Report cyber incidents to MyCERT (CyberSecurity Malaysia); call the NSRC on 997 for financial fraud; PDPA now requires breach notification within 72 hours.
In This Guide
Malaysia's Cyber Threat Landscape
Malaysia's Cyber Threat Landscape in 2026
Malaysia is a well-defended country with a soft attack surface. On paper the national posture is world-class: Malaysia scored 98.82 in the ITU Global Cybersecurity Index 2024 and sits in Tier 1, the "role-modelling" band reserved for countries strong across all five pillars (legal, technical, organisational, capacity, cooperation). The gap is at the ground level. Individuals and small businesses are being hit faster than they can adapt, and the losses are now measured in billions of ringgit a year.
The threat has also shifted shape. Five years ago the typical incident was a malware infection or a website defacement. Today it is fraud: stolen credentials, hijacked accounts, tricked payments, and leaked personal data that feeds the next attack. That shift is why account security, device hygiene and breach response now matter as much for a mamak-stall owner or a solo freelancer as they do for a bank.
The numbers that define the landscape
Every figure below is from a named source and year. Where a full-year total was not yet published, the most recent official quarter is shown instead.
| Metric | Figure | Source (year) |
|---|---|---|
| Cyber incidents handled by Cyber999/MyCERT | 4,659 in full-year 2024 | MyCERT Incident Statistics |
| Share of those incidents that were fraud | 3,111 of 4,659, about 67% | MyCERT Incident Statistics |
| Most recent quarter of incidents | 1,881 in Q4 2025 (fraud 1,471, or 78%) | MyCERT Cyber Incident Quarterly Summary, Q4 2025 |
| Data-breach reports, quarter-on-quarter | Up 20% from Q3 to Q4 2025 (142 to 171) | MyCERT Cyber Incident Quarterly Summary, Q4 2025 |
| Total online scam losses | RM2.97 billion in 2025, up from RM1.57 billion in 2024 | Ministry of Home Affairs / NSRC |
| Largest single loss category | Non-existent investments: RM1.46 billion in 2025 | Ministry of Home Affairs / NSRC |
| Telecommunications-scam losses | RM802.47 million in 2025 | Ministry of Home Affairs / NSRC |
| Average cost of a data breach to a Malaysian organisation | RM3.2 million in 2026 | PIKOM, "Beyond Compliance: The State of Cyber Resilience in Malaysia 2026" |
| Organisations reporting at least one incident | 35.9% | PIKOM |
| Most common attack types | AI-generated phishing / deepfake 32.6%; malware or ransomware 30.2%; credential theft 25.6% | PIKOM |
| SMEs with an annual cyber budget below RM250,000 | 51.3% | PIKOM |
| Organisations with five or fewer dedicated security staff | 78.8% | PIKOM |
| National cyber-defence ranking | Tier 1, score 98.82 | ITU Global Cybersecurity Index |
A note on reading these: the MyCERT figures count incidents formally reported to Cyber999, so they undercount the real total (most victims never report). The NSRC scam figures are wider because they capture money-loss cases routed through the 997 hotline and banks. Fraud dominates both, and reported cases climbed steadily through 2025.
What is actually attacking Malaysians right now
Fraud and account takeover. Fraud is the single largest category MyCERT handles, roughly two-thirds to four-fifths of reported incidents. Most of it starts with a stolen password or a tricked victim, which is why the account-security chapters of this guide (passwords, passkeys, MFA) are the highest-leverage thing you can do.
Banking-trojan APK scams. The signature Malaysian threat. Victims are lured (fake parcel delivery, fake cleaning service, fake loan, fake e-invoice) into installing an Android APK sent outside Google Play. The app steals banking credentials and one-time codes, then drains accounts. This is a device-security problem, not only a scam-awareness problem, and it is covered in the mobile and banking-app chapter.
Data breaches feeding the next attack. Leaked personal data (MyKad numbers, phone numbers, addresses) makes the next scam call convincing. Breach reports to MyCERT rose 20% between Q3 and Q4 2025. Malaysia's response is now legal: the Personal Data Protection Act's 2024 amendments introduced mandatory breach notification and a required Data Protection Officer, and the Cyber Security Act 2024 governs national critical information infrastructure. Both are covered in the PDPA and breach chapters.
Ransomware and business email compromise (BEC). These hit SMEs hardest. Malware and ransomware made up 30.2% of reported attack types, credential theft 25.6%, and a single incident can cost a Malaysian organisation an average of RM3.2 million. For a small firm without backups or cyber insurance, one ransomware hit can be terminal.
AI-generated phishing and deepfakes. Now the most common attack type at 32.6%. Generative AI has removed the broken-English tell that used to give scams away, and voice or video deepfakes are being used to authorise fraudulent payments.
What it means for individuals
The maths is simple. National defences are strong, but attackers have moved to the one target that cannot be patched centrally: you. RM2.97 billion in scam losses in 2025 is money taken mostly through hijacked accounts, tricked transfers and malicious apps, not through breaking Malaysia's infrastructure. The controls that protect you are personal and boring: a unique password on every account, passkeys or an authenticator app instead of SMS codes, never installing an app from a link, and knowing that 997 and your bank's 24/7 line are the numbers to call in the first hour after something goes wrong.
What it means for SMEs
Malaysian SMEs are the soft centre of the national target. More than half run on a cyber budget under RM250,000 and nearly four in five have five or fewer security staff, yet they face the same ransomware, BEC and breach risk as large firms, at an average cost of RM3.2 million per incident. The 2024 PDPA amendments also raised the legal stakes: a breach is now a notifiable event with a named officer responsible for it. For most small firms the practical priority order is fixed: enforce MFA on email and banking, keep tested offline backups, train staff to spot invoice and payment fraud, and write down who to call before an incident happens rather than during one. The rest of this guide walks through each of those in order.
Personal Security Essentials
Personal Security Essentials
Most Malaysians who get hacked are not targeted by a genius. They reuse one password across ten accounts, they approve an SMS code without reading it, or they leave email unprotected while it quietly holds the reset keys to everything else. Fix a handful of basics and you close the doors attackers actually walk through.
Fraud made up 71% of all incidents reported to Malaysia's Cyber999 centre in Q4 2024, with data breaches next at 10%. On the malware side, banking-trojan attacks on Android smartphones roughly tripled worldwide in 2024, rising from about 420,000 to 1.24 million detections, and Malaysian banks have been a direct target of fake-app campaigns such as CraxsRAT. The controls below are ordered by impact. Do them top to bottom.
The 60-minute priority checklist
If you only have one hour this week, work down this list in order. Each item blocks a specific, common attack.
- [ ] Secure your primary email first with a long unique password and an authenticator app. It is the master key that resets every other account.
- [ ] Install a password manager and let it generate a different password for each account.
- [ ] Turn on MFA on email, banking, e-wallets and social media, using an app or passkey, not SMS.
- [ ] Turn on passkeys wherever they are offered (Google, Apple, Microsoft, WhatsApp, banks that support them).
- [ ] Update your phone, laptop and browser, and switch on automatic updates.
- [ ] Never install an APK sent by link or chat. Only install banking and e-wallet apps from the official App Store or Google Play.
- [ ] Change any password you have reused, starting with email and banking.
- [ ] Save the NSRC scam hotline: 997, in case money ever leaves an account.
1. Use a password manager and stop reusing passwords
Password reuse is the single most exploited weakness. When one website suffers a breach, attackers take the leaked email-and-password pairs and try them on banks, e-wallets and email accounts. This is called credential stuffing, and it works only because people reuse passwords.
A password manager solves the whole problem at once. It generates a long random password for every account, remembers them, and fills them in for you. You memorise one strong master password and nothing else.
What to do:
- Pick a reputable password manager. Bitwarden and Proton Pass have free tiers; 1Password and Keeper are strong paid options. The built-in managers in Google Password Manager and Apple Passwords are a solid free start if you live in one ecosystem.
- Make the master password a passphrase of four or more random words, for example `siput-tangga-hujan-42-biru`. Length beats complexity.
- Let the manager generate 16-plus character passwords for every new account.
- Turn on the manager's breach-monitoring or "password health" feature and fix reused or exposed passwords it flags.
What makes a password strong:
| Weak (avoid) | Strong (use) |
|---|---|
| `Ahmad1234`, `Malaysia2026` | A random 16+ character string from your manager |
| Your name, IC number, birthday, car plate | A four-word passphrase for the master password only |
| One password reused everywhere | A unique password per account |
| `P@ssw0rd!` (predictable substitutions) | Genuinely random, never reused |
2. Turn on passkeys where you can
A passkey replaces the password entirely with a cryptographic key stored on your phone or laptop, unlocked by your fingerprint, face or device PIN. There is nothing to type, nothing to leak in a breach, and nothing a phishing site can steal, because the key only works on the genuine website it was created for.
Passkeys are already available on Google, Apple, Microsoft, WhatsApp and a growing number of banks and services. When a service offers to "create a passkey" or "sign in without a password", accept it.
- Set up passkeys on your Google, Apple or Microsoft account first, since these anchor most of your other logins.
- Your passkeys sync securely through your Google, Apple or password-manager account, so a lost phone does not lock you out permanently.
- Keep a backup sign-in method (an authenticator app or recovery codes) in case you lose all your devices.
3. Switch on MFA, and use an app, not SMS
Multi-factor authentication (MFA, also called 2FA) means a stolen password alone is not enough to get in. The second factor matters. In order of strength:
- Passkey or hardware security key (strongest, phishing-resistant)
- Authenticator app code, such as Google Authenticator, Microsoft Authenticator, or the code feature built into your password manager
- SMS one-time code (weakest, use only if nothing else is offered)
Why avoid SMS codes. SMS can be intercepted through SIM-swap fraud, where a criminal transfers your number to their SIM and receives your codes, and banking-trojan apps on Android can read incoming SMS and forward one-time codes to attackers. Malaysian banks warn about SIM-replacement scams for exactly this reason (Maybank security advisory). Where a bank still uses SMS, switch to its in-app "secure approval" or a "cooling-off" transaction approval if the option exists.
Do this now: turn on app-based MFA for email, internet banking, every e-wallet (Touch 'n Go eWallet, GrabPay, Boost, ShopeePay), and social media. Save the backup or recovery codes each service gives you inside your password manager.
4. Protect email like the master key it is
Your primary email address can reset the password on nearly every other account you own. If an attacker controls your email, they control your bank logins, your e-wallets and your social media. Treat it as the crown jewels.
- Give email its own unique, strong password from your manager, used nowhere else.
- Protect it with a passkey or authenticator app, never SMS alone.
- Review the account's recovery phone number and recovery email, and remove any you no longer control.
- Check the "active sessions" or "devices" list in your email settings and sign out anything unfamiliar.
- Be suspicious of any email that creates urgency and asks you to click a link to "verify", "unlock" or "avoid suspension". Go to the site directly instead of clicking.
5. Keep software updated, automatically
Most successful phone and computer attacks exploit a known flaw that a security update has already fixed. Attackers rely on people delaying updates. Turn updates on and let them run.
- Phone: enable automatic OS updates and automatic app updates. Update the same day a security patch is offered.
- Computer: turn on automatic updates for Windows or macOS, and for your browser.
- Router: update its firmware at least once, and change the default admin password.
- Retire unsupported devices. A phone that no longer receives security updates cannot be made safe for banking. Move banking apps to a supported device.
Android-specific, because Malaysia's biggest local threat is malicious apps: only install apps from the official Google Play Store. Never install an APK file sent by SMS, WhatsApp, Telegram or a website, even one that looks like a bank, a delivery company, a government agency or a food brand. Keep Google Play Protect switched on. If an app asks for Accessibility permission or the right to read your SMS and it is not a genuine tool that needs it, refuse and uninstall it.
