Phishing incidents in Hong Kong declined sharply last year, yet the financial damage caused by such scams rose significantly, according to police. While fewer cases were reported, the total amount lost by victims climbed to HK$110 million (US$14 million), highlighting a shift in cybercrime tactics.
Authorities recorded 1,093 phishing cases in 2025, a 60 per cent drop from 2,731 incidents the previous year. Despite this decline, overall losses jumped by 112.9 per cent, with the average loss per case increasing more than four times to around HK$100,000. Police attributed this rise to increasingly sophisticated methods used by scammers, who are now focusing on gaining control of victims’ accounts instead of merely collecting credit card details.
“Previously, phishing links were sent aiming to obtain credit card information,” said acting senior superintendent Rachel Hui Yee-wai of the cyber security and technology crime bureau, adding that scammers would then simply use the information to make unauthorised purchases.
“But in recent years, these links aim to take over accounts – they could be people’s securities accounts, online banking accounts or even WhatsApp accounts to go on and scam friends and family.”
In one example shared by authorities, a fraudster impersonated a WhatsApp administrator and asked a victim to provide a login verification code. The victim complied, unknowingly giving the scammer full access to the account.
“This effectively allowed scammers to take control … the victim basically handed the account over and let others view all the activity and content,” she said.
The attacker then leveraged the compromised account to conduct further scams, ultimately causing the victim to lose HK$19 million. Police noted that such incidents demonstrate how phishing schemes have evolved into more complex operations involving identity theft and social engineering.
Separately, a large-scale phishing simulation conducted by police revealed that employees across Hong Kong remain vulnerable to these attacks, especially when messages appear to originate internally. The exercise, carried out between October and January, involved 301 organisations and more than 53,000 participants who were unknowingly sent simulated phishing emails and SMS messages.
Results showed that 13.4 per cent of participants clicked on malicious email links, up from 11.5 per cent a year earlier. Among those who clicked, nearly half submitted personal information, while 6.4 per cent uploaded data or downloaded files. At least one employee in 89 per cent of participating organisations fell for a phishing email.
Senior staff were found to be more susceptible, with a click rate of 15.5 per cent compared with 13 per cent among general employees. Messages disguised as internal communications proved particularly effective. Emails posing as IT department notifications offering gifts had the highest click rate at 6.7 per cent, followed by file download alerts.
A separate SMS phishing test involving 3,620 participants showed a lower click rate of 5.9 per cent, though 70 per cent of organisations still had at least one employee engage with a malicious link. In real-world scenarios, SMS remains a dominant channel for scammers, accounting for over 90 per cent of phishing attempts, often masquerading as government agencies, banks, or courier services.
Police also highlighted the increasing use of artificial intelligence in crafting phishing attacks, enabling criminals to produce highly realistic messages and fake websites.
“They can use AI or other tools to make the website almost identical to the genuine one … even the logo is the same,” Hui said.
Officials warned that such advancements make it harder for individuals to identify fraudulent communications, particularly when combined with psychological tactics like urgent security alerts designed to lower suspicion.
Authorities said they will continue enhancing prevention and enforcement measures, including using AI to detect suspicious websites and collaborating with telecom providers to block scam messages. The public is advised to stay cautious, avoid clicking on unknown links, and verify requests for sensitive information through official sources.
