How E-Wallet Scammers in Indonesia Drain Your DANA, OVO, and GoPay Without Ever Touching Your Phone
Indonesia's e-wallet ecosystem moves over a billion transactions a month, and scammers have built a small industry around emptying those wallets. Most successful e-wallet fraud in 2026 doesn't break the apps. It breaks the user. Here is the playbook, the technical layer, and the fixes that actually matter.

When my aunt called me last year saying her DANA balance had been drained, my first question was not "how much." My first question was "what link did you click?" There was no link. She had not entered her PIN anywhere unfamiliar. She had not shared her OTP. She had received a phone call from someone claiming to be from DANA customer service, and over the course of fifteen minutes that person had walked her through what she thought was a verification process. By the time the call ended, every rupiah in her wallet was gone.
The Indonesian e-wallet ecosystem in 2026 is one of the most active in Southeast Asia. DANA, OVO, GoPay, ShopeePay, LinkAja, and the QRIS payment standard collectively move billions of transactions monthly. The apps themselves are well-engineered. The fraud is not in the apps. The fraud is in the seams between the apps and the people who use them.
I'm going to break down the four most successful e-wallet scam patterns in Indonesia in 2026, what they look like from the user's perspective, what they actually do technically, and what defenses work. This is the article I wish my aunt had read in 2024.
Pattern one: the customer service callback scam
This is the one that got my aunt. It is also the most common variant the OJK and the IASC track in Indonesia.
It starts with a triggering event. The victim's phone receives an unexpected notification — a transaction alert for a payment they didn't make, a login from a new device, a balance change. The notification might be real (the attacker initiated a small test transaction to make the alert legitimate) or fake (a phishing SMS designed to look like an e-wallet alert).
The victim panics. They call what they believe is the DANA or OVO customer service line, but the number was either supplied in the phishing message itself or scraped from a fraudulent customer service page that ranks highly in search engine results for "nomor cs DANA" or "customer service GoPay." The person who picks up sounds professional. They have scripts. They might even have the victim's name and phone number from a leaked database.
The "customer service representative" walks the victim through a process to "freeze" or "verify" the suspicious activity. The process always involves the victim reading out OTP codes, PIN numbers, or screen-shared verification codes that arrive on their phone. Every code the victim reads is the attacker performing real actions on the victim's account in parallel: changing the registered phone number, resetting the PIN, transferring funds to a mule account.
Fifteen to thirty minutes later, the call ends. The wallet is empty. The phone number registered on the account has been changed, so the recovery flow now points at the attacker.
The technical reality is that nobody in this story hacked anything. The attacker simply asked the victim to perform every step of the takeover voluntarily, framed as a security verification.
Pattern two: the QRIS sticker swap
This is a quieter scam that mostly affects merchants, but it's worth knowing if you ever scan QRIS codes.
A scammer prints a QRIS sticker tied to their own account and physically pastes it over a legitimate merchant's QRIS sticker — at a warung, a parking lot, a small shop, a charity donation box at a mosque. Customers scan the QR code, complete the payment, and get the normal confirmation screen. The money has gone to the attacker, not the merchant. The merchant doesn't notice for hours or days because they're not actively reconciling each transaction.
Indonesian police have prosecuted multiple cases of this in Jakarta, Surabaya, and Bandung. The Bandung mosque QRIS swap case in 2024 was particularly notable because the attacker was caught on CCTV during the swap.
For customers, the protection is to verify the merchant name on your e-wallet's confirmation screen before tapping pay. The QRIS standard always shows the receiving merchant's name. If you're paying a warung called "Warung Mbak Sari" and the confirmation screen says you're about to pay "PT Megalith Holdings" or some unrelated company, stop, do not pay, and tell the merchant. For merchants, it's worth physically inspecting your QR sticker every morning — pasted-over stickers are usually subtly raised or slightly off-color compared to the original.
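The merchant name shown on the confirmation screen comes from the sticker's own payload, so a merchant can run the same check on the raw text a QR reader returns. This added example (not from the original article or from any e-wallet's code) parses a QRIS payload as an EMVCo merchant-presented QR string, verifies its CRC, and compares the merchant name, city and account fields with a saved reference. The function names and both sample payloads are constructed for illustration.

```python
def crc16_ccitt_false(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), stored in EMVCo QR tag 63."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def parse_tlv(payload: str) -> dict:
    """Split 'IDLLvalue' records: 2-digit tag, 2-digit length, then the value."""
    fields, i = {}, 0
    while i < len(payload):
        tag, length = payload[i:i + 2], payload[i + 2:i + 4]
        if len(length) != 2 or not length.isdigit():
            raise ValueError(f"malformed TLV header at offset {i}")
        end = i + 4 + int(length)
        if end > len(payload):
            raise ValueError(f"tag {tag} runs past the end of the payload")
        fields[tag] = payload[i + 4:end]
        i = end
    return fields

def build_payload(fields: dict) -> str:
    """Serialise fields, then append tag 63: CRC over everything including '6304'."""
    body = "".join(f"{t}{len(v):02d}{v}" for t, v in fields.items()) + "6304"
    return body + f"{crc16_ccitt_false(body.encode()):04X}"

def check_sticker(scanned: str, reference: str) -> list:
    """Return findings; an empty list means the sticker matches the reference."""
    if scanned[-8:-4] != "6304" or \
       f"{crc16_ccitt_false(scanned[:-4].encode()):04X}" != scanned[-4:].upper():
        return ["CRC invalid: payload corrupted or hand-edited"]
    got, want = parse_tlv(scanned), parse_tlv(reference)
    labels = {"59": "merchant name", "60": "merchant city"}
    labels.update({f"{t:02d}": "merchant account" for t in range(26, 52)})
    findings = []
    for tag, label in labels.items():
        if got.get(tag) != want.get(tag):
            findings.append(f"{label} (tag {tag}): {want.get(tag)!r} -> {got.get(tag)!r}")
    return findings

# Constructed sample payloads; the account identifiers are made up.
REFERENCE = build_payload({"00": "01", "01": "11", "26": "0012ID.EXAMPLE.A0103111",
    "52": "5812", "53": "360", "58": "ID", "59": "Warung Mbak Sari", "60": "BANDUNG"})
SWAPPED = build_payload({"00": "01", "01": "11", "26": "0012ID.EXAMPLE.B0103999",
    "52": "5812", "53": "360", "58": "ID", "59": "PT Megalith Holdings", "60": "JAKARTA"})
```

A pasted-over sticker carries a valid CRC of its own, so the comparison against the saved reference is what exposes the swap. The CRC check only catches damaged or edited payloads.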
Pattern three: the phishing site shaped like a real promo
Indonesian e-wallets run a lot of promotions. Cashback campaigns, gamified spinning-wheel prizes, partner discounts. Scammers exploit this by building phishing sites that look like real e-wallet promo pages, often hosted on URLs that contain the brand name plus a suffix — "dana-rewards-2026.com", "gopay-promo-spesial.id", "ovo-cashback-event.net". These sites are usually distributed through Telegram channels, WhatsApp blast messages, or Facebook ads.
The site asks the user to log in to claim their prize. The login form captures the e-wallet phone number and PIN. Behind the scenes, the attacker uses that PIN to authenticate the user's actual account on a real device, triggers the OTP, and then prompts the victim — still on the phishing site — to enter the OTP that just arrived on their phone. From the victim's perspective, they're "verifying their identity" to claim a promo. From the attacker's perspective, they've just collected the final piece needed to take full control of the account.
The defense here is mechanical. E-wallet promotions live inside the e-wallet app, never on third-party websites. If you see a promo on Telegram or WhatsApp that requires you to visit an external site to claim it, the promo is a phishing page until proven otherwise. Open your DANA or OVO app directly and check the promotions section. If the offer is real, it will be there. If it's not, you've just avoided a clean-out.
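The "brand name plus a suffix" naming pattern above is regular enough to screen for in forwarded messages. This added example (not from the original article) extracts links from a message and flags hosts that contain a wallet brand as a hostname token but do not sit under an allowlisted domain. The allowlist entries are assumptions to replace with domains you have verified yourself, and the sample message is constructed.

```python
import re
from urllib.parse import urlsplit

BRANDS = ("dana", "ovo", "gopay", "shopeepay", "linkaja")
# Assumption: official domains; replace with ones verified from inside each app.
OFFICIAL = ("dana.id", "ovo.id", "gopay.co.id")
URL_RE = re.compile(
    r"https?://[^\s<>\"']+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b(?:/\S*)?", re.I)

def hostname(candidate: str) -> str:
    """Lower-cased host of a URL or bare domain, or '' if it cannot be parsed."""
    candidate = candidate.rstrip(".,;:!?)")
    if "://" not in candidate:
        candidate = "http://" + candidate
    try:
        return (urlsplit(candidate).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""

def is_official(host: str, official=OFFICIAL) -> bool:
    """True only when the allowlisted domain is the right-hand end of the host."""
    return any(host == d or host.endswith("." + d) for d in official)

def brand_lookalikes(message: str, official=OFFICIAL) -> list:
    """Return (host, reasons) for each link that borrows a brand name."""
    hits = []
    for match in URL_RE.findall(message):
        host = hostname(match)
        if not host or is_official(host, official):
            continue
        tokens = set(re.split(r"[.\-]", host))
        brands = sorted(b for b in BRANDS if b in tokens)
        if brands or host.startswith("xn--") or ".xn--" in host:
            hits.append((host, brands or ["punycode"]))
    return hits

# Constructed message: the first domain is one of the article's examples,
# the last shows an official-looking prefix on an unrelated domain.
SAMPLE_MESSAGE = ("Promo DANA! Klaim di dana-rewards-2026.com/claim atau cek "
                  "https://www.dana.id/promo dan "
                  "http://dana.id.promo-check.example/login")
```

"dana" is also an ordinary Indonesian word, so treat hits as leads for review rather than verdicts.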
Pattern four: the malicious APK pretending to be your e-wallet
This is the technically nastiest of the four, and it's increasingly common in 2026.
The attacker distributes an APK file via WhatsApp, Telegram, or SMS. The file is named to look like an official update — "DANA_Update_v3.21.apk", "OVO-Premium-2026.apk". The accompanying message says the official Play Store version has a bug, or the user needs to install a special version to claim a prize, or there is a "limited regional release" for Indonesia.
If the user installs the APK, what they get is a banking trojan — typically a variant of the SOVA, Cerberus, Anubis, or Hook families. These are well-documented Android malware families analyzed in detail by ThreatFabric, Cyble, and other threat intelligence teams. The architecture follows a consistent pattern. The malware requests permission for Android's Accessibility Service, framed as something the user needs to approve to make the app work. An accessibility service can read what other apps display and perform taps and gestures on the user's behalf, so once it is granted, the malware has effectively root-equivalent access on the user-space layer of the device.
From there, the malware does several things in parallel. It reads SMS messages to capture OTPs. It uses Accessibility to perform overlay attacks — when the user opens their real DANA or OVO app, the malware draws a fake login screen on top of the real one, captures the credentials, then dismisses itself so the user sees the real app open normally. It can record the screen, log keystrokes, and even perform automated transactions by simulating user taps. The 2026 generation of these trojans includes Automated Transfer System (ATS) modules that can complete a full fraudulent transaction without any visible activity on the screen.
The defense against this category is the simplest one in the article and the one most users get wrong: never install an APK file from a link in a message. The Play Store and Apple's App Store, with all their flaws, do scan for known malware. APKs distributed through WhatsApp do not. If your friend sends you an APK, your friend's account was probably already compromised — that's how these files spread. The single act of allowing "install from unknown sources" is the highest-leverage decision in this entire chain.
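The two signals in this pattern, a sideloaded package and an enabled accessibility service, can be checked together on a device you are helping to clean up. This added example (not from the original article) parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` and lists packages that hold an accessibility service but were not installed by the Play Store. The function names and sample output are constructed, with made-up package names apart from TalkBack.

```python
import re

PLAY_STORE = "com.android.vending"

def enabled_accessibility_packages(setting_value: str) -> set:
    """Parse the 'enabled_accessibility_services' setting: a colon-separated
    list of 'package/ServiceClass' component names."""
    value = setting_value.strip()
    if value in ("", "null"):
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def installers(pm_output: str) -> dict:
    """Parse `pm list packages -i` lines: 'package:<name>  installer=<source>'."""
    result = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result

def risky_accessibility_apps(setting_value, pm_output, trusted=frozenset()):
    """Packages with an enabled accessibility service that did not come from
    the Play Store and are not on the caller's trusted list."""
    source = installers(pm_output)
    flagged = []
    for pkg in sorted(enabled_accessibility_packages(setting_value)):
        origin = source.get(pkg, "unknown")
        if origin != PLAY_STORE and pkg not in trusted:
            flagged.append((pkg, origin))
    return flagged

# Constructed sample output; com.example.* package names are made up.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/.TalkBackService:"
                  "com.example.wallet.update/com.example.wallet.update.HelperService")
SAMPLE_PM = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.wallet.update  installer=null
package:com.example.notes  installer=com.android.vending
"""
```

Preinstalled accessibility services often report no installer, so pass the ones you recognise in `trusted` rather than treating every hit as malware.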
The defenses that protect you across all four patterns
The four patterns above have different mechanics, but the defenses overlap heavily. Here are the rules I follow personally and recommend to family and friends in Indonesia.
Do not call e-wallet customer service from a number you found in a message, an SMS, or a search result. Open the e-wallet app, navigate to the help or support section inside the app, and use only the contact information shown there. The official numbers are also published on the company's verified social media accounts — DANA's verified Twitter, GoPay's official Instagram, OVO's verified Facebook. Cross-check before you call.
Do not read out OTP codes to anyone, ever, including someone who claims to be from your e-wallet's customer service. Legitimate customer service representatives at DANA, OVO, GoPay, and ShopeePay are explicitly trained not to ask for OTPs. If you are asked, the call is a scam, full stop.
Never sideload an APK. If your phone gives you any prompt about installing from unknown sources, the answer is no. Even if the message comes from someone you know — especially if it comes from someone you know, because that's a sign their account was compromised. Use only the Play Store or App Store.
Verify the recipient name on every QRIS payment before tapping pay. The five seconds this takes will save you from the QR sticker swap scam.
Enable PIN-on-app-open for your e-wallet. All four major Indonesian e-wallets support a PIN that must be entered when opening the app, separately from the transaction PIN. Enable it. This means a thief who steals your unlocked phone cannot open your DANA or OVO without knowing the PIN, even if your screen unlock is disabled.
Review your transaction history weekly. Not monthly. Weekly. The earlier you catch a fraudulent transaction, the higher the chance of recovery through the e-wallet's dispute process.
A note on what the e-wallets themselves are doing
DANA, OVO, GoPay, and ShopeePay have all rolled out significant fraud prevention upgrades in 2025 and 2026. These include device binding, behavior-based anomaly detection, mandatory cooling-off periods on phone number changes, and machine-learning models that flag out-of-pattern transactions. The IASC's coordination with these e-wallets has improved recovery rates — the Rp 169 billion returned to victims as of March 2026 is a real number.
But the technical defenses can only do so much when the user voluntarily hands over the keys. The customer service callback scam works against an account with every fraud-prevention feature enabled. The defense layer that matters most is the user knowing that no legitimate party will ever ask for an OTP, a PIN, or a screen-share during a verification call.
If you live in Indonesia, the single thing I'd ask you to take from this article is: tell one older relative this week that no real customer service person will ever ask them to read out an OTP. That conversation, repeated across a million households, would shut down the most successful category of e-wallet fraud in this country overnight.

Written by Adhen Prasetiyo
Adhen Prasetiyo is an independent security researcher and the editor of BioProfileMe. He writes about cybersecurity, online scams, privacy risks, account security, and practical digital safety for everyday users.