Hong Kong experienced a record surge in cyberattacks last year, marking the highest number of incidents in five years. Hackers are increasingly using artificial intelligence (AI) to strengthen their methods, according to the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT).
The agency reported a spike of 12,536 cybersecurity incidents in 2024, a dramatic increase of 62% from 7,752 cases in 2023. Phishing attacks dominated these incidents, with cases more than doubling from 3,752 in 2023 to 7,811 last year.
AI is aiding in improving phishing campaign effectiveness. Attackers can now use AI tools to create extremely realistic fake emails and websites that even the most skeptical eye cannot easily distinguish from their legitimate counterparts.
Alex Chan Chung-man, a digital transformation leader at HKCERT, commented that phishing attacks targeted the majority of cases for banking, financial, and payment systems, almost 25% of the total cases. Social media, including WhatsApp and messaging apps, was another main target, 22% of the total cases.
AI allows scammers to create flawless phishing messages and generate fake website links that mimic trusted services," Chan explained. This efficiency has led to a sharp rise in phishing links, with over 48,000 malicious URLs identified last year—an increase of 1.5 times compared to 2023.
Hackers are also targeting other essential services such as healthcare and utilities. A notable case involved Union Hospital in Tai Wai, which suffered a ransomware attack. In this case, cybercriminals used a malware called "LockBit" to demand a $10 million ransom. The hospital did not comply with the ransom demand but the incident illustrates the risks critical infrastructure providers face.
Third-party vendors involved with critical sectors are emerging vulnerabilities for hackers to exploit. Leaks through such third-party partners have the potential to cause heavy damages, ranging from legal to reputation-related.
New Risk: Electronic Sign Boards
Digital signboards, once left unattended, are now being targeted by hackers. According to HKCERT, 40% of companies have not risk-assessed these systems. These displays can easily be hijacked through USB devices or wireless connections and display malicious or inappropriate content.
Though Hong Kong has not been attacked this way, such attacks in other countries indicate a new threat.
Prevention for Businesses
HKCERT advises organizations to take the following measures against these threats:
Chan emphasized that AI-driven threats will develop their methods, and thus robust cybersecurity practices are needed to protect sensitive data and infrastructure.
In the past year, 49% of Hong Kong respondents faced online threats, up from 40% previously, according to Norton. Scams were the most common, impacting 34% of respondents, with nearly two-thirds losing money or time. Phishing and malware each affected 28% of respondents.
Cyber scams have become the most prevalent online threat in Hong Kong. These scams range from phishing emails and fraudulent websites to sophisticated social engineering tactics.
Phishing attacks, where cybercriminals disguise as legitimate entities to steal personal information, have seen a marked increase. These attacks often come in emails or messages that appear to be from trusted sources, such as banks or government agencies. Once the victim clicks on a malicious link or downloads an attachment, their personal data is compromised.
Malware attacks are another growing concern. These malicious software programs can infiltrate systems, steal data, and cause extensive damage. The SCMP survey indicates that a considerable portion of the population has been affected by malware, leading to data breaches and financial losses.
In June, police arrested 10 individuals for impersonating mainland security officials and defrauding a 70-year-old businesswoman of HK$258 million (US$33.2 million) in a phone scam.
By August, local authorities, including the police and the Hong Kong Monetary Authority (HKMA), instructed 32 banks and 10 stored-value-facility operators to broaden their anti-fraud alerts to cover suspicious transactions at bank counters and online.
Despite advancements in technology, human vulnerabilities remain a significant risk factor. Cybercriminals often exploit the lack of awareness and vigilance among users. For instance, clicking on suspicious links, using weak passwords, and failing to update software are common mistakes that can lead to security breaches.
The Hong Kong College of Technology, which offers a government-subsidized Higher Diploma in Cybersecurity, announced last week that it was the victim of a ransomware attack by hackers in late February, during which several internal papers were taken and encrypted.
This was not a normal cyber attack; it was very targeted and distinctive. HKCT strongly opposes all forms of cybercrime and sincerely apologizes for the annoyance and disruption caused by this event, according to a Chinese statement.
It stated that victims would receive a free six-month "credit monitoring service" and "dark web monitoring service," but refused to identify the number of students or staff affected. According to media sources, the information first leaked on the dark web this week.
The Privacy Commissioner for Personal Data informed HKFP that the data breach affected around 8,100 students, whose personal information including names, identity card numbers, addresses, email addresses, and phone numbers were disclosed.
The commissioner stated that it was investigating the infraction. It encouraged all victims to change their passwords for online accounts, enable two-factor authentication, and be wary of any unusual phone calls or links sent to their email or phones.
Cyberattacks have increased on locals, including the technology park Cyberport and the private Union Hospital.
In April, the hospital's computer system was infected with LockBit ransomware, which caused partial operational paralysis, according to local media sites.
Last year, a hacker got Cyberport's network and maliciously encrypted server files. The hackers sought a ransom of $300,000. Cyperport failed to pay, and 400GB of stolen data was eventually leaked on the dark web, according to TVB.
The Consumer Council's computer system was hacked in September of last year, resulting in a data breach that included information on 289 people who had filed complaints with the council and some personnel and former staff.
After the Union Hospital hacking, Francis Fong, honorary president of the Hong Kong Information Technology Federation said that victims should not pay ransoms since hackers may still make stolen material public regardless of payment.
Fong advised all public and commercial institutions to upgrade their computer systems regularly to address vulnerabilities and improve security.