HK$660,000 stolen in e-bank scam
The public yesterday were reminded not to access their Internet banking accounts through hyperlinks after a number of customers of a local bank fell victim to a syndicate and had HK$660,000 siphoned off from their accounts over the past three weeks.
The bank's General Manager, Raymond Or, said the bank would study the cases individually. He told a television station that while the bank was willing to compensate the customers for the losses, it would expect to apportion liability with those customers found to have failed to protect their account information properly.
Police said the incidents happened from September 17 to October 6. A total of 12 bank customers received "phishing" emails purporting to be sent by their bank. The emails required the victims to click on an embedded hyperlink connected to a fraudulent website.
"Phishing" is a form of fraud in which the victims receive fake emails allegedly sent from banks asking them to provide sensitive personal and account information to a bogus bank website accessed through a hyperlink embedded in the email.
When the hyperlink was clicked, a window popped up on the screen and asked the victims to verify their account information by keying in the user name and password of their Internet banking accounts.
Meanwhile, police said, the syndicate recruited its agents through ICQ, email and job seeking websites. Those recruited were asked to use their own bank accounts to receive the money stolen from the victims' accounts via e-banking. After the money was stolen, they retained five to 10 per cent of the sum as a reward and remitted the remainder to overseas bank accounts.
Police said 11 persons - eight men and three women aged 21 to 58 - had been arrested so far in connection with the cases. The police operation is still underway.
A spokesman said three of those arrested have already been charged with theft and will appear before the court in the near future. Of the others, three are still detained and the other five have been bailed pending further investigation.
According to the police, the syndicate, besides emailing local bank customers, has also been sending similar emails to Internet users worldwide.
"The public are reminded not to access their Internet banking accounts through hyperlinks embedded in emails or Internet search engines. They are advised to access their e-banking accounts by keying in or book-marking the genuine website," the police spokesman said.
So far this year, a total of 23 bogus bank websites have been found.
The Hong Kong Monetary Authority (HKMA) also alerted the public to the growing number of reports about bogus bank websites and emails, asking anyone who receives suspicious emails of this kind to report them to their bank, the police and the HKMA.
"Millions of 'phishing' emails are sent out worldwide by criminals every day with the aim of duping unsuspecting members of the public," an HKMA spokesman said.
"Members of the public should exercise the highest degree of caution in handling emails that purport to come from banks. On no account should they access bank websites through links embedded in emails. No bona fide bank in Hong Kong will ask you to access its website through an email link, and any email asking you to do this should be treated with suspicion," he said.
With online scams becoming more serious, the HKMA issued a circular to banks last month emphasizing the importance of measures against Internet fraud. In particular, the circular reminded banks not to send emails to customers with embedded links to transactional websites.
By mid-2005, local banks are also expected to implement two-factor authentication for high-risk retail Internet banking transactions. Under this arrangement, banks will adopt a second factor for customer authentication in addition to the password, such as a digital certificate and a one-time password generated by a security device, the spokesman added.
The suspected mastermind behind a large online theft from a Chinese bank was arrested after eight months on the run.
Police in Guiyang, capital of Southwest China's Guizhou Province, arrested Song Chenglin, a 23-year-old Harbin college student. He is accused of stealing 770,000 yuan (US$93,000) by hacking into the Industrial and Commercial Bank of China (ICBC).
Song was caught on September 20 and handed over to police in Harbin, capital of Northeast China's Heilongjiang Province, two days later.
At the beginning of this year, Song opened an account at the ICBC with a forged identity card.
On January 7, working from an Internet cafe in Harbin, he accessed the computer system of the ICBC's online arm and hacked 158 accounts.
He immediately told his roommate Lu Guoxing and together the pair transferred 770,000 yuan to Song's new account.
Song then told two other classmates, who may once have helped him financially. Song is from a poor family in Zunyi, Guizhou Province.
The next day, the four went to 10 branches of the ICBC separately and withdrew 530,000 yuan (US$63,900) in total.
Song took the first share, the odd 30,000 yuan (US$3,600). The four then divided the remaining 500,000 yuan (US$60,300).
Song fled to Guizhou on the same day but did not return to his hometown. Instead, he rented a house in the suburbs of Guiyang, the provincial capital.
His three accomplices were caught soon after the bank examined the unusual transactions and identified them through surveillance cameras.
Lu Guoxing, Bu Yijun and Zhang Yulong have already been tried and sentenced to 12, 13 and 10 years' imprisonment respectively.
Experts warned that a security loophole in online banks may cause huge losses.