LCQ7: Combating phishing
************************
     Following is a question by the Hon Chan Kin-por and a written reply by the Secretary for Security, Mr Tang Ping-keung, in the Legislative Council today (May 7):
 
Question:
 
     The Hong Kong Computer Emergency Response Team Coordination Centre handled a total of 12 536 security incidents last year, with phishing accounting for over half of all cases, marking a 108 per cent increase from 2023. In addition, between January and February this year, the Hong Kong Monetary Authority (HKMA) posted on its website press releases on phishing instant messages and fraudulent websites related to banks more than 50 times. Regarding combating phishing, will the Government inform this Council:
 
(1) of the respective numbers of fraud cases involving phishing and the losses incurred in each of the past five years, together with a breakdown by industry;
 
(2) among the phishing websites reported by members of the public on the public intelligence platform since the launch of "Scameter", of the proportion of those that have actually been added by the Police to the scam database; whether a mechanism for immediate takedown of the reported phishing websites has been put in place; if so, of the average time taken to take down such websites;
 
(3) as it has been reported that in view of the susceptibility of SMS messages issuing an SMS one-time password (OTP) to interception by hackers, the HKMA has requested that banks implement measures by the end of last year requiring customers to authenticate online credit card transactions using the banking applications in their mobile phones instead of using an SMS OTP for authentication, whether the HKMA will formulate a specific timetable for phasing out OTP authentication; if so, of the details; if not, the reasons for that; and
 
(4) as the Office of the Communications Authority has launched the SMS Sender Registration Scheme for companies or organisations that have registered as Registered Senders to use SMS messages with the prefix "#" in order to help members of the public ascertain the authenticity of SMS messages, but it has been reported that some fraudsters use fraudulent mobile base stations, which are illegal radio devices, to circumvent the existing mechanism, impersonating official or financial institutions to send fraudulent SMS messages, whether the authorities will study the formulation of measures to address the aforesaid situation, and at the same time step up publicity to raise the public's anti-deception awareness; if so, of the details; if not, the reasons for that?
 
Reply:
 
President,
 
     Deception is a serious crime. Regardless of the tactics used by criminals, we will take stringent combat actions as long as illegal activities are involved. Phishing scams as mentioned in the question generally refer to a crime where illegal elements send out SMS messages, emails, voice messages, QR codes, etc, to potential victims en masse, impersonating organisations such as banks, telecommunication service providers (TSPs) or even government departments. Alleging that irregularities in the recipients' accounts are detected or account verification is needed, criminals lure recipients of the messages into clicking on an embedded link and entering a fake website to provide their account login credentials, credit card information, personal information, etc. The criminals will then use such information to make purchases with credit cards or transfer the bonus points out of the recipients' accounts. The Police have been making every effort to combat various types of fraud cases, including phishing scams, in collaboration with different government departments. Apart from taking intelligence-led enforcement actions, the Police are raising public awareness against this type of crime through public education and promotional activities.
 
     In consultation with the Financial Services and the Treasury Bureau and the Commerce and Economic Development Bureau, the reply to the Member's question is as follows:
 
(1) The Police have maintained statistics on phishing scam cases since 2023. In 2023 and 2024, 4 322 and 2 731 cases on phishing scam were received respectively. The monetary losses involved were $102.4 million and $53.5 million respectively. In the first two months of 2025, the Police received a total of 242 phishing scam reports, a decrease of 347 cases (58.9 per cent) as compared with the same period last year. The monetary loss involved decreased by 54.2 per cent to $4.9 million.
 
     The Police do not maintain any breakdown by industry in relation to phishing scams.
 
(2) "Scameter" has yielded remarkable results since its launch in September 2022. As at February 2025, more than 7.60 million searches had been recorded and about 950 000 alerts on frauds and cyber security risks had been issued. Members of the public had also reported over 355 000 suspicious phone calls and over 38 000 suspicious websites through the public intelligence platform of "Scameter".
 
     In February 2023, the Police launched a mobile application version, "Scameter+", to help members of the public distinguish suspicious online platform accounts, payment accounts, phone numbers, email addresses, websites, etc, and to provide the public with anti-fraud tips. "Scameter+" has now been upgraded and is equipped with automatic detection functions, namely the Call Alert function and the Website Detection function, which will automatically identify scam calls and fraudulent websites. If potential fraud or cyber security risk is detected, "Scameter+" will issue a real-time notification, reminding users not to answer the call or browse the website. There is also a public intelligence platform in "Scameter+" for members of the public to report frauds and pitfalls, thereby further enriching its database.
 
     The Police update the database of "Scameter" on a daily basis and will continuously review and enhance its functions, while strengthening other anti-fraud measures in a proactive manner. The database of "Scameter" comprises information collected from reports made by members of the public and obtained by the Police from other channels, including criminal investigations and intelligence. We do not maintain statistics on the percentage of phishing websites reported by the public that have actually been added by the Police to the scam database.
 
     Moreover, under the co-ordination of the Office of the Communications Authority (OFCA), the Police and major TSPs have established a mechanism where TSPs will, based on the fraud records provided by the Police, block the telephone numbers suspected to be involved in deception cases and intercept suspicious website links as soon as possible. As at end February 2025, the TSPs had successfully blocked about 40 000 website links involved in fraud cases and more than 8 600 suspected fraudulent phone numbers at the Police's request. The OFCA does not maintain any record of the average time required for relevant actions by TSPs.
 
(3) The Hong Kong Monetary Authority (HKMA) has been closely monitoring the trend of digital frauds and actively encouraging banks to implement effective anti-fraud measures. In line with the HKMA's guidelines, card-issuing banks have gradually started providing customers with more secure authentication methods since late 2024. Customers can authenticate online payment card transactions through their bank's mobile application (App) instead of using SMS One-Time Passwords (OTPs). According to banks' statistics, the related fraud rate has decreased by nearly 80 per cent.
 