6. Be careful on public Wi-Fi
Open Wi-Fi at cafes, malls, airports and hotels is convenient and untrustworthy. Someone on the same network, or a fake hotspot named to look official, can try to intercept what you send.
- Avoid internet banking, e-wallet top-ups and shopping on public Wi-Fi. Use your mobile data instead. 4G and 5G traffic is encrypted between your phone and the network.
- If you must use public Wi-Fi for sensitive tasks, use a reputable VPN to encrypt your connection.
- Turn off "connect automatically" so your phone does not silently rejoin open networks it has seen before.
- Check that banking and shopping sites show `https://` and the correct domain before you log in.
- Treat any Wi-Fi captive page that asks you to "install an app" or "enter your banking details" as a scam.
Quick reference: what strong personal security looks like
| Control | Do this | Not this |
|---|---|---|
| Passwords | Unique per account, generated by a password manager | One password reused everywhere |
| Master password | A four-word passphrase you memorise | Name, IC number or birthday |
| Login method | Passkey where available | Password alone |
| Second factor | Authenticator app or passkey | SMS code as the only factor |
| Its own strong password plus app-based MFA | Same password as other sites | |
| Updates | Automatic, applied promptly | "Remind me later" for weeks |
| Apps | Official App Store or Google Play only | APK from a link or chat |
| Sensitive tasks | Mobile data or a VPN | Open public Wi-Fi |
If money is ever moved without your permission, call the National Scam Response Centre (NSRC) at 997 immediately and contact your bank, so a transfer can be traced and frozen before it disappears. Between January and June 2025, coordination through the National Fraud Portal blocked RM369 million in fraudulent transactions, and speed is what makes that possible.
Securing Your Key Malaysian Accounts
Securing Your Key Malaysian Accounts
Your money and identity in Malaysia now live inside a handful of apps: your banking app, your e-wallet, your government login, and your email. An attacker who takes over any one of these can drain the others. This section covers how to lock down the accounts that matter most here, using the exact tools your local banks and providers already give you.
Why account takeover is the real target
Most losses in Malaysia do not start with a hacker breaking encryption. They start with someone getting into an account they should not be in, usually through a stolen password, a hijacked OTP, a fake banking app (APK), or a SIM swap. Bank Negara Malaysia (BNM) reported a 58% reduction in unauthorised online banking transactions reported to the National Scam Response Centre in the five months after its December 2022 security measures took effect. The controls work, but only if you switch them on.
The defence has three layers:
- Get in cleanly — strong, unique passwords or passkeys plus interception-resistant MFA.
- Limit the blast radius — transaction limits, single-device binding, cooling-off periods.
- Have a kill switch — the ability to freeze everything in seconds if something feels wrong.
Online banking: use the controls BNM already mandated
Since September 2022, BNM directed all Malaysian banks off SMS OTP for high-risk actions (account opening, fund transfers, payments, and changing account settings), because scammers can intercept, read, and even delete SMS transaction authorisation codes (TACs) on a compromised phone. The five key measures banks rolled out are your baseline protection:
| BNM measure | What it does for you | What you should do |
|---|---|---|
| Secure authentication app replacing SMS OTP | Approvals happen inside the bank app on your device, not via interceptable SMS | Enrol in your bank's app token: Maybank Secure2u, CIMB SecureTAC, etc. |
| Single designated device | Only one nominated phone can authorise transactions | Register your own phone only; never approve a device you did not add |
| 12-hour cooling-off period on first-time online-banking or secure-device registration | New enrolment cannot transact for 12 hours, giving you time to react if it was fraudulent | If you get an unexpected "new device registered" alert, call your bank and NSRC 997 immediately |
| No hyperlinks in bank SMS/email | Genuine bank messages will not contain login links | Treat any banking SMS/email with a clickable link as a scam |
| 24/7 fraud hotline | A single number to freeze fraud fast | Save your bank's fraud line and NSRC 997 now |
In July 2023 banks went further with malware shielding technology that detects malicious apps or side-loaded APKs and blocks banking activity on a compromised device. Do not disable or bypass it, and do not install banking APKs sent through WhatsApp, Telegram, or any link. Only install banking apps from the official Google Play Store or Apple App Store.
BNM's updated Risk Management in Technology (RMiT) policy, issued November 2025, now makes SMS OTP explicitly non-compliant as a standalone second factor. It requires MFA that is interception-resistant and tied to the specific beneficiary and amount, plus device binding. In practice this means your in-app approvals should show you exactly who you are paying and how much before you confirm. Always read that screen.
#### Set transaction limits low
Your daily transfer limit is your single most effective loss cap. If your limit is RM50,000 but you rarely move more than RM3,000, an attacker inside your account can take RM50,000. Lower it.
- Set your DuitNow / third-party transfer limit to the minimum you realistically need.
- Raise it temporarily only when you have a genuine large payment, then lower it again.
- Note that reducing a limit is instant, but increasing it now triggers a cooling-off period at most banks, so a scammer cannot bump your limit and drain you in the same session.
The Kill Switch: freeze your account in seconds
Every major Malaysian bank now has a self-service Kill Switch that instantly suspends online banking and card use if you suspect you have been scammed or your phone is lost. OCBC launched it first in late 2022, followed by CIMB and Maybank in January 2023.
| Bank | Feature name | Where to find it |
|---|---|---|
| Maybank | Kill Switch | MAE app and Maybank2u web |
| CIMB | Lock Clicks ID | CIMB OCTO / Clicks app |
| OCBC | Kill Switch | OCBC app |
How Maybank's works as an example: once triggered, you are logged out of all active MAE and Maybank2u sessions and online banking is disabled. You can still withdraw cash at an ATM and use your physical debit/credit card, but cardless and contactless withdrawals stop because those need an app login. Reactivation requires identity verification at a branch or via Maybank Group Customer Care, deliberately, so an attacker cannot simply turn it back on.
Know where your bank's kill switch is before you need it. In a live scam, seconds matter.
E-wallets: Touch 'n Go, GrabPay, Boost
E-wallets hold smaller balances than bank accounts but are heavily targeted because reloads and DuitNow QR payments are fast and hard to reverse.
Touch 'n Go eWallet (Malaysia's largest) security controls:
- PIN or biometric (Face/Touch ID) is required to open the app and approve payments; set this up on first login. If biometrics fail twice, it falls back to your six-digit PIN.
- One secure device only. Every TNG eWallet is bound to a single mobile device, and transactions are authorised through TapSecure, a one-tap approval from that linked device. Changing devices requires re-verification.
- In-app kill switch / account freeze lets you suspend the wallet yourself.
- Face verification is used for sensitive actions such as login and payments, backed by automated fraud detection.
If your phone is lost or stolen, act fast:
- Call the TNG eWallet Careline at +603 5022 3888 to suspend your account.
- Contact your telco to block your SIM immediately, so nobody can request OTPs to reset your PIN.
- Use the in-app freeze/kill switch if you can still reach it from another device.
GrabPay and Boost both support Face ID or fingerprint authentication; enable it, set a PIN, and turn on transaction notifications. Across all e-wallets: keep only small balances loaded, turn off auto-reload from your bank if you do not need it, and never share the OTP or PIN with a "customer service" caller (real providers never ask).
MyDigital ID, MySejahtera and government portals
MyDigital ID is the government's single sign-on digital identity, live to the public since July 2024 and past roughly 10 million registrations by February 2026. It verifies your identity in real time against the National Registration Department database and does not store your biometrics or personal data, and it does not replace MyKad (MyDigital ID / My Digital ID Sdn Bhd). It increasingly gates access to MyGovernment and other federal e-services.
Because one credential is starting to unlock many government services, protect it accordingly:
- Register MyDigital ID yourself, on your own device, using official channels only (the MyDigital ID app / digital-id.my). Never let an agent or "helper" register it for you.
- Enable device biometrics/passcode on the phone that holds it.
- For MySejahtera, government portals (LHDN/MyTax, EPF i-Akaun, KWSP, JPJ), use a unique password per portal and enable any available 2FA. EPF i-Akaun and MyTax, in particular, expose money and tax data, so treat them like bank accounts.
- Be alert to fake government-portal phishing pages; type the official address or use the official app rather than clicking links in SMS or email.
Email and social accounts: the master key
Your primary email is the recovery point for almost everything else. Whoever controls it can reset your bank, e-wallet, and social passwords. Secure it first.
- Use a long, unique passphrase or a passkey for your main email (Gmail, Outlook).
- Turn on the strongest MFA available: an authenticator app (Google Authenticator, Microsoft Authenticator) or a passkey / security key, not SMS.
- Review recovery phone and recovery email settings, and remove any you do not recognise.
- Audit connected apps and active sessions periodically and revoke anything unfamiliar.
- On WhatsApp, enable two-step verification (a PIN) so a SIM-swapper cannot re-register your number.
- On social accounts (Facebook, Instagram, TikTok, X), enable app-based 2FA and review authorised logins; a hijacked social account is routinely used to run scams against your friends and family.
Your account-security checklist
- [ ] Main email secured with a passkey or unique passphrase plus app-based MFA
- [ ] Enrolled in your bank's secure app token (Secure2u / SecureTAC), SMS OTP retired
- [ ] Daily transfer/DuitNow limit set as low as practical
- [ ] Located and tested your bank's Kill Switch (Maybank Kill Switch / CIMB Lock Clicks ID / OCBC Kill Switch)
- [ ] Only your own device registered as the authorised banking/e-wallet device
- [ ] E-wallet PIN + biometric on; balances kept small; auto-reload reviewed
- [ ] MyDigital ID and government portals (EPF, MyTax) on unique passwords with 2FA
- [ ] WhatsApp two-step verification PIN enabled
- [ ] Banking apps installed only from official app stores, never from an APK link
- [ ] NSRC 997 and your bank's 24/7 fraud hotline saved in your phone
If an account is already compromised
- Trigger the Kill Switch in your banking app (or call the bank's fraud hotline) and freeze affected e-wallets.
- Call NSRC 997 immediately; the earlier you report, the higher the chance of freezing the receiving account.
- Block your SIM with your telco if you suspect a SIM swap or lost phone.
- Change passwords from a clean device, starting with your email, then reset MFA.
- Lodge a police report, which you will need for the bank and for any recovery claim.
> Watch for the fake-NSRC callback scam: after you report, be aware that scammers impersonate NSRC or bank officers and call back asking you to "verify" or "move funds to a safe account." Genuine NSRC and bank staff will never ask for your PIN, password, OTP, or tell you to transfer money.
Phone & Banking-App Security
Phone & Banking-App Security
Your phone is now the single most valuable target a criminal can reach. It holds your banking app, your OTP codes, your e-wallet, your MyDigital ID, and your messages. In Malaysia the dominant attack is not a sophisticated remote hack. It is tricking you into installing a malicious app yourself, then handing it the permissions it needs to drain your account. Malaysians lost over RM2.7 billion to scams in just the first 11 months of 2025, and a large share of that money left through a compromised phone.
This section covers the biggest local vector (malicious APK sideloading and banking trojans), SIM-swap, the permissions that actually cause damage, and how to lock down Android and iOS.
The malicious APK: Malaysia's number one mobile threat
The pattern is consistent. You receive an SMS or WhatsApp message about a parcel, a traffic summons (saman), a tax refund, an electricity bill, or a part-time job. The message contains a link. The link tells you to download an app to "track your delivery," "pay the fine," or "start the job." That app is a banking trojan.
MyCERT (part of CyberSecurity Malaysia) has tracked an active campaign using fake app brands such as Delivery4U, KerjaExpress, and MaxTag, all delivering the same underlying Android banking trojan (RizalProtect / RizalVA family), with Maybank (MAE) and CIMB (Octo) among the most consistently targeted banking apps.
