With rising phishing scams, Indonesia needs regulatory change
In Indonesia, phishing schemes pose a major risk to people's personal finances and wellbeing – and these digital annoyances are on the rise.
Indonesia’s rapid digital growth has increased its vulnerability to phishing, a form of cyberattack in which users are deceived into revealing sensitive information.
The Anti-Phishing Working Group, an international coalition tackling cybercrime, reported 877,536 phishing incidents worldwide in the second quarter of 2024 (Q2) alone. The National Cyber and Crypto Agency of Indonesia reported a significant 70 percent increase in phishing cases recorded throughout the year compared to 2023, with many Indonesians experiencing financial and emotional impacts as a result.
Addressing the root causes of these sophisticated scams is crucial to better protecting society against these evolving cyber threats.
The current phishing landscape in Indonesia
Phishing, a common form of cybercrime, uses fraudulent messages on social media, email, or websites to gather private data.
Cybercriminals — including those that engage in phishing — often exploit human vulnerabilities through social engineering, manipulating users to reveal sensitive information or compromise security. Scammers often do this through deceptive interactions like phone calls or emails where they pose as trusted figures, such as bank representatives or family members, to convince victims they have financial issues and trick them into sharing sensitive account details like PINs, passwords, or OTPs.
By exploiting people’s trust, fear, curiosity and sense of urgency, they persuade users to bypass security measures and reveal credit card details, passwords or other sensitive data.
Some phishing scams exploit the deep-rooted connections within Indonesian families and communities, manipulating an individual’s sense of responsibility and trust. In many cases, scammers pose as a relative or close friend in distress, such as needing urgent financial help or medical emergencies, resulting in the victim acting quickly without questioning the situation.
Other phishing techniques capitalise on people’s inherent tendency to trust seemingly credible sources, such as requests from community leaders or communications purportedly from family members.
A study by Universitas Gadjah Mada found that “reward-giving” phishing – where the scammers trick victims by impersonating a trusted organization and directing them to click a link that steals their personal or financial information to claim the reward – is the most common tactic used in Indonesia: it affected 36.9 percent of respondents, followed by malware (33.8 percent) and family crisis scams (26.5 percent).
Reports by the Anti-Phishing Working Group show that social media remains the top target for cyberattacks globally, accounting for 37.6 percent in Q1 and 32.9 percent in Q2 of 2024. The next most popular targets for cybercrime are ‘Software as a service’ platforms, which allow users to connect to cloud-based apps over the internet and webmail services. They made up 21 percent of all global cyberattacks in Q1, rising to 25.6 percent in Q2.
This blend of tech-based deception and psychological tactics poses significant digital risks.
A recent UN report highlighted the substantial financial impact of cybercrime worldwide, with losses reaching billions of dollars in 2023.
According to the report, cyber scams in East and Southeast Asia caused financial damages ranging from USD 18 billion to USD 37 billion in 2023. In Indonesia, these scams predominantly target middle- to low-income individuals who may be unaware of digital security measures and have limited access to digital tools for securing their bank accounts.
Individuals experience not only financial losses but also significant emotional distress due to phishing schemes. Scams that drain savings have left families in financial crisis, resulting in mental health problems and the breakdown of familial relationships.
Several factors combine to make perfect phishing conditions
The rise of phishing scams in Indonesia is driven by several factors, one of them being the nation’s widespread lack of digital literacy. Phishing attacks often exploit users’ lack of knowledge in identifying phishing emails or text messages and their inability to implement basic security measures.
Despite Indonesia’s swift digital advancement, there is a notable inconsistency in digital literacy among its population. While Indonesia’s Digital Literacy Index scores rose slightly from 3.49 in 2021 to 3.54 in 2022, according to The Economist Intelligence Unit, Indonesia is still ranked 61st out of 100 countries — one of the lowest — based on its level of education and preparedness to use the internet. Indeed, a 2023 study revealed only 50 percent of Indonesia’s digital talent pool has “basic to intermediate” digital skills, with just 1 percent skilled at advanced levels in Artificial Intelligence (AI) and the Internet of Things (IoT).
This issue may stem from the lack of formal education and technological training. However, younger people tend to be more digitally aware of phishing as a result of using digital technologies from an early age. According to a study conducted by SMERU Research Institute in 2022, internet users in Indonesia are generally young, with 77 percent aged 10-29 years old, while only 21 percent are aged over 50.
Another key factor allowing cybercrime to flourish is weak regulatory oversight.
Although the Indonesian government has put some digital policies in place, the sheer volume of digital fraud and the rapid change in scamming techniques make it difficult to enforce these policies. According to one study on cyber framework regulations, although Indonesian law addresses certain aspects of digital fraud, jurisdictional limitations make it difficult to enforce cross-border cybercrime.
The rise of digital addictions is another concerning factor contributing to phishing scams. A growing number of young people in Indonesia are becoming addicted to digital devices, particularly when it comes to gaming, online gambling and — more concerningly — illegal financial lending apps.
Scammers often use these platforms to collect sensitive data that they may use in phishing attacks. What’s more, a UN study found that online lending has resulted in debt cycles for millions of Indonesians, making them more susceptible to scams that promise “debt relief” or other forms of financial assistance.
The way forward
Indonesia’s efforts to raise awareness of phishing have generally focused on institutional and workplace training, but have not successfully reached the general population.
To better protect Indonesians, a range of solutions could be implemented to target the many factors driving the growth of these sophisticated scams.
Boosting digital literacy could help provide wider protection and enable people to identify and react to phishing efforts wisely.
Broad educational programs that integrate cybersecurity instruction with digital literacy courses are one option. Involving governmental and cybersecurity authorities in these efforts and using a variety of communication channels, such as social media, for awareness campaigns could also help to better protect the public from phishing risks.
Researchers have found that Indonesians in rural regions are more vulnerable to phishing than their city counterparts because awareness campaigns to date have mostly targeted metropolitan residents. As mentioned earlier, older Indonesians may be more vulnerable to phishing scams as a result of less time spent online. Thus, improving public awareness and education regarding digital literacy, especially among elderly or rural communities, is crucial.
Another key potential solution: enhancing digital regulation, including more stringent enforcement of existing regulations and fostering global collaboration to address cybersecurity risks. Governments can take inspiration from countries such as Finland, where robust policies and government support have successfully made the country one of the lowest-risk nations in terms of cybersecurity.
In addition to regulatory improvements, organizations seeking to protect their data or workforce against phishing can take some additional steps. For example, they could implement frequent phishing simulations and train staff members in advanced technical tools that can help minimise vulnerabilities, including multi-factor authentication and AI-based threat detection.
Finally, creating a collaborative effort among governments, corporations and tech platforms is essential. Collaborators should work together and promote safe digital habits, such as creating strong passwords and regularly updating software. By implementing this diversified strategy comprehensively, Indonesia can better safeguard its citizens from the growing threat of cybercrime.
Ivan Sebastian Edbert is a lecturer at the School of Computer Science, BINUS University, Indonesia. His research centres on Artificial Intelligence, Computer Vision and UAT.
Alexander Agung Santoso Gunawan is a lecturer at the School of Computer Science and the leader of the Artificial Intelligence in Geospatial Economics Research Interest Group at BINUS University, Indonesia. His research centres on data science, GeoAI, computer vision, machine learning and robotics.
Originally published under Creative Commons by 360info™.