Why Brand Impersonation Scams and Phishing Are Still Winning in APAC—And How to Change That

Customer confidence is the fragile foundation of developing economies, and nowhere is this more true than Asia Pacific where phishing and customer account takeovers (ATO) threaten to bring that foundation crashing down.

For financial institutions and airlines in APAC, scam-related fraud is no longer an isolated cost center—it is an existential risk to digital trust and economic growth.

While enterprises across APAC pour billions into fraud prevention, brand impersonation scams, phishing, and customer ATO attacks continue to expose shortfalls in incumbent solutions.

Why APAC Is a Such an Easy, Lucrative Target for Scammers

APAC’s mobile-first economy, fragmented regulations, and high consumer trust in SMS-based banking create a perfect storm for fraudsters to exploit.

Fragmented Regulatory Oversight: Unlike the EU’s GDPR, APAC lacks a uniform data protection framework, making enforcement inconsistent.

Consumer Trust Culture: Many APAC consumers place a high degree of trust in SMS-based communications from banks and airlines, making them prime phishing targets.

Fraudsters Freely Exploit this Consumer Trust: often using real-time phishing proxies to intercept and relay credentials, effectively bypassing security measures like MFA and CAPTCHA.

These conditions are creating a perfect storm in APAC, empowering attackers to exploit consumer behavior and institutional blind spots. Without a fundamental shift in fraud prevention strategy, scam-targeted enterprises in APAC will remain outpaced.

The Sky-high Cost of Scams Targeting Airline and Financial Institutions

Each incident highlights a growing reality—fraudsters aren’t just stealing money; they’re systemically eroding trust, with lasting consequences for brand reputation and customer behavior.

Here are some examples from recent years.

The Singtel SMS scam: In September 2024, an SMS phishing scam impersonating Singtel directing recipients to a fake redemption site where they were prompted to enter their credit or debit card details and one-time passcodes. Collectively the victims lost over $100,000 in a single day. Needless to say, both Singtel and the victims only realized after the damage was done.

Marina Bay Sands data breach: In 2023, Singapore’s Marina Bay Sands experienced a data breach affecting approximately 665,000 members of its Sands LifeStyle rewards program. Unauthorized access occurred on October 19 and 20, compromising personal information such as names, email addresses, phone numbers, countries of residence, and membership details.

Singapore Airlines impersonation: In 2023, Singapore Airlines (SIA) faced multiple impersonation scams some of which included use of Facebook ads featuring SIA’s logo to offer S$2 luggage deals, leading victims to phishing sites that stole personal and payment details.

For Singtel, Marian Bay Sands and SIA, Things Could Have Played Out So Differently

To summarize, the reality is clear: fraudsters are innovating at a pace that outstrips traditional defenses – and scam-targeted industries simply need to reclaim control.

Here’s how.

If It’s Not Real-Time, It’s Not Real Protection

If real-time digital impersonation and ATO protection had been in place at Singtel, Mariana Bay Sands, and Singapore Airlines, these high-profile APAC scams could have played out very differently:

In the Singtel SMS scam: 

Where victims unknowingly entered card details and OTPs into a fake redemption site, real-time victim identification would have revealed exactly which users were targeted—allowing fraud teams to preemptively secure affected accounts before attackers could act.

• Decoy credentials: would have replaced real user logins entered on the fraudulent page. Instead of real user credentials, fraudsters would have unknowingly received Memcyco’s marked decoy credentials that are both useless, and traceable, exposing and locking out attackers when used.
• Automated takedown initiation: would have drastically shortened the scam’s
  lifespan, limiting its impact before it could claim six figures in losses.

In the Marina Bay Sands data breach: 

Where attackers gained access to loyalty program data, stolen credentials could have been polluted with decoy data mentioned above, corrupting the database and rendering it useless for resale or account takeovers.

• Multi-channel monitoring: would have caught early signs of fraud, identifying brand impersonation attempts across social media and online ads—stopping scammers before they could exploit stolen data for further phishing campaigns.

In the Singapore Airlines impersonation scams: 

Where fake Facebook ads led victims to phishing sites, instant impersonation alerts would have flagged fraudulent domains the moment they were deployed, allowing early intervention before victims ever clicked.

• Proactive fraud disruption: would have turned the attack against itself—flooding phishing sites with decoy data and forcing attackers to sift through worthless information, undermining their ability to profit.

Without real-time intervention, impersonation scams don’t just succeed—they scale. But if every stage of an attack is detected, blocked, and actively disrupted as it happens, fraudsters lose the advantage, and enterprises regain control.

Conclusion: The Cost of Inaction Will Only Get Higher

For financial institutions and airlines in APAC, the path forward is clear: either stay on the defensive and remain vulnerable or take proactive, real-time action to outmaneuver fraudsters.

Brand impersonation fraud is no longer a peripheral issue—it is a direct attack on the credibility of digital commerce. Enterprises that fail to adapt will suffer more than financial losses; they risk long-term customer attrition and regulatory scrutiny.

Julian Agudelo

Head of Content Marketing