Business email compromise and wire transfer fraud cost Hong Kong organisations millions annually. Understanding the mechanics and implementing verified procedures protects both companies and individuals.
Published: March 29, 2026
Business Email Compromise (BEC) is among the highest-loss cybercrime categories affecting Hong Kong organisations. Unlike technical hacking attacks, BEC relies primarily on social engineering — fraudsters impersonating company executives, vendors, or business partners to manipulate employees into initiating fraudulent wire transfers. The FBI's Internet Crime Complaint Center consistently ranks BEC among the top cybercrime categories by total losses globally, and Hong Kong's role as a major financial centre and trade hub makes it a prime target.
The most common BEC variant in Hong Kong involves the fraudulent impersonation of a company's CEO or CFO sending an urgent, confidential wire transfer instruction to an accounts payable employee. The email appears to come from the executive's genuine address — often through account compromise, domain spoofing, or registering a lookalike domain (e.g., companyname-hk.com vs companyname.com.hk). The message creates urgency and secrecy ("do not discuss with anyone", "this must be done today for a confidential acquisition"), bypassing normal approval processes. By the time the fraud is discovered — often when the real executive is contacted about the payment — funds have been transferred internationally.
Supplier payment diversion is a closely related variant. Fraudsters monitor business email accounts (often through a previously compromised mailbox) and insert themselves into ongoing payment discussions at the moment when payment details are being confirmed. By sending a message that appears to be from the legitimate supplier — from a compromised account or convincing lookalike domain — they redirect an expected payment to a fraudster-controlled account. The genuine supplier then follows up about the unpaid invoice, revealing the fraud after the payment is irrecoverable.
Organisations that maintain strict payment verification procedures are dramatically more resistant to BEC fraud than those that process payment requests based on email instructions alone. The fundamental preventive control is a mandatory secondary verification requirement for all wire transfers above a defined threshold — a verbal or in-person confirmation with the payment requester through an independent channel (a known phone number, not one provided in the request email) before processing any transfer. This simple procedural control, consistently applied, defeats the vast majority of BEC attacks.
Payment procedure standardisation removes the attack surface entirely for many BEC variants. If your organisation's policy is that banking details for vendors can only be updated through a formal supplier onboarding or change process — requiring written authorisation, management approval, and verification against independently held contact information — then a fraudulent email requesting a bank detail change has no pathway to succeed regardless of how convincing it appears. Documented, enforced procedures are the key; ad-hoc exceptions are where fraud enters.
Technical email security measures reduce the success rate of domain spoofing and email account compromise. DMARC, DKIM, and SPF configuration for your organisation's email domains prevents spoofed emails claiming to be from your domain being accepted by major mail providers. Enabling multi-factor authentication on all business email accounts removes the account compromise vector. Deploying advanced email security solutions that flag external-origin emails visually, highlight lookalike domain detections, and provide warnings for first-contact senders creates friction that prompts human review of suspicious messages.
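The banner logic described above (external origin, lookalike domain, first-contact sender, DMARC failure) can be sketched as follows. This is an added example, not code from the original article or from any product; the domain names, the known-sender list, the character folding table and the 0.85 similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed values: substitute your own domain and sender history.
ORG_DOMAIN = "companyname.com.hk"
KNOWN_SENDERS = {"accounts@supplier.example"}
DIGITS = str.maketrans({"0": "o", "1": "l", "5": "s"})

def fold(text):
    """Fold characters commonly swapped in to imitate a brand name."""
    return text.lower().translate(DIGITS).replace("rn", "m")

def is_internal(domain, org_domain=ORG_DOMAIN):
    return domain == org_domain or domain.endswith("." + org_domain)

def is_lookalike(domain, org_domain=ORG_DOMAIN):
    """True if a foreign domain carries a label close to the organisation's brand label."""
    if is_internal(domain, org_domain):
        return False
    brand = fold(org_domain.split(".")[0])
    tokens = re.split(r"[.-]", fold(domain))
    return any(SequenceMatcher(None, t, brand).ratio() >= 0.85 for t in tokens)

def triage(raw_message, known_senders=KNOWN_SENDERS, org_domain=ORG_DOMAIN):
    """Return the warning banners a mail gateway would attach to this message."""
    msg = message_from_string(raw_message)
    address = parseaddr(msg.get("From", ""))[1].lower()
    domain = address.rpartition("@")[2]
    flags = []
    if not is_internal(domain, org_domain):
        flags.append("external")
        if is_lookalike(domain, org_domain):
            flags.append("lookalike-domain")
        if address not in known_senders:
            flags.append("first-contact")
    # Assumption: this header was stamped by your own gateway, not by the sender.
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        flags.append("dmarc-fail")
    return flags

# Constructed sample using the lookalike domain named earlier in the article.
SAMPLE = (
    "From: CEO <ceo@companyname-hk.com>\n"
    "To: ap@companyname.com.hk\n"
    "Authentication-Results: mx.companyname.com.hk; dmarc=none\n"
    "Subject: Urgent confidential payment\n"
    "\n"
    "This must be done today.\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The sample shows why DMARC alone is not sufficient: a lookalike domain is a different domain and can pass or carry no DMARC policy at all, so the lookalike and first-contact checks are what surface it for human review.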
While BEC primarily targets businesses, individuals in Hong Kong are targeted by wire transfer fraud through several distinct mechanisms. Real estate transaction fraud is particularly costly — fraudsters monitor property transactions, then send conveyancing solicitors or estate agents forged instructions or impersonated communications diverting deposit payments or completion funds to fraudster accounts. Given that Hong Kong property transaction amounts are among the highest globally, a single successful fraud can result in losses of millions of HK dollars.
Impersonation of government authorities is another prevalent individual wire fraud. Fraudsters posing as HKPF officers, Customs officials, IRD representatives, or court bailiffs claim the victim is under investigation for money laundering, tax evasion, or other serious offences. They instruct victims to wire funds to a "safe government escrow account" while the investigation proceeds or to avoid asset freezing. These calls often use authentic-sounding terminology and are backed by fake warrant numbers, case references, and officer badge numbers. The genuine authorities in Hong Kong do not conduct investigations this way — any instruction to wire money to resolve a government investigation is fraud without exception.
Romance fraud leading to wire transfers is also significant in Hong Kong. After cultivating an online relationship over months, fraudsters claim a personal emergency — medical, legal, or financial — requiring an urgent wire transfer. The victim, believing they have a genuine relationship with the requester, complies. Unlike the investment variant (pig butchering), pure romance fraud focuses on extracting wire transfers for supposed personal emergencies rather than investment returns. The emotional investment created by the scammer makes victims reluctant to believe the relationship was constructed entirely for financial gain.
Wire transfer fraud recovery is a race against time. Once a transfer reaches the beneficiary bank, it may be withdrawn in cash, transferred to another account, or converted to cryptocurrency within hours. International transfers are particularly difficult to recover because they traverse multiple correspondent banks. However, if reported within minutes or hours of discovery, banks can sometimes recall transfers that have not yet been credited to the final beneficiary — particularly for transfers to other Hong Kong banks where the HKPF can apply for court orders to freeze suspect accounts swiftly.
The immediate response sequence: call your bank's fraud hotline as soon as the fraudulent transfer is identified. Request a SWIFT recall if the transfer was international, or request the receiving bank be notified if the transfer was domestic. Simultaneously, call the HKPF Cyber Security and Technology Crime Bureau at 2527 7177 — police can liaise with the receiving bank to apply for a court-ordered account freeze, which is the most effective tool for domestic wire fraud recovery. Provide police with all available information about the fraudulent transaction: reference numbers, receiving account details, the fraudulent email or call that prompted the transfer, and the amounts.
For organisations that have suffered BEC-related wire fraud, engaging a cyber forensics firm in parallel with police reporting is advisable. Forensic investigation of the compromised email accounts can reveal the attacker's full access period, any other data accessed or exfiltrated, and the entry point — information essential both for the police investigation and for remediating the underlying security weakness to prevent recurrence. Reporting to the HKMA is also appropriate if the fraud exploited weaknesses in a bank's payment systems or processes. Reviewing and strengthening payment procedures in the aftermath is essential to prevent a repeat attack.