Smishing, vishing, WhatsApp scams, and fake websites — a complete guide to recognising and defending against the phishing attacks targeting Hong Kong smartphone users.
Smishing (SMS phishing) is the most prevalent form of mobile phishing in Hong Kong and has caused billions of dollars in losses to HK residents. Attackers send mass SMS messages impersonating trusted organisations — HSBC, Hang Seng Bank, Hongkong Post, DHL, the Immigration Department, and even the Hong Kong Police Force — creating false urgency to pressure recipients into clicking malicious links. The links lead to convincing clones of legitimate websites designed to harvest login credentials, credit card numbers, or one-time passwords.
Modern smishing campaigns use SMS spoofing technology to display the message in the same conversation thread as genuine messages from the spoofed institution. This means a fake HSBC message may appear directly in the thread containing your real HSBC transaction notifications — making visual verification extremely unreliable. The HKMA (Hong Kong Monetary Authority) has issued multiple warnings about this specific technique, known as "SMS insertion," where fraudulent messages are injected into legitimate sender threads.
The anatomy of a typical HK smishing attack: the message creates urgency ("Your account will be suspended in 24 hours"), provides a shortened or lookalike URL, and the destination site collects your username, password, and often prompts you to enter a one-time SMS code "for verification" — which the attacker simultaneously uses to complete a fraudulent transaction in real time. This process, known as a real-time phishing proxy, is highly sophisticated and happens within minutes of the victim providing their credentials.
As people become more suspicious of unsolicited SMS messages, attackers have shifted their operations to messaging apps where users may maintain a false sense of security from being in a "known" environment. WhatsApp and Telegram phishing attacks in Hong Kong take several forms: fake customer service impersonation, group chat infiltration, compromised account exploitation, and elaborate social engineering scenarios that unfold over days or weeks before a financial request is made.
The most financially devastating form is pig butchering (杀猪盘 — shā zhū pán), which typically begins with a WhatsApp message from an unknown number claiming to have the wrong contact. After establishing a friendly conversation over days or weeks — sometimes developing into an apparent romantic interest — the attacker introduces a "profitable" investment opportunity, often a fake cryptocurrency platform. Victims invest progressively larger sums, see apparent profits, then find they cannot withdraw their money. The HKPF reports that pig butchering is now the single most financially damaging scam type in Hong Kong, with individual losses frequently exceeding HK$1 million.
WhatsApp account hijacking is another significant vector. Attackers first obtain your phone number, then call you claiming to need to send a verification code for a legitimate purpose. The verification code you receive and share is actually the WhatsApp 2FA code that allows the attacker to register your WhatsApp account on their device. They then use your account — with your real contact list and message history — to scam your friends and family while impersonating you.
Fake phishing websites are significantly harder to identify on mobile devices than on desktop computers. The mobile browser's address bar is smaller and often hides the full URL; HTTPS padlock icons have become ubiquitous (including on phishing sites, which routinely obtain SSL certificates); and the full domain name is frequently obscured by the mobile browser's UI. Attackers specifically design phishing sites to be mobile-optimised, knowing that most victims will be viewing them on their phones.
The most reliable indicator of a phishing site is the domain name itself — not the padlock, not the appearance of the page, and not the presence of logos and branding. Attackers use several techniques to create convincing fake domains: typosquatting (hsbc-onlinebanking.com), subdomain spoofing (hsbc.com.hk.login.fake.com — where "fake.com" is the actual domain), IDN homograph attacks (using visually identical characters from other Unicode scripts), and legitimate services like Google Sites, Notion, and Netlify to host phishing pages under trusted domains.
To verify a website's domain on mobile: tap the address bar in Safari or Chrome to expand the full URL and read the actual domain carefully. Read the host name from the right: the real domain is the public suffix (such as ".com" or ".com.hk") plus the single label immediately to its left, and everything further left is a subdomain chosen by whoever owns that domain. For example, in "login.hsbc.com.hk/account", the suffix is ".com.hk", so the domain is "hsbc.com.hk" and "login" is only a subdomain; by the same rule, "hsbc.com.hk.login.fake.com" belongs to "fake.com". If you're unsure whether a URL is legitimate, close the page and navigate directly to the known official website by typing it yourself.
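The domain-reading rule above, written out as a small checker that also flags the lookalike techniques listed earlier (subdomain spoofing, typosquatting, IDN homographs, and phishing pages hosted on a legitimate third-party service). This is an added example, not code from the original guide; the suffix list, the brand name "hsbc", and the sample URLs are constructed for illustration.

```python
"""Added example: extract the registrable domain of a URL (public suffix plus
one label) and report the lookalike tricks the guide describes."""
from urllib.parse import urlsplit

# Constructed, deliberately short stand-in for the Public Suffix List
# (publicsuffix.org); a real tool would load the full list.
PUBLIC_SUFFIXES = {"com", "hk", "com.hk", "org", "net", "app"}


def registrable_domain(host: str) -> str:
    """Longest matching public suffix plus the one label to its left.

    'login.hsbc.com.hk' -> 'hsbc.com.hk'
    'hsbc.com.hk.login.fake.com' -> 'fake.com'
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):  # i = 0 would leave no label to the left
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def assess_url(url: str, expected: set, brand: str) -> dict:
    """Return the real domain of a link plus defender-style findings.

    expected: registrable domains the brand genuinely uses (assumed input).
    brand:    lower-case brand string to look for in the wrong place.
    """
    if "://" not in url:
        url = "https://" + url  # bare links such as 'hsbc-onlinebanking.com/login'
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    domain = registrable_domain(host)
    findings = []
    if domain in expected:
        return {"domain": domain, "findings": findings}  # genuine site
    findings.append("domain mismatch")
    # Non-ASCII labels or punycode ('xn--') labels point at an IDN homograph.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        findings.append("idn label: possible homograph")
    if brand in host:  # hsbc.com.hk.login.fake.com, hsbc-onlinebanking.com
        findings.append("brand in subdomain or lookalike label")
    elif brand in parts.path.lower():  # sites.google.com/view/hsbc-...
        findings.append("brand only in path: page hosted on a third-party service")
    return {"domain": domain, "findings": findings}


if __name__ == "__main__":
    for u in ["https://login.hsbc.com.hk/account", "https://hsbc.com.hk.login.fake.com/",
              "https://hsb\u0441.com.hk/", "https://sites.google.com/view/hsbc-hk-login"]:
        print(u, "->", assess_url(u, {"hsbc.com.hk"}, "hsbc"))
```

The Cyrillic "\u0441" in the third sample URL is the homograph case: it renders like a Latin "c" on screen but never matches the genuine domain.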
If you suspect you've been phished — you clicked a link, entered credentials on a suspicious site, or provided a verification code to an unknown caller — act immediately. Time is the critical variable: most financial fraud occurs within minutes of credential theft, as attackers have automated systems that immediately attempt to use stolen credentials to transfer funds. Early action can be the difference between preventing a loss and trying to recover one.
Your first call should be to your bank. Most Hong Kong banks have 24-hour fraud hotlines (HSBC: 2233 3000; Hang Seng: 2822 0228; Bank of China HK: 3988 2388). Tell them you've been phished and ask them to immediately place a hold on outgoing transfers from your account. If you've already seen unauthorised transactions, ask for an immediate account freeze. While on hold, change your online banking password from a different, uncompromised device — do not use the same phone or computer you used when you were phished, as it may be compromised.
After securing your accounts, file a police report. The Hong Kong Police Force Cyber Security and Technology Crime Bureau can be reached at 18222, or you can report online at cybercrime.police.hk. Having a police report number is often required by banks when processing fraud claims. Keep all evidence — screenshots of the phishing message, the URL you visited, any receipts or confirmation messages from the fraudulent transaction — as these will be needed for the investigation and any insurance claims.