BLOG | VIDA DIGITAL IDENTITY

Phishing Links: Definition, Characteristics, and How to Avoid the Attack

Written by VIDA | Jun 25, 2025 1:00:00 AM

One day, you receive an SMS, email, or WhatsApp message containing a link you never requested. Be careful, it could be a phishing link!

A phishing link is a malicious URL used in online scams. Its purpose is to trick the victim into clicking and unknowingly submitting personal information or downloading malware onto their device. As a result, sensitive data like login credentials can be recorded and stolen—either directly from the link or via the malicious app. Either way, the consequences are serious: your bank or e-wallet accounts could be compromised.

So what are the signs of a phishing link, and how can you avoid it? Let’s break it down.

How to Identify a Phishing Link

Not every link sent via message is a phishing link. That’s why it's crucial to know how to distinguish between a phishing link and an official one. Here are the signs:

1. Poses as a Trusted Institution

Banks, tax authorities, e-commerce platforms, and tech companies may send emails or texts. But you must verify messages from anyone claiming to be an official institution.

Phishers often impersonate legitimate organizations and send urgent messages like:

  • “Your Account Will Be Blocked!”

  • “Update Your Data Now!”

  • “Download This App to Prevent Viruses!”

These subject lines are designed to induce panic, so the victim clicks the link without thinking. Before clicking anything, contact the official customer service line to verify whether the email or message was truly sent by them.

Signs of a phishing site or message include numerous typos or awkward grammar, a poorly formatted layout, and blurry or misaligned logos.

2. Suspicious-Looking Imitation Links

Phishers often fake URLs to closely resemble official ones, for example:

  • www.bankkamu.co.id (extra letter)

  • login-bankkamu.com (different domain)

Legitimate sites often keep to one domain ending, such as .com, .co.id, or .org, consistently.

Some links contain strange characters or symbols, such as:

  • http://bankkamu.secure-login.abc123.ru

  • https://login-bank.xyz/fakepage

If the URL looks odd, it likely is. Do not click—always confirm with the company first.

3. Urgent or Threatening Language

Any important account notifications should appear within the official app. If you suddenly get a panic-inducing message via email, SMS, WhatsApp, or social media DMs, it’s likely phishing.

These messages often scare or pressure you into acting immediately. Stay calm, and always double-check with the official contact center.

4. Redirects to a Fake Login Page

Let’s say you click the link. If it leads to a login page that looks like the real site, it’s likely a fake made to steal your username, password, PIN, or OTP.

Close the page immediately and clear it from your browser history. Never enter your credentials on a suspicious page.

5. No HTTPS (Green Padlock)

Official websites that manage sensitive data always use secure HTTPS protocols.

If you’re on a login page and there’s no padlock icon and the address starts with http:// (not https://), it’s most likely a phishing site.

Examples of Phishing Websites

Here are a few real-world examples of phishing sites:

1. Fake Bank Portals

The site looks like a legitimate banking site, but the domain is different. It asks for login credentials and an OTP, which are then stolen.

2. Fake Online Stores

During major sales events, scammers set up fake e-commerce sites offering massive discounts. Users are lured into entering their personal data to claim “promotions.”

3. Fake Prize or Survey Sites

These sites promise giveaways and ask users to log in with their social media accounts. The real goal is to collect login data.

How to Avoid Phishing Links

The most effective tip? Don’t trust messages (email, SMS, or WhatsApp) too quickly, especially if they seem suspicious. Here’s what else you can do:

1. Carefully Check the URL

Hover over any link before clicking. Make sure the domain is accurate and starts with https://.

2. Watch for Typos and Strange Structures

Watch for domains such as xn--paypel-123.com, or names that substitute letters with numbers. Domain spoofing is common.

3. Use Face Authentication Instead of OTPs

Is there an authentication method that doesn’t rely on OTPs, PINs, or passwords—thus reducing phishing risks? Yes, use facial authentication.

Authentication is the process of verifying your identity when logging in. With face authentication, there’s no need for passwords or PINs—so there’s nothing for phishers to steal.
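
The URL checks described under "Suspicious-Looking Imitation Links", "No HTTPS" and "Carefully Check the URL" above can be run as a small script over the links quoted on this page. This is an added example, not VIDA code; the genuine domain `bankamu.co.id`, the one-entry suffix list and the flag names are assumptions, since the page does not name the real domain.

```python
from urllib.parse import urlsplit

OFFICIAL = {"bankamu.co.id"}   # assumption: genuine domain, not named on the page
MULTI_SUFFIXES = {"co.id"}     # constructed stand-in for the Public Suffix List
DIGIT_SWAPS = str.maketrans("013457", "oleast")  # undo letter-to-number swaps

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-letter typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host):
    """Last two labels, or three when the suffix itself has two (co.id)."""
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_SUFFIXES else 2
    return ".".join(labels[-n:])

def check_link(url):
    """Return warning flags for a link that claims to come from the bank."""
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".")
    flags = []
    if parts.scheme == "http":
        flags.append("no-https")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-label")
    if registrable_domain(host) in OFFICIAL:
        return flags
    flags.append("not-official-domain")
    # Compare every dot- or hyphen-separated piece of the host with the brand.
    tokens = host.replace("-", ".").translate(DIGIT_SWAPS).split(".")
    brands = [domain.split(".")[0] for domain in OFFICIAL]
    if any(edit_distance(t, b) <= 1 for t in tokens for b in brands):
        flags.append("brand-lookalike")
    return flags

# URLs quoted on the page, plus two constructed samples (the last two).
SAMPLES = ["www.bankkamu.co.id", "login-bankkamu.com",
           "http://bankkamu.secure-login.abc123.ru",
           "https://login-bank.xyz/fakepage", "xn--paypel-123.com",
           "https://b4nkamu.co.id/login", "https://www.bankamu.co.id/login"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:42} {check_link(sample) or 'ok'}")
```

Note that `https://login-bank.xyz/fakepage` is served over HTTPS and is still flagged: the domain comparison, not the scheme, is what identifies it.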

VIDA’s Anti-Phishing Authentication Solutions

Phishing links are evolving and getting more sophisticated. VIDA offers authentication solutions that don’t require users to input credentials, making them phishing-resistant.

1. Facial Authentication (VIDA FaceToken)

VIDA FaceToken uses facial recognition and liveness detection to ensure that only the genuine user can access the account. It can detect deepfakes and fake videos. With no OTPs required, this method is more secure against phishing, social engineering, and SIM swap attacks.

2. Device-Based Authentication (VIDA PhoneToken)

VIDA PhoneToken binds your account to your device using Public Key Infrastructure (PKI). That means your account can only be accessed from the device used during registration. Even if OTPs or PINs are stolen, attackers can’t log in using a different device.

Phishing links are a real threat that can reach you via email, SMS, WhatsApp, or fake pop-ups. They’ve caused many people to lose sensitive data, account access, and even money.

But by being extra careful, verifying links, and switching to advanced authentication like VIDA FaceToken and PhoneToken, you can significantly reduce the risks and stay safe in today’s digital world.