Once installed, a banking trojan can:
- Overlay a fake login screen on top of your real banking app to steal your username and password.
- Read your SMS, so it captures the OTP or TAC the bank sends and can even delete the alert before you see it.
- Abuse Accessibility permission to read your screen, tap buttons on your behalf, and authorise transfers without you touching the phone.
- Hide its own icon so you cannot easily find and remove it.
Only Android is affected by sideloaded APKs, because Android allows installation from outside the Play Store. iPhones cannot install a normal `.apk` file, which is why criminals overwhelmingly target Android in Malaysia. iPhone users still face other risks covered below.
> The one rule that stops almost all of this: Never install an app from a link in an SMS, WhatsApp, Telegram, email, or social media. Banks, LHDN, Pos Malaysia, JPJ, and TNB do not send you app download links. Install apps only from the Google Play Store or Apple App Store.
The permissions that actually cause the damage
A malicious app is harmless until you grant it power. Four permission types do nearly all the harm. Treat any app that requests them, especially one you sideloaded, as hostile.
| Permission | What it lets a malicious app do | When it is a red flag |
|---|---|---|
| Accessibility service | Read everything on screen and tap buttons for you, including approving transfers | A courier, job, bank, or "update" app should never need this. Almost no legitimate app does. |
| SMS (read/receive) | Steal your OTP/TAC and delete bank alerts | A delivery or shopping app has no reason to read your SMS |
| Notification access | Read on-screen OTP notifications and 2FA prompts | Rarely needed outside genuine automation apps |
| Install unknown apps / display over other apps | Install more malware and paint fake login overlays | A single app asking for both is a serious warning |
If an app you installed from a random link asks you to "enable Accessibility to continue," stop immediately. That single tap is what lets it empty your account.
Google now blocks sideloaded apps that request these high-risk permissions (RECEIVE_SMS, READ_SMS, notification access, and Accessibility) through an enhanced Google Play Protect pilot, greying out the setting with a message that it is "unavailable for your security". Keep Play Protect turned on. Do not follow any "guide" that tells you to disable it to make an app work.
Fake and cloned apps in the official stores
Not every threat comes from outside the store. Criminals also upload fake banking, e-wallet, and e-commerce apps to Google Play and, less often, the App Store, using near-identical names and logos.
Before installing any financial app:
- Check the developer name, not just the app name. It should be the real bank or company (for example the official Maybank, CIMB, Touch 'n Go, or Shopee developer account).
- Check the install count and review history. A real bank app has millions of downloads and years of reviews. A clone has a few thousand and a recent publish date.
- Go through the bank's official website to find the correct app link, rather than searching the store and picking the top result.
- Avoid TestFlight or "beta" links for a banking app sent to you by anyone. That is not how Malaysian banks distribute their apps.
SIM-swap and mobile-number takeover
SIM-swap is when a criminal convinces your telco to move your phone number onto a SIM card they control, usually using your leaked personal data (IC number, address, date of birth) to impersonate you. Once they hold your number, every SMS OTP and call-based verification goes to them.
Warning signs of a SIM-swap in progress:
- Your phone suddenly shows "No Service" or "SOS only" for no reason, especially if others nearby have signal.
- You stop receiving calls and SMS.
- You get an unexpected notification that your number has been ported or a new SIM activated.
If you suspect a SIM-swap: call your telco immediately from another phone to freeze the line, then contact your bank and the National Scam Response Centre (NSRC) on 997.
Reduce your exposure:
- Set a PIN or passcode with your telco on your account so no SIM change happens without it (Maxis, Celcom, Digi, U Mobile, Yes, and unifi all offer this).
- Move your bank and email 2FA away from SMS toward an authenticator app or passkey wherever the service supports it.
- Keep your IC number and personal details off social media and out of lucky-draw forms.
Beyond SMS OTP: the shift to app-based approval
Bank Negara Malaysia (BNM) was one of the first regulators anywhere to push banks off SMS OTP, directing financial institutions from September 2022 to move high-risk actions to a more secure method. BNM's updated Risk Management in Technology (RMiT) policy issued 28 November 2025 confirms that SMS OTP is no longer acceptable as a standalone second factor, and that a bank account should be bound to a single secure device by default.
In practice this means your banking app now approves logins and transfers through an in-app "Secure2u," "SecureTAC," or push-approval prompt tied to one registered device. This is more resistant to interception than SMS. To use it safely:
- Bind your account to one device only, your own phone, and never approve a prompt you did not personally trigger.
- Be aware of the "cooling-off" period: after you register a new device or re-activate secure approval, banks impose a delay before large transfers are allowed. If a "bank officer" pressures you to bypass or ignore this, it is a scam.
- Learn where your bank's "kill switch" is. Most Malaysian banking apps now include a one-tap function to instantly freeze your account if you think you are compromised.
How to lock down your Android phone
Android gives criminals the most room to operate, so it needs the most hardening.
- [ ] Install apps only from Google Play. Turn off "Install unknown apps" for every browser and messaging app.
- [ ] Keep Google Play Protect on (Play Store → profile icon → Play Protect) and let it scan.
- [ ] Review Accessibility settings (Settings → Accessibility): if any app you do not recognise or did not deliberately set up is listed, disable it and uninstall the app.
- [ ] Review which apps can read SMS and notifications and revoke anything that has no reason to.
- [ ] Turn on automatic system and security updates and install them promptly.
- [ ] Use a strong screen lock (6-digit PIN minimum, or biometric plus PIN), not a simple pattern.
- [ ] Use the built-in banking protections on newer devices (for example the safety features in Samsung, Xiaomi, and stock Android that warn about screen-sharing during banking).
- [ ] Do the "when in doubt, factory reset" step if you cannot find or remove a suspicious app, after backing up your photos and contacts.
How to lock down your iPhone
iPhones are harder to infect, but not immune.
- [ ] Keep iOS updated. Turn on automatic updates.
- [ ] Never install "configuration profiles" sent by anyone, and never sideload apps via TestFlight or enterprise links you were sent.
- [ ] Review app permissions (Settings → Privacy & Security) and remove access nothing needs.
- [ ] Turn on Stolen Device Protection so a thief who knows your passcode still cannot change your Apple ID or bank details easily.
- [ ] Use a strong alphanumeric passcode, not a 4-digit one, and enable Face ID / Touch ID.
- [ ] Consider Lockdown Mode if you are a high-risk target (business owner, public figure, handler of large transfers).
- [ ] Ignore fake "your iPhone is infected" pop-ups. These are browser scams, not real virus alerts.
Signs your phone is already compromised
Act immediately if you notice:
- The phone is hot, slow, or the battery drains fast for no clear reason.
- Pop-ups or ads appear outside any app.
- An app you do not remember installing appears, or an icon vanishes.
- You see bank SMS or emails for transactions you did not make, or approval prompts you did not trigger.
- Data usage spikes unexpectedly.
- Friends receive messages from you that you did not send.
If you think your phone or account is compromised
Move fast. Money moves in minutes.
- Put the phone in airplane mode to cut the malware's connection, then keep it off your banking.
- From a different, clean device, log in and use your bank's kill switch / freeze function, or call your bank's 24-hour hotline.
- Call the National Scam Response Centre (NSRC) on 997. The line now operates 24 hours a day and can coordinate with banks to freeze mule accounts and trace funds. Since its 2022 launch it has handled more than 266,000 calls.
- Lodge a police report, which you will need for any bank dispute and insurance claim.
- Factory reset the phone to remove the malware, then change every important password from a clean device. Reinstall apps only from the official stores.
- Report the malicious app or number to MyCERT (Cyber999) at CyberSecurity Malaysia so others can be warned.
Speed is everything. The earlier you reach 997 and your bank, the higher the chance funds can be held before the criminal cashes out.
Data Protection & the PDPA
Data Protection & the PDPA
Your personal data (your IC number, phone, address, bank details, biometrics) is protected by law in Malaysia. The rules changed significantly in 2025. This section explains what the Personal Data Protection Act now requires, the rights you hold as an individual, the duties your business carries, and what to do when data is exposed.
What is the PDPA, and who enforces it?
The Personal Data Protection Act 2010 (PDPA) is Malaysia's main data privacy law. It governs how organisations collect, use, store, and share personal data in commercial transactions. It is enforced by the Personal Data Protection Department (Jabatan Perlindungan Data Peribadi, JPDP) and the Personal Data Protection Commissioner, under the Ministry of Digital.
The law was substantially updated by the Personal Data Protection (Amendment) Act 2024, which came into force in stages from January to June 2025. The headline obligations (mandatory breach notification, mandatory Data Protection Officer, and data portability) took effect on 1 June 2025.
> Important scope note. The PDPA applies to organisations processing personal data in commercial transactions. Federal and state governments are excluded, and personal or household use is exempt. It applies to businesses of every size, including sole proprietors and micro-SMEs.
The seven principles (the backbone of the law)
Every organisation that handles personal data must comply with seven principles under the PDPA:
| Principle | What it means in practice |
|---|---|
| General | Process data only with consent or a lawful basis; tell people why you are collecting it. |
| Notice & Choice | Give a clear privacy notice (in Malay and English) at the point of collection. |
| Disclosure | Do not share data with third parties beyond the stated purpose without consent. |
| Security | Protect data against loss, misuse, and unauthorised access. |
| Retention | Do not keep data longer than necessary; delete it when the purpose ends. |
| Data Integrity | Keep data accurate, complete, and up to date. |
| Access | Let individuals see and correct their own data on request. |
What changed in the 2024 amendment (verify this if you handle data)
The amendment is the biggest overhaul of the PDPA since 2010. The changes that matter most for individuals and SMEs:
- "Data user" is now "data controller." The Act adopts international terminology.
- Data processors are now directly liable. For the first time, third parties that process data on your behalf (your cloud provider, payroll vendor, marketing agency) are directly subject to the Security Principle. They can be penalised in their own right.
- Biometric data is now sensitive personal data. Facial recognition, fingerprints, voiceprints, retinal scans, and similar identifiers get the higher protection reserved for sensitive data, which generally requires explicit consent.
- Mandatory data breach notification. See the dedicated section below.
- Mandatory Data Protection Officer (DPO). See below.
- Data portability right. Individuals can, in principle, ask to have their data transferred to another provider, subject to forthcoming rules.
- Higher penalties. The maximum fine for breaching the data protection principles rose from RM300,000 to RM1,000,000, and maximum imprisonment from two to three years.
- Cross-border transfer rules tightened. The old "whitelist" of approved countries under Section 129 was removed. See below.
Mandatory data breach notification
This is the single most important operational change for businesses. If you suffer a personal data breach, you now have a legal duty to report it.
The timeline you must meet:
| Notify | Deadline | Trigger |
|---|---|---|
| The Commissioner (JPDP) | As soon as practicable, and within 72 hours of becoming aware of the breach | Any breach you have reason to believe has occurred. If you miss 72 hours, you must give written reasons for the delay. |
| Affected individuals | Without unnecessary delay, and within 7 days of notifying the Commissioner | Where the breach is likely to cause significant harm to data subjects. |
What counts as "significant harm" includes risk of physical harm, financial loss, damage to credit, misuse of data for unlawful purposes, compromise of sensitive data, or identity fraud from combined data. A breach affecting more than 1,000 data subjects must be notified to the Commissioner regardless.
Penalty for failing to notify a breach: a fine of up to RM250,000 and/or imprisonment of up to two years.
Practical takeaway for SMEs: the 72-hour clock is short. Prepare a simple breach response plan now (who to call, what to log, how to notify) rather than improvising during an incident. See the Incident Response section of this guide.
