
Bite-sized bandits: AI raises the bar for scammers, but also helps Hong Kong residents fight back

Details of the deal began to emerge quickly. The friends contacted each other via WeChat, a Chinese messaging platform owned by Tencent Holdings, to ask about the strange messages they received from her on WhatsApp. She then discovered that her host and friends had been blocked on the popular Meta Platforms-owned app for an unspecified amount of time. It turns out the scam started with a phishing link that urged her to verify her WhatsApp account to avoid deactivation within 24 hours.

Lian’s case is not unique in Hong Kong. In 2023 alone, 39,000 fraud cases were reported to the Hong Kong police, resulting in losses of about HK$9 billion (US$1.16 billion) – a significant increase compared with the HK$4.8 billion lost to fraud in 27,923 cases in 2022. The number of cases rose by 31% in the first half of this year, with losses of HK$2.66 billion, according to the Hong Kong police.

Lian, who posted her experience on the Chinese social media platform Xiaohongshu and asked to use only her English name, said the WhatsApp message she received looked exactly as if it had come from her host, including a history of previous messages. This scam wouldn’t necessarily require AI, but a growing threat is the way GenAI helps scammers take on the likeness and speech patterns of others.

“It’s well-known that GenAI makes it easier to create phishing (links) and access or steal data, which leads to an increase in fraud,” said Ho Ling, a partner at law firm Clifford Chance. As a result, hundreds of thousands of targeted messages like the one Lian received can be sent in a very short period of time.

One of the biggest threats to emerge in the past few years is deepfakes, which use GenAI to create videos, images, and sounds that mimic the likeness of a real person. Some high-profile cases involving the technology have put regulators on alert.

Arup, an international design and engineering firm headquartered in London, lost 200 million Hong Kong dollars to a deepfake scam in February, when an employee was tricked into transferring funds after participating in a video conference with people he believed to be company executives, including the CFO. The employee later discovered he was the only real person on the call.

“Deepfake videos are becoming increasingly common and pose a significant risk to users,” said Matthew Chan, chief business officer at Trend Micro Hong Kong, a US-Japanese cybersecurity firm that makes software to detect deepfakes.

“Deepfake videos can be created using AI applications and resources that are freely available, which opens up possibilities for using this technology,” he said.

To help users distinguish real people from fake ones during video conferences, Trend Micro has made Deepfake Inspector available to the public for free. The tool analyzes pixel values and spatial frequencies to try to detect whether an image has been subtly manipulated, according to Trend Micro. It also analyzes elements of user behavior. Chan said it achieved an accuracy rate of 94 percent.

A less glamorous but more common way to impersonate someone is to steal what are known as machine identities. These are software or algorithms used as proof of someone’s identity online, such as persistent login cookies that keep someone logged into services like Google or Facebook after they close their browser.

“The machine identity needs to have access to the operating system, the database, the network to do all the automation,” said Billy Chuang, director of solutions engineering at CyberArk, a Nasdaq-listed information security provider. “So using one identity is very risky. If a hacker can compromise that identity, they have all the access.”

In a report published last month, CyberArk found that 98 of 100 Hong Kong companies surveyed as part of a larger study had experienced at least two identity breaches in the past year.

“We are receiving more and more queries about machine identity as (companies) move their infrastructure to the cloud,” said Sandy Lau, CyberArk’s district manager for Hong Kong and Macau.

Lau said the use of multiple cloud services means that sensitive data is often accessed by third and fourth parties, and it can be difficult to manage.

To address this, CyberArk launched an identity-focused secure browser in March. “This browser can secure both internal things and unmanaged devices,” Lau said. The browser separates work and personal apps and domains.

According to Lau, the browser is designed to detect and respond to unusual situations, and also to help users automate operations while increasing productivity. Productivity can be boosted further with the Cora AI assistant, which launched in May.

But no security solution is flawless, and that’s where white hat hackers come in. Companies offering this service will simulate attacks and provide cybersecurity assessments of the robustness of a company’s infrastructure.

