Police say figure doubles sum for all of 2015 as criminals use new tactic of flooding victims with junk text messages to distract from transactions
Police uncovered more than HK$126 million in unauthorised share trading in the first three quarters of 2016 – double the 2015 full-year total – with hackers employing new tactics designed to distract victims while taking control of their accounts.
The number of cases relating to unlawful trading in the city also surged year-on-year from 24 during the first nine months of 2015, to 61 last year.
Although some victims may not have incurred financial losses, police said cyber criminals had used “pump and dump” tactics while controlling their victims’ trading accounts so as to profit from market rigging.
Otto Wong Yue-to, a senior inspector with the cyber security and technology crime bureau, said he received two separate reports of unauthorised share trading from a man and a woman in November.
Both victims said they received more than 500 junk text messages within 10 minutes. They realised their accounts had been hacked to purchase stocks when they received an email notification of the transactions.
“The contents of the rubbish SMS’ included soccer news,” Wong said. “The receipt time was close to the time when their accounts were hacked.”
He said the tactic aimed to distract victims from transaction notifications sent by their bank or security firm, “and therefore delay their reporting of the hacking”.
The inspector declined to disclose the amount of money, number of transactions or whether the victims were clients of banks or securities firms. But he said investigations were underway and urged the public to set up multiple notification settings for online trading.
Wong said the perpetrators were based overseas and had first bought Hong Kong penny stocks with their own accounts, then used their victims’ hacked accounts to purchase the same shares over a short period of time to drive up the price. They then sold the shares for a profit. The whole process would take just 10 minutes.
In the city’s biggest case in September last year, criminals hacked a man’s account and spent HK$32 million on purchasing shares in several transactions.
“The con men even sold the victim’s own shares,” he said. “The victim did not receive a junk text message.”
The Monetary Authority earlier said banks would compensate victims for losses incurred from share price changes. Banks are required to restore balances if account holders are proven innocent, but clients of securities firms are not assured similar protections, with compensation dependant on each company’s policy.
Financial losses from unauthorised computer access jumped year-on-year by 57 per cent to HK$1.5 billion in the first three quarters of last year.