Police have called on critical infrastructure operators to bolster their defensive efforts against cyber threats, after a number of firms were deemed to be vulnerable.

The force said it inspected 90,000 assets controlled by critical infrastructure firms last year and discovered more than 4,500 loopholes in their systems.

Officers identified three types of loopholes which are particularly risky.

"First of all it's the employees' log-in credentials, that they are leaked or stolen because they don’t have a very good mechanism in ensuring that these kind of credentials are in a high level [of protection]," senior superintendent Carmen Leung said.

"And second, some organisations did not properly manage their domain and subdomain, allowing attackers to hijack those unused subdomains and create highly convincing phishing or scam websites.

"And for the third part, we noticed some organisations having some misconfigured cloud storage service and unintentionally exposed their internal system in a web-phasing environment."

She said these organisations took remedial measures after being warned by the force, and no harm was done to their major services.

Police said they received 440,000 tip-offs regarding Hong Kong-related cyber threats last year.

The top three industries to be targeted were banking and finance, communication, and government departments.

Superintendent Baron Chan stressed that a "useful and powerful preventive mechanism" is in place.

"Luckily, under our protection mechanism, we collect these intelligence in a very earlier stage and we do analysis and then share [them] among our stakeholders, so that these intelligence can be used by different sectors, even though they are not the targets of these bad actors," he said.

Police said they recorded 7,680 technology crime cases from January to March, up 1.1 percent year on year.

The cases, most of which involved online shopping, inflicted losses of more than HK$1.43 billion.

Officers urged shoppers to make use police's Scameter app to check the validity of recipients before making financial transactions.

Police also issued their first ever cybersecurity report, which can be viewed online.

It covers SAR and global cybersecurity trends, together with predictions in the coming year.