“When a company claims that its entire network, system and data are secure, it is necessary to verify this claim with simulated cyberattacks,” said Lai Qian, deputy president of Integrity Technology, a Chinese cybersecurity firm.

Founded in Beijing, the four-year-old company opened its international headquarters in January at Cyberport, a government-backed high-tech hub in southwestern Hong Kong.

An investigation by the Office of the Privacy Commissioner for Personal Data (PCPD) found that Cyberport has weak security and protection infrastructure.

According to PCPD, the park protected its extensive network with a single antivirus program, without any multi-factor authentication that would require users to provide two pieces of information, such as a one-time code sent to their phone and a password.

“Cyberport is our owner… At the same time, it is also our customer,” Lai said. “After the incident, we provided Cyberport with security services such as security checks.”

Integrity Technology offers a variety of technical means and tools to investigate security threats and vulnerabilities in enterprise Internet systems.

“Simulated cyberattacks and testing are among the most important criteria for assessing the effectiveness of an enterprise’s security,” Lai said. “We do not use destructive behavior against the system, but we fully utilize the latest technical measures, including known vulnerabilities, to test our customers’ digital systems continuously.”

Integrity Technology has served about 30 clients in Hong Kong, most of them government institutions such as the newly established Digital Policy Office, the Hong Kong Police and the Hospital Authority. Lai said Integrity aims to expand its “digital family doctor” services to the financial sector, universities and tech start-ups.

The growing use of cryptocurrencies has also created new vulnerabilities—often with irreversible damage. While Lian and the Arup employee were tricked into handing over the money, cryptocurrencies can be stolen in the blink of an eye with a bad online click, creating a need for more cryptocurrency security solutions.

“The cryptocurrency industry not only faces the challenges that the traditional financial sector faces, such as office networks, cloud server threats… it has unique blockchain security issues related to cryptocurrencies,” said Yu Xian, founder of blockchain security firm SlowMist.

Yu pointed to delays in transaction confirmation and security flaws in smart contracts as issues that could be exploited to steal funds.

According to SlowMist’s Hacked Database, there were 223 cryptocurrency security incidents worldwide in the first half of 2024, causing losses of $1.43 billion. That’s a 55% increase compared to the same period a year earlier.

As the adoption of so-called Layer 2 solutions and other tools built on top of Layer 1 blockchains like Ethereum grows, hackers are constantly looking for vulnerabilities in new technologies in the Web3 ecosystem, especially on cryptocurrency exchanges.

In June 2024, a shocking incident occurred when a user of OKX – one of the world’s largest cryptocurrency exchanges by trading volume – claimed that a hacker had breached his account and stolen over $2 million worth of cryptocurrencies using an AI-generated deepfake video that bypassed the company’s security system.

Yu said emerging technologies pose new concerns. Crypto companies should operate on a “zero trust” basis, he said, meaning they should use multiple layers of access controls and records for key visits.

Companies have responded to these threats by developing tools to help law enforcement and exchanges improve their cybersecurity. For example, SlowMist offers a library of malicious blockchain addresses and services to track and recover stolen cryptocurrencies using artificial intelligence.

One low-tech solution to all of these problems that may prove helpful in the long run is education, helping people become aware of new avenues for attack.

“I encourage every company to recognize that this is a very likely event for them,” said Dave Russell, vice president of corporate strategy at Veeam, a data backup and recovery company. “It’s not determined by location, size or anything else—it could happen to your bank in Hong Kong, a disgruntled customer, or even an internal employee.”

For some, however, help may come too late.

Lian reported the incident to police but never got her money back. The more than 250 comments under her Xiaohongshu post included recommendations for tools like Whoscall, a Taiwanese app that filters spam phone numbers. Others suggested she call the Hong Kong police’s anti-fraud hotline at 18222.

Lian said it was the first time she had heard of such tools and added that she hoped the government could better publicize them in the future.