SIM Swap Fraud in Indonesia: How Attackers Drain Your Bank and E-Wallet

SIM swap fraud is one of the most devastating cyberattacks affecting Indonesian mobile users. In a successful SIM swap, the attacker takes control of your phone number — and with it, every account that relies on SMS verification. Within minutes, they can drain your bank account, empty your e-wallets, and lock you out of your digital life.

Indonesia's heavy reliance on SMS-based OTP (One-Time Password) for banking, e-wallets, and government services makes its citizens particularly vulnerable. Here is exactly how this attack works and how to defend against it.

How a SIM Swap Attack Works

The Attack Chain

Step 1: Information Gathering
    ↓
Step 2: SIM Card Replacement
    ↓
Step 3: OTP Interception
    ↓
Step 4: Account Takeover
    ↓
Step 5: Fund Drainage

Step 1: Information Gathering

Before the attack, the scammer collects your personal data:

Information Needed	How They Get It
Full name	Social media, data breaches
NIK (KTP number)	Data breaches (BPJS, Dukcapil leaks)
Phone number	Social media, business cards, data breaches
Mother's maiden name	Social engineering, social media stalking
Date of birth	Social media, data breaches
Address	Data breaches, social media
Recent transaction history	Social engineering via fake bank calls

Indonesia's extensive data breaches (covered in our NIK/KTP data leak guide) mean much of this information is readily available on dark web marketplaces.

Step 2: SIM Card Replacement

With your personal information in hand, the attacker approaches a mobile carrier — Telkomsel, Indosat Ooredoo Hutchison, XL Axiata, or Smartfren — and requests a SIM card replacement. They may:

• Visit a physical outlet using a fake KTP matching your identity
• Call customer service and pass identity verification questions using your leaked data
• Bribe a carrier employee — insider threats are a documented attack vector
• Use a fraudulent power of attorney claiming to act on your behalf

Step 3: OTP Interception

Once the new SIM card is activated, your phone immediately loses signal. The attacker's SIM now receives all your SMS messages, including:

• Banking OTPs
• E-wallet verification codes
• Email password reset codes
• WhatsApp verification codes
• Government service OTPs

Step 4: Account Takeover

The attacker rapidly works through your accounts:

1. Resets your mobile banking password using SMS OTP
2. Logs into your GoPay, OVO, and DANA accounts
3. Takes over your email by resetting the password via SMS
4. Accesses any other account linked to your phone number

Step 5: Fund Drainage

Target	Method	Speed
Bank account	Transfer to mule accounts	Minutes
GoPay	Transfer or purchase	Minutes
OVO	Transfer to bank or purchase	Minutes
DANA	Transfer to linked account	Minutes
Tokopedia balance	Purchase and resell items	Hours
Crypto exchange	Withdraw to external wallet	Minutes

The entire process — from SIM activation to emptied accounts — can take less than 30 minutes.

Warning Signs of a SIM Swap in Progress

Recognizing the attack early is critical. Watch for these signs:

Warning Sign	What It Means	Action Required
Sudden loss of mobile signal	Your SIM has been deactivated	Contact carrier immediately from another phone
"No service" or "Emergency calls only"	New SIM activated on your number	Rush to carrier outlet with your KTP
Unexpected SMS about SIM changes	Carrier may send notification before swap	Call carrier hotline immediately
Unable to make calls or send SMS	Your SIM is no longer active	This is an emergency — act within minutes
Banking notifications for transactions you did not make	Attacker is already draining accounts	Call bank to freeze accounts

The moment your phone loses signal unexpectedly and does not recover within 2-3 minutes, treat it as a potential SIM swap attack. Do not wait.

How to Protect Yourself

Carrier-Level Protection

Action	Telkomsel	Indosat	XL Axiata
Register biometrics for SIM changes	Visit GraPARI	Visit Gerai Indosat	Visit XL Center
Set a SIM lock PIN	Contact 188	Contact 185	Contact 817
Request notification for SIM changes	In-app or call center	In-app or call center	In-app or call center
Verify your registered data is current	MyTelkomsel app	myIM3 app	myXL app

Banking and Financial Protection

1. Enable app-based authentication instead of SMS OTP wherever possible
2. Set transaction limits — Limit daily transfer amounts to minimize potential losses
3. Enable push notifications for all transactions, not just SMS
4. Use different contact numbers — Consider using a separate number for banking and financial services
5. Enable biometric login for banking and e-wallet apps
6. Register for call-back verification — Some banks offer phone verification before large transfers

Digital Hygiene

• Minimize personal data exposure online — Avoid posting your phone number, birthday, and mother's name publicly
• Use app-based 2FA (Google Authenticator, Authy) instead of SMS wherever supported
• Monitor your phone signal — Be aware of unexpected signal loss
• Secure your email with app-based 2FA since email is the recovery channel for most accounts
• Regularly check accounts linked to your phone number

What to Do If You Are a SIM Swap Victim

First 5 Minutes

1. Use another phone to call your carrier — Request immediate SIM deactivation
2. Go to the nearest carrier outlet with your original KTP
3. Call your bank — Request a full account freeze

First Hour

4. Change passwords on all critical accounts using a device you trust
5. Revoke active sessions on email, banking, and social media
6. Freeze e-wallet accounts — Contact GoPay (via Gojek app), OVO (1500696), DANA (via app)
7. Inform close contacts that your number may be compromised

First 24 Hours

8. File a police report at your local Polsek with evidence of unauthorized transactions
9. Report to Bank Indonesia — Contact 131 or visit bi.go.id
10. Report to OJK — Call 157 for financial service complaints
11. Document all losses with screenshots and transaction records
12. Contact your bank's fraud department to initiate the dispute process

Sharing Account Recovery Information Securely

After a SIM swap attack, you often need to coordinate with family members — sharing temporary passwords, bank reference numbers, or police report details. In this high-stress situation, information is frequently shared carelessly through messages that could be intercepted.

LOCK.PUB provides a way to share sensitive recovery details through password-protected, expiring links. When coordinating with your bank, a lawyer, or family members about the incident, you can share case numbers, temporary credentials, and financial details without leaving them exposed in chat histories.

The Systemic Problem

SIM swap fraud succeeds in Indonesia because of a combination of factors:

1. Massive data breaches have made personal verification data widely available
2. Over-reliance on SMS OTP for financial authentication
3. Inconsistent identity verification at carrier outlets
4. Limited carrier liability when SIM swaps are fraudulently authorized

Until carriers implement stronger biometric verification for SIM changes and banks move away from SMS-based OTP, the responsibility falls on individuals to add protective layers.

The 5-Minute Security Audit

Do this right now:

1. Open your carrier app — Is your registered information current?
2. Check your bank app — Is app-based 2FA enabled?
3. Review your email — Is it secured with app-based 2FA (not SMS)?
4. Set up transaction alerts — Are push notifications enabled for all accounts?
5. Use LOCK.PUB — Are you sharing sensitive information securely?

A SIM swap attack can wipe out years of savings in minutes. These five steps take less time than making a cup of coffee, and they could save everything in your accounts.