Tuesday, 23 June 2026

Phishing and Financial Cybercrime: How It Works and How to Avoid It

Cybersecurity & Banking

One fake link can drain your entire account in seconds. Understand how it works before you become a victim.

Key figures:
- 90%+ of cyberattacks begin with a phishing email
- <60 sec: the time it takes to drain an account after credentials are stolen
- 300% increase in phishing attacks during the pandemic period

You receive a WhatsApp message from your "bank" saying your account will be blocked. There's a link to "verify" your data. The link looks exactly like your bank's website. You click it, enter your username and password. Within one minute, all your money is gone. That's the power of phishing.

Phishing is one of the oldest and most effective forms of cybercrime still in existence today. The method is simple yet devastating: scammers impersonate legitimate institutions — banks, investment apps, e-wallets, or even tax authorities — and send fake messages via WhatsApp, email, or SMS. These messages contain links that lead to fake websites that look nearly identical to the real ones.

When victims enter sensitive data like usernames, passwords, PIN numbers, or OTP codes on these fake sites, scammers instantly capture that data and use it to access the victim's bank accounts or investment portfolios in real-time. What makes phishing so dangerous is its ability to bypass many layers of technical security — because the attack targets not the system, but the human.

How Phishing Works: Anatomy of an Attack

Every phishing attack follows the same pattern, though the details keep evolving. Here are the four main stages that occur in every successful phishing attack.

📨 Stage 1: Sending the Fake Message (Entry Point)

The scammer sends a message via WhatsApp, email, SMS, or even phone calls. The message is designed to create fear or urgency: "Your account will be blocked," "There's suspicious activity," "Verify your data now," or "Click this link to claim your reward."

The message impersonates a trusted institution like a major bank, a popular investment app, an e-wallet, or even a government agency. The sender's identity is often spoofed to appear official — for example, the sender's name on WhatsApp might be "BCA Bank" or "DANA Official."

Special Note: Scammers leverage data breach information to send messages that appear personal. They might mention your name or reference your recent transactions — making the message more convincing and increasing the likelihood you'll click the link.

🔗 Stage 2: The Fake Link (Key Element)

The link in the message leads to a website designed to closely mimic the legitimate site. Scammers copy logos, layouts, colors, and even text from the official site. The difference between the real site and the fake one is often very subtle: a small change to the URL (e.g., "bca.co.id" becomes "bca.co.id.co", where the real name is only a subdomain of an unrelated domain) or a similar-looking domain ("bca-login.com" instead of "bca.co.id").

Some links use URL shortening services (like bit.ly) to hide the actual address. On mobile devices, the address bar often isn't fully visible, making these scams even harder to detect.

How to Check a Link: Don't click links directly from messages. Instead, hover over the link (on desktop) or long-press the link (on mobile) to see the actual URL. If the URL looks suspicious, don't click it. Open the official site manually through your browser.

🎣 Stage 3: Credential Harvesting (Critical Moment)

When the victim clicks the link and logs into the fake site, every piece of data entered is sent directly to the scammer. This includes usernames, passwords, PINs, credit card numbers, and sometimes OTP codes if the fake site is designed to mimic a multi-factor login process.

Some more sophisticated phishing sites act as "proxies" — they forward login data to the real site behind the scenes while capturing everything typed. The victim sees a "login successful" page and never realizes their account has been compromised.

Data That Gets Stolen: Usernames and passwords, PIN and security codes, credit card numbers and CVV, one-time OTP codes, and other personal data used for identity verification.

💰 Stage 4: Account Drain (Final Damage)

With the stolen credentials, scammers log into the victim's account — often using their own device and within seconds of the victim entering data on the fake site. They transfer funds to holding accounts, buy prepaid credit or crypto assets, or conduct other transactions that are difficult to trace.

Because scammers have full access, they often change passwords and registered phone numbers to lock the victim out of their own accounts. By the time the victim realizes what happened, the damage is done and the scammers have vanished.

Scale of Loss: Financial phishing attacks have stolen billions of dollars globally. In Indonesia alone, tens of thousands of cases are reported annually with total losses reaching hundreds of billions of rupiah.

A Realistic Scenario: Andi receives an email that appears to be from his bank. The email informs him of a suspicious login attempt from abroad and asks him to "verify his identity" through a provided link. The link leads to a site that looks exactly like his bank's website. Andi enters his username and password. The site requests an OTP code that was just sent to his phone, and Andi enters it. The page shows "Verification Successful." One minute later, Andi receives a transaction notification for Rp 30 million from his account. In less than two minutes, he lost his savings. The site was fake, and every piece of data he entered went straight to the thieves.

Types of Phishing You Should Know About

Phishing isn't a single type of attack. Scammers continuously develop new variations to increase their success rates. Here are the most common types of phishing you'll encounter.

📧 Email Phishing

Mass emails sent to millions of addresses at once. Quality varies — some are very poor (with bad grammar) and others are highly convincing (with professional logos and design).

💬 Smishing (SMS Phishing)

Phishing via SMS. Scammers send short links leading to fake sites. Smishing is highly effective because SMS feels more personal and people tend to trust text messages more than emails.

📱 WhatsApp Phishing

The most common method in Indonesia. Scammers impersonate banks, e-wallets, or other official services. Sender names are spoofed and messages are sent en masse via WhatsApp Business or fake accounts.

🎯 Spear Phishing

Targeted phishing aimed at specific individuals or organizations. Scammers research their victims — names, positions, business relationships — to create highly personal messages that are difficult to recognize as fraud.

👤 Whaling

Spear phishing targeting top executives (CEOs, CFOs, directors). The goal is to steal sensitive company information or authorize large fund transfers.

📞 Vishing (Voice Phishing)

Phishing via phone calls. Scammers pose as bank officers or authorities, creating urgency to request personal information or direct victims to fake sites.

Common Misconception: Many people believe they're "too smart" to fall for phishing, and that only naive people become victims. The reality is that modern phishing attacks are designed by professionals who deeply understand human psychology. They know how to create urgency, leverage authority, and exploit moments when people are rushed or stressed. Even experienced executives and cybersecurity professionals have fallen victim to phishing.

How to Protect Yourself from Financial Phishing

Protecting against phishing starts with a simple habit: never click links from unsolicited messages. Always verify through official channels. Here are practical steps you can take.

🔗 Never Click Links from Unsolicited Messages

The golden rule: if you receive a message from your "bank" or "investment platform" asking you to click a link, don't click it. Open the official app or website manually through your browser — don't use the link from the message.

🔍 Inspect the URL Carefully

Before entering any data, check the URL in the address bar. Make sure the domain is exactly the same as the official site. Watch for misspelled letters, extra characters, or suspicious domains.

🔒 Look for HTTPS Security Indicators

Ensure the address starts with "https://" and there's a padlock icon in the address bar. While this isn't an absolute guarantee (fake sites can also use HTTPS), its absence is a major warning sign.

📱 Enable Two-Factor Authentication

Use two-factor authentication (2FA) on all financial accounts. Ideally, use an authenticator app or physical security key rather than SMS, which is vulnerable to SIM-swapping attacks.

⏸️ Stop, Think, and Verify

Urgency is the biggest warning sign. Legitimate institutions will never pressure you to act within minutes. Stop, take a breath, and verify through official channels before doing anything.

📢 Report Phishing When You Find It

If you receive a phishing message, report it to the impersonated institution and relevant authorities. This helps protect others from becoming victims.

URL Inspection Guide: Before You Click

The simple habit of inspecting URLs before clicking can save you from phishing. Here's a step-by-step guide to follow every time you receive a suspicious link.

🔍 URL Inspection Guide

1. Don't click yet. Hover over the link (on desktop) or long-press the link (on mobile) to see the actual URL.

2. Check the main domain. The host is the part after "https://" and before the first "/"; what matters is its main (registrable) domain, the last part of the host just before the public suffix. For example, in "https://www.bca.co.id/login", the host is "www.bca.co.id" and the main domain is "bca.co.id". Anything to the left of the main domain is a subdomain that the domain owner controls, so "bca.co.id.co" belongs to whoever owns "id.co", not to the bank.

3. Watch for misspellings. Scammers often use domains with similar spellings: "bcа.co.id" (using a Cyrillic 'a') or "bca-login.com".

4. Beware of non-standard domains. Bank sites in Indonesia typically use ".co.id" or ".com". Domains like ".top", ".xyz", ".click", or ".ru" should raise suspicion.

5. Use bookmarks. For sites you visit frequently, create bookmarks and use those to access them, not links from messages.
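The checklist above (and the lookalike-domain examples from Stage 2) can be turned into a small defensive helper that a support desk or a security team could run over links reported by customers. The code below is an added example, not part of the original article: it parses the URL, isolates the main (registrable) domain, compares it with an allowlist of official domains, and reports the red flags the article names (lookalike domains, non-ASCII or punycode labels, URL shorteners, unusual top-level domains, missing HTTPS). The allowlist `OFFICIAL_DOMAINS` (only `bca.co.id`, the one domain the article names), the simplified `SECOND_LEVEL_SUFFIXES` table standing in for the full Public Suffix List, the `URL_SHORTENERS` set and the function names are all assumptions made for this example.

```python
"""Phishing URL inspection helper (added example, not from the original article)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed allowlist: bca.co.id is the only official domain the article names.
OFFICIAL_DOMAINS = {"bca.co.id"}
# Suffixes under which the registrable name is the third label from the right.
# A real deployment would use the full Public Suffix List instead of this table.
SECOND_LEVEL_SUFFIXES = {"co.id", "or.id", "go.id", "ac.id", "co.uk"}
SUSPICIOUS_TLDS = {"top", "xyz", "click", "ru"}        # the TLDs the article lists
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}      # bit.ly is from the article

R_NO_HTTPS = "not served over https"
R_HOMOGLYPH = "non-ASCII or punycode label (possible homoglyph)"
R_SHORTENER = "URL shortener hides the real destination"
R_ODD_TLD = "unusual top-level domain"
R_NOT_OFFICIAL = "registrable domain is not an official domain"
R_LOOKALIKE = "imitates an official domain"


@dataclass
class Inspection:
    url: str
    host: str
    registrable: str
    reasons: list = field(default_factory=list)

    @property
    def verdict(self) -> str:
        return "official" if not self.reasons else "suspicious"


def registrable_domain(host: str) -> str:
    """Return the part of the host that is actually registered (e.g. bca.co.id)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_url(url: str) -> Inspection:
    """Apply the article's URL checklist and collect every red flag found."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").rstrip(".")   # lower-cased, without port or path
    if not host:
        return Inspection(url, "", "", ["no hostname could be parsed"])
    reg = registrable_domain(host)
    result = Inspection(url, host, reg)

    if parts.scheme != "https":
        result.reasons.append(R_NO_HTTPS)
    # Step 3: a Cyrillic 'a' is not ASCII; browsers show such hosts as xn--... labels.
    if not host.isascii() or any(lbl.startswith("xn--") for lbl in host.split(".")):
        result.reasons.append(R_HOMOGLYPH)
    if reg in URL_SHORTENERS:
        result.reasons.append(R_SHORTENER)
    # Step 4: top-level domains a bank would not normally use.
    if host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
        result.reasons.append(R_ODD_TLD)
    # Step 2: only the registrable domain decides who owns the page.
    if reg not in OFFICIAL_DOMAINS:
        result.reasons.append(R_NOT_OFFICIAL)
        for official in OFFICIAL_DOMAINS:
            brand = official.split(".")[0]
            # "bca.co.id.co" contains the whole official name as a subdomain;
            # "bca-login.com" contains the brand. Heuristic: short brands can false-positive.
            if official in host or brand in reg:
                result.reasons.append(R_LOOKALIKE)
                break
    return result


if __name__ == "__main__":
    # Constructed sample links of the kinds the article describes.
    samples = [
        "https://www.bca.co.id/login",
        "https://bca.co.id.co/verify",
        "http://bca-login.com/verify",
        "https://bc\u0430.co.id/login",   # Cyrillic 'a' (U+0430) instead of Latin 'a'
        "https://bit.ly/3AbCdEf",
        "https://bca-verify.xyz/",
    ]
    for link in samples:
        r = inspect_url(link)
        print(f"{r.verdict:10} {r.host:18} {r.registrable:16} {'; '.join(r.reasons)}")
```

Running the script prints one line per sample link; only the first is judged official, because its registrable domain is exactly `bca.co.id`. The other five are flagged for the specific reason the article describes, which is more useful to a reader than a bare "suspicious" verdict. Note that an allowlist match says only that the domain is the bank's, not that the page is safe: the article's advice to open the official site yourself still applies.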

What to Do If You Suspect You've Been Phished

If you suspect you've entered credentials on a phishing site, time is the most critical factor. Acting quickly can limit the damage.

Step 01 (Immediately): Immediately change passwords on all financial accounts. Don't reuse the password you just entered.
Step 02 (Within 5 minutes): Contact your bank or financial institution and ask them to block your accounts or temporarily restrict transactions.
Step 03 (Within 15 minutes): If you used the same password elsewhere, change all those passwords immediately. Scammers often try the same credentials on other platforms.
Step 04 (Within 24 hours): Report to the police and the relevant financial regulatory authority with evidence of the message and phishing link.
Step 05 (Within 24 hours): Check your transaction history and record any suspicious activity as documentation for the investigation.
Step 06 (Ongoing): Beware of "recovery scams." Don't trust anyone offering to help recover your funds for an upfront fee.

Phishing is one of the most dangerous threats in the modern digital finance landscape. It attacks not system vulnerabilities, but human vulnerabilities: fear, urgency, and trust. The best protection isn't the most advanced technology — it's a simple habit: never click links from unsolicited messages. Always verify through official channels. Check the URL before entering any data. And remember: no legitimate institution will ask you to click a link to "verify" your data or "avoid account blocking." If you receive one, it's phishing. One second of pause and thought could save years of your savings.

This article is for educational and informational purposes only. It does not constitute cybersecurity, legal, or financial advice. Threat landscapes and security technologies evolve continuously. Always consult qualified cybersecurity professionals and your financial institution for advice specific to your situation.
