,326 employees from 186 companies which took place between May and June this year.

During the drill, police sent five fake phishing emails to each employee that involved online meeting invites, an AI chatbot subscription, passcode and email verification requests and questionnaires from food delivery platforms.

Participants were notified about the drill and cybersecurity resources after clicking on the “phishing links”.

A total of 1,645 participants, or 15.9%, clicked at least one of the links, while at least one employee at 114 companies, or 61.6%, opened them.

Most of the duped participants fell for the online meeting invites, with 7.3% clicking on them, followed by the AI chat bot subscription and passcode verification requests from IT, which both had a click rate of 5.6%.

“We found there was still some room for improvement when it came to cybersecurity awareness, as 61.6% is not a small figure,” said Wong Ka-wai, chief executive officer of the Hong Kong Internet Registration Corporation.

Wong added some companies saw more than half of their employees falling for the fake scam, while the worst-performing participant clicked on all five emails.

In a drill held last year that involved 3,175 employees from 61 firms, 34.6% of participants and 78.9 % of firms were “phished”, according to the force.

Police reminded the public not to click links in emails from unidentified senders and to check for discrepancies in email addresses, such as replacing the lower case letter “l” with the number “1” or using “0” for “O”.

The force also urged residents to use its “Scameter” to check for phishing risks embedded in a URL.

When a URL is pasted into the Scameter, the system will check it against the force’s database of phishing links.

But police acknowledged that the database relied on cases reported by victims, adding that it would try to develop an upgraded system with the use of AI to check the credentials of email addresses and registration of URLs.

“With an upgraded Scameter app, when users visit some suspicious websites, an alert will pop up to warn them of the risks of those websites,” said Lester Ip Cheuk-yu, chief inspector at the bureau.

“Residents may find it troublesome to report a suspicious link or message to police. We are also trying to develop a reporting platform by the end of this year, where they can conveniently report links and messages to us.” – South China Morning Post