of about HK $ 1.9 million ( US $ 242,000 ) in a WhatsApp scamAttack.Phishingin Hong Kong this year , police said on Wednesday . According to police , swindlers pretended to beAttack.Phishingfriends of WhatsApp users and invented different excuses to lureAttack.Phishingthem into revealing their account verification codes . The con men then accessed the accounts with the codes and , posing asAttack.Phishingthe users , sentAttack.Phishingtext messages to deceiveAttack.Phishingthe account holders ’ contacts . Mohammed said genuine account holders were unable to use WhatsApp at least 12 hours after their accounts were hijacked . “ All the scam victims were asked to buy MyCard points cards for online games , ” he said . MyCard is a digital payment platform . Users can buy credit to spend on the platform from convenience stores across the city , Mohammed said . After getting passwords for the cards , scammers sold them online . Police said the age range of the victims was between 17 and 72 and losses went from a few hundred dollars to thousands . No arrests had been made . The Post reported in February that officers believed fraudsters from Taiwan were behind the scam because the points cards they requested were used for the Taiwanese versions of online games . Police advised residents to safeguard their personal data and verify the identity of those who contact them . If in doubt , people should call the Anti-Scam Helpline at 18222 . In the first three months of this year , there were 270 reports of deception through instant messaging platforms , accounting for HK $ 2.6 million in losses . That exceeds the figure for the whole of last year , when there were 266 cases , in which scammers bagged HK $ 2.1 million .
It ’ s still the first week of 2017 , and we ’ ve already had a WhatsApp scamAttack.Phishingwarning from a keen Naked Security reader . This one tries to draw you in by claiming you ’ ll get free Wi-Fi service , promising to keep you connected even if you don ’ t have 3G airtime or a Wi-Fi connection of your own . It sounds too good to be true , and that ’ s because it is ! Here ’ s what the message looks like : The suffix .ML visible in the link above stands for Mali , which started giving away domain names for free a few years ago . ( It ’ s not the only country to do this , but it claims to have been the first African nation to do so . ) The use of a free domain isn ’ t always a reliable indicator of a scam , not least because even mainstream-looking .COM domains can be had for a dollar these days , but you don ’ t need the link to make you suspicious in this case . There ’ s a lot that ’ s visually wrong with this message , such as the inconsistent spellings Whatsapp and whatsapp , both of which are incorrect ; the poor spacing and punctuation ; and the rather casually confused way that Wifi ( which is , in fact , properly written Wi-Fi ) and 3G are mixed into the story . Nevertheless , scams propagated on social media services ofter pass the “ why not try it ? ” test , because they generally come from people you know and communicate with regularly . Spelling mistakes , shortened URLs , casual language and other inconsistencies might very well seem suspicious in an email claiming to beAttack.Phishingan official message from a well-known brand… …but not in what looks likeAttack.Phishinga quick message from a friend . You can probably imagine what happens if you click through : you enter the murky world of bait-and-switchAttack.Phishing. That ’ s where you are drawn in with the promise of something that sounds both useful and interesting , but quickly find that there are a few hoops to jump through first . As with many scams of this sort , where you end up and what you have to do to “ qualify ” may differ from what we saw and are reporting here . That ’ s because cloud-based scams of this sort , where the content isn ’ t delivered in the original message but via a series of web URLs , can vary their form over time . Crooks can tailorAttack.Phishingthe content they serve upAttack.Phishingin just the same way that legitimate sites do , based on many factors such as : where you are ; what browser you are using ; what time of day it is ; what operating system or device you have ; which ISP you ’ ve used to connect ; whether you ’ ve visited before ; and much more . We encountered two rather different bait-and-switch campaignsAttack.Phishing– we ’ re guessing that the crooks were using the device type to choose how to hit us up . When we used an ( old ) iPhone , we quickly ended up with a chance to win a brand new iPhone for free : When we clicked through , we found out how this scam is spread . Instead of using malware to push out messages furtively behind your back , the crooks use you as their propagation vector by telling you send the message to eight other recipients on WhatsApp : When we used an ( old ) Android device , the crooks were even pushier , insisting that we forward the scamAttack.Phishingto fifteen new recipients first : Cheekily , the buttons marked [ About ] , [ FAQ ] and [ Blog ] take you to genuine WhatsApp pages , thus adding a veneer of legitimacy . We didn ’ t invite anyone , of course , but a little bit of digging revealed the page that we ’ d have ended up on if we ’ d done what the crooks wanted : Amusingly , if cyberscamming can ever be considered funny , the [ App2 ] button downloaded an Android Package ( APK ) file , while the [ App3 ] link took us to a free app on Apple ’ s App Store . No devices exist that can run Android and iOS apps side-by-side – it ’ s one or the other , or neither , but never both – so we couldn ’ t have complied with the demands of the crooks even if we ’ d wanted to . The crooks had rigged up the buttons to redirect through various affiliate programmes , which are online marketing services where you get paid some sort of referral fee for generating clicks to , or downloads from , someone else ’ s site . In fact , this page refuses to let you use the [ FINISH ] button at first , popping up a message to warn you very ungrammatically that You have not installed All Apps in your mobile . For what it ’ s worth , the Android app was what seems to be the official front-end to an alternative Android app store aimed at the Indian market ; the iOS software was a shopping app for a popular Chinese web service . When it comes to freebies , special deals and other innocent-sounding web offers , especially when they are apparently recommended by your friends , it ’ s easy to fall into the “ no harm in taking a look ” trap . After all , this scamAttack.Phishingdoesn ’ t actually try to trigger any exploits to implant malware on your phone , or trickAttack.Phishingyou into installing malware , so it ’ s easy to think of it as mostly harmless . But it ’ s a scam nevertheless , and even if all you do is to take a look , you ’ re taking part in something with potentially harmful side-effects on the community around you , from bombarding your friends with unwanted messages to helping crooks to earn affiliate revenues fraudulently .