The Threat Landscape for Expats in Indonesia
Foreigners living in Indonesia face a distinct set of digital security risks. You are managing finances across multiple countries, using local SIM cards tied to banking apps, sharing personal documents (passport, KITAS) with various service providers, and operating on networks you do not control. Each of these creates attack surface that criminals actively exploit.
Indonesia ranks among the top targets for cybercrime in Southeast Asia. According to BSSN (Badan Siber dan Sandi Negara, the National Cyber and Crypto Agency), Indonesia recorded over 400 million cyber anomalies in 2025. Most of these targeted financial accounts and personal identity data.
This guide covers the specific threats you face as an expat and the practical steps to mitigate them.
SIM Swap Fraud: The Number One Risk
SIM swap fraud is the most dangerous cyber threat for expats in Indonesia, and it is alarmingly common. Here is how it works:
- A criminal obtains your personal details (name, phone number, ID number) -- often from data breaches or social engineering
- They visit a mobile carrier shop (Telkomsel, XL, Indosat) and claim to be you, requesting a replacement SIM
- With varying levels of social engineering, they convince the staff to issue a new SIM with your number
- Your phone loses signal. Their phone now receives all your calls and SMS
- They use SMS-based two-factor authentication to access your bank accounts, email, and crypto exchanges
Why Expats Are Particularly Vulnerable
- Your Indonesian phone number is tied to banking apps (BCA Mobile, Mandiri Livin, JAGO), digital wallets (GoPay, OVO), and potentially crypto exchanges
- Carrier shop employees may not thoroughly verify identity for foreign customers
- Your passport number and KITAS details exist in many databases (hotels, immigration, phone registration)
- You may not immediately realize what is happening due to language barriers
How to Protect Yourself
| Action | Priority | Difficulty |
|---|
| Switch all accounts from SMS 2FA to authenticator app (Google Authenticator, Authy) | Critical | Easy |
| Set a PIN/password on your carrier account (visit Grapari for Telkomsel) | Critical | Easy |
| Register with biometric verification at your carrier | High | Medium |
| Use a separate phone number for banking vs general use | High | Medium |
| Enable transaction notifications on all bank accounts | High | Easy |
| Set low default transfer limits on mobile banking | Medium | Easy |
The single most important action: remove SMS-based 2FA from every account that supports an alternative. Use Google Authenticator, Authy, or a hardware key (YubiKey) instead.
Phishing: Targeted Attacks on Foreigners
Phishing attacks in Indonesia increasingly target expats through familiar channels:
WhatsApp Phishing
The most common vector. You receive messages claiming to be from:
- Immigration (imigrasi) -- "Your KITAS needs urgent verification"
- Indonesian tax office (DJP) -- "Tax penalty notification"
- Your bank -- "Suspicious activity detected, verify now"
- Delivery services (JNE, J&T) -- "Package held, pay customs fee"
These messages contain links to convincing fake websites that harvest your credentials.
SMS Phishing (Smishing)
Bulk SMS messages claiming you won a prize, have an outstanding bill, or need to verify your identity. These are less sophisticated but still effective, especially when they reference real Indonesian services.
Email Phishing
More targeted attacks come via email, often impersonating:
- Visa agents or immigration consultants
- Indonesian banks
- Property agents (especially around lease renewals)
- Government agencies
How to Spot and Avoid Phishing
- No legitimate Indonesian government agency contacts you via WhatsApp to request personal data or payments
- Banks never ask for your PIN or password via any channel
- Check URLs carefully: Government sites end in
.go.id, bank sites use their official domains
- Call the organization directly using the number from their official website, not from the message
- Never click links in unexpected messages; navigate to the site manually
Secure Online Banking in Indonesia
Most expats in Indonesia use mobile banking apps for daily transactions. Here is how to secure them:
Bank App Security Settings
| Bank | Biometric Login | App-Based 2FA | Transaction Limits | Notification Options |
|---|
| BCA (m-BCA/myBCA) | Yes | Yes (BCA OneKlik) | Customizable | Push, SMS, Email |
| Mandiri (Livin) | Yes | Yes | Customizable | Push, SMS |
| BNI Mobile | Yes | Yes | Customizable | Push, SMS |
| JAGO | Yes | Yes (in-app) | Customizable | Push |
| CIMB Niaga (OCTO) | Yes | Yes | Customizable | Push, SMS |
Best Practices
- Enable biometric login (fingerprint/face) on all banking apps
- Set daily transfer limits lower than the maximum. You can temporarily raise them when needed.
- Turn on all notifications: Push notifications, SMS alerts, and email alerts for every transaction
- Use separate passwords for each banking app
- Never access banking on public WiFi without a VPN
- Log out of banking apps when not in use; do not rely on auto-lock alone
- Keep your phone OS updated: Security patches fix vulnerabilities that banking trojans exploit
What to Do If Your Account Is Compromised
- Call your bank's 24-hour hotline immediately (BCA: 1500888, Mandiri: 14000, BNI: 1500046)
- Request an immediate account freeze
- Visit a branch with your passport and KITAS to reset credentials
- File a police report at the nearest Polsek (required for bank investigation)
- Change passwords for all accounts that shared the compromised email or phone number
VPN Usage: Legal Status and Recommendations
Legal Status
VPN use is legal in Indonesia. This is unambiguous. No law prohibits individuals from using VPNs for personal or business purposes. The government's internet content filtering (operated through the Ministry of Communication and Informatics / Kominfo) blocks websites at the ISP level, but there is no enforcement mechanism against individuals who bypass these blocks.
