Phished out: What makes people click away their hard-earned savings?
Rising phishing scams are draining millions as citizens fall prey to fake links, messages, and calls
Updated Wednesday Nov 19 2025
When an SMS pops up on their gadgets claiming to be from a bank or any government department, many uninitiated Pakistanis open it without a second thought, partly out of disregard and partly because they assume nothing could possibly go wrong. And why wouldn’t people fall for them? They look so legitimate, so official, and the number seems genuine — a perfect trap.
Phishing frauds are surging nationwide, and so are the victims, who helplessly see their savings drained and their personal data exposed with little to no hope of recovery. Citizens are learning this lesson the hard way.
Mumal Mirza thought she had found a legitimate work-from-home opportunity through a Facebook ad claiming to be associated with “Amazon.” Within weeks, Rs600,000 vanished from her savings, replaced by humiliation and anxiety that linger to this day. In Multan, Bushra Tasnim received a call that sounded like it came from her bank’s official number. Repeated prompts for codes quickly drained tens of thousands from her account. In Karachi, Ahmed* fell victim when a colleague’s hacked WhatsApp account lured him into transferring Rs20,000 in minutes.
These incidents are not isolated errors; they are the predictable choreography of modern phishing: a credible message, urgent prompts, and victims responding as scammers anticipate. The human cost runs deeper than the figures. “I was badly shaken,” Mumal says. “That humiliating experience has left me anxious about my transactions.”
Bushra, who reported her case to the authorities through a relative, was told that “nothing can be done now — you gave the code yourself”. Ahmed remembers shock and anger at his recklessness in the brief minutes between the first message and the transfer.
The financial losses in these three cases range from Rs20,000 to Rs600,000, but the emotional toll — fractured trust and a lasting fear of clicking links or answering calls — runs far deeper. Mumal recalls being drawn in by a convincing online portal that showed a balance of Rs1.8 million, until a demand for an extra Rs200,000 as a “release” fee exposed the scam. Bushra recounts the repeated pressure of a voice insisting the call was being recorded and that urgent verification was needed “so your account will not be blocked”. Ahmed’s transfer occurred within minutes. These are classic social-engineering tactics: urgency, authority, and isolation.
Beyond victims: law, order, and thin edge of enforcement
Institutional response is often slow where speed matters most. Mumal reported her case to the authorities, supplying account numbers, CNIC details, and traces of the scammers, yet says: “They haven’t taken any action yet despite knowing everything.” Bushra managed to get a complaint filed through a relative, but the response was blunt: because she had given the code herself, there was little the authorities could do.
These anecdotes mirror recurring complaints across Pakistan — victims doing the right thing by reporting scams see little immediate relief or reversal.
Such gaps in enforcement create a cruel feedback loop: if victims feel reporting is ineffective, they may not fully cooperate; if banks and regulators appear slow to act, scammers face lower risk and higher reward. The result is an environment in which social engineering thrives.
The Pakistan Telecommunication Authority (PTA), the National Cyber Crime Investigation Agency (NCCIA), and the State Bank of Pakistan (SBP) had not responded to requests for comment by the time this story was filed.
How phishing succeeds: technical plus human
Nazim Khan, a cybersecurity expert, explains the mechanics. Scammers create fake emails, SMS, and WhatsApp messages that appear official, tricking users into clicking links or sharing personal details. “Once data is entered, it’s stolen or used for financial fraud,” he says.
Why is Pakistan particularly vulnerable? Nazim points to two converging weaknesses. First, limited cyber awareness: many still trust SMS and WhatsApp messages as if they were official letters.
Second, social factors — urgency and emotion — are readily exploited. Attackers weaponise trust: bank or courier updates, promises of quick income, or the threat of account freezes. Language barriers and the absence of routine verification habits further increase risk.
Technology, meanwhile, favours fraudsters. Ready-made phishing kits, widely available templates, and AI tools that can clone websites or mimic official correspondence make attacks faster and more convincing. Free SSL certificates and website mirroring tools let fake sites appear secure. Nazim warns that the combination of “kits plus AI” is producing personalised, hard-to-spot attacks, with new vectors like QR-code scams.
Red flags are often ignored: unusual sender addresses, grammar mistakes, strange URLs, and even small inconsistencies in logos or layouts. Many people respond to urgent messages without stopping to verify authenticity. Vulnerable groups — women, younger or older users, and those with limited cyber literacy — are often targeted using emotional and social triggers.
Rights dimension: awareness without protection
Digital rights activist Haroon Baloch situates the problem within a broader civic and communications failure. Digital literacy, he says, “remains alarmingly low”.
