The Hong Kong threat landscape in 2025–2026 is characterised by AI-enhanced phishing, expanded pig butchering campaigns, job scam operations, and sophisticated deepfake fraud. Here is what is active and how to recognise each threat.
AI-generated phishing campaigns Hong Kong Bank Customers">targeting Hong Kong bank customers represent the most significant phishing evolution in 2025–2026. AI language models are being used to generate large volumes of personalised phishing emails that reference accurate personal and professional details about individual targets — name, employer, bank, and recent relevant context — at a scale that was previously possible only for elite state-sponsored attackers. The resulting emails are grammatically flawless, contextually appropriate, and visually identical to genuine communications from the impersonated organisation. The HKPF CSTCB and HKCERT have both issued advisories noting the degraded reliability of traditional phishing indicators (poor grammar, generic greetings) against this new generation of AI-generated attacks.
Deepfake video fraud has emerged as a significant new threat in Hong Kong's financial and corporate sector. The first large-scale documented case involved a finance employee at a Hong Kong multinational who was deceived into transferring HK$200 million after attending a video conference call in which all participants — including the apparent CFO — were deepfakes generated from publicly available video footage. This case, widely reported internationally in early 2024, established deepfake fraud as a real and active threat in Hong Kong's corporate environment. Similar attacks have since been reported by smaller organisations, and the technology required to execute them has become significantly more accessible. Any video call that involves unusual payment requests or extraordinary instructions should be verified through an established independent channel before action is taken.
Telegram and Signal-based investment scam recruitment has escalated significantly in 2025. Scammers recruit victims via unsolicited Telegram messages offering part-time work or investment opportunities, transitioning to increasingly large "investments" on fraudulent platforms. The use of encrypted messaging apps complicates investigation and presents attribution challenges for law enforcement. Simultaneously, QR code scam activity at Hong Kong restaurants and parking facilities has continued at elevated levels — HKPF has issued multiple advisories about tampered payment QR codes in Kowloon and Hong Kong Island dining districts. Physical inspection of QR codes before scanning remains the recommended response.
Job scams targeting Hong Kong job seekers and young professionals have grown substantially in 2025, with fraud operations increasingly using LinkedIn, Indeed, and WhatsApp to distribute fake job offers. The typical job scam scenario involves an offer of well-paid remote work — often described as data entry, product rating, or social media management — that initially appears legitimate. Victims are directed to complete "tasks" on a platform that requires them to make deposits to unlock earning levels. The pattern mirrors the pig butchering investment scam structure: initial small apparent earnings followed by escalating deposit requirements before the platform disappears. These operations are typically run by organised crime groups operating from Southeast Asia, with significant documented activity targeting Hong Kong and mainland Chinese professionals.
Romance scams — where fraudsters develop romantic relationships online before extracting money — remain among the highest-loss per-victim fraud categories reported to HKPF. In 2025, AI-generated profile photos (using generative adversarial network technology) have made it significantly harder to detect fake profiles through reverse image search, which previously was a reliable technique for exposing fake romance identities. Scammers now use AI-generated faces that return no results on reverse image search because they are algorithmically unique. HKPF advises extreme caution about financial requests from contacts met exclusively online, regardless of the length or apparent depth of the relationship, and irrespective of whether the contact appears consistent across multiple verification attempts.
The HKPF Anti-Deception Coordination Centre reported that deception crimes in Hong Kong totalled HK$9.1 billion in losses in 2023, with investment-related fraud and job scams among the largest contributors. The ADCC's ScamAdvisor service allows Hong Kong residents to check whether a website or phone number has been reported as associated with scams. HKPF's CyberDefender initiative provides free cybersecurity awareness resources including a hotline for scam verification queries. The HKMA has issued multiple circulars to authorised institutions regarding staff awareness of BEC and deepfake fraud, and the SFC has expanded its regulatory focus on unlicensed virtual asset platforms following significant investor losses.
Government department impersonation scams — particularly mainland police, ICAC, and Immigration Department impersonation — remain among the highest-individual-loss fraud types in Hong Kong through 2025. Law enforcement agencies including the HKPF have issued repeated public reminders that genuine government departments do not demand immediate telephone payment of any kind, do not instruct citizens to keep investigations confidential from family members, and do not transfer callers between departments to escalating "officials" as part of an investigation procedure. Despite these public advisories, the psychological effectiveness of authority impersonation continues to result in significant losses, particularly among older Hong Kong residents and recent arrivals unfamiliar with local institutional procedures.
Smishing campaigns impersonating Hong Kong banks have evolved in 2025 to use messages that appear within existing legitimate SMS conversation threads through a technique called SMS sender ID spoofing. Because banks use registered short codes or sender IDs for their legitimate SMS communications, and because some mobile carriers in Hong Kong do not adequately validate sender IDs, fraudulent SMS messages using a spoofed bank sender ID appear in the same thread as the bank's genuine messages on the recipient's device. This removes the previously reliable indicator of checking whether a suspicious SMS is in the same thread as known legitimate messages from the same bank. The HKMA has engaged mobile carriers regarding sender ID registration requirements to address this vulnerability.
The increasing use of local Hong Kong phone numbers — acquired through temporary SIM card registrations — in vishing and smishing campaigns has reduced the effectiveness of number-country-of-origin as a fraud indicator. Previously, calls from +86 mainland China numbers were a readily identifiable signal associated with mainland police impersonation fraud. Scammers now frequently use Hong Kong local numbers spoofed to appear as known trusted contacts or institutions. The only reliable response to unexpected requests involving money or personal information — regardless of whether the call appears to come from a local or international number — remains ending the interaction and calling back independently on a number obtained from official sources.
The HKPF publishes scam alerts and fraud warnings on their official website at police.gov.hk and through the CyberDefender platform at cyberdefender.hk. The CyberDefender initiative, launched by the government, consolidates cybersecurity resources for the public including scam verification, victim support information, and public awareness materials. HKPF also issues press releases about new and active scam campaigns that are syndicated through major Hong Kong media outlets — following HKPF on their social media channels or setting news alerts for Hong Kong scam news provides timely awareness of active campaigns before you might personally encounter them.
HKCERT (Hong Kong Computer Emergency Response Team Coordination Centre) publishes security advisories and phishing alerts at hkcert.org. These advisories tend to be more technically detailed than HKPF press releases, covering the specific URLs, sender addresses, and technical indicators associated with active phishing campaigns. HKCERT also maintains a phishing site reporting system that provides confirmation when a reported site has been taken down. Subscribing to HKCERT's email advisory service provides current alerts about active phishing infrastructure — a valuable resource for IT professionals and security-conscious individuals who want early warning of campaigns before they become widely known.
The HKMA publishes consumer alerts about banking fraud and impersonation scams on their website at hkma.gov.hk/consumer, and the SFC maintains an Investor Alert List of suspicious investment entities and unlicensed platforms at sfc.hk. The HKMA's Scam Alert feature allows consumers to check whether a contact method (phone number, website, or social media account) has been flagged as suspicious by HKMA or reported by other consumers. Individual Hong Kong banks also publish fraud alerts on their own websites and apps — checking your bank's official fraud alerts page when you receive a suspicious communication claiming to be from that bank is a quick verification step that often confirms whether an active campaign matching the suspicious message has been reported.
