By Salleh Kodri, Sr Presales consultant, Cyble
As 2025 comes to a close, one thing is clear to me: The most damaging cyber incidents across ASEAN this year did not start with malware, zero-days, or system breaches.
They started with trust.
Across my work in Malaysia, Singapore, Thailand, Indonesia, the Philippines, and Vietnam, I repeatedly saw organizations doing “everything right” from a technical security standpoint, yet still suffering real-world damage because their brand, identity, or executives were exploited.
2025 was the year many of us finally realized that brand is no longer a marketing concern. It is a cyber asset, and in ASEAN, it has become one of the most abused attack surfaces.
Malaysia: When Customers Were Hit Before Banks Even Knew
In Malaysia, I saw multiple cases where:
- Fake banking websites and phishing pages were already circulating
- Scam campaigns were active in Bahasa Malaysia
- Customers were already losing money
Before the institution itself had any alert.
What struck me was this: There was no breach. No malware. No SOC alert.
The damage happened entirely outside the bank’s environment, through brand impersonation, fake domains, and social media abuse. By the time complaints reached the organization, trust had already eroded.
The lesson was painful but clear: If you only monitor what happens inside your network, you will always be late.
Singapore: Reputation Damage Moves Faster Than Regulation
In Singapore, the challenge was not capability, it was speed and exposure.
I observed:
- Fake government-related services appearing online
- Impersonation attempts abusing official-looking communications
- Scam infrastructure spun up and taken down rapidly
Even in a highly regulated, mature environment, brand abuse moved faster than response processes.
What concerned stakeholders most was not technical impact, but public confidence. Once trust is questioned, no amount of post-incident explanation can fully undo the damage.
Singapore reinforced a critical truth for me in 2025: Cybersecurity maturity does not automatically protect digital reputation.
Thailand: Executive Impersonation Became the Weakest Link
In Thailand, the most alarming trend I encountered was executive identity abuse.
We saw:
- Fake LINE and WhatsApp accounts impersonating senior leaders
- Social media profiles cloning executives from banks and enterprises
- Attempts to influence internal decisions using perceived authority
These were not sophisticated hacks. They were psychological attacks, exploiting hierarchy, respect, and urgency.
What made this dangerous was that traditional security tools had no visibility into it. The risk sat squarely at the intersection of human trust and digital identity, a space most security programs were not designed to defend.
Indonesia: Scale Made Brand Abuse a Business Model
Indonesia showed me what happens when scale meets weak visibility.
With its massive digital population, attackers exploited:
- Fake mobile apps using trusted brand names
- Clone domains targeting regional customers
- Long-running scam campaigns that reused infrastructure
In several cases, takedown efforts were slow, not because teams didn’t care, but because they discovered the abuse far too late.
By the time action was taken, the attackers had already moved, rebranded, and relaunched elsewhere.
Indonesia highlighted something important: Brand abuse in ASEAN is not opportunistic, it is industrialized.
Philippines: Trust Was Exploited Through Familiarity
In the Philippines, what stood out to me was how attackers weaponized familiar communication channels.
We encountered:
- SMS and messaging-based impersonation
- Social engineering campaigns tailored to local behavior
- Brand abuse that felt “normal” to recipients
Victims didn’t think they were being attacked.
They thought they were interacting with legitimate services.
The danger here wasn’t technology, it was perception. And perception is exactly what brand abuse manipulates best.
Vietnam: Digital Growth Outpaced Brand Defense
Vietnam’s rapid digital growth in 2025 came with an unintended consequence:
Brand exposure expanded faster than brand protection.
I observed:
- New digital services being impersonated almost immediately
- Fake pages and domains launched within days of public announcements
- Limited monitoring beyond core infrastructure
Vietnam reminded me that digital transformation without intelligence-led visibility creates silent risk, especially when brand assets are treated as secondary concerns.
Why 2025 Changed My View on Cyber Risk in ASEAN
Across all these countries, one pattern kept repeating:
- No malware required
- No system compromise needed
- No technical alert triggered
Yet real harm occurred—financial, reputational, and regulatory.
That was my biggest takeaway of 2025:
Cyber risk in ASEAN is no longer defined by system compromise alone.
It is defined by how easily trust can be abused.
Brand Is Now a Cyber Asset, Whether We Like It or Not
In 2025, I stopped asking: “Is this a cybersecurity issue?”
And started asking: “Does this harm trust, safety, or public confidence?”
Because once customers, citizens, or partners lose trust, recovery becomes exponentially harder than restoring a system from backup.
Brands, executives, and digital identities now require the same discipline we apply to networks and endpoints:
- Continuous monitoring
- Early intelligence
- Rapid disruption
- Clear ownership
Looking Into 2026: Trust Will Be the New Perimeter
As ASEAN continues to digitize, attackers will not slow down. They will go where defense is weakest, and in many organizations, that is still outside the firewall.
In 2026, the question will no longer be: “Are we secure?”
It will be: “Do we know how our brand, identity, and trust are being abused—right now?”
Those who answer that question honestly and act on it will be ahead.
Those who don’t will keep defending systems while attackers exploit perception.
Personal Closing
2025 changed how I see cybersecurity in ASEAN.
Not as a technology problem, but as a trust problem.
And trust, once lost, is the hardest asset to recover.
(This article reflects the author’s analysis and personal viewpoints and is intended for informational purposes only. It should not be construed as legal or regulatory advice.)
