Antiphishing.biz

Who This Guide Is For

This article is written for you – a business owner, a financial director, an accountant, or a treasurer who uses QLola BRI to manage your company’s money.

QLola is not a personal banking app. It is a sophisticated cash management system designed for corporations, large enterprises, and serious entrepreneurs. You use it to pay suppliers, collect receivables, manage payroll, and move millions of rupiah across accounts. A single compromised QLola account can cost your company more than a year’s profit.

The criminals behind this new attack are not targeting random individuals. They are targeting you – the person with access to the company vault. They have built a near‑perfect copy of BRI’s official QLola complaint center, complete with the right logos, the right language, and the right sense of urgency. And they are using a legitimate global CDN to host their fake page, so your browser will show a green padlock and tell you the site is secure.

A CDN, or content delivery network, is a system of servers that delivers web content quickly to users around the world. Legitimate companies use CDNs like becdn.net to host images, brochures, and website files. The criminals have found a way to upload their malicious HTML code onto this trusted infrastructure, making their fake page look authentic. This is not a crude scam. This is a high‑level, targeted attack.

This guide will show you exactly how the trap works, share real stories of business owners who lost everything to similar schemes, and give you the expert‑backed habits that will keep your corporate bank accounts safe.

The Anatomy of the Attack: How a Fake Complaint Center Drains Real Accounts

Based on the captured screenshots and the analysis of the Antiphishing.biz security team, here is exactly how the criminals operate.

Step One: The Bait – An “Official” Complaint Center That Feels Familiar

The victim receives an unsolicited message – a text, a WhatsApp, or an email – directing them to a page that looks precisely like BRI’s official QLola customer service portal. The page uses the bank’s real branding, the same color scheme, and the same layout as the legitimate QLola help center.

Incident Report: This scam layout was intercepted, verified, and locked down firsthand by the Antiphishing.biz security team during our daily link moderation procedures. To protect the public, the dangerous destination URL has been completely disabled within our infrastructure. We document and analyze these live visual patterns to help security researchers and users spot lookalike phishing methods before financial damage occurs.

The page offers a menu of “issues” that any business user might face: failed login, blocked account, forgotten password, delayed transactions, misrouted funds, system access problems, fraud reports, billing questions. The criminals have studied the real QLola service page and copied every category.

The page also displays what appears to be authentic contact information: a call center number (1500001), a WhatsApp number (0813-6035-322), and an email address (qlola@bri.co.id). The first two digits of the WhatsApp number, 0813, are a common Indonesian mobile prefix, which adds a layer of local credibility.

But here is the trap. The WhatsApp number and the “Login QLola” button do not connect to BRI. They connect directly to the criminals.

Step Two: The Hosting Trick – A Legitimate CDN That Hides the Crime

Look closely at the second screenshot. The URL shown is cloud-1de12d.becdn.net/media/original/c2e7dc56f863e29e7728e59e97bb765c.html.

becdn.net is a legitimate content delivery network. Thousands of reputable companies use it to host images, PDFs, and other static files. The criminals have either found a security flaw in the CDN or, more likely, compromised an account on a platform that uses becdn.net to store user‑uploaded content.

By uploading their malicious HTML file to this CDN, the criminals achieve two things. First, the page loads quickly and reliably anywhere in the world. Second, and more importantly, the browser shows a valid SSL certificate and a green padlock. The victim sees the padlock and thinks, “This site is secure. It must be real.”

The padlock only means that your connection to the CDN is encrypted. It does not mean the content of the page is legitimate. Criminals can get SSL certificates for their fake websites just as easily as real banks can.

Step Three: The Extraction – Two Roads to the Same Ruin

The fake page offers two primary ways to steal your credentials and your money.

Road One: The Fake WhatsApp Support. When you click “Hubungi WA” (Contact WhatsApp), your phone opens a chat with the number 0813-6035-322. On the other end is a criminal, not a BRI employee. They will pose as a helpful support agent, ask for your QLola username, password, and the OTP codes sent to your phone, and then use that information to log into your real account and transfer funds out.

Road Two: The Fake Login Button. When you click “Login QLola”, you are taken to a second phishing page that mimics the real QLola login screen. You enter your corporate credentials, and the criminals capture them instantly. They then log in while you are still staring at a “loading” screen, change your passwords, and lock you out of your own account.

In both cases, the outcome is the same. The criminals gain full access to your company’s cash management system. They can see every account, every balance, every pending transaction. And they can empty those accounts in minutes.