Mandatory Data Protection Officer (DPO)
From 1 June 2025, both data controllers and data processors may be required to appoint at least one DPO accountable for PDPA compliance. Under the JPDP guidelines, appointing a DPO is mandatory if you process:
- personal data of more than 20,000 data subjects; or
- sensitive personal data (including financial information) of more than 10,000 data subjects; or
- data through activities that require regular and systematic monitoring.
The DPO can be an existing employee or an outsourced service, must be based in Malaysia or easily contactable, and must be proficient in Malay and English. You must notify the Commissioner of the appointment and business contact details within 21 days.
Many small businesses fall below these thresholds and are not legally required to appoint a DPO. Even so, naming one person as the internal owner of data protection is sound hygiene.
Cross-border data transfer
If your business sends personal data outside Malaysia (common when you use overseas cloud, SaaS, or payment tools), the amended Section 129 applies. The old approved-country whitelist was deleted. You may now transfer data abroad where the destination has a law substantially similar to the PDPA, or ensures a level of protection at least equivalent to the PDPA. Other lawful grounds include the individual's explicit consent, necessity for a contract, or binding contractual safeguards. The JPDP has issued Cross-Border Personal Data Transfer Guidelines and expects controllers to carry out a Transfer Impact Assessment (TIA) before transferring.
Your rights as an individual
Under the PDPA you can:
- Access your data. Ask any organisation what personal data it holds about you.
- Correct it. Require inaccurate or outdated data to be fixed.
- Withdraw consent. Tell an organisation to stop processing your data (subject to legal exceptions).
- Stop direct marketing. Demand that a company cease using your data for marketing.
- Be notified of a breach where it is likely to cause you significant harm.
How to exercise them: submit a written data access or correction request to the organisation's DPO or privacy contact. They must respond within the statutory timeframe. If they refuse or ignore you, you can lodge a complaint with the JPDP.
If your data is breached (individual checklist)
When a company tells you your data was exposed, or you suspect it was:
- [ ] Change the password for that account and any account sharing the same password.
- [ ] Turn on MFA / passkeys on that account and your email (see the Account Security section).
- [ ] Watch your bank and e-wallet for unauthorised transactions; enable transaction alerts.
- [ ] Be alert to targeted scams. Breached data (your name, IC, phone) is used to make phishing calls and messages look legitimate. Treat unexpected calls claiming to be your bank, courier, or a government agency with suspicion.
- [ ] Never share OTPs or banking-app approvals with anyone who calls you, even if they quote your correct personal details.
- [ ] If money is lost, call the National Scam Response Centre (NSRC) at 997 immediately to attempt to freeze the transfer, and lodge a police report.
- [ ] If an organisation mishandled your data, complain to the JPDP (pdp.gov.my).
SME compliance checklist
For a small business, PDPA compliance is achievable without a large budget. Prioritise these:
- [ ] Issue a privacy notice (Malay and English) at every point you collect data.
- [ ] Map your data. Know what personal data you hold, where it lives, and who can access it.
- [ ] Secure it. Encrypt devices, use strong passwords and MFA, restrict access to who needs it.
- [ ] Vet your vendors. Your data processors are now directly liable; put data protection terms in your contracts.
- [ ] Check the DPO thresholds (20,000 / 10,000 data subjects). Appoint and register a DPO if you cross them.
- [ ] Write a breach response plan so you can meet the 72-hour notification deadline.
- [ ] Delete data you no longer need. Less data held means less to lose in a breach.
- [ ] Handle biometric data with extra care. It is now sensitive data and usually needs explicit consent.
> Verify before you rely. Data protection rules are still being supplemented with guidelines and subsidiary regulations. Check the official JPDP portal at pdp.gov.my for the current text before making compliance decisions, and seek legal advice for anything high-stakes.
Cybersecurity for Malaysian SMEs
Why Malaysian SMEs are now the main target
Attackers moved down-market. Large banks and government bodies have security teams, so criminals hit the businesses that hold real money and customer data but run on one part-time IT person or an outsourced vendor. In Malaysia the reported incident mix is dominated by fraud: fraud made up about 68% of all cases reported to the Cyber999 Incident Response Centre in Q1 2025, followed by intrusion and data breach. Ransomware is smaller by count but rising fast: ransomware incidents reported to Cyber999 rose sharply across 2025, up sharply on prior years, and Active Directory servers have become the primary target because compromising them amplifies the damage across a whole network.
Two things changed the rules for SMEs in 2025:
- The Personal Data Protection (Amendment) Act 2024 brought in mandatory 72-hour breach notification and a mandatory Data Protection Officer, both effective 1 June 2025, with fines raised to up to RM1 million and/or 3 years' imprisonment.
- The Cyber Security Act 2024 (Act 854) came into force 26 August 2024 and, from 1 January 2025, requires providers of certain regulated cyber security services (such as managed SOC and penetration testing) to hold a NACSA licence. That affects who you can legally hire.
This guide covers protective controls: backups, MFA, patching, email security, staff training, vendor risk, and insurance. For phishing, love scams, fake-seller and investment scams, see the separate scams guides.
Where an SME reports an incident
| You have... | Report to | Channel |
|---|---|---|
| Money transferred to a scammer / fraudulent transaction (still recent) | National Scam Response Centre (NSRC) — joint BNM, PDRM, NFCC, MCMC and banks | Call 997 immediately (time-critical for freezing funds) |
| Malware, ransomware, hacked email/website, data breach | MyCERT / Cyber999 (CyberSecurity Malaysia) | [email protected], hotline 1-300-88-2999, or the Cyber999 app |
| Personal data breach affecting customers/staff | Personal Data Protection Commissioner | Within 72 hours of becoming aware (PDPA duty) |
| Crime report for insurance/legal | PDRM (nearest station or Commercial Crime CCID) | Police report (needed for most claims) |
Report early. NSRC fund-freezing works only while the money is still in the receiving account.
The essential controls, in priority order
If budget is tight, do them top to bottom. Most of this list is free or low-cost.
| # | Control | Why it matters for SMEs | Rough cost |
|---|---|---|---|
| 1 | MFA on everything (email, banking, admin, remote access) | Stops the single most common breach: a stolen or reused password | Free (built into Microsoft 365, Google Workspace) |
| 2 | 3-2-1 backups, tested | The only reliable recovery from ransomware | Low (external drive + cloud) |
| 3 | Patch/update OS, browsers, apps | Closes the holes attackers actually use | Free (auto-update) |
| 4 | Endpoint protection on every device | Blocks known malware and banking trojans | Free (Microsoft Defender) to ~RM100–200/device/yr |
| 5 | Least privilege (staff are not admins) | Limits how far one compromise spreads | Free (config) |
| 6 | Email security + payment verification | Defeats business email compromise and invoice fraud | Low |
| 7 | Staff phishing awareness | Your people are the perimeter | Free to low |
| 8 | Cyber insurance | Covers the cost you cannot absorb | RM3k–5k+/yr (see below) |
Multi-factor authentication (MFA), everywhere
A password alone is not enough. Enforce MFA on email, cloud storage, accounting software, banking, remote-access tools, and any admin login.
- Prefer an authenticator app (Microsoft/Google Authenticator) or a passkey over SMS codes. SMS can be defeated by SIM-swap fraud, which is active in Malaysia.
- Turn on MFA for every user, not only the boss. Attackers target junior accounts to move sideways.
- In Microsoft 365 / Google Workspace, enforce it centrally so staff cannot opt out.
Ransomware and the 3-2-1 backup rule
Ransomware encrypts your files and demands payment. Do not rely on paying; recovery comes from backups.
3-2-1 rule: keep 3 copies of your data, on 2 different media, with 1 copy off-site (or offline/immutable cloud).
- At least one copy must be offline or immutable so ransomware cannot encrypt it too. Backups that are always connected get encrypted with everything else.
- Test a restore quarterly. An untested backup is a guess.
- Protect the Active Directory / main server specifically. It is the top ransomware target in Malaysia.
- Segment backups from daily user accounts; a compromised staff laptop should not be able to reach the backup store.
Business email compromise (BEC) and invoice fraud
BEC is the highest-value email threat to SMEs. An attacker gets into a mailbox (often via a phished password with no MFA), watches quietly for weeks, then sends a payment or bank-change instruction that looks routine. Globally BEC drove close to USD 2.8 billion in reported losses in 2024 across 21,442 complaints. One reported Malaysian case in 2025 saw a trading firm lose RM680,000 after a compromised finance mailbox.
Controls that stop it:
- Verify every payment or bank-detail change out-of-band. Call the supplier on a number you already have, never the number in the email.
- Treat "urgent, confidential, change of account, do it now" as a red flag, especially if it claims to come from the boss.
- Turn on MFA so mailboxes cannot be silently taken over.
- Enable email authentication (SPF, DKIM, DMARC) on your domain to make spoofing your address harder.
- Flag or tag external emails so a spoofed internal sender stands out.
- Set a dual-approval rule for payments above a threshold.
Staff phishing awareness
Your team clicks the links. Train them, briefly and often.
- Run short (15-minute) sessions each quarter, not one annual lecture.
- Send simulated phishing emails and coach whoever clicks, without blame.
- Teach the local patterns: fake bank/LHDN/JPJ SMS, parcel-delivery links, "your account is suspended" e-wallet messages, and APK files sent over WhatsApp (banking-trojan installers). Never install an app from a link; only from Google Play or the App Store.
- Make it safe and fast to report a suspicious email. Speed of reporting limits damage.
Patching and endpoint protection
- Turn on automatic updates for Windows/macOS, browsers, and business apps. Most breaches exploit holes that already have a fix.
- Retire unsupported software (old Windows, end-of-life servers). It stops receiving patches.
- Run endpoint protection on every device. Microsoft Defender (built into Windows) is a reasonable free baseline for a micro-business; paid endpoint/EDR (~RM100–200 per device/year) adds detection and central management as you grow.
- Cover mobile phones used for work email and banking, and keep them updated too.
Least privilege and access control
- Staff accounts should be standard users, not administrators. Admin rights let malware install itself system-wide.
- One account per person; no shared logins. You cannot trace or revoke a shared password.
- Remove access the day someone leaves. Ex-staff and ex-vendor accounts are a common entry point.
- Keep a simple access list: who can reach banking, customer data, and the server, reviewed twice a year.
Vendor and supply-chain risk
Your security is only as strong as the outsourced IT firm, accounting-software vendor, or e-commerce platform you rely on.
- Hire only NACSA-licensed cyber security service providers. Since 1 January 2025 an unlicensed provider is operating unlawfully under the Cyber Security Act 2024. Ask to see the licence.
- Ask vendors: Do you enforce MFA? Where is our data stored? Will you notify us of a breach, and how fast?
- Give vendors only the access they need, and remove it when the engagement ends.
- Keep a short inventory of every third party that touches your data or systems.
Data protection and PDPA duties for SMEs
If you hold customer or employee personal data (almost every SME does), the amended PDPA now applies with real teeth (Personal Data Protection (Amendment) Act 2024, effective in stages through 2025).
- Breach notification: notify the Personal Data Protection Commissioner as soon as practicable and within 72 hours of becoming aware of a breach that meets the threshold, and notify affected individuals without undue delay (within 7 days of notifying the Commissioner).
- Data Protection Officer (DPO): qualifying controllers and processors must appoint and register a DPO.
- Penalties: up to RM1 million and/or 3 years' imprisonment, with possible personal liability for directors and managers.
- Practical steps: know what personal data you hold and where, encrypt sensitive data, limit who can access it, and keep a simple breach-response plan so you can hit the 72-hour clock.
Cyber insurance for SMEs
Insurance is the backstop for costs you cannot absorb: forensic investigation, data restoration, legal fees, notification, business interruption, and third-party claims. It is a complement to controls, and insurers increasingly require MFA and backups before they quote.
