Unmasking the "phishy" business for SPOs. (From left) Wilson Tang, our Co-Owner and Chief Information Security Officer; Dr. Wan Lap Man, Executive Director of Hong Kong Playground Association; and Li Tin Lun, Administrative Head of Hong Kong Christian Service.

Dear Friends of HKBN

HKBN Empowers SPOs with Free Phishing Email Assessment

Results showed 10% failure rate, nearly double the global benchmark for NGOs

In response to the surge in phishing attacks over recent years, we have collaborated with Green Radar, a leading cybersecurity and innovation technology company, to conduct free phishing email drills for ten social profit organisations (SPOs). Our initiative aims to enhance SPO employees’ alertness, equipping them with the skills to identify and mitigate the potential risks from suspicious phishing attempts.

Conducted in February, our phishing email assessment simulated the most prevalent hacking tactics as we engaged and targeted nearly 10,000 employees from ten participating SPOs with highly realistic “gift giveaway” phishing emails.

The results revealed that employees from all ten SPOs were vulnerable. Notably, about one-tenth (10.7%) of the approximately 10,000 employees failed to identify the phishing emails, a figure that is nearly twice as high as the global average failure rate of 5.5%¹ for non-profit organisations. Alarmingly, 43.6% of those who failed also clicked on spam links and submitted sensitive personal information, including their names and email addresses. Overall, our findings underscore the need for heightened vigilance among Hong Kong's SPO community regarding phishing emails.

Among the ten SPOs that participated in our assessment, four indicated that they had suffered losses due to phishing attacks, while eight acknowledged that their employees lacked adequate technical knowledge in cybersecurity. Although most SPOs have implemented cybersecurity measures internally, (for example, eight SPOs said they have an alert mechanism in place for cyberattacks, and seven SPOs had updated their cybersecurity measures in the past year), more than half of them (six SPOs) admitted that they had either not provided any cybersecurity awareness training or had only provided one session in the past year.

“The rapid advancement of AI has sparked a surge in phishing attacks. Last year² , the Hong Kong Computer Emergency Response Team Coordination Center (HKCERT) recorded the highest number of phishing incidents in the past five years, indicative of the urgent need for all sectors to prioritise cybersecurity. Shockingly, all participating SPOs in our assessment fell victim to phishing. When just one employee opens a malicious email, he or she becomes ensnared in the hacker’s trap, risking financial losses and other damaging consequences.”

"Cybersecurity is critically important, but most SPOs are often constrained by budgets as they prioritise resources on operations and community care. We are grateful to HKBN for stepping up its support through this programme, which will go a long way to enhancing cybersecurity awareness and know-how in the social sector. Furthermore, we would also like to call on the industry to allocate more resources to safeguarding the personal data and interests of different stakeholders.”

As part of our commitment to foster digital inclusion, we established the HKBN SPO IT Club in 2023, offering voluntary services such as cybersecurity and IT training to the community. For those who are interested in receiving free support in cybersecurity, please register to join our HKBN SPO IT Club. We will be organising a complimentary seminar on phishing prevention and mitigation, scheduled for 15 April 2024. Click here for more details.

¹ Source: Phishing Benchmarking Analysis Center | KnowBe4
² Source: HKCERT Releases Annual Information Security Data and Forecasts

19 March 2024

HKBN