Reporting phishing and scams is not just about recovering your own losses — it helps authorities disrupt fraud operations, protect others, and build the intelligence picture that enables enforcement. Here is exactly who to contact and how.
The Hong Kong Police Force Cyber Security and Technology Crime Bureau (CSTCB) is the primary law enforcement body for cybercrime in Hong Kong. For non-emergency cyber fraud and phishing reports, call 182 388 or report online through the HKPF's Cyber Crime Reporting Portal. For financial fraud in progress — where money has just been transferred or you believe a transfer can still be intercepted — call 999 or the Anti-Deception Coordination Centre (ADCC) at 18222. The ADCC operates specifically to intercept fraud in progress and has direct relationships with banks enabling faster action than standard police reporting channels.
The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) handles phishing website and infrastructure reports. HKCERT works with hosting providers and domain registrars to take down phishing websites, coordinates with international CERT bodies for cross-border phishing infrastructure, and provides public advisories about active phishing campaigns. Report phishing websites, malicious URLs, and suspected malware to HKCERT at hkcert.org/report. HKCERT does not handle financial recovery or criminal investigations — its focus is on technical takedown and public awareness, and it handles both individual and business reports.
The Office of the Privacy Commissioner for Personal Data (PCPD) is the appropriate reporting body when personal data has been disclosed as a result of phishing or a data breach — HKID numbers, addresses, financial data. PCPD can be contacted at [email protected] or 2827 2827. For financial fraud involving bank accounts or payment systems, your bank's own fraud team is a critical first contact — they can freeze accounts and initiate internal investigation processes that the police and HKCERT cannot. The SFC is the reporting body for investment fraud and unlicensed securities activity. Each body handles a specific aspect, and comprehensive reporting often means contacting more than one.
Effective phishing reporting requires preserving evidence before it disappears. Phishing websites are often taken down quickly — either by the attacker to avoid detection or by hosting providers acting on abuse reports — so screenshotting the fraudulent site and noting the full URL is important. For phishing emails, forward the original message including full email headers to HKCERT and to your email provider's abuse address — headers reveal the true sending infrastructure and are critical for technical investigation. Do not just forward the message body; the headers require accessing the "view source" or "show original" option in your email client.
For financial fraud, document all transaction details: the date and time of any transfers, the recipient account number and bank, the amount, the reference used, and any confirmation numbers. If the fraud involved a fraudulent website, preserve the URL and screenshots of any pages where you entered information. If it involved a phone call, note the number displayed (even knowing it may be spoofed), the time of the call, the language used, any case numbers or names mentioned, and the demands made. This documentation serves both the formal police report and any subsequent civil recovery action, and is required for insurance claims under cyber insurance policies.
For SMS phishing (smishing), forward the fraudulent SMS to your mobile carrier's spam reporting service before deleting it — PCCW/HKT, CSL, and SmarTone all provide SMS spam reporting channels. For WhatsApp scams, report the message within the app using the Report function (long-press the message → Report) and also take screenshots before doing so, as reporting may result in the message being removed from your view. For social media scams, use the platform's reporting mechanism for fraudulent accounts or posts in addition to formal reporting to HKPF — platform takedowns are often faster than formal investigation processes.
Email phishing should be reported to your email provider's abuse or phishing reporting channel ([email protected] for Microsoft 365/Outlook, [email protected] for iCloud, and the spam/phishing reporting button in Gmail), to HKCERT at hkcert.org/report for website takedown, and to the impersonated organisation's security or fraud team. Banks maintain dedicated phishing reporting addresses — HSBC uses [email protected], and other major HK banks have similar dedicated channels. These reports enable the bank to alert their customers, engage with HKCERT for site takedown, and potentially provide intelligence to HKPF for investigation.
For investment scams and suspected unlicensed investment activity, report to the SFC at sfc.hk/complaint and to the ADCC at 18222 if funds have been transferred. The HKMA maintains a scam alert list of suspicious financial entities and accepts reports of suspicious virtual asset platforms. HKPF should also receive a formal report, particularly for pig butchering and other investment fraud where significant financial losses are involved — the Cyber Security and Technology Crime Bureau handles investment fraud cybercrime alongside its broader cybercrime mandate. Report to the PCPD if personal data was extracted as part of the investment scam.
For phishing that impersonates government departments — IRD, Immigration, ICAC, Labour Department — report to both HKPF and directly to the impersonated department. Most government departments publish dedicated fraud alert channels: the ICAC maintains a corruption reporting hotline at 2526 6366, the IRD provides a dedicated fraud report channel on their website, and the Hong Kong Customs and Excise Department accepts reports of customs impersonation fraud. Reporting to the impersonated government body enables them to publish public warnings that protect other potential victims, and government bodies often move quickly to issue press releases warning the public when an active impersonation campaign is identified.
Many people who successfully identify and avoid a phishing attack do not bother reporting it, reasoning that since they were not harmed, the report adds little value. This reasoning, while understandable, underestimates the collective protective value of phishing reports. Each report of an active phishing website provides HKCERT and their international partners with the information needed to initiate takedown requests to the hosting provider — and faster takedowns directly reduce the number of victims who reach the site before it is removed. A phishing site that receives ten reports and is taken down the same day exposes far fewer victims than one that operates undetected for a week.
Intelligence about phishing campaigns — the organisations being impersonated, the message content, the domains being used — enables HKPF and HKCERT to publish public warnings that pre-empt harm. When a new smishing campaign impersonating HK Post or a specific bank is identified through early reports, a public advisory warning can be issued within hours, reaching millions of potential victims before the campaign fully deploys. This early warning system only functions if people report early — waiting until significant harm has already occurred reduces the intelligence value substantially. Hong Kong has a well-developed public advisory infrastructure that depends on timely public reporting to remain effective.
For victims who experienced financial loss, formal reporting to HKPF is a prerequisite for any subsequent recovery action. Without a police report number, civil recovery proceedings cannot be initiated, cyber insurance claims cannot be processed, and victims cannot access the limited victim support services available. Even in cases where prosecution is unlikely — small-value frauds, overseas perpetrators — the formal report creates a record that contributes to crime statistics, informs policy, and builds the case for enhanced regulatory action. Reporting is also a legal requirement in some professional contexts: financial services firms regulated by the HKMA and SFC have explicit notification obligations when they suffer certain types of cyber fraud.