Even when organisations act — the SBP, PTA, and PKCERT have run advisories and educational partnerships — reach and retention are limited. Awareness campaigns exist, but they are inconsistent, often fail to reinforce learning, and do not sufficiently address root causes such as financial illiteracy or urban-rural divides.
Haroon highlights that women, low-income communities, the elderly, and marginalised groups are disproportionately affected. Campaigns rarely tailor messages for these audiences.
He calls for inventive and repeatable approaches: game-based education, periodic bite-sized videos, SMS reminders, and public service messages that teach simple routines, such as always confirming an unknown request via an official app or phone number.
Crucially, systemic failures persist, with banks sometimes shifting blame to users rather than enforcing anti-fraud measures. Media also has a role to play, he adds: detailed, consistent storytelling covering technical, psychological, and legal aspects is needed, not one-off warnings.
Psychology behind the click
Technical and institutional weaknesses set the stage, but the psychological script explains why otherwise sensible people fall victim.
Maha Iftikhar, a clinical assessment specialist at LUMS, notes that awareness alone rarely offsets cognitive shortcuts taken under stress. “A lot of Pakistanis are still getting used to online platforms, and forming new habits takes time,” she observes.
Emotional triggers — fear of loss, rush to secure a benefit, or deference to perceived authority — make phishing effective. When a message threatens account suspension or promises a refund, the brain’s loss-avoidance circuitry activates.
“In that moment,” Maha says, “the brain focuses on avoiding loss, not verifying facts.” Cultural traits amplify this: Pakistanis tend to respect authority and trust people in their networks. A forwarded link from a family WhatsApp group carries implicit social proof.
“Being cautious is smart, not rude,” she stresses. Cultural norms discouraging questioning authority or elders can become liabilities online. Scammers exploit trust, urgency, and social conditioning to make victims act before thinking.
Practical fixes: behaviour, technology, enforcement
Experts suggest interventions across three dimensions: behavioural, institutional, and technical.
- Behavioural: Maha recommends repeatable habits to build protective reflexes: pause before acting, verify through official channels, and normalise doubt — even questioning “official” callers. Community vigilance and household training can replicate offline protective behaviours online.
- Technical: Nazim advises two-factor authentication, regular device updates, and banks enforcing email security standards like DMARC, DKIM, and SPF. He also encourages outreach in Urdu and regional languages to close comprehension gaps.
- Institutional: Haroon calls for accountability. Regulators must ensure banks and telcos act swiftly when fraud is reported. The media must dedicate consistent airtime to explaining scams and preventive measures. Practical tools include mock scams in workplaces, checklists broadcast on radio and TV, and periodic SMS nudges.
Awareness alone is not immunity
The stories of Mumal, Bushra, and Ahmed reveal a common pattern: awareness in theory, failure under pressure.
Mumal knew scams existed, but trusted a sponsored Facebook message and a persuasive portal.
Bushra recognised the call seemed official, but followed instructions anyway.
Ahmed transferred money within minutes, believing the WhatsApp message came from a colleague.
These are not failures of intelligence; they are failures of designed resilience — the absence of quick verification rituals, institutional backstops, and social norms that make caution a shared practice.
Phishing in Pakistan succeeds where technology, culture, and weak enforcement converge. Scammers exploit emotional levers the way pickpockets exploit crowds.
An unfinished fight
Statistics underline the urgency. Globally, phishing attempts have surged: APWG recorded over one million attacks in the first quarter of 2025 alone, with Kaspersky blocking nearly 900 million attempts in 2024 — a 26% increase from 2023. Pakistan mirrored the trend, reporting an 18% rise in phishing attempts in 2024, with spikes during holiday months when travel-related scams proliferate.
Locally, this rise translates into real losses: Mumal’s Rs600,000, Bushra’s repeated withdrawals, and Ahmed’s Rs20,000. If anything connects victims, experts, and psychologists, it is this: phishing is not only a failure of code and servers; it is a failure of everyday systems — how people are taught, how institutions respond, and how societies adapt to new forms of persuasion.
Solving it will require more than one campaign or regulation. It demands continuous reinforcement, cultural shifts in responding to authority online, and visible, rapid remedies when fraud hits someone’s life. Until these layers strengthen, Pakistanis will continue falling for phishing — not because they are reckless, but because the systems around them have yet to catch up.
The name marked with an asterisk (*) has been changed to protect the individual’s identity.
The authors are staffers at Geo.tv
Thumbnail and header images — Reuters

