Phishing in China: How To Protect Your Business
By Zolzaya Erdenebileg and Weining Hu
In August 2016, Bank of China Hong Kong alerted its customers to a phishing scam targeting client bank account and card information. Using the domain bochk.orbisfn.net, the attack sent users to a fraudulent website designed to look like the official Bank of China Hong Kong online banking login page, and stole the information entered into its form fields. That same month, Hang Seng Bank issued a similar warning to its customers.
In recent years, phishing schemes have become a frequent headache for companies in China. According to a 2017 cybersecurity survey, security incidents in China and Hong Kong in 2016 increased by more than 900 percent year-on-year. Additionally, phishing attacks have become more sophisticated in how they elicit information.
As businesses transform and introduce more digital platforms to interact with clients, phishing risks have increased in tandem.
What is phishing?
Phishing is fraud carried out through electronic channels to trick people out of information or anything else of value, usually monetary. With so many communication methods available, phishing can take multiple forms – for example, ‘smishing’ is phishing through text messages – but in the past, e-mail has been the channel of choice.
The most comical, if not notorious, example is that of a rich noble or person of influence in some developing country who wishes to transfer their vast funds out into the victim’s bank account, and promises to grant the victim a handsome sum as a reward.
According to Michael Mudd, Managing Partner at Asia Policy Partners, phishing has become the preferred method for cybercriminals as it is often able to bypass the first line of electronic network defenses by pretending to be from a legitimate source.
These days, the ‘phishers’ have become smarter in how they select their targets. ‘Spear phishing’ takes aim at specific individuals and companies, ‘angler phishing’ impersonates customer help lines, and ‘whaling’ targets the C-suite.
Attacks can redirect victims to false websites that collect their personal information, as in the cases of Bank of China Hong Kong and Hang Seng Bank, or they can carry malware in an e-mail attachment. Cybercriminals also use steganographic techniques, explained Mudd, whereby the malware is hidden within a file, message, image, or video.
Phishing in China
The Chinese economy, with the popularity of platforms such as Alipay and WeChat Wallet, has found itself particularly vulnerable to the new age of phishing.
In 2016, there were over 125 billion non-cash payment transactions in China, amounting to RMB 3,687.24 trillion. Mobile payments increased by 85.8 percent year-on-year, for 25.71 billion transactions totaling RMB 157.55 trillion. Online payments increased by 26.96 percent, for 461.7 billion transactions totaling RMB 2,084.95 trillion.
Industry watchdogs estimate that RMB 195 million was lost to internet fraud in 2016, an increase of over 53 percent compared to 2015. More than half of the loss – about RMB 110 million – was due to phishing. Beijing had the highest number of cases and amount of monetary loss, but Shenzhen, Shanghai, and Guangzhou also ranked high.
Protections against phishing scams
In order to protect against phishing, businesses must be vigilant about updating their systems and applications. Thomas Zhang, Director of IT at Dezan Shira & Associates, recommends installing security devices or systems that can automatically detect and filter out phishing e-mails. Updating systems and application patches, particularly browsers, can be effective as newer versions have more up-to-date blocks on flagged phishing websites.
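As an added illustration (not from the article or from Dezan Shira & Associates), the sketch below shows one check an automated e-mail filter can apply to links like the bochk.orbisfn.net case above: flag any URL whose authority contains a protected brand name but whose registrable domain is not the brand's own. The official domain `bochk.com`, the small suffix set, and the sample message are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption: brand token -> registrable domains the brand really owns.
OFFICIAL = {"bochk": {"bochk.com"}}
# Assumption: tiny stand-in for the Public Suffix List; use the real list in production.
MULTI_LABEL_SUFFIXES = {"com.hk", "com.cn", "co.uk"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def registrable_domain(host):
    """Reduce a hostname to the domain a registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def classify_url(url):
    """Return 'official', 'lookalike' or 'unrelated' for one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    if any(reg in domains for domains in OFFICIAL.values()):
        return "official"
    # Search the whole authority so a brand name placed in the userinfo
    # part (before '@') is caught as well as one used as a subdomain.
    authority = parts.netloc.lower()
    if any(brand in authority for brand in OFFICIAL):
        return "lookalike"
    return "unrelated"

def flag_links(message_text):
    """Return the URLs in an e-mail body that are judged lookalikes."""
    flagged = []
    for url in URL_RE.findall(message_text):
        if classify_url(url) == "lookalike" and url not in flagged:
            flagged.append(url)
    return flagged

# Constructed sample message; only the first domain appears in the article.
SAMPLE = (
    'Verify your account: <a href="http://bochk.orbisfn.net/login">Log in</a>\n'
    "Official site: https://www.bochk.com/en/home.html\n"
    "Alternate: https://www.bochk.com@login.example.net/verify\n"
)

if __name__ == "__main__":
    for link in flag_links(SAMPLE):
        print("quarantine:", link)
```

A substring match on the brand token is deliberately broad and will need an allowlist for legitimate third parties that mention the brand in their hostnames.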
However, the best protection is greater awareness. “[Ultimately], it is the end user behavior that needs to change through education,” Mudd said.
“Security awareness training for all staff is critical as the forms of phishing keep changing,” Zhang said. “IT needs to teach users how to recognize dangerous links or attachments in the email, and provide quick responses to staff queries when forwarded uncertain e-mails to facilitate knowledge sharing.”
China Briefing is a publication produced by Asia Briefing, a subsidiary of Dezan Shira & Associates. Our full range of titles covers ASEAN, China, India, Russia, the Silk Road and Vietnam.