Artificial intelligence has become a force multiplier for fraud. Across Southeast Asia, attackers are using generative AI to impersonate customers, fabricate identities, and bypass controls that once worked reliably. In Indonesia, where digital banking, e-commerce, and online lending continue to scale, this trend has elevated identity-based fraud into one of the most pressing, emerging cybersecurity threats. 

Recent cybersecurity news in Indonesia shows that scams involving deepfake voices, manipulated documents, and automated social engineering are no longer isolated incidents. They are systemic. The challenge for Indonesian organizations is not simply detecting fraud faster, but recognising that identity itself has become the attack surface.

Without stronger identity assurance and lifecycle monitoring, even mature security teams will struggle to maintain effective cyber security against increasingly sophisticated cyber threats in Indonesia.

AI-Generated Scams 101 – What’s New & What’s Different

AI-generated scams differ fundamentally from earlier fraud models in scale, realism, and coordination.

Key changes include:

• Fraud at Scale: Voice cloning, deepfake videos, and AI-generated documents are now realistic enough to defeat basic human review and legacy automation. This has accelerated scam success rates, especially in customer support and onboarding workflows.
• Automation of Persuasion: Generative AI enables attackers to personalize phishing messages, scripts, and conversations in local languages, making scams harder to spot and easier to execute.
• Multi-Stage Attack Chains: Rather than a single event, AI-driven scams often unfold across days or weeks, beginning with social engineering and ending with account misuse or financial extraction.

For defenders, this means identity checks that rely on static rules or point-in-time verification are increasingly unreliable. Clearing KYC is therefore just an entry point. This shift is now widely acknowledged in cybersecurity news in Indonesia, where fraud incidents involve layered, AI-assisted tactics rather than simple credential theft.

Synthetic Identities: The Silent Threat

Synthetic identity fraud represents a different category of risk altogether; one that is slower, quieter, and often more damaging.

Unlike traditional identity theft, synthetic identities combine real personal data with fabricated attributes. These identities are:

• Hard to blacklist, because elements of the profile are legitimate
• Difficult to detect early, as behaviour initially appears normal
• Designed for longevity, allowing fraudsters to build trust

In Indonesia’s rapidly expanding digital finance ecosystem, this threat is amplified. Faster onboarding, remote verification, and limited cross-institution data sharing make it easier for synthetic identities to mature unnoticed. Losses typically surface only after accounts are used for credit abuse, mule networks, or transaction laundering.

This is why synthetic identity fraud is now recognized globally as one of the most underestimated emerging cybersecurity threats. It does not trigger alarms quickly, but it steadily erodes trust, inflates fraud losses, and weakens institutional confidence in digital growth.

Pressure on Indonesian Organizations: Regulation, Reputation & Risk

Indonesian organizations face distinct pressures on three particular fronts.

Regulatory expectations are tightening, particularly around customer due diligence, data protection, and incident accountability. Weak identity controls are therefore increasingly able to translate into compliance risk, not just operational exposure.

Financial losses linked to online scams and AI-enabled fraud have become visible at a national level. For Indonesian organizations, fraud prevention is increasingly framed as a material business risk.

Reputational consequences are often the most damaging. Publicised fraud incidents undermine customer trust in digital platforms, particularly in banking and fintech. Recovery costs, customer attrition, and brand damage frequently exceed the direct value of stolen funds.

Together, these forces elevate identity assurance from a technical function to a strategic priority. Organizations that underestimate identity risk will find themselves repeatedly exposed to growing cyber threats in Indonesia, regardless of how strong their perimeter security appears.

Are Indonesian Organizations Ready? Key Gaps to Confront

Most Indonesian organizations still encounter structural weaknesses across five areas, which are stated below.

Legacy KYC & Onboarding

• Over-reliance on document checks and manual review
• Limited risk linkage between onboarding outcomes and downstream account behaviour

Authentication & Identity Proofing

• Continued dependence on SMS, OTP, and static credentials
• Insufficient behavioural or device-based verification

Data Governance & PDP Readiness

• Fragmented identity data across business units
• Limited ability to correlate signals while maintaining PDP compliance

Fraud, Cyber, & Business Silos

• Separate tools, teams, and KPIs
• No shared identity risk model across the organization

Awareness & Training

• Boards lack a practical understanding of AI-enabled fraud scenarios
• Frontline teams are rarely trained for deepfake or synthetic identity incidents

These gaps weaken effective cyber security by allowing attackers to exploit organizational blind spots rather than technical flaws.

A Practical Readiness Roadmap

A realistic path forward focuses on execution; i.e., closing the gaps that matter most before expanding capability.

Modernize Identity Proofing & KYC

• Combine document verification with liveness detection, device intelligence, and contextual risk scoring
• Treat onboarding as the first signal, not the final decision

Enhance Authentication & Continuous Trust Evaluation

• Shift towards adaptive authentication based on behaviour and risk
• Monitor identity confidence throughout the customer lifecycle

Unify Fraud, Cybersecurity, & Data Protection Around Identity

• Build a shared identity layer accessible to fraud, security, and compliance teams
• Correlate onboarding, login, and transaction data into a single view

Invest in AI to Fight AI

• Use machine learning to detect synthetic patterns, abnormal identity reuse, and coordinated account behaviour
• Prioritize explainability so analysts can act with confidence

Build Awareness, Run Drills, & Update Playbooks

• Conduct regular scenario-based exercises involving AI scams
• Report identity risk to leadership in business

This approach directly addresses the most prevalent cyber threats in Indonesia today,  without outpacing the organization’s capacity to execute. The priority is to align people, processes, and technology around a shared understanding of identity risk, so that defenses remain effective across the full customer lifecycle.

Build Your Board-Ready Strategy for AI Fraud at IndoSec

Boards increasingly ask the same questions: How exposed are we, and what are we doing about it? A credible response requires clear identity risk metrics, a phased investment plan, and measurable outcomes. 

IndoSec – Indonesia’s premier national cybersecurity summit now in its ninth edition – offers security and risk leaders the platform to refine their strategies, align with industry peers, and understand how regulators and industry peers are responding to AI-enabled fraud.

Bringing together over 2,000 cybersecurity professionals from more than 700 leading public and private organizations, the summit convenes CISOs, Heads of Fraud, Risk, and Compliance – a majority of whom hold direct influence over strategic and purchasing decisions. Beyond the main programme, the curated CISO Lounge provides a closed-door space for Indonesia’s most senior security leaders to speak candidly and build cross-industry alliances that fraud defence fundamentally depends on.

IndoSec, over eight distinguished editions, aims to foster an environment where the most influential stakeholders, industry pioneers, and regulatory authorities exchange hard-won experience, align on emerging best practices, and accelerate informed, coordinated action that this threat – and several more of its kind – demand.

Event Details: 

Date: 15–16 September, 2026

Venue: The Ritz-Carlton Jakarta, Pacific Place

For more information about the event, visit: https://indosecsummit.com/ 

Don’t miss out!