Fake ADCC and Brand Phishing Sites: How Hong Kong SMEs Can Protect Customer Trust and Payment Workflows
A Hong Kong retailer runs an online store promotion. Customer service replies through WhatsApp every day. The logistics team sends delivery updates. Finance occasionally sends a payment link for a deposit or balance payment. These are normal operating steps, but when scammers start impersonating government bodies, logistics providers, financial services, retail platforms and entertainment brands, customers may not know which link is real.
On 22 May 2026, HKCERT warned the public about phishing sites impersonating the Anti-Deception Coordination Centre (ADCC) and multiple well-known brands. The alert described fake websites using recovery-service claims, failed delivery messages, security verification, points redemption and promotional payment themes to trick users into entering personal data, account credentials, credit card information or one-time verification codes.
For Hong Kong SMEs, this is not only an IT issue. If a customer submits data on a fake page, the first question may be directed at the company: "Why did I receive this link? Did your system leak my information?" Phishing prevention therefore needs to move beyond customer education. It should be built into customer notifications, payment workflows, logistics updates, customer service scripts, CRM records and incident response.
Define the Official Customer Entry Points
Many companies have too many customer entry points: website, Facebook, Instagram, WhatsApp, phone, email, online shop, booking system, payment gateway and logistics tracking page. Customers may not know which one is official. Staff may also use private messages, manual short links or copied screenshots when under time pressure.
The first step is to create an "official channel register". A retailer, for example, can state that all payments are made only through checkout pages under the company domain; delivery updates are sent only through a named email address or official WhatsApp Business account; customer service will never ask users to enter credit card details or one-time passwords on an unfamiliar website.
The practical implementation can be simple. Store official URLs, WhatsApp accounts, support email addresses, payment pages and delivery-tracking pages inside the CRM or helpdesk template library. Staff then choose from approved templates instead of typing links manually. This reduces URL mistakes and prevents new staff from copying old messages without context.
Add Approval and Records to Payment Links
Phishing sites often use themes such as delivery fee top-ups, additional service charges, special offers or account verification. For SMEs, the riskiest area is the manual payment workflow: an order needs a balance payment, a customer changes a service package, a course needs a deposit, or an invoice needs to be settled quickly.
Payment links should become traceable workflow items, not free-form messages. For example, a training centre collecting a course deposit can create an order in the booking system. The system generates the payment page, and a manager can see the order number, customer name, amount, deadline and sending channel. The CRM records which staff member sent the payment notice and when.
This does not mean every SME needs a large new platform immediately. Even when using an existing payment gateway, the rules should be explicit: payment links must come from the company domain or a trusted payment platform; short links should not hide the destination; customers should never be asked to upload credit card details through WhatsApp; refund or recovery arrangements should always be verified through official phone or support email channels.
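The official channel register and the payment-link rules above can be checked mechanically before a customer message or template is sent. The following Python check is an added example, not code from HKCERT or technine.io; the register hostnames are constructed placeholders, the shortener list is a small sample, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed register entries: placeholder hostnames, not real company assets.
OFFICIAL_HOSTS = {"shop.example.hk", "pay.example.hk"}
TRUSTED_PAYMENT_HOSTS = {"checkout.gateway.example"}
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}  # sample list, extend as needed
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def check_link(url):
    """Return (allowed, reason) for one link in an outgoing customer message."""
    try:
        # .hostname drops any "user@" prefix and the port and lowercases the
        # host, so "https://pay.example.hk@other.example/" is other.example.
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not HTTPS"
    if parts.username is not None:
        return False, "userinfo before host hides the destination"
    if host in SHORTENER_HOSTS:
        return False, "short link hides the destination"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode host, possible lookalike"
    # Exact match only: suffix matching would accept pay.example.hk.other.example.
    if host in OFFICIAL_HOSTS or host in TRUSTED_PAYMENT_HOSTS:
        return True, "listed in official channel register"
    return False, "host not in official channel register"


def review_message(text):
    """Check every http(s) link in a draft; scheme-less links are not detected."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:!?)")  # drop sentence punctuation
        allowed, reason = check_link(url)
        findings.append((url, allowed, reason))
    return findings


if __name__ == "__main__":
    # Constructed draft message for demonstration.
    draft = ("Your balance is due. Pay at https://pay.example.hk/order/1001 "
             "or use https://bit.ly/3abcde. Do not use "
             "https://pay.example.hk.secure-check.example/order/1001.")
    for url, allowed, reason in review_message(draft):
        print("OK   " if allowed else "BLOCK", url, "-", reason)
```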
Build Anti-Fraud Checks Into Customer Service Scripts
Scammers often imitate a brand first, then move customers into an instant messaging conversation. HKCERT noted that fake ADCC websites used phrases such as free consultation or free investigation to lead users into fake WhatsApp conversations, where scammers could request more sensitive information or payments.
Businesses can add anti-fraud confirmations to customer service scripts instead of answering only when customers ask. A logistics company replying to a failed-delivery enquiry might include: "We will never ask you to enter credit card details on a non-official website. If you need to update an address, please use our website or call customer service to verify." An online store can include a fixed reminder in order confirmation messages: "If you receive an unknown link asking for additional payment, please verify it with our official customer service channel first."
The timing matters. Customers need the reminder when they are paying, changing delivery details, checking an order or redeeming points. Anti-fraud guidance is most useful when it appears inside the workflow where risk actually occurs.
Manage the Website and Search Surface
Some customers do not reach fake sites from company messages. They may click a search ad, a social media post or a forwarded link. HKCERT advises users to avoid unverified links and search ads for sensitive actions. Businesses should also manage their official search and brand surfaces.
Three steps are practical for most SMEs. First, clearly list official contact, payment and support channels on the homepage, contact page and checkout flow. Second, keep Google Business Profile, social platforms, email signatures and electronic receipts aligned with the same official URLs and contact details. Third, regularly search for the brand name, product names, campaign names and phrases such as "brand + payment" or "brand + delivery" to detect suspicious results or fake ads.
If the company already invests in SEO or content, add an official anti-fraud page to the website structure. The page can state what the company will not do: it will not request one-time passwords, collect payment through private accounts, or use unknown short links for extra charges. This page is not just a public notice. It can become a trusted source for customer service teams and AI search engines.
Prepare an Internal Response Workflow
When a customer or staff member finds a suspected fake site, the worst outcome is a group chat full of screenshots with no owner. Phishing response needs a simple incident workflow.
A workable process is: customer service records the URL, screenshots, time and channel provided by the customer; operations decides whether payment or personal data is involved; IT or the website owner checks for abnormal logins, content changes or possible data exposure; management decides whether a customer notice is needed; if there is an information security incident, the company can report it to HKCERT; if fraud is involved, the customer should verify through official Police or ADCC channels.
Example: an online store receives a customer report about a fake delivery-failure page asking for an additional delivery fee. Customer service records the URL and screenshots in a CRM ticket. Operations confirms there is no such fee arrangement. IT checks email sending logs and the store backend. Marketing posts an official reminder. The customer service template is updated immediately to state that the store will not ask customers to enter credit card details on an unknown site because of a failed delivery.
Use Systems to Reduce Ad Hoc Decisions
Phishing risk often appears in ad hoc situations: an urgent balance payment, a delivery address change, a refund request, or a customer service conversation moved to another WhatsApp number. When the process depends on staff judgement in the moment, the risk of error increases.
System integration helps narrow the risk. A booking system can unify bookings, payments and notifications. A CRM can keep customer conversations and sending records. An e-commerce backend can restrict refund and additional-payment permissions. A helpdesk platform can send only approved templates. A management report can surface unusual payments, repeated refunds or high-risk enquiries.
These changes do not need to happen all at once. Hong Kong SMEs can start with the workflows closest to revenue and customer trust: payment, delivery, refund, account login and booking changes. For each workflow, ask four questions: where does the customer receive the link, who is allowed to send it, does the system keep a record, and who handles the case if something goes wrong?
A 30-Day Implementation Checklist
Week one: create the official channel register. Include website, payment page, support email, WhatsApp, social platforms, logistics tracking and booking system. Also list channels that should not be used, such as private accounts, manual short links and informal payment methods.
Week two: update customer service and payment templates. Add anti-fraud reminders, remove unnecessary short links, and ensure payment or data submission goes only to the official website or trusted platforms.
Week three: define the incident workflow. Clarify the responsibilities of customer service, operations, IT and management. Prepare a fake-site report form that captures URL, screenshots, time, channel and customer impact.
Week four: embed the process into systems. Store approved links inside the CRM, booking system, helpdesk platform or internal knowledge base. Set permissions so staff cannot freely send payment or data-collection links without a trace.
Conclusion
Phishing sites may be created by external scammers, but customers experience the issue as a question of company reliability. When payment, customer service, logistics, booking and CRM workflows have official entry points, records, approvals and response procedures, the company is not merely telling customers to be careful. It is building trust into daily operations.
technine.io helps Hong Kong businesses design and integrate websites, CRM, booking systems, payment workflows, customer service automation and cybersecurity operating processes. If your team still relies on manual messages, ad hoc payment links or scattered customer channels, now is the right time to turn those high-risk touchpoints into manageable systems.