In March 2022, thousands of local and international travelers who registered for Thailand Pass received fraudulent emails asking for private information, including their full names, date of birth, and passport number. While the Thai government issued a warning about the spam email, officials have not confirmed if information from the Thailand Pass system had been compromised.
This is just one example of a phishing attempt, in which an attacker obtains a person’s confidential information through deception. Phishing is on the rise in South and Southeast Asia, which are hotspots for such digital attacks. In the first half of 2019, Kaspersky reported that 14 million phishing attempts were detected in the region, with three countries – Vietnam, Malaysia, and Indonesia – logging 11 million combined attempts. When it comes to the number of phishing victims, the Philippines topped the list at 17.3%, which is 65% more than the previous year. South Asia has also been actively targeted, with the advanced persistent threat group SideWinder in particular exploiting contentious political issues in the region to launch phishing attacks, mainly in Pakistan and Bangladesh.
This trend in cyberattacks has persisted – and even increased – with the COVID-19 pandemic accelerating the adoption of digital technologies. But the rapid pivot to the digital ecosystem left some people and organisations unprepared or unaware of the digital threats lurking online. In 2021, the number of Filipinos exposed to phishing attempts reached 9.9%, ahead of Malaysia (8.49%), Thailand (7.93%), Indonesia (7.70%), Vietnam (7.45%), and Singapore (3.30%). In South Asia, easy loan schemes and fake job offers are some of the common tricks employed by scammers. Fraudsters exploited the pandemic by tricking people into paying money in exchange for vaccination certificates and government aid, according to Kaspersky’s annual spam and phishing report.
Cybercriminals are capitalising on the increasing number of people who may lack awareness of basic digital hygiene as they use these technologies for their daily tasks. This highlights the urgent need to help internet users enhance their digital safety amid the continued threat of cyberattacks in the region.
Common types of phishing in South and Southeast Asia
In a phishing attack, the attacker poses as a trusted or known person or organisation to trick potential victims into sharing sensitive information (such as login credentials and bank or credit card information). Successful attacks may result in account compromise, unauthorised access to an organisation’s networks and computers, and the introduction of malware which would wreak even more damage – from financial losses to loss of intellectual property.
Civil society organisations, activists, and ordinary citizens who lack digital skills and awareness are most vulnerable to phishing attacks, which can happen via various communication channels including email, SMS, instant messaging, and phone calls. Here are some of the most common types of phishing in South and Southeast Asia.
Email phishing
This is the most common type of phishing. The attacker sends an email purporting to be from someone trustworthy or familiar (such as an employer, colleague, bank, or social media company), with a request to click on a link or download an attachment. Doing so results in the victim unknowingly sharing valuable private information (such as account credentials) through a fake website, or in malware being surreptitiously installed on their system.
One infamous case that caused enormous financial damage was the 2016 Bangladesh Bank robbery, in which hackers illegally transferred close to $1 billion from the central bank of Bangladesh. According to reports, the hackers gained access to the bank’s system through an email sent in 2015 to several employees. The sender posed as a job seeker and asked email recipients to download his CV and cover letter. At least one employee did so, unwittingly infecting the bank’s systems with malware.
With a simple mistake – trusting an email from an unknown sender – one of the world’s biggest cyber heists was pulled off.
Vishing (voice call phishing)
In this type of phishing, the attacker calls the victim claiming to represent their bank, employer, the police, or other trusted institutions. The caller would scare or threaten the victim by claiming some sort of problem or emergency that should be addressed immediately. Out of fear or pressure to act quickly, the victims would agree to send money or share confidential information to resolve the problem.
In 2021, Thais received over 6 million fraudulent calls, a 270% increase from the previous year. Some of the most common tactics involved the fraudster claiming to be from a delivery service and asking for money to release a package, or claiming to be a police officer investigating the victim. Meanwhile, in South Asia, mobile phone scams such as the One Ring Scam are common. Phone users in Sri Lanka have been repeatedly targeted by scammers who place missed calls, with the aim of inducing the victim to call back a foreign number that charges high fees.
Across Southeast Asia, there have been reports of a transnational crime ring where people desperate for work are forced or tricked into working as scam callers. In April 2022, several news outlets reported about Thai nationals rescued from Cambodian scam call centres. Reacting to these reports, Jeremy Douglas, regional representative of the United Nations’ narcotics and crime agency, said this was a “major wake-up call for the region”.
Smishing (SMS or text message phishing)
SMS phishing, or “smishing”, works by embedding a malicious link in text messages claiming that the victim has won gifts or prize money. Some messages also ask the victim to pay a small amount to receive the gifts or prizes. Another form of smishing exploits one-time passwords (OTPs), which are usually sent via SMS as part of two-factor authentication: users are tricked into believing that an OTP message came from a legitimate source and enter the code into a fake login page.
A case in Singapore highlights the financial losses that can arise from smishing. In 2021, malicious actors diverted SMS OTPs and made fraudulent credit card transactions amounting to S$500,000. The victims all reported that they neither made the transactions nor received the SMS OTPs.
While these are just some of the most common types of phishing, there are other types employed by cybercriminals. These include catphishing, where attackers create fake social media profiles to win someone’s trust and scam them into giving money, gifts, or information; spear phishing, which employs social engineering to specifically target a person or organisation; and whale phishing, which is aimed at high-profile victims such as celebrities, politicians, and business executives.
Protecting against phishing attempts
There are 440 million internet users in Southeast Asia and this number is expected to grow. In South Asia, 39% of the region’s 1.88 billion population have access to the internet. Considering the sizable number of internet users in South and Southeast Asia, as well as the continued prevalence of phishing attacks here, internet users should be equipped with the knowledge and skills to recognise phishing attempts and protect themselves online.
This is even more important for civil society organisations and activists who often deal with sensitive information in their line of work. If not properly equipped with digital safety knowledge and training, they may be exposed to threats affecting their safety and that of their communities.
Here are some tips to keep in mind to avoid falling victim to phishing attacks:
Think before you click. The first line of defence is our own judgment. Before clicking on a link inside an email, mouse over it to check if it leads to a familiar website. If you receive random pop-ups from websites or messages claiming you’ve won the lottery, question it – if it sounds too good to be true, it probably is.
Always scan attachments before opening them. Use an antivirus program to scan the attachment first. If you do not have an antivirus program installed on your system (though it is always recommended to have one), use this free tool from VirusTotal.
Double-check the origin of the communication. Do not open emails from unknown senders. If you receive an unexpected email from a known sender, confirm this with the sender through another communication channel (for example, via the secure messaging app Signal).
Share your personal information or account credentials wisely. If you are asked to provide sensitive information, check that the URL of the page starts with “https” instead of just “http”. Make sure that the spelling of the domain name is correct.
Practice digital hygiene in your personal and professional life. Here are a few ways you can get started in improving your digital security:
- Always use a strong password and enable two-factor authentication where possible.
- Organise your inbox and unsubscribe from junk email.
- Review privacy and security settings on your accounts and social media.
- Install reputable antivirus and anti-malware software.
- Update software and apps regularly, including your operating system.
- Encrypt your devices and keep regular backups.
These tips will increase your protection against digital threats and minimise potential harm. To ensure that digital spaces will be safer for everyone, there is a need for strong collaboration among civil society, policymakers, and companies to collectively strengthen the cybersecurity ecosystem.
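As an added illustration of the “mouse over the link” and “check the https and the spelling” tips above (example code written for this page, not part of the original article): a small Python checker that flags a link whose visible text and real destination disagree, that is not served over https, or whose domain merely resembles or embeds a trusted one. The trusted-domain list, the sample links and the edit-distance threshold are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed allow-list of domains the user actually knows (an assumption for this example).
TRUSTED_DOMAINS = {"bank.example", "thailandpass.example"}


def registrable_domain(host):
    """Last two labels of a hostname, e.g. 'login.bank.example' -> 'bank.example'.
    Simplification: production code should consult the Public Suffix List (e.g. 'co.th')."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot typosquats such as 'bnak.example'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def shown_host(text):
    """Hostname named in the visible link text, or None if the text is not a URL or domain."""
    candidate = (text or "").strip()
    if " " in candidate or "." not in candidate:
        return None
    if "://" not in candidate:
        candidate = "https://" + candidate
    return urlparse(candidate).hostname


def check_link(href, display_text=None):
    """Return a list of (code, detail) findings for one link; an empty list means nothing was flagged."""
    findings = []
    url = urlparse(href)
    host = (url.hostname or "").lower()
    target = registrable_domain(host)
    # https only proves the connection is encrypted, not that the site is genuine,
    # which is why the domain checks below matter at least as much.
    if url.scheme != "https":
        findings.append(("insecure-scheme", f"link uses {url.scheme or 'no'} scheme, not https"))
    shown = shown_host(display_text)
    if shown and registrable_domain(shown) != target:  # the mouse-over check
        findings.append(("text-href-mismatch", f"text shows {shown} but link goes to {host}"))
    if target not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted in host:  # e.g. bank.example.verify-login.example
                findings.append(("embedded-trusted-name", f"{trusted} appears inside {host}"))
            elif edit_distance(target, trusted) <= 2:  # threshold is an assumption
                findings.append(("lookalike-domain", f"{host} resembles {trusted}"))
    return findings
```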
Help spread awareness about these digital safety tips by sharing the infographics below with your networks:
If you would like to translate these graphics into your local languages, reach out to EngageMedia Digital Rights Project Manager Vino Lucero.
Learn more about EngageMedia’s work to enhance digital security for civil society as part of the Greater Internet Freedom program.