How to Spot Phishing Scams on Tokopedia and Shopee: Indonesia E-Commerce Safety
Learn how to identify and avoid phishing attacks on Tokopedia and Shopee, including fake seller pages, order confirmation scams, and fraudulent customer service.
Indonesia's e-commerce market is among the fastest growing in Southeast Asia. Tokopedia and Shopee dominate the landscape, handling millions of transactions daily. This massive volume creates fertile ground for phishing attacks that trick buyers into revealing login credentials, payment information, and personal data.
Understanding how these scams work is the first step to avoiding them.
The 5 Most Common E-Commerce Phishing Tactics
1. Fake Seller Pages on Social Media
Scammers create Instagram, Facebook, or TikTok pages impersonating popular Tokopedia or Shopee sellers. They advertise products at steep discounts and direct buyers to phishing sites that mimic the marketplace login page. Once you enter your credentials, they own your account.
Red flags:
- Prices significantly below market rate
- The link goes to a domain that is not tokopedia.com or shopee.co.id
- The seller insists on transactions outside the platform
- No verified seller badges or inconsistent store information
2. Order Confirmation Phishing via SMS/WhatsApp
You receive an SMS or WhatsApp message claiming your recent order has a problem — a payment issue, a delivery delay, or a "prize" for being a loyal customer. The message contains a link to a fake login page.
Example messages:
- "Your Shopee order #SP29381 payment failed. Verify here: [phishing link]"
- "Congratulations! You won a Tokopedia voucher. Claim at: [phishing link]"
- "Your package is held at customs. Update delivery info: [phishing link]"
3. Fake Customer Service Contacts
Scammers set up WhatsApp Business accounts or social media profiles impersonating Tokopedia or Shopee customer service. They respond to public complaints on Twitter/X or Facebook and offer to "help resolve" your issue — by asking for your login credentials.
4. Counterfeit Checkout Pages
After a buyer shows interest in a product (often listed at an attractive price), the seller sends a "special checkout link" that leads to a phishing page designed to capture credit card or bank transfer details.
5. Fake Cashback and Flash Sale Pages
These appear during major sale events (11.11, 12.12, Ramadan sales) as ads on social media or Google. They promise exclusive cashback but redirect to credential-harvesting pages.
How to Identify Legitimate vs. Phishing URLs
This is the most critical skill for avoiding phishing. Learn to read URLs carefully.
| Element | Legitimate | Phishing |
|---|---|---|
| Domain | tokopedia.com | tokopedia-verify.com |
| Domain | shopee.co.id | shopee.co.id.login-verify.com |
| Protocol | https:// (with lock icon) | May show https:// but wrong domain |
| Subdomain | seller.tokopedia.com | tokopedia.seller-page.net |
| Path | shopee.co.id/product/123 | shopee-deals.com/product/123 |
The Golden Rule
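The actual domain sits at the right-hand end of the hostname, just before the first slash. It is usually the last two parts; under a two-part country suffix such as .co.id it is the last three, which is why shopee.co.id is a complete domain on its own. In tokopedia-verify.com/login, the domain is tokopedia-verify.com, NOT tokopedia.com. In shopee.co.id.login-verify.com/auth, the domain is login-verify.com.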
Train yourself to always check this before entering any credentials.
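The domain check described above, as an added Python example that is not part of the original article. It reads the domain from the right-hand end of the hostname and treats two-part country suffixes such as co.id as one unit; the suffix set is a small constructed stand-in for the full Public Suffix List, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Official marketplace domains named in this article.
OFFICIAL_DOMAINS = {"tokopedia.com", "shopee.co.id"}

# Constructed, minimal set of two-part Indonesian suffixes for this example.
# Production tooling should consult the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.id", "or.id", "go.id", "ac.id", "web.id"}


def registrable_domain(url: str) -> str:
    """Return the domain that was actually registered, ignoring subdomains and path."""
    if "://" not in url:
        url = "https://" + url  # accept bare hostnames like those in the table
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    # Under a two-part suffix such as co.id, the domain is the last three labels.
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_official(url: str) -> bool:
    """True only when the link's registrable domain is an official marketplace domain."""
    return registrable_domain(url) in OFFICIAL_DOMAINS


# URLs taken from the comparison table above.
SAMPLES = [
    "https://tokopedia.com",
    "https://tokopedia-verify.com/login",
    "https://shopee.co.id/product/123",
    "https://shopee.co.id.login-verify.com/auth",
    "https://seller.tokopedia.com",
    "https://tokopedia.seller-page.net",
    "https://shopee-deals.com/product/123",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        verdict = "official" if is_official(sample) else "NOT official"
        print(f"{sample:45} -> {registrable_domain(sample):22} {verdict}")
```

A brand name appearing anywhere to the left of the registrable domain, or inside it with a hyphen, does not change the verdict; only an exact match on the registrable domain does.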
Platform-Specific Security Features
Tokopedia Security Features
| Feature | How to Enable | What It Does |
|---|---|---|
| Two-Factor Authentication | Settings > Security > 2FA | Requires OTP for login |
| Login Alerts | Settings > Security > Notifications | Notifies you of new logins |
| Trusted Devices | Settings > Security > Device Management | Lists all devices with access |
| PIN for Transactions | Settings > Security > Transaction PIN | Requires PIN for payments |
| Official Store Badge | Check seller page | Verifies legitimate sellers |
Shopee Security Features
| Feature | How to Enable | What It Does |
|---|---|---|
| Shopee Verify | Account > Security | Phone + email verification |
| Login History | Account > Security > Login Activity | Shows all login locations |
| Payment PIN | Account > Payment > PIN Setup | Protects wallet transactions |
| ShopeePay Lock | ShopeePay > Settings > Lock | Biometric lock for payments |
| Preferred Seller Badge | Check seller page | Indicates reliable sellers |
Step-by-Step Verification Process Before Any Purchase
- Check the URL — Confirm you are on tokopedia.com or shopee.co.id
- Verify the seller — Look for official badges, check join date, read reviews
- Compare prices — If it seems too cheap, search the same product from other sellers
- Stay on platform — Never complete transactions outside the marketplace
- Use official payment methods — Only use integrated payment (ShopeePay, GoPay, bank transfer through the platform)
- Avoid clicking links in messages — Navigate to the app directly instead
- Check reviews for red flags — Be wary of stores with only 5-star reviews and generic comments
What to Do If You Fall for a Phishing Scam
Immediate Actions
- Change your password immediately — Log in directly through the official app (not any link) and change your password
- Enable 2FA if you have not already
- Check your orders and payment methods — Look for unauthorized purchases or added payment methods
- Contact official support — Use in-app help, not any external contact
- Alert your bank — If you entered credit card or bank information on the phishing page
Reporting Channels
| Platform | Reporting Method |
|---|---|
| Tokopedia | In-app Help Center or care@tokopedia.com |
| Shopee | In-app Help Center |
| General cybercrime | patrolisiber.id |
| Consumer protection | konsumen.ojk.go.id |
| Phishing sites | Report to Google Safe Browsing (safebrowsing.google.com) |
Secure Sharing for Online Transactions
E-commerce transactions often require sharing sensitive details — bank account numbers for refunds, delivery addresses, or ID verification for high-value items. Sending this information through platform chat or WhatsApp means it stays in those chat histories permanently.
LOCK.PUB allows you to share sensitive transaction details through password-protected, self-expiring links. When a seller needs your address for a custom delivery or you need to share payment confirmation with a buyer, using a temporary secure link ensures that information does not persist in accessible chat logs.
Seasonal Awareness: When Phishing Spikes
Phishing attacks in Indonesia follow a predictable calendar:
| Period | Event | Phishing Spike Type |
|---|---|---|
| January | New Year sales | Fake voucher campaigns |
| March-April | Ramadan sales | Fake cashback and THR promos |
| May | Harbolnas prep | Early access scam links |
| August | Independence Day sales | Fake patriotic discount campaigns |
| November | 11.11 sale | Highest volume of fake checkout pages |
| December | 12.12 + Year-end sale | Gift card and voucher scams |
During these periods, increase your vigilance. Bookmark the official Tokopedia and Shopee URLs and always navigate directly rather than clicking links.
Building Long-Term E-Commerce Security Habits
The most effective defense against phishing is not any single tool — it is consistent behavior. Use a password manager to generate unique passwords for each marketplace account. Enable every security feature the platforms offer. Develop the habit of pausing before clicking any link and verifying the URL.
When you need to share order details, payment confirmations, or personal information related to e-commerce transactions, use LOCK.PUB to create secure, temporary links instead of pasting sensitive data directly into messages. The few extra seconds it takes could save you from a significant financial loss.
Stay safe, shop smart, and never trust a deal that seems too good to be true.