Hong Kong Police Highlight Rising Threat of Phishing Scams
In a recent development, police in Hong Kong have issued a warning to the public about the increasing prevalence of phishing scams. A separate exercise conducted by authorities revealed that 13 per cent of workers clicked on phishing email links sent as a test. This alarming statistic underscores the need for heightened awareness and vigilance among employees and individuals alike.
According to police reports, the number of phishing scams in Hong Kong fell by more than half last year. However, total losses suffered by victims doubled to HK$110 million (US$14 million). This significant increase in financial damage highlights a concerning shift in how scammers are operating.
The latest data shows that 1,093 phishing cases were recorded in 2025, a 60 per cent decrease from the 2,731 cases reported in the previous year. Despite this drop in the number of incidents, the total losses surged by 112.9 per cent to HK$110 million. The average amount stolen in each case also rose more than fourfold to approximately HK$100,000.
Acting senior superintendent Rachel Hui Yee-wai of the cyber security and technology crime bureau explained that the trend reflects a change in the methods used by scammers. “Previously, phishing links were sent aiming to obtain credit card information,” she said. “But in recent years, these links aim to take over accounts—such as securities accounts, online banking accounts, or even WhatsApp accounts.”
In one notable case, a scammer posed as a WhatsApp administrator and sent a message to a victim asking for a login verification code, which the victim provided. With that code, the scammers took control of the account. The victim then lost HK$19 million in total, illustrating the severe consequences of such attacks.
Police emphasized that phishing attacks have evolved beyond simple scams into more complex schemes involving identity theft and social engineering. These tactics make it increasingly difficult for victims to distinguish between legitimate and fraudulent communications.
A large-scale phishing simulation conducted by police revealed that employees across Hong Kong remain vulnerable to such attacks, especially when messages appear to come from within their organizations. The exercise involved 301 organizations and more than 53,000 participants, with simulated phishing emails and SMS messages sent to staff without prior notice.
The results showed that 13.4 per cent of participants clicked on phishing email links, an increase from 11.5 per cent the previous year. Among those who clicked, nearly half went on to submit personal data, while 6.4 per cent uploaded data or downloaded files.
At the organizational level, 89 per cent of participating firms had at least one employee fall for a phishing email. Senior staff were found to be more likely to fall for such scams because the high volume of messages they handle makes them less alert to suspicious ones. Data from the exercise indicated that employees at manager level or above had a higher click rate of 15.5 per cent, compared to 13 per cent among general staff.
Phishing attempts disguised as internal communications were more likely to be clicked. Emails purporting to be from IT departments offering gifts recorded the highest click rate at 6.7 per cent, followed by file download notifications. A separate SMS phishing simulation involving 3,620 participants recorded a lower click rate of 5.9 per cent, although 70 per cent of organizations still had at least one employee click on a malicious link.
Authorities noted that SMS remains a key channel for scammers in real-world cases, accounting for more than 90 per cent of phishing scams. These often impersonate government departments, banks, or courier companies.
Police also highlighted the growing use of artificial intelligence (AI) in phishing scams, which allows criminals to generate highly convincing messages and fake websites at scale. “They can use AI or other tools to make the website almost identical to the genuine one … even the logo is the same,” Hui said. This makes it more challenging for victims to identify fraudulent messages, particularly when combined with psychological tactics such as false security warnings.
To combat these threats, authorities plan to continue strengthening both prevention and enforcement efforts. This includes deploying AI tools to identify suspicious websites and working with telecommunications firms to block fraudulent messages. They also urge the public to remain vigilant, avoid clicking on unknown links, and verify any requests for sensitive information through official channels.