Indicative pricing:
| Tier | Typical annual premium | Fits | Common inclusions |
|---|---|---|---|
| Micro / basic | from ~RM3,000–5,000 | Sole trader, micro-SME, low data volume | First-party: incident response, data restoration, cyber extortion, business interruption |
| Standard SME | roughly RM5,000–15,000 | Growing SME, holds customer data, takes online payments | Above plus third-party liability, PDPA/regulatory defence costs, breach notification |
| Higher-limit | RM15,000+ | Higher turnover, sensitive/regulated data, e-commerce | Higher limits, wider third-party cover, dependent business interruption |
Premiums vary with turnover, industry, data volume, and the controls you already have. Figures are broker guidance, not fixed rates; get a quote for your business. Check what is excluded (e.g. losses from missing MFA, or fraud where staff authorised the payment) and whether BEC/social-engineering loss is covered, since basic policies often exclude it.
Does the Cyber Security Act 2024 apply to my SME?
For most SMEs, not directly. Act 854's core obligations (annual risk assessment, biennial audit, 6-hour incident reporting) fall on National Critical Information Infrastructure (NCII) entities in 11 sectors: government, banking and finance, transport, defence, information/communications, healthcare, water and waste, energy, agriculture/plantation, trade/industry/economy, and science/technology. A typical retailer, café, agency, or workshop is not an NCII entity.
Where it still touches you:
- If you are a supplier to an NCII entity, expect security requirements to be passed down through contracts.
- If you sell cyber security services, you need a NACSA licence.
- The PDPA applies to nearly all SMEs regardless of size, so treat data protection as your baseline legal duty.
30 / 60 / 90-day action plan
First 30 days (free, do it now)
- [ ] Turn on MFA for all email, banking, cloud, and admin accounts.
- [ ] Set every OS, browser, and app to auto-update.
- [ ] Confirm you have a working backup, and do one test restore.
- [ ] Enable Microsoft Defender (or equivalent) on every device.
- [ ] Save 997 (NSRC) and 1-300-88-2999 (Cyber999) where staff can find them.
Days 31–60
- [ ] Implement 3-2-1 backups with one offline/immutable copy.
- [ ] Remove admin rights from standard staff; delete ex-staff accounts.
- [ ] Add out-of-band verification for all payments and bank-detail changes.
- [ ] Set up SPF, DKIM, DMARC on your email domain.
- [ ] List every vendor with access to your data; confirm your IT provider is NACSA-licensed.
Days 61–90
- [ ] Run a staff phishing awareness session and a simulated test.
- [ ] Map what personal data you hold; appoint/register a DPO if required and write a 72-hour breach plan.
- [ ] Get a cyber insurance quote.
- [ ] Write a one-page incident response plan and assign who does what.
Incident response: the first hour
- Isolate the affected device from the network (unplug/disable Wi-Fi). Do not power it off if you may need forensics.
- Preserve evidence. Do not wipe or "clean up" before advice; screenshots and logs matter.
- Change passwords for affected accounts from a clean device, and confirm MFA is on.
- Report: call 997 if money moved; contact Cyber999 for malware/breach; file a police report.
- PDPA clock: if personal data is exposed, start the 72-hour notification assessment immediately.
- Recover from a known-good backup once the threat is removed. Do not pay ransoms as a first resort; paying does not guarantee recovery and funds crime.
- Notify your cyber insurer early; many policies require prompt notice and use an approved response panel.
- Review afterwards: what let it in, and which control on the list above would have stopped it.
Common Attacks Explained
Common Attacks Explained
Most cyberattacks in Malaysia are variations on a handful of techniques. Once you can recognise how each one works, the defence usually becomes obvious. This section explains the attacks that actually hit Malaysian individuals and small businesses, and names the single control that stops each one most reliably.
Fraud is the dominant category. Of the 1,881 incidents handled by the Cyber999 response centre in Q4 2025, 1,471 were fraud, and phishing is the most common fraud type reported. The attacks below are the mechanics behind those numbers.
Quick-reference: attack, how it works, best defence
| Attack | How it works in one line | The one defence that matters most |
|---|---|---|
| Phishing | Fake email or website tricks you into typing credentials | Phishing-resistant MFA (passkeys or a security key) |
| Smishing | SMS or WhatsApp with a malicious link, posing as a bank, LHDN, courier or gov aid | Never click links in messages; open the app yourself |
| Malware / banking trojans (APK) | You are told to sideload an Android "app" that steals OTPs and drains accounts | Never install APKs from links; keep Google Play Protect on |
| Ransomware | Malware encrypts your files and demands payment | Offline, tested backups (3-2-1 rule) |
| Social engineering | Attacker manipulates a person, not a machine | A verification step that cannot be skipped under pressure |
| Business Email Compromise (BEC) | Fake or hijacked executive/supplier email redirects a payment | Out-of-band callback to verify any payment or bank-detail change |
| Credential stuffing | Passwords leaked elsewhere are replayed against your accounts | Unique passwords in a manager, plus MFA |
| AI-enabled threats | Deepfake voice/video and AI-written phishing impersonate people you trust | A pre-agreed verification method (safe word, callback) |
Phishing
Phishing is a message designed to make you hand over credentials or money by pretending to be someone you trust: a bank, LHDN, PDRM, a courier, a government aid programme, or your own IT department. It usually creates urgency ("your account will be suspended", "claim your Sumbangan Tunai Rahmah before it expires") and points to a link. The link leads to a copy of a real login page. Whatever you type goes straight to the attacker.
The modern trap is that a convincing fake page can also capture your one-time password (OTP) in real time and pass it to the real bank before the code expires. That is why an OTP alone is no longer enough.
How to recognise it: unexpected urgency, a sender address that does not match the real domain, links that do not go to the official site, and any request to "verify" by logging in through a link.
The one defence that matters most: phishing-resistant MFA. Passkeys and hardware security keys are bound to the genuine website, so they simply do not work on a fake page. Even if you are fooled into typing your password, the login fails on the attacker's clone. Where passkeys are not available, an authenticator app beats SMS OTP. The universal rule: never log in through a link in a message. Open the app or type the address yourself.
Smishing (SMS and messaging-app phishing)
Smishing is phishing delivered by SMS, WhatsApp, Telegram or RCS. In Malaysia the common lures are fake bank alerts, fake courier redelivery notices ("your parcel is held, pay RM2 to release"), fake LHDN tax refunds, TNB or Saman fine notices, and fake government aid. The message carries a link to a phishing page or, worse, an instruction to install an app.
Messaging apps make smishing more dangerous than email phishing because links look shortened and personal, and because the same channel is used by real friends and family.
The one defence that matters most: treat every link in a message as hostile. Do not tap it. If a bank, courier or agency appears to be contacting you, close the message and reach them through their official app or a phone number you already have. Malaysia's banks do not send clickable login links by SMS, and legitimate agencies do not ask for OTPs or full card details over chat.
Malware and banking trojans (malicious APKs)
This is Malaysia's signature mobile threat. Malicious APKs (Android install files) are consistently among the most reported malware incidents. The scam usually starts on the phone: a "seller", "loan officer", "cleaning service" or "government officer" persuades you to download an app to complete a purchase, claim a discount or receive aid. Because the file comes from a link or chat rather than the Google Play Store, you have to switch off Android's protections to install it. Once installed, the app quietly reads your SMS (harvesting banking OTPs), captures what you type, overlays fake login screens on top of real banking apps, and can grant the attacker remote control of the device. Accounts are then drained, often at 3am while you sleep.
How to recognise it: any instruction to "install this APK", "enable installation from unknown sources", or turn off Play Protect. That request is the attack.
The one defence that matters most: never sideload apps. Install only from the Google Play Store or Apple App Store, and leave Google Play Protect enabled. On iPhone this class of attack is largely blocked by the App Store model. If someone insists you must install a file to receive money or a refund, it is a scam, full stop.
Ransomware
Ransomware is malware that encrypts your files (or a whole server) and demands payment for the key. For an SME it can freeze invoicing, POS, patient or customer records and email in one stroke. It typically gets in through a phishing attachment, a stolen remote-desktop (RDP) password, or an unpatched internet-facing system. Modern gangs also steal a copy of the data first and threaten to leak it, so paying does not guarantee recovery or silence. LockBit has been the most active family against Malaysian targets, with newer groups such as Akira and Qilin growing.
The one defence that matters most: offline, tested backups. Follow the 3-2-1 rule: three copies of your data, on two types of media, with one copy kept offline or immutable so ransomware cannot reach it. A backup you have actually restored from is what turns a ransomware attack from a business-ending event into a bad afternoon. Patching internet-facing systems and disabling exposed RDP removes the most common way in.
Social engineering
Social engineering is the parent of most of the attacks above. Instead of breaking software, the attacker manipulates a person: building trust, inventing authority, and applying time pressure so you act before you think. It powers Macau scams (fake police or Bank Negara officers accusing you of a crime), fake IT support calls, "your account has been compromised, move your money to a safe account" ruses, and the mule-account recruitment that feeds the whole ecosystem. The NSRC blocked 162,642 suspected mule accounts in 2025, a sign of how much of the fraud pipeline runs on manipulated people rather than hacked machines.
The one defence that matters most: a verification step you refuse to skip. Real authorities never ask you to move money to a "safe account", never demand payment in e-wallet transfers or crypto, and never conduct investigations over WhatsApp video. When urgency spikes, that is the cue to slow down and independently verify through a channel you control. For families, agree that any "emergency money" request must be confirmed by calling the person back on their known number.
Business Email Compromise (BEC)
BEC is the most expensive attack per incident for SMEs. The attacker either spoofs or actually breaks into an email account, usually a director's, a finance staffer's, or a supplier's, then quietly watches the mailbox for weeks to learn how payments flow. At the right moment they send a legitimate-looking instruction: a new supplier bank account, an "urgent confidential" transfer, or a change to payroll details. Kaspersky recorded more than RM7.5 million in Malaysian BEC losses between 2023 and mid-2025, against 64,778 phishing attempts aimed at Malaysian companies. In one 2025 case a Johor trading firm lost RM680,000 after its CFO's email was monitored for three weeks and then used to authorise a "confidential supplier payment".
How to recognise it: any change to bank account details, an unusual urgency around a transfer, a request to keep it confidential, or a reply-to address that differs subtly from the real one.
The one defence that matters most: out-of-band verification of payments. Before paying a new account or changing supplier bank details, confirm by phoning a number you already had on file, not one from the email. Make this a written rule that applies to everyone, including the boss, and enforce dual authorisation for payments above a set threshold. Turning on MFA for company email closes the door the attacker used to get in.
Credential stuffing
Credential stuffing exploits password reuse. When any website you use suffers a data breach, your email and password end up on lists that attackers buy and replay automatically against hundreds of other services: your email, your bank, your e-wallet, your business tools. If you reused that password anywhere, those accounts fall too, without any "hacking" of the second site at all. This is why a single leaked password can cascade across your whole digital life.
The one defence that matters most: a unique password for every account, plus MFA. Use a password manager so every login has a long, random, one-of-a-kind password; a breach of one site then leaks a password that works nowhere else. Add MFA (ideally passkeys) so that even a correct stolen password is not enough to log in. Check whether your email appears in known breaches and change any reused passwords first.
AI-enabled threats: deepfakes and AI phishing
AI has removed the old warning signs. Phishing emails and messages used to give themselves away with clumsy grammar; AI now writes them in fluent Malay and English, personalised from your social media. More alarming is voice and video cloning. A few seconds of someone's audio is enough to clone their voice, and scammers have used this to impersonate family members and executives. Malaysian cases in 2025 included an elderly man in Johor who lost RM10,000 to a cloned "grandson" claiming to be in an accident, and cases where an executive transferred a large sum after a video call from what appeared to be their CEO. Deepfake videos of public figures, including the King and well-known business leaders, have been used to promote fake investment schemes.
