Paylater and Buy Now Pay Later services have become popular because they are fast and easy to use for everyday transactions. That convenience also creates a security gap when personal data is handed over without full awareness of the risks.
The danger is not limited to online misuse. In face-to-face registration processes, sensitive documents can be exploited if users do not fully understand how their identity data is being handled.
A Modus Operandi That Targets Carelessness
One detected pattern involves identity abuse during new account registration. In some cases, field marketers are suspected of taking advantage of limited digital literacy by steering users into unsafe registration steps.
They may offer help with shopping service activation, account setup, or certain trade partnership applications. Users are then asked to submit a KTP (national identity card), take a selfie, or complete facial scanning on the spot.
When Verification Moves Out of Your Control
The risk becomes much greater when biometric verification is carried out on a salesperson’s device instead of the user’s own phone. In that situation, the user can lose control of the account that is being registered and may not know which transactions later run through it.
Personal data that has already been transferred can also be used to open illegal credit facilities. For that reason, users are advised to complete registration for digital financial services themselves, through the official app and on their own mobile device.
Warning Signs That Should Not Be Ignored
Users should be alert when a staff member or salesperson asks them to complete face verification on a device other than their own phone. Pressure to share OTP codes or PINs, or to finish verification in a hurry without a clear explanation, is another warning sign.
Another red flag is receiving notifications about phone number changes or OTP SMS messages even though the user has not opened any app. Users should also reject promises of instant cash through illegal cash-out practices known as gestun.
What To Do If an Account Is Already at Risk
If someone suspects they have become a target or have already been trapped, the first step is to secure the account immediately. Passwords should be changed regularly, and the linked email address and phone number must remain fully under the user’s control.
If the account has already been taken over, the official customer support channel of the provider should be contacted right away to request a temporary freeze. OTPs and passwords must be treated as confidential information and never shared with anyone.
Sanctions and Official Reporting Channels
Gestun is regarded as a serious violation and can trigger permanent account blocking by the system. Licensed financial platform providers also state that they will not tolerate abuse of authority by internal or external parties.
When suspicious activity is found, users can submit reports through the consumer-handling channels of companies supervised by the Financial Services Authority. For example, Akulaku users can report through the official number 1500920 or via its verified social media accounts.
Beyond internal channels, victims of cybercrime are also advised to file an official report with the nearest police office. This step helps strengthen legal protection and can prevent fraudulent bills from appearing for transactions that were never made.
