Phishing alert as Hong Kong workers warned to be wary of fake company emails

Almost 10 per cent of workers clicked on a fake human resources department survey, a test involving 37,220 employees found

Reading Time:2 minutes

Employees tend to lower their guard when internal emails come from within their company, police say. Photo: Shutterstock

Published: 9:35pm, 24 Jan 2025

Hongkongers should beware of fake internal company emails and communication from business partners to avoid phishing scams, police and technology firms have warned, after a drill exposed the risks.

Superintendent Baron Chan Shun-ching of the force’s cybersecurity and technology crime bureau said an exercise carried out from last August to December involving 216 companies found that a fake human resources department survey received the highest rate of clicks from workers.

The drill, organised by police and government-designated domain registration service provider the Hong Kong Internet Registration Corporation, tested 37,220 employees across the participating companies with four templates of common phishing emails. Any clicks into the phishing templates would be counted.

“Employees tend to lower their guard when facing internal emails from within the company,” Chan said.

“They will think it’s urgent and there’s a need to keep their managers informed.”

Among four types of phishing emails sent to employees, a fake human resources department survey request was clicked on by 9.5 per cent of participants.

That was followed by a fake bank account safety alert email, which 4.2 per cent of participants clicked on. A fake IT department system testing request and a sham update request from video conferencing software were opened by around 3 per cent of participants.