According to the South China Morning Post, Hong Kong politician Regina Ip Lau Suk-yee revealed yesterday that her bank account had been "taken over" and about HK$500,000 (US$65,000) stolen from it.
The SCMP reported that the breach occurred when Ip opened an attachment on an email purportedly from MTR Corporation chairman Dr Raymond Chien Kuo-fung. "I thought a friend needed help so I opened the attachment at once. I guess that's when I fell into the trap," said Ip, adding that Chien emailed her hours later, saying his account had been hacked and advising her to change her password, according to the SCMP story.
Theft is deplorable in any case, but there's an extra component when it occurs in cyberspace: without warning, your assets are depleted, and there's seldom any redress, or even any indication of what happened to them. Ip's loss is regrettable.
And it's a classic example of phishing: an email appearing to come from a trusted friend, whose account has been compromised. The email contains an attachment, which is similarly trusted. Ip said she opened the attachment "at once."
Countless security experts have warned against opening email attachments. But when the email reads something like 'Regina, I need help. Urgent. Please open the attachment' (as Ip told the SCMP), that warning is easy to forget. So here's some advice.
When emails urge you to panic, do not panic
An email dictating that an attachment be opened "urgently" is suspect, regardless of sender. Use your own "second factor of authentication": contact the sender by another means, using contact details you already have rather than any number or address supplied in the suspicious email itself (an attacker who controls the mailbox also controls what it says). Smartphones provide several avenues: SMS, an OTT service like WhatsApp, or even a phone call (yes, smartphones handle voice comms as well).
Contact the person who's claiming urgency. If in fact there is an emergency, the immediacy of the communication is appreciated. If, as in Chien's case, their email has been compromised (Ip told the SCMP that Chien emailed her hours later, saying his account had been hacked), the immediacy is appreciated even more.
The bad guys seek to instill a "panicked" state in their intended victims. Typical lines include "You won't believe the video I saw of you on social media" or "Your bank account will be suspended – act now!" When you're in "fight-or-flight" mode, you're likelier to make critical mistakes, like giving your password (or other private information) to someone. If you think that someone is a friend or colleague, then you let your guard down even further.
"Phishing happens," said Richard Stagg, managing consultant for Hong Kong-based security firm Handshake Networking. "Often phishing happens via compromised e-mail accounts, so the link to the phishing page comes from someone you know and trust. Neither the user community nor the service providers have any appetite for two-factor authentication, so assume it will continue."
The painful outcome
Apparently that's how former HKSAR security minister Ip was caught. According to the SCMP: "It is understood the money was moved out of Ip's account in Switzerland to an account in the US." In the article, Ip explained: "I believe they found … an instruction I once made to the bank to transfer a sum in US dollars to an account in the United States...they then forged a letter to instruct the bank to transfer US$65,000 out."
Had Ip been using a Hong Kong bank account, HKMA guidelines might have helped stop the fraudulent transfer. Here's the HKMA on two-factor authentication: "Two-factor authentication is required if you wish to conduct high-risk Internet banking transactions." One caveat: Ip describes a forged letter rather than an online transaction, so two-factor authentication for Internet banking would only have helped if the bank also required a second, independent confirmation (a call-back to a number on file, for example) before acting on a written instruction.
We live in an age where instant access to information is expected. When we're juggling multiple "conversations" on WeChat and Facebook, it's easy to get sucked into a whirling vortex of back-and-forth communication. Throw a phishing message into that mix and the dodgy missive may get more attention than it deserves.
Stay calm, stay safe. The email says your friend's in trouble? Send them an SMS, and don't open that attachment. A WhatsApp message says your bank account needs immediate attention? Call the bank. Any single form of digital communication can be compromised (on the day Ip announced the cybertheft, a friend sent me a message to let me know that one of his social media channels had been taken over by someone else).
One key (besides staying calm) is to use a separate communications channel to confirm. Yes, you still need strong passwords, a different password for each site and all the usual precautions (see the HKMA/HKP links above). But don't forget that we now have mobile communication networks and devices that allow us to confirm information using different channels.