The public Thursday were reminded not to access their Internet banking accounts through hyperlinks after a number of customers of a local bank fell victim to a syndicate and had HK$660,000 siphoned off from their accounts over the past three weeks.

The victims were customers of the Hong Kong and Shanghai Banking Corporation. They are believed to be the first known local cases to have fallen prey to a syndicate purporting to be a Hong Kong bank.

General Manager of the bank Raymond Or said they would study the cases individually. He told a television station that while the bank was willing to compensate the customers for the losses, they would expect to apportion the liabilities with those customers found to have failed to protect their account information properly.

Police said the incidents happened from September 17 to October 6. A total of 12 bank customers received "phishing" emails purporting to be sent by their bank. The emails required the victims to click on an embedded hyperlink connected to a fraudulent website.

"Phishing" is a form of fraud in which the victims receive fake emails allegedly sent from banks asking them to provide sensitive personal and account information to a bogus bank website accessed through a hyperlink embedded in the email.

When the hyperlink was clicked, a window popped up on the screen and asked the victims to verify their account information by keying in their user name and password of their Internet banking accounts.

On the other hand, police said, the syndicate recruited their agents through ICQ, email and job seeking websites. Those recruited were asked to use their own bank accounts to receive the money stolen by e-banking of the victims' accounts. After the money was stolen, they retained five to 10 per cent of the sum as a reward and remitted the remaining to overseas bank accounts.

Police said 11 persons -- eight men and three women aged 21 to 58 -- had been arrested so far in connection with the cases. The police operation is still underway.

A spokesman said three of the arrested were already charged with theft and will appear before the court in the near future. For the others, three are still detained and the other five have been bailed pending further investigation.

According to the police, the syndicate, besides emailing to local bank customers, has also been sending similar emails to Internet users worldwide.

"The public is reminded not to access their Internet banking accounts through hyperlinks embedded in emails or Internet search engines. They are advised to access their e-banking accounts by keying in or book-marking the genuine website," the police spokesman said.

So far this year, a total of 23 bogus bank websites have been found.

The Hong Kong Monetary Authority (HKMA) also alerted the public to the growing number of reports about bogus bank websites and emails, asking anyone who received suspicious emails of such kind to report them to their bank, the police and the HKMA.

"Millions of 'phishing' emails are sent out worldwide by criminals every day with the aim of duping unsuspecting members of the public," an HKMA spokesman said.

"Members of the public should exercise the highest degree of caution in handling emails that purport to come from banks. On no account should they access bank websites through links embedded in emails. No bona fide bank in Hong Kong will ask you to access its website through an email link, and any email asking you to do this should be treated with suspicion," he said.

In light of online scams getting more serious, the HKMA issued a circular to banks last month emphasizing the importance of measures against Internet fraud and in particular, the circular reminded banks not to send emails to customers with embedded links to transactional websites.

By mid 2005, local banks are also expected to implement two-factor authentication for high-risk retail Internet banking transactions. Under this arrangement, banks will adopt a second factor for customer authentication in addition to the password such as a digital certificate and a one-time password generated by a security device, the spokesman added.

(China Daily HK Edition October 8, 2004)