Why Expats Need a VPN
- Accessing blocked content: Some websites are blocked in Indonesia, including Reddit
- Securing public WiFi: Cafes, coworking spaces, and villas with shared networks are not encrypted by default
- Company requirements: Many employers require VPN connections to corporate networks
- Banking from abroad: Some home-country banks flag Indonesian IP addresses; a VPN avoids account freezes
- Privacy: Your ISP can see your browsing activity without a VPN
VPN Considerations in Indonesia
- Some VPN protocols are throttled by ISPs. WireGuard and OpenVPN typically work well. PPTP is sometimes blocked.
- Indonesian-server VPN connections are useful for accessing local services while appearing local
- Keep your VPN app updated; Indonesia's filtering system evolves
- Have a backup VPN. If your primary provider experiences issues, a secondary one ensures continuity
UU PDP: Indonesia's Data Privacy Law
UU PDP (Undang-Undang Pelindungan Data Pribadi), or Law No. 27 of 2022, is Indonesia's comprehensive data protection law. It became fully enforceable in October 2024 after a two-year transition period.
Key Provisions That Affect Expats
| Right | What It Means | How to Exercise It |
|---|
| Right to access | You can request a copy of your personal data from any organization | Written request to the data controller |
| Right to correction | You can demand correction of inaccurate personal data | Written request with evidence |
| Right to deletion | You can request deletion of your data when no longer necessary | Written request; some exceptions apply |
| Right to withdraw consent | You can revoke consent for data processing at any time | Written notice to the data controller |
| Right to object | You can object to automated decision-making | Written request |
Practical Implications
- Phone registration: Your SIM card registration data (passport, biometrics) is protected under UU PDP. Carriers must handle it according to the law.
- Property rentals: Landlords and agents who collect your passport and KITAS copies must protect that data and cannot share it without consent.
- Employment: Your employer must comply with UU PDP when handling your personal data, including KITAS details and salary information.
- Data breach notification: Organizations must notify you within 72 hours of discovering a data breach affecting your personal data.
Enforcement
UU PDP violations can result in fines up to 2% of annual revenue for organizations and criminal penalties including imprisonment. A dedicated supervisory body is being established, though enforcement is still maturing.
Public WiFi Security
Public WiFi in Bali -- cafes, restaurants, coworking spaces, hotels -- is largely unencrypted and unsecured. This creates opportunities for man-in-the-middle attacks and traffic sniffing.
Rules for Public WiFi
- Always use a VPN when connected to public WiFi
- Verify the network name with staff; fake hotspots mimicking legitimate ones are common
- Disable auto-connect to open networks on your devices
- Use HTTPS-only mode in your browser (built into Chrome and Firefox)
- Avoid sensitive transactions (banking, crypto trading) on public WiFi even with a VPN
- Forget the network after disconnecting; do not let your device reconnect automatically
Physical Security for Devices
Digital security starts with physical security. In Bali, device theft is a real concern:
- Bag snatching: Motorbike riders grabbing bags or phones from pedestrians, especially in busy areas like Canggu and Seminyak
- Villa break-ins: Secure laptops in a locked room or safe when you leave
- Cafe theft: Never leave devices unattended, even briefly
Device Security Settings
- Enable Find My Device (iPhone: Find My; Android: Find My Device; Laptop: Prey or built-in)
- Set auto-lock to 30 seconds or less
- Enable full-disk encryption (FileVault on Mac, BitLocker on Windows)
- Use a strong PIN/password, not a simple pattern lock
- Back up to cloud daily; if a device is stolen, your data is not lost
Complete Security Checklist for Expats
| Category | Action | Done? |
|---|
| Authentication | Switch all accounts to authenticator app 2FA | |
| Authentication | Use unique passwords for each service (use a password manager) | |
| Authentication | Set carrier PIN at Grapari/carrier shop | |
| Banking | Enable biometric login on all banking apps | |
| Banking | Set daily transfer limits | |
| Banking | Enable all notification channels | |
| Devices | Enable full-disk encryption | |
| Devices | Enable Find My Device on all devices | |
| Devices | Set auto-lock to 30 seconds | |
| Network | Install and configure a VPN | |
|
When Something Goes Wrong
If you suspect a security breach:
- Immediately change passwords for affected accounts from a secure device
- Contact your bank to freeze accounts if financial data is compromised
- Report to police: File a report at the local Polsek; you need this for bank investigations and insurance claims
- Contact your carrier: If you suspect SIM swap, visit a Grapari or carrier shop immediately with your passport
- Notify your embassy: For serious identity theft, your embassy can provide guidance
- Document everything: Screenshots, transaction records, and communications for any investigation
Indonesia's cybercrime reporting can also be done through the Kominfo portal at aduankonten.id for online fraud and scams.
Need help with visa compliance, business setup, or navigating life in Indonesia? Bali Zero provides comprehensive advisory services for expats. Reach out at hello@balizero.com or WhatsApp +62 811-399-0045.