The security lesson is that seeing a face or hearing a voice can no longer prove identity.
The one defence that matters most: a pre-agreed, out-of-band verification method. Because the medium itself can be faked, verification has to move to a separate channel the attacker does not control. For families, set a private "safe word" for any emergency money request. For businesses, require that any instruction to move funds, however senior the source and however real the voice or face, is confirmed by an independent callback to a known number before anything is paid. Treat unexpected urgency, especially urgency plus a payment, as the signal to verify rather than the reason to hurry.
If you are hit
Speed matters most with money. For any fraudulent transfer or if you have installed a suspicious app, call the National Scam Response Centre (NSRC) on 997 immediately (24 hours) and your bank's hotline to freeze accounts, then lodge a police report. For malware, phishing pages, business incidents, hacked accounts or data breaches, report to CyberSecurity Malaysia's Cyber999 (email [email protected], or the Cyber999 app). Preserve evidence: do not delete the messages, and screenshot everything before you clean up the device.
If You Get Hacked or Breached
If You Get Hacked or Breached: Incident Response for Malaysia
The first hour matters more than anything you do later. Whether a banking-trojan APK has drained your account, ransomware has locked your SME's files, or a staff mailbox has been taken over, the response is the same in shape: contain, preserve, report, recover. Act in that order, and report money loss to 997 and cyber incidents to Cyber999 as fast as you can. Below is exactly what to do, who to call, and what the law now requires of you.
First 60 Minutes: The Fast Checklist
Do these in order. Do not stop to investigate root cause first; contain the damage, then dig.
- [ ] Money moved without your consent? Call NSRC 997 immediately (see below). The freeze window is measured in hours.
- [ ] Disconnect the affected device from the internet (turn off Wi-Fi, unplug the LAN cable). Do not power it off if you suspect ransomware; disconnecting preserves memory evidence and stops spread.
- [ ] Change the password of the compromised account from a different, clean device, and enable MFA if it was not already on.
- [ ] Revoke active sessions in the account's security settings ("log out all devices" / "sign out everywhere").
- [ ] Stop the spread. If one account or PC is hit, assume others are exposed. Isolate shared drives and reset any password reused elsewhere.
- [ ] Tell your bank through its official 24-hour hotline (printed on the back of your card) if any financial account or card is involved.
- [ ] Preserve evidence before you clean up: screenshot everything, note timestamps, keep the phishing email or SMS.
- [ ] Warn the people at risk: colleagues, family, or customers who might receive fraudulent messages from your hijacked account.
Step 1: Contain
Individuals
- Put the infected phone or laptop into airplane mode or disconnect Wi-Fi. Malaysian banking-trojan APKs (fake courier, e-invoice, or JPJ/"saman" apps) run in the background and intercept SMS TAC and screen content, so leaving the device online lets the attacker keep working.
- Do not uninstall the malicious app yet if money has already moved; you may need it as evidence. Contain by disconnecting, not by wiping.
- If a SIM-swap is suspected (your mobile line suddenly shows "No Service" and you cannot make calls), contact your telco to freeze the line, because the attacker is likely using it to receive your OTPs.
SMEs
- Isolate the affected machines from the network. Pull the cable or disable the switch port; do not rely on the user to "just log off".
- For ransomware: disconnect, but do not power down encrypted machines, and do not pay the ransom before getting advice from Cyber999/MyCERT. Payment does not guarantee recovery and may breach sanctions.
- For Business Email Compromise (BEC): reset the compromised mailbox password, revoke all sessions and app tokens, and check for malicious mailbox rules (auto-forwarding, "delete on receipt") that attackers use to hide replies. Notify finance to halt any pending payment or "change of bank account" instruction until verified by phone.
Step 2: Change Credentials and Lock Down
Change passwords from a clean device, in priority order:
| Priority | Account | Why first |
|---|---|---|
| 1 | Email tied to your other accounts | Controls password resets everywhere |
| 2 | Online / mobile banking and e-wallets | Direct financial loss |
| 3 | Any account sharing that password | Credential reuse is how one breach becomes ten |
| 4 | Cloud/admin accounts (SMEs: Microsoft 365, Google Workspace) | Attacker persistence and lateral movement |
- Enable MFA or passkeys on each. Prefer an authenticator app or passkey over SMS OTP, which SIM-swap and trojan malware can intercept.
- For SMEs, force a domain-wide or tenant-wide password reset and revoke OAuth app grants if an admin account was touched.
Step 3: Report to the Right Body in Malaysia
Report to more than one channel where relevant. Money loss goes to 997; the cyber incident itself goes to Cyber999.
| Situation | Who to contact | Details |
|---|---|---|
| Money transferred / stolen from your account | NSRC 997 | 24-hour hotline, now run by PDRM. Since September 2025 a 997 call counts as an official police report, so you need not lodge a separate one for the scam. Best chance to freeze funds is within the first hours. |
| Any cyber incident: malware, hacking, ransomware, data leak, phishing, defaced site | Cyber999 / MyCERT (CyberSecurity Malaysia) | Hotline 1-300-88-2999; 24/7 emergency +6019-266 5850; email [email protected]; online form at mycert.org.my/cyber999. National point of contact for reporting cyber incidents. |
| Fraudulent bank/card transaction | Your bank's 24-hour hotline | On the back of your card. Ask them to freeze the account/card and flag the transaction. Malaysian banks also offer a "kill switch" to freeze your own accounts. |
| Personal data breach affecting others (SMEs) | Personal Data Protection Commissioner (JPDP) | Mandatory since 1 June 2025. See Step 4. |
| SIM-swap / telco line hijack, scam number | MCMC and your telco | Freeze the line; report the number. |
| To lodge a formal police report (theft, extortion, evidence for insurance) | PDRM | Any station, or via the 997 call which is now treated as a report. Keep the report number. |
> The Cyber Security Act 2024 mandates 6-hour incident notification to NACSA, but this duty falls on designated National Critical Information Infrastructure (NCII) entities across 11 sectors, not ordinary SMEs. If you run a typical small business you report to Cyber999, not NACSA.
Step 4: PDPA Breach Notification (SMEs and Anyone Holding Customer Data)
The Personal Data Protection (Amendment) Act 2024 introduced mandatory breach notification, effective 1 June 2025. If personal data you hold (customer records, staff data, payment details) is breached:
- Notify the Personal Data Protection Commissioner as soon as practicable, and no later than 72 hours after becoming aware of the breach.
- Notify the affected individuals without unnecessary delay, and no later than 7 days after you notified the Commissioner, where the breach is likely to cause significant harm.
- A breach affecting more than 1,000 data subjects must be notified to the Commissioner even without significant harm.
- Failure to comply is an offence, with a fine of up to RM250,000 and/or imprisonment up to two years. Separately, the amendments raised the maximum fine for breaching the core Data Protection Principles to RM1 million.
- The same amendments require most data controllers and processors to appoint a Data Protection Officer (DPO). Know who yours is before an incident, because they lead this notification.
What to include in the notification: nature of the breach, categories and approximate number of individuals affected, likely consequences, and the measures you have taken or propose to take.
Step 5: Preserve Evidence
Do this before wiping or rebuilding anything.
- Screenshot the fraudulent messages, transaction records, ransom notes, and any attacker communications.
- Record dates, times, reference numbers, and the accounts/amounts involved.
- Keep the phishing email with full headers, the malicious APK/file, and affected device logs. For SMEs, do not reimage the machine until logs are exported; those logs are what MyCERT and police need.
- Save your 997 report number, Cyber999 reference, bank case number, and police report number in one place.
Step 6: Recover and Rebuild
Individuals
- Factory-reset any device that ran a banking trojan; do not just delete the app. Reinstall apps only from Google Play or the Apple App Store, never from an APK link sent over WhatsApp, SMS, or a website.
- Re-secure every account with fresh passwords (a password manager helps) and MFA/passkeys.
- Watch bank and e-wallet statements closely for the next few months, and check whether your credentials appear in known breaches.
SMEs
- Restore from clean, offline backups after confirming the backups themselves are not infected. Test the restore before going live.
- Rotate all administrative credentials, API keys, and service-account passwords.
- Run a post-incident review: how did they get in, what was accessed, what control failed. Close that gap (patching, MFA, email filtering, staff awareness) before resuming normal operations.
- Reset the "verify by phone" rule for any payment or bank-detail change, the control that stops BEC recurring.
Save These Numbers Before You Need Them
| Contact | Number / Channel | For |
|---|---|---|
| NSRC | 997 (24 hours) | Money stolen, unauthorized transfers |
| Cyber999 / MyCERT | 1-300-88-2999; emergency +6019-266 5850; [email protected] | Any cyber incident |
| Your bank | 24-hour hotline on the back of your card | Freeze account/card |
| PDP Commissioner (JPDP) | pdp.gov.my | PDPA breach notification (SMEs) |
| MCMC | aduan.skmm.gov.my | SIM-swap, scam numbers, telco issues |
| PDRM | Nearest station / 999 for emergencies | Formal police report |
Tools Worth Using
Tools Worth Using
Good security in Malaysia runs on a short list of well-chosen tools, not a cupboard full of apps. Most of what protects an individual or a small business here is free or costs less than a Netflix subscription. The trap is spending on the wrong things (a flashy VPN) while skipping the free basics (a password manager and app-based MFA) that actually stop the attacks hitting Malaysians: phishing that leads to credential theft, banking-trojan APKs, and business email compromise. This section is honest about what earns the money and what does not.
Two habits matter more than any product. First, download apps only from the official Google Play Store or Apple App Store, and keep "Install unknown apps" turned off. Nearly every banking-malware case NC4 and MyCERT have flagged starts with a victim being talked into side-loading an APK from a link. Second, keep everything updated: phones, laptops, browsers and routers. Auto-update is the cheapest security control you own.
Password managers (start here)
A password manager is the single highest-value tool for both individuals and SMEs. It generates a unique, strong password for every account, so one leaked password from a breached website cannot unlock your email or banking. It also resists phishing, because it will not auto-fill your Maybank2u password into a look-alike domain.
| Tool | Best for | Cost (approx.) | Notes |
|---|---|---|---|
| Bitwarden | Individuals and SMEs on a budget | Free; Premium ~USD 10/year; Teams from ~USD 4/user/month | Generous free tier (unlimited passwords and devices), open-source, self-hosting possible. The default recommendation for most Malaysians. |
| 1Password | Those who want the most polished experience; teams | ~USD 2.99/month individual, ~USD 4.99/month family, ~USD 7.99/user/month business | No free tier, but excellent sharing, travel mode and admin controls. Regular independent audits (Cure53), SOC 2 and ISO 27001. |
| Proton Pass | Privacy-focused users already in the Proton ecosystem | Free tier; paid bundles with Proton Mail/VPN | Solid free option; convenient if you already pay for Proton. |
Avoid keeping passwords in a browser's built-in saver as your only system, in a Notes app, or in an Excel file. Never reuse your email password anywhere, because email is the master key that resets everything else.
Worth paying for? Usually not for individuals, Bitwarden free is enough. SMEs should pay for a Teams or Business plan: shared vaults, offboarding when staff leave, and enforced policies are worth the few ringgit per head.