Real Stories That Will Make You Rethink Every Click

These are not hypothetical scenarios. Business owners in Indonesia and across Southeast Asia have lost staggering amounts to similar attacks.

The Construction Company Owner Who Lost Rp 2.3 Billion

In early 2025, a construction company owner in Surabaya received a WhatsApp message claiming to be from BRI’s technical support team. The message said his QLola account had been temporarily blocked due to “suspicious login attempts” and that he needed to verify his identity through a link.

The link led to a page that looked exactly like the one in the screenshots – complete with the official logo, the same categories of problems, and a WhatsApp number to call for help. The owner called the number. The “agent” asked for his user ID, password, and the OTP codes that arrived on his phone. The owner provided them, believing he was speaking to the bank.

Within 45 minutes, Rp 2.3 billion (approximately $150,000) had been transferred out of the company’s account to three different mule accounts. The bank refused to reverse the transactions, stating that the transfers had been authorized using the OTP codes the owner had willingly provided.

The owner later told investigators: “I thought I was protecting my business. I thought the bank was helping me. I never imagined the WhatsApp number on the page could belong to criminals.”

The Textile Exporter Whose Account Was Drained While He Slept

A textile exporter in Bandung received an email that appeared to be from BRI’s QLola support team. The email warned that his account had been accessed from an unrecognized device and that he needed to “re‑verify” his login credentials immediately. The email included a link to the same fake complaint center.

The exporter clicked the link, entered his credentials, and provided the OTP codes as requested. He then received a confirmation message saying his account was secure. He went to sleep.

When he woke up, his company’s bank account was empty. Rp 850 million had been transferred out in a series of small transactions over six hours – each one under the bank’s fraud detection threshold. The criminals had automated the process, draining the account slowly to avoid triggering alerts.

The exporter told local media: “I trusted the page because it had the green padlock. I thought that meant it was safe. No one ever told me that criminals can get padlocks too.”

The Restaurant Chain Owner Whose Supplier Payments Were Hijacked

A restaurant chain owner in Jakarta received a call from someone claiming to be a BRI security officer. The caller said there had been a data breach and that all QLola users needed to “reset their security settings” through a special portal. The portal was the fake page from the screenshots.

The owner, who was in the middle of a busy day, clicked the link and entered his credentials. The criminals then took over his QLola session and changed the payee details for his regular supplier payments. For the next three months, the restaurant’s payments to its meat and vegetable suppliers were redirected to accounts controlled by the criminals. The suppliers stopped delivering goods, and the restaurants ran out of stock.

By the time the owner discovered what had happened, more than Rp 600 million had been stolen. The criminals had also used his QLola access to apply for an unsecured business loan in the company’s name, leaving the restaurant chain with debt it had never authorized.

The owner later said: “I run seven restaurants. I have hundreds of employees. I thought I was too smart to fall for a scam. But they didn’t trick my intelligence. They tricked my exhaustion.”

The Accountant Who Saved Her Company by Asking One Question

Not every story ends in disaster. A senior accountant at a manufacturing company in Semarang received the same fake WhatsApp message. She had been trained by her company’s IT department to never click links in unsolicited messages. Instead of clicking, she opened a new browser tab, typed the official BRI website address manually, and logged into her QLola account directly.

There was no security alert. No account block. No suspicious login attempt. The message was a lie.

She reported the phishing attempt to BRI’s real fraud hotline. Because of her quick thinking, the company’s Rp 1.2 billion in operational funds remained safe. Later that week, she gathered her entire finance team and walked them through the fake page, pointing out the suspicious URL and the fake WhatsApp number.

“One question saved us,” she said. “Before I click anything, I ask myself: did I ask for this message? If the answer is no, I do not click.”

The Five Red Flags That Give Away the Fake Page – Every Time

You do not need to be a cybersecurity expert to spot this attack. You just need to know what to look for.

Red Flag One: The URL Has Nothing to Do with BRI

The official QLola BRI portal lives on a domain owned and operated by the bank – something like bri.co.id or qlola.bri.co.id. The fake page in the screenshot is hosted on cloud-1de12d.becdn.net. That is not BRI. That is a generic content delivery network.

Before you click any link or type any information into a page, look at the browser’s address bar. Does the domain end with exactly bri.co.id? Or does it contain words like becdn.net, github.io, netlify.app, or any other domain that is not the bank’s official property? If you see anything other than the official domain, close the tab immediately.

Red Flag Two: The Page Was Sent to You, Not Requested by You

BRI does not send unsolicited messages with links to complaint centers or login pages. If you receive a text, email, or WhatsApp message claiming that your QLola account has a problem and that you need to click a link to fix it, treat that message as hostile.

