A cybersecurity watchdog has reported a surge in the number of local phishing incidents, saying cyber criminals have been using AI tools to create phishing email content and malware.

The Hong Kong Computer Emergency Response Team Coordination Centre said on Tuesday that the number of phishing attacks surpassed 10,000 for the first time in the latest quarter, totalling 13,574.

It said in a report published earlier that over 80 percent of the phishing websites detected were credit card sites, while 6 percent had to do with the telecommunications sector. Another five percent, meanwhile, were related to the transportation industry.

“It is believed that hackers intend to defraud users’ credit card information or other personal information through the websites for illegal purposes,” the report wrote.

Meanwhile, the watchdog said cyber criminals have also been using ChatGPT to create phishing emails and write malware.

"Although the system developer has added a security mechanism to prohibit the generation of malicious content, cyber criminals have developed evasion methods and sold them as a Crime-as-a-Service (CaaS)," it wrote.

“It definitely lowers the barriers to launching the attack," said Alex Chan, the spokesman of the centre and general manager of the digital transformation division of the Hong Kong Productivity Council.

"For example, writing a phishing email, somehow you just ask the questions. It can generate a very genuine and formal-looking email. You can ask ChatGPT to generate the source code of malware or program with malicious content.

“Even though [ChatGPT] includes some protection mechanisms... cyber criminals have developed evasion methods and shared that in the dark market as a service."

Chan also said AI is rapidly improving, and it will become increasingly difficult to differentiate between text generated by machines and that created by humans.

“I would say the fundamental mindset would be zero trust, so you don't trust anything sent from anyone. So if you receive an email, try to use another channel to validate,” he said.

“Just don't believe an email to ask you to transfer money or provide some certain information without finding identity. Do call them or verify through their official telephone number or hotline to make sure they are receiving from a legitimate source,” he added.

The centre says it expects AI and CaaS attacks to pose serious security risks this year.