Cyber Threats

Phishing & Social Engineering

Phishing and social engineering attacks remain the most pervasive cyber threats facing Malaysians today. These attacks rely not on sophisticated technical exploits but on human psychology — tricking people into revealing sensitive information, transferring money, or installing malware through deception and manipulation.

In Malaysia, these scams have reached epidemic proportions. From SMS phishing (smishing) and email scams to phone call impersonations, fraudsters are constantly evolving their tactics. The COVID-19 pandemic accelerated this trend as more Malaysians moved their daily activities online, creating new opportunities for scammers to exploit.

What Is Phishing?

Phishing is a type of cyber attack where criminals pose as legitimate organisations or individuals to trick victims into providing sensitive data. The term is a play on "fishing" — scammers cast a wide net hoping someone will bite. Common phishing channels include email, SMS text messages, phone calls (vishing), and fake websites designed to look exactly like the real thing.

Social engineering goes hand in hand with phishing. It is the psychological manipulation of people into performing actions or divulging confidential information. Unlike technical hacking, social engineering targets the human element — our natural tendency to trust, our fear of authority, and our desire to help.

How Scammers Target Malaysians

Malaysian scammers have developed a playbook of highly effective tactics tailored to local context:

  • Bank Negara Impersonation: Callers claim to be from Bank Negara Malaysia, stating your bank account has been compromised or involved in money laundering. They pressure you to transfer funds to a "safe account" or reveal your online banking credentials.
  • MyKad Scams: Victims receive calls from people posing as police or government officials, claiming their MyKad has been used for illegal activities. The caller demands payment or personal information to "resolve" the case.
  • Parcel Scams: SMS or calls claiming you have an undelivered package containing illegal items. You are instructed to call a number and make payments to "clear" your name.
  • Shopping Scams: Fake online stores on social media platforms like Facebook and Instagram offering popular items at impossibly low prices. Payment is made but the goods never arrive.
  • Love Scams: Fraudsters build romantic relationships through dating apps or social media, then fabricate emergencies requiring urgent financial help.
  • Job Scams: Fake job offers, often promising high pay for minimal work, that ask for processing fees or personal information up front.

Real Statistics From Malaysia

The scale of phishing and cyber fraud in Malaysia is staggering. According to the Malaysia Computer Emergency Response Team (MyCERT), Cyber999 receives over 26,000 cyber incident reports annually, with fraud and phishing consistently ranking as the top categories. Commercial crime losses have exceeded RM 565 million in a single year, with online scams accounting for the majority.

Studies suggest that approximately 1 in 3 Malaysians have been targeted by some form of scam attempt. The National Scam Response Centre (NSRC), established in 2022, has been receiving hundreds of calls daily, highlighting the severity of the problem.

How to Identify Phishing Attempts

Phishing messages often share common warning signs. Learning to spot these red flags is your first line of defence:

  • Urgent or threatening language: "Your account will be closed!" or "Legal action will be taken!" — scammers create panic to override your critical thinking.
  • Requests for sensitive information: Legitimate organisations never ask for your password, OTP, or PIN via SMS, email, or phone.
  • Suspicious sender addresses: Check email addresses carefully — banknegara-malaysia@gmail.com is not an official government email.
  • Poor grammar and spelling: While AI-generated scams are improving, many still contain noticeable language errors.
  • Unusual URLs: Hover over links to see the real destination. Scammers use misspelled domains like maybank2u.xyz instead of the real website.
  • Too-good-to-be-true offers: RM 50 for an iPhone or RM 10,000 monthly salary for data entry work are clear red flags.
  • Generic greetings: "Dear Customer" instead of your name suggests a mass phishing attempt.

Protection Measures

Protecting yourself requires a combination of vigilance, good habits, and the right tools:

Never share your OTP. Your One-Time Password is the last line of defence for your bank account. No bank, government agency, or legitimate organisation will ever ask for your OTP. If someone asks, they are a scammer — end the call immediately.

Verify the caller. If someone calls claiming to be from your bank or a government agency, hang up and call the official number from their website. Scammers use caller ID spoofing to display legitimate numbers, so don't trust your phone screen.

Check URLs carefully. Before entering any personal information on a website, verify the URL. Look for the padlock icon and ensure the domain matches the official website exactly. Bookmark important sites like your bank's portal rather than searching for them.

Enable two-factor authentication. 2FA adds an extra layer of security to your accounts. Even if a scammer obtains your password, they cannot access your account without the second factor.

Keep software updated. Regular updates patch security vulnerabilities that scammers can exploit. Enable automatic updates on your devices whenever possible.

Be sceptical of unsolicited messages. Whether by SMS, email, WhatsApp, or phone, treat unexpected messages with healthy scepticism. If in doubt, ignore and report.

Immediate Steps If Scammed

1. Contact your bank immediately — Call your bank's hotline to report the scam and freeze affected accounts. Quick action can save your money.

2. Report to Cyber999 — File a report at cybersecurity.my or call 1-300-88-2999. MyCERT operates 24/7 to assist cyber incident victims.

3. Make a police report — Visit your nearest police station to lodge an official report. This is essential for insurance claims and legal proceedings.

4. Call NSRC — The National Scam Response Centre at 997 can help coordinate with banks to freeze fraudulent transactions.

5. Change passwords — Update passwords for all affected accounts and enable 2FA immediately.

26,000+

Cyber999 reports received annually for cyber incidents in Malaysia

RM 565M

Total commercial crime losses in a single year, mostly online scams

1 in 3

Malaysians affected by scam attempts or cyber fraud

What to Do If Scammed

If you or someone you know falls victim to a phishing scam, time is critical. The first hour after a scam is the golden window for recovery. Contact your bank's fraud hotline immediately to report unauthorised transactions. Banks in Malaysia, including Maybank, CIMB, Public Bank, and others, have dedicated fraud teams that can freeze accounts and trace fund flows.

Next, report the incident to Cyber999 operated by MyCERT. They document the attack, analyse the scam method, and may be able to help track down the perpetrators. Their reports also contribute to national cybersecurity data that helps authorities combat scams more effectively.

Finally, lodge a police report at the nearest Balai Polis. While the likelihood of recovering lost money may be low, the report is crucial for building a legal case and may support efforts to block the scammer's accounts or phone numbers. The more data law enforcement has, the better equipped they are to dismantle scam syndicates.

Stopping the Next Attack

Phishing and social engineering are not just personal problems — they are national security concerns. Scam syndicates operating across Southeast Asia fund other criminal activities and erode public trust in digital services. By staying informed, reporting scams when you encounter them, and educating family and friends, you become part of Malaysia's cyber defence force.

Remember: if something feels wrong, it probably is. Trust your instincts, verify before acting, and never let anyone pressure you into making a quick decision with your money or data. Together, we can make Malaysia a safer place to connect, transact, and thrive online.

Marcus Tan

Marcus Tan

Cyber Threat Analyst

Marcus Tan is a cybersecurity awareness specialist with over 10 years of experience in threat intelligence and digital fraud prevention. He leads the CyberSafe Malaysia editorial team, a cybersecurity awareness initiative by CyberSecurity Malaysia & NACSA dedicated to protecting Malaysians from digital threats.

← Back to Articles