WhatsApp accounts hijacked

People are being urged to strengthen their WhatsApp security after five schools and social welfare organizations reported that their accounts had been hijacked in the past month, resulting in the information of more than 900 individuals getting leaked.

The hackers, according to the Office of the Privacy Commissioner for Personal Data, hijacked the WhatsApp accounts used for communication with service users, students and parents.

"The fraudsters then impersonated the organizations and used the compromised WhatsApp accounts to send messages to the contacts in the address books, attempting to swindle them," the privacy watchdog said.

The names and mobile phone numbers of around 900 students, parents, social welfare organization service users and school staff were leaked.

The watchdog explained that fraudsters would impersonate victims' friends and relatives and send messages requesting them to forward their WhatsApp account registration codes or use fake websites to obtain their phone numbers and registration codes.

"The fraudsters then gain access to the victims' WhatsApp accounts and impersonate them, sending messages to contacts in the account's address book to swindle money or other personal data," it said.

The watchdog advised the concerned organizations and schools to notify the affected people.

It also shared seven tips for the public to step up security of their WhatsApp accounts, including enabling two-factor authentication.

People should regularly check linked devices in WhatsApp settings and log out unused or unknown devices, the watchdog said, adding that people should never disclose their passwords or registration codes to others.

When searching for the web version of WhatsApp, it said to be careful with the links and be vigilant to avoid clicking on fake web versions. People should also download and use the instant messaging app from official sources and should authenticate the identity of the senders when receiving messages about borrowing or remittance requests, the office said.

"Be alert when you receive unsolicited or suspicious text messages. Do not click on the links or disclose personal data arbitrarily," it said.

The watchdog said people who suspect their personal data has been leaked may contact the PCPD through its personal data fraud prevention hotline at 3423-6611 or e-mail them at communications@pcpd.org.hk.

Last month, Cyberport suffered a data leak of over 400 gigabytes of information after it refused to pay a HK$2.35 million ransom demanded by hackers.

The Consumer Council fell victim to hackers two weeks later after its computer server was hacked, followed by demands for a HK$5.5 million ransom.

Sensitive data including ID numbers of staff and their family members, as well as the credit card information of some 8,000 subscribers of the council's Choice magazine were believed to be leaked.

Hong Kong Computer Emergency Response Team Coordination Centre urged the public to be vigilant of phishing traps targeting instant messaging platforms.

Fraudsters would create fake login web pages with QR codes allowing them to access victims' accounts, photos, videos, documents, chat records and contact details, it said.

People should always verify the hyperlinks of instant messaging platforms before logging in and avoid clicking on links from unknown sources, it added.

Lawmaker and former teacher Lillian Kwok Ling-lai urged authorities to enhance anti-fraud education.

"Charities and schools should advise against uploading sensitive personal data to relevant group chats, and pay attention to cyber safety," she said.

Law enforcement agencies can team up with care teams in different districts to organize anti-fraud talks, she added.

eunice.lam@singtaonewscorp.com