Combating cyber fraud crimes on all fronts is crucial to promoting digital economy and smart city development. The Government should focus on assisting resource-lacking small and medium enterprises (“SMEs”) and individuals, and continuously improve prevention and oversight.

The Government stated that the number of fraud cases in the first 10 months of 2023 increased by 52.1% compared with the same period in 2022, with the amount involved reaching about HKD7.2 billion. The increase was staggering. Nearly 70% of the cases were of cyber fraud. Not only individuals, but well-known organizations such as Cyberport and the Consumer Council were also among the fraud victims, which shows that there is still huge room for improvement in prevention and oversight in Hong Kong.

SMEs frequently hit by attacks and suffer serious losses

The Government has adopted a range of measures to combat cyber fraud crimes, including setting up Scameter and introducing a bill in relation to cybersecurity of critical infrastructure to the Legislative Council in 2024. However, I think the Government should focus on enhancing the assistance provided to SMEs and individuals with relatively limited resources.

Fraudsters often obtain personal information for extortion or fraud. When hackers invade the networks of enterprises and organizations, SMEs are inevitably the first to suffer as they invest less in cybersecurity due to limited resources. Some data indicate that 43% of the Hong Kong SMEs surveyed have experienced attacks such as malware in the past year. 39% of them indicated that cyber-attacks had resulted in a loss of USD500,000 or more and another 10% reported a loss of USD1 million or more.

Inadequate security management makes it hard to plug security loopholes

Thanks to the concerted efforts of the Government and enterprises over the years, SMEs are generally comparable to large enterprises in terms of firewalls set up. However, many SMEs believe that having anti-virus software installed can solve the problem once and for all. This practice creates security loopholes. Moreover, due to resource constraints, there is still a big gap between SMEs and large enterprises in areas involving engaging cybersecurity experts and providing staff with information technology security training or guidelines.

In view of this, I think the Government can consider working with cybersecurity companies to provide SMEs with targeted support in areas with weaker cybersecurity. For example, such support can include providing SMEs with standardized training guidelines or materials to enhance their cybersecurity training, and engaging cybersecurity experts to conduct security vulnerability assessment and remediation for SMEs. At the same time, rights should come with obligations. In the process of legislating for cybersecurity, the authorities may require SMEs to formulate certain levels of personal data protection measures and take their due responsibilities.

Identify new forms of fraud and enhance early warning and assessment

Cyber fraud is characterised by fast-changing methods and being very deceptive. From publishing fraudulent advertisements to “cast a wide net”, cyber fraud has shown a trend toward being more focused and directed to gain the trust of victims.

In light of the ever-evolving forms of fraud, I think that the Government should strengthen early warning and assessment, and use big data models and the assistance of AI to identify publishers of suspicious information on the Internet and accounts with abnormal income. At the same time, it should improve relevant cybersecurity laws and regulations as well as strengthen law enforcement to complement prevention. In addition, the Government can consider using data models to identify groups that are vulnerable to deception so that it can formulate a more targeted strategy for publicity and enhance the effectiveness of public education.