Phishing Scams in Malaysia
How phishing attacks in Malaysia target Maybank, CIMB, and e-wallet users through fake banking SMS, Macau scam phone calls, and social media impersonation.
Last reviewed: 1 June 2026
Malaysia has a distinct phishing threat landscape shaped by high smartphone banking penetration, widespread use of e-wallets like Touch 'n Go and GrabPay, and a persistent 'Macau scam' telephone fraud industry that combines social engineering with credential harvesting.
Bank Negara Malaysia and the National Cyber Security Agency (NACSA) have issued repeated warnings about phishing campaigns targeting Malaysian banking customers, reflecting the high volume of incidents reported to the Commercial Crime Investigation Department (CCID).
How this scam works in Malaysia
SMS phishing targeting Maybank2u, CIMB Clicks, and RHB Now users sends messages claiming account suspension, suspicious transaction alerts, or mandatory security updates requiring login via a linked URL. The fake pages are near-identical to official banking portals and harvest TAC (Transaction Authorisation Code) credentials in real time.
Macau scam calls — a hybrid of impersonation and phishing — involve callers claiming to be police, LHDN (tax authority), or Bank Negara officials. Victims are told they have committed financial crimes and are instructed to transfer funds or reveal OTP codes to 'clear' their accounts of fraudulent activity.
WhatsApp phishing involves messages from apparently known contacts whose accounts have been compromised, requesting OTP codes to 'help' with a verification issue — which then gives the scammer access to the victim's account.
Common red flags
- SMS from a bank asking you to click a link and enter your TAC or password
- Phone call from someone claiming to be PDRM, LHDN, or Bank Negara asking for OTP codes
- WhatsApp message from a contact requesting a 6-digit verification code sent to your phone
- Email or SMS about a Shopee, Lazada, or Touch 'n Go account issue with a suspicious link
- Urgent instruction to transfer money to a 'safe account' designated by a caller
How to protect yourself
- Access all banking apps by opening them directly — never follow SMS or email links
- Bank Negara and PDRM will never ask for OTPs or fund transfers over the phone
- Enable Secure2u or equivalent app-based authentication on all Malaysian banking apps
- Report suspicious calls to the CCID Scam Response Centre at 997
- Register for Bank Negara's Monetary and Financial Consumer Alert list for scam warnings
How to report it
- Report to CCID at 997 — Malaysia's dedicated scam hotline
- Report cyber incidents to NACSA at nacsa.gov.my
- Contact your bank's fraud hotline immediately if credentials or funds were compromised
Frequently asked questions
What is the Macau scam and why is it called that?
The 'Macau scam' is a telephone fraud originating from organised crime syndicates that initially operated from Macau. Callers impersonate government officials, police, or bank security staff and convince victims to transfer money or reveal banking credentials. The name persists in Malaysian media despite the operations now running from various countries.