     In response to the latest modus operandi of digital frauds, the HKMA announced three new measures in April 2025, which are succinctly referred to as E-Banking Security ABC. The measures require banks to strengthen E-banking security to further enhance customers' fraud prevention capabilities.
 
     Firstly, banks are required to implement (A) a new measure called Authenticate in-App by Q4 2025 or earlier. Thereafter, when customers log into Internet banking and conduct high-risk transactions (such as adding new payees, increasing transfer limits, changing the phone number for receiving bank notifications, or binding Internet banking accounts to mobile devices), they will need to conduct authentication through their bank's mobile App instead of using SMS OTPs. Furthermore, starting in Q3 2025, when customers bind or rebind their mobile devices, they will have to conduct authentication via facial recognition or similarly stringent authentication methods (such as visiting a branch in person), replacing the current practice of using SMS OTP for two-factor authentication. If customers insist on using SMS OTPs for authenticating transactions or device binding, banks will need to follow the HKMA's requirements, and implement effective risk management measures for those transactions or binding requests, such as enhancing the monitoring of related transactions and deferring the execution of higher-risk transactions. These measures will help gradually phase out the use of SMS OTPs for authentication purposes.
 
     Additionally, banks will also need to implement the remaining two new measures, namely (B) "Bye to unused functions" and (C) "Cancel suspicious payments", during Q2 2025. The former will give customers the option to deactivate Internet banking functions like increasing transfer limits and adding new payees, to better suit their personal needs while strengthening risk management. The latter will further enhance the effectiveness of the Suspicious Account Alert mechanism, and provide customers with sufficient time to review the alert content.
 
     Together, the three new measures referred to as E-Banking Security ABC mentioned above will offer more comprehensive fraud prevention and protection coverage for bank customers.
 
(4) The SMS Sender Registration Scheme (the Scheme) was implemented on December 28, 2023, and was fully opened to all industries in February 2024. As at end March 2025, over 495 public and private organisations (including the Immigration Department, the Department of Health, the Police and the Consumer Council) have participated in the Scheme. Under the Scheme, only those companies or organisations qualified as Registered Senders are able to send SMS messages using their Registered SMS Sender IDs with the prefix "#". TSPs will block fraudulent SMS messages sent by non-Registered Senders via the Internet. In addition, to enhance the implementation effectiveness of the Scheme, the OFCA will, after obtaining the consent of the Registered Senders, request TSPs to prohibit non-"#" SMS messages suspected to impersonate identities of a Registered Sender, further safeguarding the public's interest. An SMS Sender Registry is available on the OFCA's website for the public to verify registered companies, and efforts will continue to engage more organisations to participate in the Scheme.
 
     In mid-February this year, there were public enquiries about suspected fraudulent SMS messages with the prefix "#". The Police and the OFCA were highly concerned. Of the 31 reports received by the Police, two involved monetary losses, totalling about $30,000. The Police subsequently arrested a male and seized illegal radiocommunications apparatus. A joint press briefing with the OFCA was held to brief the public on how to stay vigilant against this type of fraud. The incident was an isolated case, and the relevant apparatus could only affect mobile phones within a limited area without undermining the overall implementation effectiveness of the Scheme. The OFCA has requested all TSPs to enhance monitoring of abnormal network signals, and has established a reporting mechanism. If similar cases are detected in future, the OFCA will promptly co-ordinate with the Police to take follow-up actions.
 
     In response to these illegal activities, the Police will continue to adopt a multipronged approach, including use of technology in fraud prevention and enhanced enforcement actions, to combat fraud on all fronts. Regarding use of technology in fraud prevention, the Police will collaborate with other departments to step up interception of suspicious transactions and fraudulent phone calls. Anti-scam applications will also be upgraded to provide immediate alerts. Enforcement-wise, the Police will carry out rigorous investigation on money laundering activities and stooge accounts, and will work with overseas law enforcement agencies to combat cross-border fraud syndicates.
 
     Apart from resolute law enforcement actions, the Government has adopted a multipronged publicity strategy to enhance public awareness of fraud. The Police will continue to work jointly with the OFCA and the industry in stepping up publicity and education, with a view to raising the public's anti-deception awareness. The OFCA and TSPs will strengthen monitoring on network signals and take timely response measures when abnormalities are found.
 
     Specifically, in January 2025, the OFCA launched the District Anti-Phone Deception Ambassador Scheme, which received support from more than 150 District Council (DC) members' ward offices covering 18 districts in Hong Kong with the participation by more than 300 DC members and their staff members, to promote anti-phone scam messages at district level. The OFCA will continue to step up publicity and public education in the community through issuing press releases, broadcasting TV and radio announcements, publishing social media posts, producing and distributing promotional leaflets and posters, and organising various different community activities to deliver anti-phone scam messages to the public more comprehensively. Since 2023, the OFCA has conducted a total of 21 roadshows with Legislative Council Members and DC members, and organised 182 public education and publicity programmes. 
 
     To combat the rampant phishing scams, the Police have increased publicity efforts. Through the Police electronic platform, the website CyberDefender as well as traditional media, the Police have educated the public about common and new tactics used by fraudsters. The Police have warned members of the public not to click onto any hyperlink embedded in messages of unknown sources or suspected to contain phishing websites. Instead, they should contact the relevant institution directly for verification, or carry out risk assessment and fact checking using the "Scameter" or "Scameter+". For assistance, they are advised to call the Anti-Scam Helpline 18222.
 
Ends/Wednesday, May 7, 2025
Issued at HKT 12:20