One of the important things that internet users must pay attention to is keeping their passwords confidential. The message containing the One Time Password (OTP) that application users receive when making a transaction or changing their identity always includes a warning not to give the code to anyone. However, there are still users who are deceived by the actions of people acting on behalf of company employees.

In this case, the perpetrator used Google's search feature to collect phone numbers of potential victims. After that, they called the number and offered to increase the loan limit on their Kredivo application. Based on the provisions, Kredivo only provides a maximum loan limit of IDR 20,000,000 (twenty million rupiah). However, the perpetrator offered to provide a loan limit concession of up to IDR 50,000,000 (fifty million rupiah).

The first step, the perpetrator carried out SMS blasting to many numbers containing offers of ringgit investment and buying and selling of motor vehicles, electronic goods, and even houses. Then, the perpetrator will contact potential victims and ask whether they are Kredivo users or not. If the potential victim answers that they are a Kredivo user, the perpetrator will ask for the victim's username. Then, the perpetrator immediately tried to change the telephone number listed on the victim's Kredivo account so that the system would immediately send an OTP to the victim's number. At this stage, the perpetrator will ask for an OTP which is received by the potential victim and used to take over the potential victim's account. After the perpetrator successfully takes over the account, the perpetrator will use the victim's remaining loan limit. Instead of getting more loans, the victim's loan amount actually increased until it reached the maximum limit.

Due to this incident, PT FINACCEL DIGITAL INDONESIA (KREDIVO) made a police report in June 2019. Then, on December 7 2019, Subdit II Dittipidsiber succeeded in arresting 4 (four) members of the fraud syndicate from Wajo Regency, South Sulawesi Province. The perpetrators who were successfully arrested consisted of AR (28 years), S (25 years), H (34 years), and T (32 years). AR acts as the creator and sender of Blasting SMS. S acts as a collector of fraudulent money. H and T act as people pretending to be Kredivo employees. As a result of their actions, they were subject to Article 51 paragraph (1) in conjunction with Article 35 and/or Article 46 paragraph (1) and paragraph (2) in conjunction with Article 30 paragraph (1) and paragraph (2) of Law Number 19 of 2016 concerning Amendments on Law Number 11 of 2008 concerning Electronic Information and Transactions and/or Article 378 of the Criminal Code with the threat of a criminal penalty of 12 years in prison.