The number of fraudulent banking websites reported in Hong Kong has surged this year. Cybercriminals are targeting the financial market as digital banking gains momentum.

Hong Kong has experienced a surge in fraudulent banking websites this year. In August alone, there were 15 reports of such incidents, compared with only two cases of fake websites or phishing attempts in the same month a year ago, according to the Hong Kong Monetary Authority (HKMA). In September, seven incidents were reported, up from one a year ago.

And the trend seems to continue, with eight cases reported in October so far. Customers of DBS, Hongkong and Shanghai Banking Corporation, as well as Dah Sing have been among the targets of the criminals. With the rise of financial technology firms and mobile banking apps, experts predict that novice mobile banking users will become prime targets.

Digital Banks Attract Attackers

While the use of digital banking tools is spreading quickly, the technology is also attracting the attention of cybercriminals, said cybersecurity specialist Securelist in a report earlier this year. «We are sure that the world of cybercrime will see increasing attacks against this type of banks and their customers,» Securelist said in its report.

Fraudsters have long tried to trick users into visiting fake bank websites via e-mail messages pretending to be from the bank. On these fake websites, they try to trick account holders into revealing their access credentials. On mobile devices, the connection with the bank is typically via an application, rather than a website.

Tricks Of Criminals

Banks' usage of chat applications increases the possibility that criminals could try impersonating the bank in social media chats and try to trick users into downloading and installing an «updated» version of the bank’s app. In reality, such an app would be malicious and could help attackers steal credentials from the phone.

«Other social engineering scams have emerged which try and trick the genuine user into revealing the authentication code for their chat app and hence lose control of the account. Even if this is only temporary, it may allow enough time for a fraud to be perpetrated,» Jackson said in an interview with finews.asia.

Attacks Focused On Smaller Vendors

Experts predict there could be more attacks on fintechs or payment providers going forward. This is due to their lower investment in cybersecurity compared with traditional banks, and to criminals' evolving technological skills.

«Large financial organizations invest considerable resources in cybersecurity, thus the penetration of their infrastructure is not an easy task. However, a threat vector that is likely to be actively used by cybercriminals in the coming year is attacks on software vendors supplying financial organizations,» Securelist said. Most of these vendors have a lower level of protection compared with the financial organizations themselves.

Attacks Via Software

For the coming year, the cybersecurity experts expect criminals to stage attacks via software for the finance business, including software for ATMs and PoS terminals. «A few months ago we registered the first attempts of this kind, when attackers embedded a malicious module into a firmware installation file, and placed it on the official website of one of the American ATM software vendors,» Securelist wrote.

According to a 2017 study by Accenture, the financial services industry posted annual costs of nearly $18.3 million per firm from cyber attacks.