Authenticator apps and passkeys (MFA that actually resists phishing)
Turn on multi-factor authentication (MFA) everywhere, but choose the right kind. SMS one-time-passwords are the weakest form because they can be intercepted or defeated by SIM-swap fraud. App-based codes are much stronger, and passkeys are stronger still.
| Option | Strength | Recommended tools |
|---|---|---|
| Passkeys (device biometrics/FIDO2) | Strongest; phishing-resistant by design | Built into iOS, Android, Google, Microsoft and 1Password/Bitwarden. Use these wherever offered. |
| Authenticator app (TOTP) | Strong | Aegis (Android, open-source, encrypted backups), Ente Auth (open-source, cross-platform), Google Authenticator, Microsoft Authenticator |
| Hardware security key | Strongest for high-value accounts | YubiKey, Google Titan, roughly RM150 to RM300 per key (buy two: one spare) |
| SMS OTP | Weakest; use only if nothing else exists | Keep it as a last resort, not your main method |
Prefer an authenticator that lets you export or back up your codes (Aegis and Ente do), so a lost or stolen phone does not lock you out. For a business, protect your Microsoft 365 or Google Workspace admin accounts and your company email with app-based MFA or hardware keys as a minimum. Separately, MyDigital ID is the government's national digital identity app used for a growing list of official services; it is not a general MFA tool for your own accounts, but set it up for government dealings and treat its credentials with the same care.
Antivirus and endpoint protection (EDR)
Individuals: the built-in protection on a modern, updated device is genuinely good. Microsoft Defender (Windows) and Apple's built-in protections cover most home users. On Android, keep Google Play Protect on. You rarely need to buy consumer antivirus; if you want extra features (a scam-site filter, a family dashboard), a paid suite like Bitdefender or ESET is a reasonable, honest upgrade, but it is a convenience, not a necessity.
SMEs: step up from consumer antivirus to business endpoint protection with EDR (endpoint detection and response), which detects suspicious behaviour and lets you isolate an infected machine, exactly what you need to stop ransomware spreading across the office.
| Tool | Best for | Cost (approx.) |
|---|---|---|
| Microsoft Defender for Business | SMEs already on Microsoft 365 | ~USD 3/user/month (included in M365 Business Premium) |
| Bitdefender GravityZone | Small teams wanting strong protection with simple management | ~USD 4 to 7/endpoint/month |
| ESET / Sophos | SMEs wanting local reseller support in Malaysia | Varies by reseller |
If you buy Microsoft 365 Business Premium, Defender for Business is bundled, which makes it the cheapest credible EDR for most Malaysian SMEs. Whatever you pick, one product managed centrally beats a mix of free tools no one is watching.
VPNs: when they help and when they do not
A VPN is widely oversold. It is genuinely useful in a few situations and does almost nothing in others. Be clear-eyed about it.
A VPN helps when:
- You are on untrusted public Wi-Fi (café, airport, hotel) and want to stop others on that network snooping on your traffic.
- You want to hide your browsing from your ISP or mask your location for privacy.
A VPN does NOT protect you from:
- Phishing, scam links or malicious APKs. A VPN does not check whether a site is fake or an app is malware.
- Account takeover if your password is weak or reused. Only a password manager and MFA fix that.
- Giving your OTP or banking details to a scammer on the phone. No tool fixes that; only you can.
Modern websites use HTTPS, so a VPN is far less essential than the marketing suggests. If you want one, choose a reputable, audited, paid provider (for example Proton VPN, which has a usable free tier, or Mullvad). Avoid free VPNs that monetise by logging and selling your traffic, they are a privacy downgrade, not an upgrade.
Backup (your ransomware insurance)
Backups are the one control that turns a ransomware attack or a stolen laptop from a disaster into an inconvenience. The rule is 3-2-1: three copies of your data, on two different media, with one copy off-site (or in the cloud) and disconnected from your network.
| Need | Tool / approach | Notes |
|---|---|---|
| Individual files and photos | Google Drive, iCloud, Microsoft OneDrive, Proton Drive | Turn on automatic backup; keep versioning on so you can roll back. |
| SME shared files | Microsoft 365 / Google Workspace + a separate backup | Cloud storage is not a backup by itself; use a third-party backup (e.g. Backblaze, Veeam, or Synology NAS with offsite copy) so ransomware or an accidental deletion cannot wipe everything. |
| Whole-device / server | Backblaze, Acronis Cyber Protect, a Synology/QNAP NAS | Keep at least one backup offline or immutable so malware cannot encrypt it too. |
Test a restore at least once. A backup you have never restored from is a hope, not a plan.
Family and parental tools
For households, the goal is fewer, better controls: safe defaults on the device, and an ongoing conversation rather than pure surveillance.
- iPhone/iPad: Apple Screen Time with Family Sharing (screen limits, app approvals, content filters).
- Android: Google Family Link (app approvals, screen time, location, content filtering).
- Windows/Xbox: Microsoft Family Safety.
- Whole-home filtering: a DNS filter such as Cloudflare for Families (1.1.1.3) or OpenDNS Family Shield blocks adult and malicious sites at the router for every device, free.
- Paid all-in-one: Qustodio or Bark if you want cross-device dashboards and alerts, worth it for younger children, less so for teens who will route around it.
Pair any tool with the basics that stop scams reaching kids and elderly relatives: app-store-only installs, no side-loading, and a family rule that no one shares an OTP or installs an app because a caller told them to.
The honest shortlist
If you do only five things, do these:
- [ ] Install a password manager (Bitwarden is free) and give every account a unique password.
- [ ] Turn on app-based MFA or passkeys on email, banking and social media; never rely on SMS OTP alone.
- [ ] Keep auto-update on for phones, computers and routers, and install apps only from official stores.
- [ ] Set up automatic backups (3-2-1), with one copy offline or immutable.
- [ ] For SMEs, run business EDR (Defender for Business or Bitdefender) centrally, not a patchwork of free tools.
Spend on the password manager (for teams), EDR (for SMEs) and hardware keys (for high-value accounts). Be sceptical of paid consumer antivirus and consumer VPNs; they are optional conveniences, not the things standing between you and the scams and malware actually targeting Malaysians today.
Sources: MyCERT Cyber Incident Quarterly Summary Reports, Q1 and Q2 2025 (CyberSecurity Malaysia / MyCERT); Bank Negara Malaysia and PDRM figures on online fraud, first half of 2024 (RM581 million in losses); NC4/MyCERT advisories on banking-malware and BNM-impersonation phishing; MyDigital ID (Digital ID Malaysia / NACSA), 2025 to 2026.
Laws, Bodies & Compliance
Laws, Bodies & Compliance: The Malaysian Cybersecurity Framework
Malaysia runs cybersecurity and data protection on two main statutes and a sector rulebook for finance. The Cyber Security Act 2024 governs critical national systems, the Personal Data Protection Act 2010 governs how organisations handle personal data, and Bank Negara Malaysia's RMiT governs technology risk in financial institutions. Below is who each body is, what it covers, and what compliance actually requires.
The bodies at a glance
| Body | What it is | What it does for you |
|---|---|---|
| NACSA (National Cyber Security Agency) | The lead agency under the Cyber Security Act 2024; the Chief Executive enforces the Act | Designates and regulates NCII entities; licenses cyber security service providers |
| CyberSecurity Malaysia | National cybersecurity specialist agency under the Ministry of Digital | Technical assistance, digital forensics, awareness, and operates MyCERT |
| MyCERT / Cyber999 | The national Computer Emergency Response Team and its incident-response helpdesk | Where individuals and businesses report incidents (malware, hacking, fraud, data breaches) |
| Personal Data Protection Commissioner (JPDP) | The data-protection regulator under the Ministry of Digital | Enforces the PDPA; receives breach notifications and DPO registrations |
| Bank Negara Malaysia (BNM) | The central bank | Issues and enforces RMiT for financial institutions |
| NSRC (National Scam Response Centre) | Cross-agency centre on the 997 hotline | First responder for active financial scams (funds still moving) |
Cyber Security Act 2024 (Act 854)
The Cyber Security Act 2024 was gazetted on 26 June 2024 and came into operation on 26 August 2024. It created the National Cyber Security Committee and gave the Chief Executive of NACSA the power to implement and enforce the Act.
Who it actually covers. The Act does not regulate every business. Its core obligations fall on National Critical Information Infrastructure (NCII) entities: computers or systems whose disruption would harm national security, the economy, public health, safety, or order. Eleven NCII sectors are named:
- Government
- Banking and Finance
- Transportation
- Defence and National Security
- Information, Communication, and Digital
- Healthcare Services
- Water, Sewerage, and Waste Management
- Energy
- Agriculture and Plantation
- Trade, Industry, and Economy
- Science, Technology, and Innovation
If your organisation is designated an NCII entity by a sector lead, you must (Act 854):
- Implement the sector-specific code of practice
- Conduct a cyber security risk assessment at least once a year
- Undergo an audit at least once every two years (or more often if NACSA directs)
- Report cyber security incidents on a strict timeline: immediate initial notification to the NCII sector lead and NACSA, further details within 6 hours via the national reporting system, and supplementary details within 14 days
Cyber security service providers need a licence. Providers of managed SOC / security monitoring and penetration testing services must hold a NACSA licence, applied for since 1 October 2024, valid for one year. Providing these services without a licence is an offence carrying a fine up to RM500,000, imprisonment up to 10 years, or both (Act 854). When you hire a security vendor, check they are licensed.
> For the typical SME: If you are not an NCII entity, the Act does not impose direct duties on you. It still matters indirectly: if you supply an NCII entity (a vendor, contractor, or SaaS provider to a bank, hospital, or utility), expect their code of practice to flow security requirements down to you in contracts.
Personal Data Protection Act (PDPA) 2010, amended 2024
The PDPA 2010 (Act 709) governs the processing of personal data in commercial transactions. It is enforced by the Personal Data Protection Commissioner (Jabatan Perlindungan Data Peribadi, JPDP) under the Ministry of Digital. The Personal Data Protection (Amendment) Act 2024 made major changes, with the biggest new duties taking effect on 1 June 2025.
What changed in the 2024 amendment:
| Change | Detail |
|---|---|
| Mandatory breach notification | Data controllers must notify the Commissioner as soon as practicable, and within 72 hours of becoming aware of a personal data breach. If the breach is likely to cause significant harm, affected individuals must also be notified without unnecessary delay (Section 12B) |
| Mandatory DPO | Controllers and processors that cross the processing thresholds must appoint a Data Protection Officer and register them with the Commissioner within 21 days of appointment |
| Processors now directly liable | Data processors must comply with security obligations directly, not only through their contract with the controller |
| Higher penalties | Maximum fine for breaching the data protection principles raised from RM300,000 to RM1,000,000; maximum imprisonment raised from two to three years |
| "Data user" renamed "data controller" | Terminology aligned with international norms |
When you must appoint a DPO. The Commissioner's guideline sets the thresholds: appointment is required where an organisation processes the personal data of more than 20,000 individuals, or sensitive personal data (including financial data) of more than 10,000 individuals, or where processing involves regular and systematic monitoring.
PDPA compliance checklist for an SME:
- [ ] Map what personal data you hold (customers, staff, suppliers) and where it lives
- [ ] Issue a privacy notice in Bahasa Malaysia and English
- [ ] Apply the seven data protection principles (General, Notice & Choice, Disclosure, Security, Retention, Data Integrity, Access)
- [ ] Appoint and register a DPO if you cross the thresholds
- [ ] Have a written data breach response plan that can meet the 72-hour clock
- [ ] Sign data-processing terms with vendors (cloud, payroll, marketing) that handle your data
- [ ] Delete personal data you no longer need (retention limitation)
BNM RMiT: Risk Management in Technology
If your business is regulated by Bank Negara Malaysia, you also fall under the Risk Management in Technology (RMiT) policy document. RMiT applies to licensed banks, Islamic banks, investment banks, insurers, payment system operators and issuers, and development financial institutions (BNM). The current version took effect 28 November 2025, updating the earlier 1 June 2023 document.