The only safe way to check your account status is to open a new browser tab, type the official BRI website address manually, and log in. If there is a real problem, you will see a notification inside your dashboard after you log in. If you see nothing, the message was a scam.

Red Flag Three: The Page Asks You to Log In or Share OTP Codes

No legitimate customer support representative from BRI will ever ask you for your QLola password or the OTP codes sent to your phone. Those codes are for you alone. They exist to prove that you are the legitimate account holder.

If a page asks for your password, you are looking at a phishing page. If someone on WhatsApp asks for your OTP code, you are talking to a criminal.

Red Flag Four: The Page Is a Static HTML File, Not a Live Web Application

Real banking portals are complex, dynamic applications that change based on your account status. The fake page is a single static HTML file – a fixed document that looks the same for every visitor. The criminals cannot personalize it because they do not have access to BRI’s internal systems.

If the page does not greet you by name, does not show your account information, and does not change based on your inputs, it is probably a fake.

Red Flag Five: The WhatsApp Number Is Not Published on BRI’s Official Website

The official QLola BRI contact information is available on the bank’s real website. Before you trust any WhatsApp number, email address, or phone number, verify it against the official source. Go to bri.co.id manually, find the QLola support page, and compare the numbers.

If the number in the suspicious message does not match the number on the official website, you are looking at a scam.

Expert Advice: How to Keep Your Corporate Bank Accounts Safe

The advice below comes from cybersecurity professionals, banking fraud specialists, and the official security teams at major Indonesian banks. Following these rules will protect your business from this attack and every future variation of it.

Rule One: Never, Ever Click Links in Unsolicited Messages

This is the single most important rule in this guide. If you receive a message about your QLola account – no matter how urgent, no matter how official it looks – do not click any links. Do not call any phone numbers in the message. Do not reply.

Instead, open a new browser tab. Type bri.co.id manually. Navigate to the QLola portal from there. Or open the QLola mobile app directly from your phone’s home screen – not from a link in a message.

That one habit – typing the official address yourself instead of clicking a link – would have prevented every single victim story in this article.

Rule Two: Verify All Contact Information Against the Official Source

BRI has published its legitimate contact channels on its official website. Take five minutes right now to bookmark that page. Before you trust any WhatsApp number, any email address, or any phone number, check it against the official source.

The legitimate QLola BRI WhatsApp number is not 0813-6035-322 unless that exact number is listed on BRI’s official website. Do not assume. Verify.

Rule Three: Never Share OTP Codes or Passwords

This rule is absolute. No BRI employee will ever ask you for your QLola password. No support agent will ever ask you to read back an OTP code over the phone or type it into a web form that you reached by clicking a link in a message. These codes are for your eyes only.

If someone asks for them, you are not talking to BRI. You are talking to a criminal. Hang up. Close the chat. Call the bank using the official number from the back of your card.

Rule Four: Implement Multi‑Factor Authentication Beyond SMS

SMS‑based one‑time passwords are better than nothing, but they are not secure enough for corporate cash management systems. Criminals can intercept SMS codes through SIM swapping attacks or trick you into providing them through fake support pages.

If QLola offers an authenticator app option – Google Authenticator, Microsoft Authenticator, or a hardware token – use that instead of SMS. Authenticator apps generate codes directly on your device without sending them over the network, making them much harder to intercept.

Rule Five: Train Your Entire Finance Team

One trained employee can save a company millions. The accountant in Semarang saved her company by asking one question. Make sure every person in your organization who has access to QLola – CFOs, treasurers, accountants, payroll staff – knows these rules.

Run regular phishing simulations. Test your team with fake “support” messages and see who clicks. The people who fail are not stupid; they are just untrained. Train them until the habit of verifying first becomes automatic.

Rule Six: Use Separate Devices for Banking

For high‑value corporate accounts, consider using a dedicated computer or tablet that is used only for banking. Do not check email, browse social media, or click random links on that device. The fewer opportunities for malware and phishing, the safer your accounts.

This is not paranoia. This is the standard practice recommended by banking regulators worldwide.

Rule Seven: Set Up Transaction Limits and Dual Approval

Most corporate banking platforms, including QLola, allow you to set transaction limits and require two people to approve large transfers. Enable these features. If a criminal steals one set of credentials, they cannot move large amounts without a second approval.

This is your emergency brake. Use it.

