Hong Kong Cracks Down on Phishing Attacks with Stricter Crypto Authentication Rules
The Hong Kong Securities and Futures Commission (SFC) has issued new requirements for phishing-resistant authentication methods for virtual asset trading platforms (VATPs) and online brokers in the region.
The measures, which must be implemented within the next 12 months, prohibit the use of one-time passwords through SMS, email or app-based logins. Instead, stronger alternatives such as passkeys, registered devices with cryptographic verification, and hardware security keys will be used.
The move aims to raise Hong Kong's cybersecurity standards in response to a global increase in phishing attacks and social engineering scams in the first quarter of 2026. The crypto industry saw total losses of $482 million, with $306 million attributed to phishing-related incidents.