Core RMiT requirements include (BNM):
- A board-approved cybersecurity policy and clear senior ownership (CISO-level)
- 24/7 security operations centre (SOC) monitoring capability
- Multi-factor authentication for privileged and remote access
- Annual penetration testing of internet-facing systems
- Documented and tested incident response procedures
- Notification to BNM within one hour of a significant technology or security incident
RMiT is why Malaysian banking apps enforce strict controls (cooling-off periods on new transfers, single-device binding, in-app "kill switch"). For fintechs and payment operators, RMiT compliance is a licensing condition, and non-compliance can bring remediation orders and operational restrictions.
Where to report an incident
| Situation | Report to | Channel |
|---|---|---|
| Active scam, money just transferred | NSRC | Call 997 immediately |
| Hacking, malware, phishing, data breach (general) | MyCERT / Cyber999 | [email protected] or the Cyber999 hotline |
| Personal data breach (your organisation is the controller) | PDPA Commissioner (JPDP) | Within 72 hours, via the Personal Data Protection System |
| You are a designated NCII entity | NACSA + sector lead | Immediate, then 6 hours, then 14 days |
| Regulated financial institution | Bank Negara Malaysia | Within 1 hour of a significant incident |
| Police report (for evidence and insurance) | PDRM | Nearest station or the CCID portal |
What "compliance" means in practice
For most Malaysian SMEs, the binding law is the PDPA, not the Cyber Security Act. The practical baseline is: know what personal data you hold, secure it, appoint a DPO if you cross the thresholds, and be able to notify the Commissioner within 72 hours of a breach. If you serve regulated finance or critical-sector clients, their RMiT and NCII obligations will reach you through contracts, so build the controls before a customer audit forces you to.
Malaysia's incident volume shows why this matters: MyCERT's Cyber999 received 1,657 incidents in Q1 2025 and 1,881 in Q4 2025, with fraud the largest category and phishing the most common fraud type. Data breach incidents rose 20% quarter-on-quarter in Q4 2025. Compliance duties and real-world threats point the same way: get the basics documented, tested, and owned by someone before you need them.
Sources: NACSA (nacsa.gov.my), Cyber Security Act 2024 [Act 854]; Personal Data Protection (Amendment) Act 2024 and Commissioner's 2025 Guidelines; Bank Negara Malaysia, Risk Management in Technology policy document; MyCERT / CyberSecurity Malaysia Cyber Incident Quarterly Summary Reports, Q1 2025 and Q4 2025.
2026 Outlook & Predictions
2026 Outlook & Predictions
This section is our reading of where Malaysian cyber risk is heading, framed as predictions and opinion rather than settled fact. The underlying laws, bodies and figures are real and cited. The forecasts built on them are judgement calls. Treat them as planning assumptions for the year ahead, and revisit them as MyCERT and NACSA publish fresh data.
The short version: attacks are getting cheaper to run and harder to spot, defences are shifting from passwords to passkeys, and the law now expects you to have controls in place before something goes wrong. Both individuals and small businesses should move on a handful of things this year rather than wait.
Prediction 1: AI-generated attacks become the default, not a novelty
For years the reliable tell of a Malaysian phishing message was broken English or clumsy Malay. That tell is disappearing. Attackers now use large language models to write clean, localised lures in Malay and Manglish that read like they came from a real colleague, bank, or government agency. In one 2025 case, a local bank narrowly avoided a multi-million-ringgit loss when attackers used an AI-generated video call to mimic an employee and authorise a fraudulent transfer.
What we expect through 2026:
- Deepfake voice and video move down-market. What hit a bank in 2025 will reach SMEs and families: a "video call" from a boss approving a payment, or a voice note from a relative asking for money. Verify unusual money requests through a second, known channel every time.
- Phishing volume and quality both rise. Cheap AI tooling lets one operator produce thousands of tailored messages. Grammar and logo checks stop working as filters. The reliable signal becomes the request itself: urgency, secrecy, a new bank account, or a link to log in.
- Impersonation of authorities keeps growing. Scammers already impersonate CyberSecurity Malaysia, MyCERT and the Ministry of Communications by phone to create panic and harvest personal data, and MyCERT's own quarterly reporting showed impersonation-style fraud making up the bulk of incidents through 2025. No Malaysian agency, bank or police officer will ever ask you to move money to a "safe account" or read out an OTP.
Our take: the human check becomes the last line of defence. Slow down on anything involving money or credentials, and confirm out-of-band.
Prediction 2: Passkeys start replacing passwords and SMS OTP
The single biggest defensive shift for ordinary Malaysians in 2026 is authentication moving away from passwords and one-time codes.
Bank Negara Malaysia's November 2025 update to the Risk Management in Technology (RMiT) policy turned earlier guidance into binding rules for licensed banks, insurers, e-money issuers and payment operators. The headline: SMS OTP is explicitly no longer acceptable as a standalone second factor, multi-factor authentication must be interception-resistant and tied to a specific payee and amount, and device binding defaults to one mobile device per account. This is the regulatory response to SMS OTP theft by banking-trojan APKs and SIM-swap fraud, and to the RM383 million in fraudulent transactions banks blocked in 2024.
What this means in practice:
- Passkeys (FIDO2/WebAuthn) become the recommended login. A passkey ties your login to your phone or laptop and cannot be phished, replayed, or read out to a scammer. Expect Malaysian banking and e-wallet apps to push app-based approval and passkeys and to quietly retire SMS OTP over 2026.
- Individuals should adopt passkeys wherever offered: Google, Apple, Microsoft, WhatsApp and a growing list of banks and e-wallets. Turn them on for your email first, because email is the master key to everything else.
- The one-device default cuts both ways. It stops attackers binding their own phone to your account, but it means you must keep your registered device secure and know how to re-register if you change phones.
Our take: by end-2026, "enter the OTP we texted you" should feel dated for banking. If your bank still relies on it alone, that is a lagging signal, not a safe one.
Prediction 3: Ransomware-as-a-service keeps targeting SMEs
Ransomware in Malaysia is not a headline-grabbing surge, it is a steady grind that lands hardest on businesses. MyCERT recorded 17 ransomware incidents in Q3 2025, up from 13 the previous quarter, and noted that businesses, including national critical information infrastructure operators, are the most affected.
Reported counts understate the problem. Many SMEs pay quietly or never report. The ransomware-as-a-service model, where operators rent ready-made attack kits, keeps the barrier to entry low and the volume steady.
What we expect through 2026:
- SMEs remain the soft target because they hold valuable data but rarely have offline backups, tested recovery, or a response plan.
- Double extortion stays standard: attackers encrypt your systems and threaten to leak stolen data, which now also triggers PDPA breach-notification duties (see Prediction 5).
- Recovery, not just prevention, decides survival. The businesses that shrug off an attack are the ones with an offline or immutable backup they have actually tested restoring.
Our take: the single highest-value SME control this year is a tested, offline backup. It turns a business-ending event into a bad week.
Prediction 4: Supply-chain and third-party risk becomes a main breach route
Attackers increasingly reach their target through someone smaller and less defended: a vendor, an outsourced IT provider, a plugin, or a cloud service. For Malaysian SMEs this is a double bind. You can be the victim through a compromised supplier, and you can be the weak link that lets attackers into a larger client.
What we expect through 2026:
- More breaches trace back to a third party than to a direct hit on the main target. One compromised software update or contractor login can expose many downstream businesses at once.
- Larger clients push security requirements downstream. Enterprises and government-linked companies bound by the Cyber Security Act 2024 will increasingly demand baseline security from their SME suppliers as a condition of doing business.
- Identity is the new perimeter. With staff, contractors and cloud apps everywhere, controlling who can log in to what matters more than any firewall. Multi-factor authentication on every account and prompt removal of ex-staff access do more than most tools.
Our take: know your suppliers' access. Anyone who can log into your systems or hold your data is part of your attack surface, and their weakness is your risk.
Prediction 5: Regulation tightens and starts to bite
2025 was the year Malaysian cyber and data law grew teeth. 2026 is the year enforcement and expectations settle in.
Two regimes now shape the landscape:
| Law | What changed | In force | Who it affects |
|---|---|---|---|
| Cyber Security Act 2024 (Act 854) | Duties for national critical information infrastructure (NCII) sectors; licensing of cyber security service providers | Act in force 26 Aug 2024; provider licensing mandatory from 2025 | NCII operators; anyone selling pen-testing, SOC, forensics and similar services |
| PDPA (Amendment) Act 2024 | Mandatory data breach notification and mandatory Data Protection Officer (DPO) appointment | 1 June 2025 | Any organisation, including SMEs, that handles personal data |
Key duties to plan around:
- Breach notification is now mandatory. Under the amended PDPA, a data controller must notify the Personal Data Protection Commissioner as soon as practicable, and within 72 hours of becoming aware of a breach; affected individuals must also be told where the breach is likely to cause significant harm.
- Every business needs a DPO. Both data controllers and processors must appoint at least one Data Protection Officer and notify the Commissioner within 21 days of the appointment.
- Penalties are real. Failure to report a breach can draw up to RM250,000 and two years' imprisonment. Providing licensable cyber security services without a licence under Act 854 can draw up to RM500,000, ten years' imprisonment, or both.
Our take: "we're too small to be regulated" stops being true in 2026. Any SME holding customer data has PDPA duties, and the cheapest time to build a breach-response habit is before the breach.
What individuals should do now
- [ ] Turn on passkeys for your email, then your bank, e-wallet and social accounts wherever offered.
- [ ] Where passkeys are not available, use an authenticator app or in-app approval, not SMS OTP.
- [ ] Never install banking or payment apps from links, QR codes, or APK files sent to you. Use only the official Google Play or Apple App Store.
- [ ] Treat any "urgent" money or OTP request, by call, video, or message, as fake until you confirm through a known channel. Deepfakes are now cheap.
- [ ] Keep your phone and its registered banking device updated and locked.
- [ ] Save the National Scam Response Centre hotline, 997, and call it within minutes if money leaves your account.
What SMEs should do now
- [ ] Keep an offline or immutable backup and test restoring from it at least quarterly. This is your ransomware insurance.
- [ ] Enforce multi-factor authentication on every account, and remove ex-staff and ex-contractor access the day they leave.
- [ ] Appoint a DPO and register the appointment with the Commissioner, as the amended PDPA now requires.
- [ ] Write a one-page incident and breach-response plan covering the PDPA 72-hour clock, so a breach is not the first time anyone thinks about it.
- [ ] Map who your suppliers are and what they can access. Their weakness is your risk.
- [ ] Train staff to verify unusual payment and payee-change requests out of band, because AI-written and deepfaked business email compromise is here.
2026 prediction scorecard
| Prediction | Confidence | Watch for |
|---|---|---|
| AI-generated phishing and deepfakes become mainstream | High | Localised Malay/Manglish lures; deepfake voice/video payment scams reaching SMEs |
| Passkeys begin displacing passwords and SMS OTP | High | Banks and e-wallets retiring standalone SMS OTP under RMiT |
| Ransomware keeps hitting SMEs steadily | High | MyCERT quarterly counts staying in the mid-teens, businesses most affected |
| Supply-chain and third-party breaches rise | Medium-High | Breaches traced to vendors; larger clients imposing security terms on SME suppliers |
| Regulation enforcement tightens | High | First PDPA breach-notification penalties and NACSA licensing actions |
Bottom line for 2026: the cheap wins have not changed, they have just become non-negotiable. Passkeys on your key accounts, MFA everywhere, a tested offline backup, out-of-band verification of money requests, and a written plan for the PDPA 72-hour clock. Individuals and SMEs that do these five things this year will sit ahead of most of the threats above.
Last updated: July 2026. General guidance, not legal or professional security advice; verify current figures and rules before relying on them. In an emergency call the National Scam Response Centre (NSRC) on 997 and your bank hotline immediately.
Sources & References
This guide is cross-referenced against primary official sources, regulatory references, and locally relevant materials.