Skip to main content

Threat landscape

What is phishing and how do you defend against it?

In short

What phishing is, the main types from email to smishing and vishing, how to spot an attack, and how training and controls reduce the risk.

Human risk and security awareness

An email lands in the finance inbox on a busy afternoon. It looks like a supplier invoice: the right logo, a familiar sender name, a polite note asking that the attached PDF be reviewed and the updated bank details used for this month's payment. Nothing about it feels alarming, so someone opens the attachment. That single click is all it takes. The sender was never the supplier, the bank details route the payment to an attacker, and the attachment quietly drops a tool that gives them a foothold inside the network. No firewall was breached and no password was cracked. A person was simply persuaded to trust a message that was not what it claimed to be. That is phishing, and it remains the most common way attacks begin.

What phishing is

Phishing is social engineering. Instead of attacking a system directly, the attacker impersonates a trusted sender and manipulates a person into doing something harmful: typing a password into a fake login page, approving a payment, or opening a file that installs malware. The trust is the weapon. A message that appears to come from your bank, your IT team, a supplier, or your own manager lowers the reader's guard in a way that a stranger never could.

The aim is always one of three things: steal credentials, steal money, or plant malware. A fake login page harvests the username and password you enter. A convincing payment request diverts funds. A malicious attachment or link installs the software an attacker needs to move further. What makes phishing so durable is that it sidesteps technical defences entirely. You can have every patch applied and every system hardened, and one well-written message to the right person still opens a door that no exploit had to force.

The main types of phishing

Phishing is not a single technique. It ranges from mass, scattershot email to carefully researched attacks on one named person, and it now reaches people well beyond the inbox.

TypeHow it works
Bulk email phishingThe same message is blasted to thousands of addresses, hoping a small fraction click. Low effort, low accuracy, high volume.
Spear phishingA message crafted for one specific person, using real details about their role or work to look genuine and slip past suspicion.
WhalingSpear phishing aimed at senior executives, whose authority and access make a successful trick especially valuable.
SmishingPhishing delivered by SMS or a messaging app, often a text with a link posing as a bank alert or delivery notice.
VishingPhishing by voice call, where the attacker phones and talks the target into revealing information or approving an action.
Business email compromiseA believable email, often with no malware at all, that impersonates an executive or supplier to authorise a fraudulent payment or data transfer.

The pattern to notice is that the more targeted the attack, the fewer signs it gives you. Bulk phishing is easy to spot once you know the tells. A spear phishing message written for you, or a business email compromise that mimics your finance director's tone, is designed to look exactly like the real thing.

  1. 01

    Research and setup

    The attacker picks a target and a disguise: a bank, a supplier, a colleague. For a targeted attack they gather names, roles, and recent events to make the message believable.

  2. 02

    The lure arrives

    A message reaches the victim by email, SMS, messaging app, or phone call, carrying a link, an attachment, or a request framed with urgency or authority.

  3. 03

    The victim acts

    The person clicks the link and enters credentials on a fake page, opens the attachment, or approves the payment, believing the request is genuine.

  4. 04

    The attacker cashes in

    Stolen credentials are used to log in, the fraudulent payment is collected, or the malware gives the attacker a foothold to move deeper into the network.

Why it matters in Indonesia

For most organisations, phishing is not one risk among many. It is the front door. A large share of breaches begin with a phishing message, because it is cheaper and more reliable for an attacker to trick a person than to find and exploit a technical flaw. Whatever else an organisation defends against, the email that starts the incident is usually the one that got past a busy employee, not the one that got past a firewall.

In Indonesia the reach is wider than email alone. Messaging apps such as WhatsApp are woven into how people work and bank, so lures arrive there as readily as in an inbox, often themed around bank alerts, delivery notices, tax notifications, or a message that appears to come from a manager. Attackers also localise their bait, writing in Bahasa Indonesia and imitating names and formats that local staff recognise. The result is that the same trusted channels people rely on every day are the ones being turned against them, which is exactly why a technical control alone cannot close the gap.

How to defend against it

Because phishing targets people, the defence has to work on two fronts at once: the people and the systems around them. Neither is enough alone.

On the human side, the goal is a workforce that pauses on the messages that matter. Regular security awareness training and phishing simulation build that habit far better than a once-a-year course, because they practise the response on realistic lures and give staff immediate feedback when they slip. Well-run programmes measurably lower click rates over time and, just as importantly, raise reporting rates, so the security team hears about a real campaign early rather than after the damage is done.

On the technical side, controls catch what people miss and limit the harm when someone does click. Email filtering stops a large volume of phishing before it ever reaches an inbox. Multi-factor authentication means a stolen password alone is often not enough to log in. And because payment fraud is a category of its own, business email compromise protection adds the verification steps and controls that stop a convincing fake instruction from moving real money. The layers reinforce each other: training reduces how often people fall for a lure, and technical controls reduce how much a single mistake can cost.

Where Alpha Code fits

Phishing works on trust, so defending against it means building both the instinct to pause and the controls that catch the message you missed. Alpha Code's human risk management service combines security awareness training and realistic phishing simulation in Bahasa Indonesia with behavioural analytics that show where the risk actually sits across your workforce. The aim is not to promise that no one will ever click. It is to make clicking rare, make reporting fast, and make sure a single mistake does not become a breach.

Reviewed by Mohit Bhansali, Head of Technology

Frequently asked questions

Phishing is an attack that pretends to come from someone you trust, a bank, a colleague, your IT team, in order to trick you into handing over a password, approving a payment, or opening a file that installs malware. It is social engineering rather than a technical break-in: the attacker does not defeat your defences, they persuade a person to open the door for them.

Related

Ready to strengthen your security posture?

Talk to our Jakarta-based team about your requirements.

Jakarta-based team. We reply within one business day.