On June 06, 2025, the Securities and Futures Commission ("SFC") released a circular addressing an increase in unauthorized trading incidents at licensed corporations ("LCs"). Suspected incidents involved man-in-the-middle attacks, with perpetrators tricking clients into revealing credentials through phishing SMS links. The SFC expects LCs to implement measures such as signing up for the SMS Sender Registration Scheme, raising client awareness, and enhancing procedures to detect and handle unauthorized access. LCs should also implement effective monitoring, internal controls, and cybersecurity measures to protect against unauthorized trading.
This article was generated using SAMS, an AI technology by Timothy Loh LLP.
In a circular dated June 06, 2025, the Securities and Futures Commission ("SFC") reported that it has observed a notable increase in unauthorized trading incidents at licensed corporations ("LCs"), leading to financial losses for several clients. The circular outlines the SFC's regulatory expectations concerning the prevention and management of such incidents.
The SFC suspects that recent unauthorized trading incidents were facilitated by man-in-the-middle attacks. Perpetrators sent phishing SMS messages with embedded links to clients, tricking them into revealing user credentials and two-factor authentication ("2FA") information on fake websites. This resulted in unauthorized access to client accounts and subsequent trading activities.
In response to these incidents, the SFC expects LCs to implement the following measures: signing up for the SMS Sender Registration Scheme; raising client awareness; and enhancing procedures and controls to detect unauthorized access and transactions in client accounts.
The circular highlights the importance of the SMS Sender Registration Scheme, administered by the Office of the Communications Authority ("OFCA"). Registered LCs can send SMS messages bearing the prefix ‘#’ so that clients can verify the sender's identity, thereby preventing fraudsters from impersonating legitimate businesses.
LCs must send SMS messages to clients exclusively using the prefix ‘#’ and notify them about the use of this prefix. Electronic messages should not contain embedded hyperlinks redirecting clients to websites or mobile applications. Clients are advised to be cautious about entering sensitive personal information into redirected websites or applications.
Registered participants in the Scheme are listed in a register established by OFCA, allowing clients to verify the sender's identity by referring to the register or directly contacting their LC.
Raising client awareness is crucial. LCs should periodically remind clients of the risks associated with clicking on embedded hyperlinks in SMS messages. Prominent warnings and reminders should be placed on LCs’ websites and mobile applications, and clients should be instructed to review notifications for unusual activities and report any suspected unauthorized trading immediately to their LC.
LCs should educate their clients about cybersecurity threats and scams, providing links to reputable resources such as CyberDefender, the Anti-Deception Coordination Centre, the Investor and Financial Education Council, and the SFC’s Alert List. The use of Scameter and Scameter+ is encouraged to help verify the legitimacy of websites, phone numbers, emails, and more.
Enhancing procedures and controls for detecting unauthorized access and transactions is mandatory. LCs should implement effective monitoring and surveillance mechanisms tailored to their business size and complexity, focusing on red flags such as unusual transaction patterns, trading in small-cap stocks, frequent login IP address changes, and multiple logins from similar devices.
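As an added illustration, not code from the circular or the article, the following Python check runs over constructed login events and implements two of the red flags named above: frequent source IP changes for one account, and one device logging into many accounts. The event format, thresholds and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real client data):
# (timestamp, client_id, source_ip, device_id)
LOGIN_EVENTS = [
    ("2025-06-06T09:00:00", "C001", "203.0.113.10", "dev-aaa"),
    ("2025-06-06T09:05:00", "C001", "198.51.100.7", "dev-aaa"),
    ("2025-06-06T09:09:00", "C001", "192.0.2.44", "dev-aaa"),
    ("2025-06-06T09:30:00", "C002", "203.0.113.22", "dev-bbb"),
    ("2025-06-06T10:00:00", "C003", "203.0.113.22", "dev-bbb"),
    ("2025-06-06T10:10:00", "C004", "203.0.113.22", "dev-bbb"),
    ("2025-06-06T11:00:00", "C005", "198.51.100.9", "dev-ccc"),
]

# Assumed thresholds; an LC would tune these to its business size and client base.
IP_CHANGE_WINDOW = timedelta(minutes=15)
IP_CHANGE_THRESHOLD = 3       # distinct source IPs for one client inside the window
SHARED_DEVICE_THRESHOLD = 3   # distinct clients logging in from one device

def parse(events):
    return [(datetime.fromisoformat(ts), cid, ip, dev) for ts, cid, ip, dev in events]

def frequent_ip_changes(events, window=IP_CHANGE_WINDOW, threshold=IP_CHANGE_THRESHOLD):
    """Return client ids that used >= threshold distinct IPs within any sliding window."""
    by_client = defaultdict(list)
    for ts, cid, ip, _ in sorted(parse(events)):
        by_client[cid].append((ts, ip))
    flagged = set()
    for cid, logins in by_client.items():
        for i, (start, _) in enumerate(logins):
            ips = {ip for ts, ip in logins[i:] if ts - start <= window}
            if len(ips) >= threshold:
                flagged.add(cid)
                break
    return flagged

def shared_devices(events, threshold=SHARED_DEVICE_THRESHOLD):
    """Return device ids seen on >= threshold distinct client accounts."""
    clients_per_device = defaultdict(set)
    for _, cid, _, dev in parse(events):
        clients_per_device[dev].add(cid)
    return {dev for dev, clients in clients_per_device.items() if len(clients) >= threshold}

def red_flags(events):
    """Combine both checks into one report keyed by red flag type."""
    return {
        "frequent_ip_changes": sorted(frequent_ip_changes(events)),
        "shared_devices": sorted(shared_devices(events)),
    }

if __name__ == "__main__":
    print(red_flags(LOGIN_EVENTS))
```

A hit on either list is a prompt to contact the client and verify the activity, as the circular describes, not an automatic block.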
Internal control procedures to protect against financial loss should be established, including prompt contact with clients to verify unusual activities and prevent further unauthorized activities, such as account suspension if necessary.
LCs are obligated to report unauthorized trading or suspected criminal proceeds to the Joint Financial Intelligence Unit ("JFIU") via suspicious transaction reports ("STR") and inform the SFC of any system failures or defects. Additionally, they should stay updated on the latest cybersecurity threat landscape by subscribing to cyber threat intelligence.
The senior management of LCs, particularly the Manager-In-Charge of Information Technology, is responsible for identifying, monitoring, and mitigating cybersecurity risks. They should enhance cybersecurity defenses, adopt more robust client authentication methods, and implement other protective measures to safeguard clients from unauthorized access and transactions.