AI-supported spear phishing threatens APAC e-commerce

The rapid expansion of e-commerce platforms such as Lazada, Rakuten, and Tokopedia has transformed the digital shopping landscape in Asia-Pacific, driving unprecedented demand for real-time tracking, seamless transactions, and personalised shopping experiences. However, this surge in digital commerce has also made these platforms prime targets for cybercriminals using AI-supported phishing tactics.

AI-driven spear phishing, a form of advanced social engineering, is emerging as a major cybersecurity threat in the region. By leveraging AI, attackers can craft highly personalised and convincing phishing campaigns by analysing publicly available data, including social media profiles and other digital footprints. As a result, phishing campaigns are becoming increasingly difficult to distinguish from legitimate communications.

For businesses operating in Asia-Pacific, the risks extend beyond technical concerns, affecting customer trust, brand reputation, and long-term growth. As AI evolves, it introduces not only new opportunities but also new threats that organisations must address. The widespread adoption of AI across industries necessitates a proactive approach to security — not just to protect sensitive consumer data, but also to maintain trust and resilience in a digital-first economy.

The evolution of phishing: AI takes centre stage

According to a recent academic study, AI-generated phishing emails achieved a click-through rate of 54%, compared to just 12% for traditional phishing emails, underscoring their alarming effectiveness. AI-powered spear phishing campaigns use machine learning to analyse publicly available information, generating personalised messages that significantly increase the likelihood of success.

AI is not only transforming industries but also introducing new cybersecurity risks that require urgent attention. Key trends in AI-driven cyberthreats include:

  • Generative AI for cybercrime: Large language models (LLMs) are being misused to create realistic phishing emails, malicious code, and fake identities at scale.
  • Deepfake technology: Cybercriminals are leveraging deepfake audio and video to impersonate executives or trusted individuals in business email compromise (BEC) scams.
  • Automated reconnaissance: AI-powered tools can scrape vast amounts of data from social media and public platforms to identify high-value targets for cyberattacks.

During festive seasons, these threats become even more pronounced as attackers exploit heightened consumer urgency and emotional engagement. Common tactics include:

  • Sending fake order confirmations or fraudulent tracking links to shoppers.
  • Impersonating trusted brands with exclusive but fraudulent promotions.

The increasing use of AI-supported phishing techniques reflects a growing reliance on automation by cybercriminals. The accessibility of generative AI tools further amplifies these attacks, making them available even to less sophisticated threat actors.

The APAC context: High growth, high risk

With e-commerce sales in Asia-Pacific projected to reach US$2 trillion by 2025 and US$3.2 trillion by 2028, the region is leading the charge in digital transformation. In addition to competitive pricing and promotions, consumers in the region have identified fast and reliable delivery and good customer service as the top e-commerce improvements they want to see, according to a study by KPMG. E-wallets and mobile banking apps are also their preferred modes of payment.

While enhanced features such as real-time tracking, faster transactions, and seamless digital shopping experiences are good for businesses, they also create new vulnerabilities that cybercriminals are quick to exploit.

The diversity within Asia-Pacific adds another layer of complexity. Established markets such as Singapore and Japan face different challenges compared to emerging economies like Vietnam and Indonesia. Cybersecurity strategies must account for these variations, ensuring both scalability and localised effectiveness.

Sales events and festive seasons: A prime target for phishing attacks

Sales events and festive periods are particularly attractive to cybercriminals for several reasons:

  • High transaction volumes: The sheer number of online transactions during these seasons increases the probability of phishing attempts going unnoticed.
  • Consumer urgency: Shoppers eager to secure deals or track shipments are more likely to click on suspicious links without scrutiny.
  • Promotional activities: Fake promotions and discount offers provide an easy cover for phishing campaigns.

For instance, in the lead-up to festive or seasonal celebrations like Valentine’s Day, consumers may receive fraudulent emails claiming to offer exclusive deals or tracking updates. These messages often lead to fake websites designed to steal personal and financial information. Fraudsters also take advantage of sales events such as Black Friday, preying on consumers who expect discounts and are actively seeking bargains — making them more susceptible to deals that seem too good to be true.

Securing festive seasons and beyond

To combat AI-supported phishing, businesses should prioritise embedding security into their digital operations. Key steps to enhance protection include:

  1. Strengthening customer verification processes: Implement secure payment gateways and authentication methods such as multi-factor authentication (MFA) to safeguard transactions.
  2. Educating teams and consumers: Conduct regular training for employees to recognise phishing attempts and provide consumers with resources to practise safe online habits.
  3. Leveraging AI-powered cybersecurity: Deploy AI-driven detection systems capable of analysing large data sets in real time to identify anomalies and block threats. These tools can also detect unusual patterns indicative of phishing or fraud attempts.
  4. Enhancing data protection: Encrypt sensitive customer data and comply with regional data protection regulations such as Singapore’s PDPA or the GDPR for cross-border transactions.
  5. Prioritising incident response planning: Establish clear protocols to address and mitigate phishing attacks swiftly, minimising disruption to business operations and customer experience.
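
One narrow instance of the automated detection in step 3, added here as an example and not taken from the article: a Python check that flags links in an order or tracking e-mail whose host is not on a brand's allowlist yet names the brand or a near-miss spelling of it. The allowlist, the 0.8 similarity threshold, the function names and the sample message are assumptions made for illustration.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist, for illustration only; a deployment maintains its own.
BRAND_DOMAINS = {"lazada": {"lazada.com", "lazada.sg"},
                 "rakuten": {"rakuten.com", "rakuten.co.jp"},
                 "tokopedia": {"tokopedia.com"}}

class LinkExtractor(HTMLParser):
    """Collect [href, visible text] pairs from an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._open = [], False
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append([href, ""])
            self._open = True
    def handle_data(self, data):
        if self._open:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        if tag == "a":
            self._open = False

def on_allowlist(host):
    return any(host == d or host.endswith("." + d) for ds in BRAND_DOMAINS.values() for d in ds)

def check_link(href, text):
    """Return the brands a link appears to impersonate (empty list = none)."""
    host = (urlsplit(href).hostname or "").lower()
    if not host or on_allowlist(host):
        return []
    labels = host.replace("-", ".").split(".")
    def lookalike(brand):  # brand, or a near-miss spelling, used as a host label
        return any(difflib.SequenceMatcher(None, brand, l).ratio() >= 0.8 for l in labels)
    return [b for b in BRAND_DOMAINS if b in (text + " " + href).lower() or lookalike(b)]

def scan_email(html):
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text.strip()) for href, text in parser.links}

# Constructed sample e-mail body (hosts under .example are placeholders).
SAMPLE = """<a href="https://www.lazada.sg/track?id=123">Track on Lazada</a>
<a href="https://lazada.sg.parcel-status.example/track?id=123">Track on Lazada</a>
<a href="https://tokopedla-promo.example/deal">Exclusive deal</a>
<a href="https://shop.example/news">Unsubscribe</a>"""
```

Calling `scan_email(SAMPLE)` flags the second link (brand used as a subdomain of an unrelated host) and the third (one-letter misspelling), and leaves the allowlisted and unrelated links alone.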

Consumers, meanwhile, should remain vigilant by adopting safe online practices. Be cautious of unsolicited emails or links, especially during festive seasons, and verify the authenticity of promotional offers and tracking notifications before clicking. Use MFA and secure payment methods for online transactions, and regularly monitor payment cards and digital wallets for fraudulent activity, reporting any suspicious transactions immediately. Additionally, ensure passwords are updated frequently and avoid reusing them across multiple platforms to reduce risk.

Vigilance in a digital-first economy

As Asia-Pacific continues to lead in e-commerce and digital innovation, the region must remain vigilant against evolving cyberthreats such as AI-supported phishing. The cost of cyberattacks globally is projected to exceed US$10 trillion by 2025, a stark reminder of the stakes involved. Collaboration between businesses, the public sector, and consumers will be essential in creating a vibrant and secure digital ecosystem that fosters trust and growth.

By proactively addressing these threats through advanced cybersecurity measures and public awareness initiatives, Asia-Pacific can maintain its leadership in digital innovation while mitigating economic and security risks.