The Securities and Futures Commission (SFC) today provided licensed corporations (LCs) with guidance on appropriate measures to prevent unauthorised trading in clients’ accounts, in light of a recent increase in attacks perpetrated by fraudsters through hyperlinks in phishing mobile text messages (commonly known as SMS phishing).
Several recent incidents of unauthorised trading resulted in financial losses borne by unwary clients of LCs. The SFC suspects that, after deceiving clients into clicking on hyperlinks embedded in mobile text messages and redirecting them to websites resembling the LCs’, fraudsters intercepted clients’ user names, login passwords and authentication data, thereby gaining access to the client accounts at LCs to conduct unauthorised trading.
As set out in its latest circular issued today, the SFC expects LCs to adopt the following measures, among others, in preventing and handling unauthorised trading incidents:
(i) Help their clients to verify the identity of text message senders and to prevent impersonation by fraudsters by signing up for the free SMS Sender Registration Scheme (Note 1);
(ii) Implement an effective monitoring and surveillance mechanism to detect unauthorised access to their clients’ accounts, and report suspicious transactions promptly to the Joint Financial Intelligence Unit so that timely follow-up actions can be taken; and
(iii) Raise clients’ awareness by stepping up client outreach and engagement efforts, particularly if the LC has encountered unauthorised trading incidents or is on notice that such incidents are occurring within the industry, including encouraging them to make use of Scameter and the mobile application Scameter+ (Note 2).
“Our unwavering commitment to investor asset protection against all forms of misconduct is critical to upholding the public’s confidence in the integrity of Hong Kong as a leading international financial centre,” said Dr Eric Yip, the SFC’s Executive Director of Intermediaries. “To this end, LCs, including brokers, are expected to be proactive in protecting their clients by implementing robust and up-to-date fraud prevention measures amidst a rise in cyberfraud.”
The SFC reminds members of the public to stay alert to any mobile text messages purportedly sent by LCs, and not to click on the hyperlinks embedded in these messages. If in doubt, they should confirm with the LCs directly. Under no circumstances should they disclose their account login information to any unverified websites, even if they look genuine.
If members of the public have disclosed their account login details to unverified websites or have found unauthorised transactions conducted over their accounts, they should contact their LCs as soon as possible and report the case to the Police.
Notes:
1. The SMS Sender Registration Scheme administered by the Office of the Communications Authority enables registered participants to send SMS messages with the prefix “#” to help recipients verify the sender’s identity and prevent impersonation.
2. Users can check whether a website, phone number or email is likely fraudulent or not by running a search against Scameter’s database. Scameter+ enables users to report suspicious websites, phone numbers, email addresses and phishing links to the Hong Kong Police Force so that scams are identified and indexed in a publicly accessible database. It also alerts a user in real time if it detects the user trying to visit a potentially fraudulent website. For details, refer to https://cyberdefender.hk/en-us/scameter/.