Rule Eight: Enable Real‑Time Transaction Alerts

Set up your QLola account to send you a push notification or email for every transaction, no matter how small. That way, if a criminal does gain access, you will know about the first unauthorized transfer within seconds, not days, and you can contact the bank immediately to stop further transactions.

Rule Nine: Report Suspicious Messages Immediately

If you receive a phishing attempt, do not just delete it. Report it to BRI’s real fraud hotline. Forward the message to the bank’s official WhatsApp number (the one on their real website). Each report helps the bank’s security team track down fake domains, block malicious numbers, and warn other customers.

Your report could save another business from losing everything.

What to Do If You Have Already Fallen for This Scam

If you realize that you have clicked a link, entered your credentials, or provided OTP codes on a suspicious page, do not panic. But do not wait, either. Time is the enemy. Act immediately using this step‑by‑step checklist.

First, contact BRI immediately using the official phone number from the back of your card or from the bank’s official website. Do not use any phone number from the suspicious message. Tell them your QLola credentials may have been compromised. Ask them to freeze your account, block all outgoing transfers, and change your access credentials.

Second, change your QLola password immediately if you still have access. Use a strong, unique password that you have never used anywhere else. Do this from a device that you know is clean – preferably not the device where you clicked the link.

Third, revoke all active sessions. Most banking portals have a “log out everywhere” or “terminate all sessions” feature. Use it. This will kick any criminal out of your account if they are currently logged in.

Fourth, review your recent transactions carefully. Look for small test transfers as well as large amounts. Criminals often test a compromised account with a tiny transfer – Rp 10,000 or Rp 50,000 – before moving larger sums. If you see anything you do not recognize, report it to BRI immediately.

Fifth, check your other business accounts. If you use the same or similar credentials for other bank accounts, change those passwords too. Criminals will try the stolen credentials on other banks.

Sixth, report the incident to the police. File a report with the Indonesian National Police’s cybercrime unit. The more victims who report, the more resources law enforcement can dedicate to shutting down these operations.

Seventh, warn your team. Tell your finance department what happened. Use your experience as a training opportunity. The shame of falling for a scam is nothing compared to the shame of watching another employee make the same mistake because you stayed silent.

The Bigger Picture: Why Business Banking Phishing Is Exploding in Indonesia

Indonesia has seen a dramatic increase in phishing attacks targeting corporate banking systems over the past 18 months. The rapid digitization of business payments, the growth of e‑commerce, and the increasing sophistication of criminal toolkits have all contributed to this trend.

QLola BRI is a particularly attractive target because it holds the keys to large corporate treasuries. A single compromised QLola account can give criminals access to millions of rupiah – far more than a personal banking account. The criminals have adapted their tactics accordingly. They are no longer sending sloppy emails with obvious spelling errors. They are building replica sites, hiring local speakers to staff fake WhatsApp support lines, and using legitimate infrastructure like CDNs to hide their tracks.

The attack documented in these screenshots is not the work of a lone threat actor. It is a professional operation, likely run by a syndicate that includes people with technical skills, people with customer service experience, and people who understand Indonesian banking regulations.

These syndicates are patient. They will spend days building trust with a victim before asking for credentials. They will call multiple times, send follow‑up messages, and create elaborate stories about “system upgrades” or “security breaches.” Their goal is not a quick score. Their goal is to gain persistent access to your business accounts and drain them slowly, over weeks or months, so you do not notice until it is too late.

A Final Word

The fake QLola BRI complaint center is a high‑level, carefully crafted attack designed to steal money from Indonesian businesses. It uses the bank’s real branding, a legitimate CDN, a green padlock, and a fake WhatsApp number to convince you that it is safe. It is not safe. It is a trap.

The criminals are counting on your exhaustion, your trust, and your split‑second decision to click before you think. Do not give them any of those things.

Build a new habit today. When a message lands on your phone or in your inbox claiming there is a problem with your QLola account, do not click. Do not call the number in the message. Do not reply. Open your browser. Type bri.co.id manually. Log in through the official portal. Check for yourself.

That extra thirty seconds will protect your company’s cash, your employees’ paychecks, and your peace of mind.

Share this guide with every business owner, every finance director, and every accountant you know. The more people understand this attack, the harder it becomes for criminals to profit.

This attack was documented and analyzed by the Antiphishing.biz security team based on intercepted screenshots and live threat intelligence. The malicious HTML file has been reported to the CDN provider and to BRI’s security team. If you see a similar page, report it immediately to the bank and to your local cybercrime authorities. Your vigilance could save another business from ruin.