
Number of Phishing Cases Drops in Hong Kong but Victims Lose More Money
Why It Matters
The surge in financial damage underscores the growing sophistication of phishing, threatening both individual wealth and corporate security. It signals an urgent need for stronger cyber‑hygiene and AI‑driven defenses across Hong Kong’s business sector.
Key Takeaways
- Phishing cases fell 60% to 1,093 in 2025.
- Victim losses doubled to HK$110 million (≈US$14 million).
- Average loss per case rose fourfold to HK$100,000 (≈US$12,800).
- 13.4% of employees clicked simulated phishing links; senior staff highest.
- AI tools enable scammers to clone websites and craft convincing messages.
Pulse Analysis
The Hong Kong cyber‑crime landscape is undergoing a stark transformation. While the Hong Kong Police Force recorded a 60 percent drop in reported phishing cases in 2025—down to 1,093 incidents—the financial fallout has more than doubled, reaching HK$110 million (roughly US$14 million). The average loss per breach has surged to about HK$100,000 (≈US$12,800), reflecting a shift from simple credit‑card theft to full account takeover. Scammers now aim to hijack online banking, securities, and even messaging platforms, turning compromised identities into gateways for larger fraud schemes.
A recent police‑run simulation involving 301 organisations and more than 53,000 staff members highlighted persistent human weaknesses. Overall, 13.4 percent of participants clicked on a phishing link, up from 11.5 percent the previous year, and nearly half of those who clicked proceeded to submit personal data. Senior employees were the most vulnerable, with a 15.5 percent click rate, likely because they handle higher‑volume communications. The exercise also showed that internal‑looking emails—especially those masquerading as IT notices or gift offers—achieved the highest engagement. Meanwhile, AI‑generated messages and fake websites are making detection increasingly difficult, and SMS remains a dominant vector, accounting for over 90 percent of real‑world attacks.
The escalation in loss severity forces businesses to rethink their cyber‑risk strategies. Traditional awareness training must be complemented by continuous phishing simulations, real‑time AI monitoring, and strict verification protocols for account‑related requests. Law enforcement has pledged to deploy its own AI tools to flag fraudulent sites and to collaborate with telecom providers to block malicious messages. For firms operating in Hong Kong, the cost of a single compromised executive account can run into millions, making proactive defense not just a compliance issue but a critical component of financial resilience. Investing in layered security now can curb the growing tide of sophisticated phishing attacks.