Fake police officers, bank fraud departments, and government officials — vishing calls are among the most psychologically effective scams in Hong Kong, using authority and fear to extract money and personal information in real time.
Vishing — voice phishing — uses telephone calls to deceive victims into disclosing personal information, transferring money, or taking actions that compromise their security. Unlike email phishing where the victim has time to examine a message at their own pace, vishing operates in real time: the victim is on the phone with a live or automated voice, under time pressure, and without the ability to independently verify anything while the call is in progress. This real-time dynamic is what makes vishing uniquely effective — rational scrutiny is harder to apply when you are responding to a live conversation driven by someone who controls the flow.
Vishing calls in Hong Kong exploit specific cultural and institutional factors. Respect for authority is deeply embedded in Hong Kong culture, and calls purporting to come from the police, the ICAC, the Immigration Department, or government departments carry a weight of authority that is difficult to challenge even when scepticism is warranted. Scammers use this by scripting calls to sound procedurally official — citing case numbers, reference codes, warrant details, and formal language that mimics genuine official communications. They often begin by providing details about the victim (name, HKID partial numbers, address) sourced from previous data breaches, establishing apparent legitimacy before making demands.
Caller ID spoofing makes vishing significantly more convincing. Attackers can make calls appear to come from any phone number — including the published numbers of HSBC, the HKPF, the Immigration Department, or the IRD. Seeing a number you recognise as official on your screen reinforces the caller's claimed identity, even though caller ID is trivially spoofable and provides no verification of the actual caller. In Hong Kong, documented vishing campaigns have spoofed HSBC's published customer service number, HKPF headquarters, and the ICAC hotline — numbers that carry immediate authority recognition for Hong security Guide for Hong Kong Residents">Kong residents.
The "mainland police" vishing scam has been one of the highest-value fraud types reported in Hong Kong for several years. The call typically begins with a recorded automated message claiming to be from the Mainland Chinese public security authority or a courier company, advising that a package in the victim's name has been intercepted containing contraband, or that the victim's identity has been used in a mainland crime. The call transfers to a "mainland police officer" or "prosecutor" who claims a warrant for the victim's arrest is outstanding. To resolve the matter without arrest, the victim must pay a security deposit or provide bank account details for a "fund freeze verification". These calls have resulted in some of the largest individual fraud losses ever recorded in Hong Kong, reaching tens of millions of HK dollars in some cases.
Bank impersonation vishing involves a caller claiming to be from the fraud department of the victim's bank, advising that suspicious transactions have been detected on their account. The caller asks the victim to confirm their full account details, online banking password, or the OTP they are about to receive by SMS — which the attacker is simultaneously triggering by attempting to log in to the victim's real account. The sense of urgency created by the apparent fraud alert suspends the victim's natural scepticism; they believe they are protecting their account when they are actually handing access to an attacker. Legitimate bank fraud departments will never ask for your full password or an OTP during an inbound call.
AI-powered voice cloning has added a new dimension to vishing. Voice cloning tools can create a convincing facsimile of a specific person's voice from a few minutes of audio — which is readily available for many individuals from social media videos, YouTube recordings, or professional audio content. In Hong Kong business contexts, vishing attacks using AI-cloned voices of CEOs and senior managers have been used to authorise fraudulent payments — a form of Business Email Compromise executed via voice rather than email. These attacks are increasingly reported by Hong Kong finance professionals and are expected to become more prevalent as the technology becomes more accessible to lower-sophistication attackers.
The most important recognition principle is that legitimate organisations in Hong Kong do not demand immediate financial action or personal disclosure during an inbound call. The HKPF, ICAC, Immigration Department, IRD, and all major banks will never call you unexpectedly and demand on-the-spot payment, immediate bank transfers, or ask you to provide OTPs, full passwords, or complete HKID details during that call. If an inbound call creates urgency around any of these actions, this urgency itself is the red flag — it is deliberately engineered by the scammer to prevent you from pausing to verify. The correct response to any such call is to end it and independently verify through official contact details you find yourself.
Particular language patterns indicate vishing. Phrases like "do not hang up as this will be treated as non-cooperation", "do not tell your family about this matter as it is under investigation", "you must not contact your bank as this account is under investigation", and "if you cooperate now this can be resolved without arrest" are scripted manipulation techniques designed to isolate the victim and prevent verification. These isolation techniques are a signature of mainland police and ICAC impersonation scams, and hearing any of these phrases should confirm the call is fraudulent. Real law enforcement agencies have transparent processes; they do not conduct investigations by requiring immediate telephone payment.
When you receive a suspicious call from a number claiming to be official, do not rely on the displayed caller ID as verification. Hang up and call back on the number listed on the organisation's official website — the bank's official customer service number, the HKPF's published line, or the relevant government department's official contact. When calling back, be aware that scammers sometimes attempt to keep victims "on hold" while maintaining the connection to prevent them from making an independent call — ensure you have fully ended the call before dialling back on a separate line or device.
If you received a vishing call but did not provide information or transfer money, report the call regardless. Reporting attempted vishing to HKPF at 182 388 and to HKCERT at hkcert.org helps intelligence agencies track active vishing campaigns and may lead to intervention before other victims are defrauded. Note the number that appeared on your screen (even knowing it is spoofed), the time and duration of the call, the language used, and any case numbers or names mentioned by the caller — this detail helps investigators identify the scam campaign and its origin.
If you disclosed personal information during a vishing call, assess what was provided and act accordingly. If you gave your bank account number or partial HKID, monitor your accounts closely for unauthorised transactions or credit applications. If you provided online banking credentials or read out an OTP, contact your bank's fraud line immediately using the number on the back of your card — your account may already be compromised. If you gave your full HKID and date of birth, report to the PCPD (Office of the Privacy Commissioner for Personal Data) and consider placing a protective alert with the credit reference agencies (TransUnion HK) to flag any fraudulent credit applications made in your name.
If you transferred money as a result of a vishing call, act immediately. Call your bank's fraud line and the ADCC at 18222 — the Anti-Deception Coordination Centre operates a financial interception service and works directly with banks to attempt to halt fraudulent transfers before they are complete. File a formal report with HKPF as soon as possible, as this is required for any subsequent civil recovery action and enables police to investigate the recipient account. Understand that while fund recovery after transfer is not always possible, early reporting significantly improves the chances and also helps police disrupt the fraud operation before more victims are targeted.
