Indonesia’s finance industry faces a growing threat that scams occur 3 to 4 times higher compared to other countries, as stated by Friderica Widyasari Dewi from the Financial Services Authority (OJK). According to the Indonesia Threat Landscape Report (2025) released by SOCRadar, the finance industry leads as the most targeted sector for phishing attacks at 24.42%, far ahead of telecommunication (10.08%), information services (9.69%), and banking (6.20%). These figures highlight a concrete risk for Micro, Small, and Medium Enterprises (MSMEs), particularly as the government continues to promote digitalisation and encourage digital payment adoption without a clear risk mitigation mechanism in place.

Digitalisation promises seamless and accessible transactions, but the risks underneath are rarely discussed. According to the Jakarta Post, Indonesians are experiencing multi-layered scams, fake job offers, fraudulent investments, lottery schemes, online marketplace fraud, and love scams. MSMEs are exposed to these threats; unlike large corporations, they often operate without dedicated IT support, cybersecurity protocols, or staff training.

This leaves them structurally vulnerable at the exact intersection where personal finance and business operations meet, meaning a single successful scam can jeopardise not just a transaction, but an entire livelihood. When the system assumes you already know Despite “built-in protections” like biometric verification on fintech apps and e-commerce platforms, cyber attacks on MSMEs continue to rise. These protections assume a user who is already alert, someone who reads terms of service, notices suspicious URLs, and knows to verify before transferring.

That is not the average MSME owner’s behaviour. The system was not “designed for them”; it was designed “around them”. This raises a harder question: “Is the problem the technology, or the people using it?” Also Read: Thailand’s cybersecurity boom has a weak core According to Universitas Gadjah Mada, most MSMEs do not prioritise cybersecurity because they underestimate their own operations.

The small-scale business owners consider that, as they are in a small operation, “the bad guy” will not chase them, but this mindset apparently invites scammers to actively exploit. Combined with limited budgets for dedicated security tools, many MSMEs end up relying on platform-level protection they barely understand. Based on a report from the National Cyber and Crypto Agency of Indonesia (2024) most common scams targeting MSMEs include fake QRIS codes, fake supplier invoices, and WhatsApp Business impersonation.

These cyber attacks have successfully manipulated small-scale business owners, leaving them with financial loss and nowhere to turn. Even when socialisation about mitigating these scams is widely available, awareness alone has proven insufficient. The gap lies in the absence of a system that validates transactions and blocks threats before they reach the business owner.

Protection cannot be left to the individual The Indonesian government has not been idle. The OJK and the Ministry of Communications and Digital (Komdigi) have launched dedicated programmes to address the issue: OJK’s Bulan Inklusi Keuangan runs annual financial literacy campaigns targeting underserved communities, including MSMEs. Komdigi’s campaign at Gerakan Nasional Literasi Digital has reached many participants across the country.

Also Read: Digital Growth, fragile defences: Inside Philippines’s cybersecurity gap However, reach is not the same as impact. These initiatives inform MSMEs that cybersecurity matters, but fail to embed protection into the tools they use every day. A warung owner registering for QRIS does not receive a fraud simulation.

The education exists in seminars and pamphlets, but the scams happen in WhatsApp chats and payment notifications. Platforms can argue they have provided biometric authentication, two-factor verification, and fraud reporting features. The government can point to its literacy programmes.

Meanwhile, MSMEs absorb the losses. What this distribution of responsibility produces is a system where everyone has done something, and no one is accountable when it fails. MSMEs cannot be expected to self-protect against threats they were never equipped to identify.

The burden of responsibility needs to shift from MSMEs to the platforms, i.e. fintech companies or fintech services, that gain profit from MSMEs’ adoption and the regulators that mandate it. Digitalisation without protection is not progress. It is exposure with better branding. — Editor’s note: e27 aims to foster thought leadership by publishing views from the community.

You can also share your perspective by submitting an article, video, podcast, or infographic. The views expressed in this article are those of the author and do not necessarily reflect the official policy or position of e27. Join us on WhatsApp, Instagram, Facebook, X, and LinkedIn to stay connected. The post