Malaysia Scams & Online Safety Guide

Malaysia Scams & Online Safety Guide

How to spot, avoid, report, and recover from the scams targeting Malaysians

By Malaysia4U Editorial TeamUpdated 13 min read

Key Takeaways

  • Just got scammed? Call NSRC at 997 within minutes — the first 60 minutes after a transfer are your best chance of clawback.
  • Use Semak Mule (semakmule.rmp.gov.my) before transferring money to any unknown bank account or phone number — free, no login.
  • Macau scams (telecoms-fraud impersonating police/courts/banks) accounted for RM 715M in losses in 2025 alone — real authorities never ask for transfers over the phone.
  • Cambodia/Myanmar/Laos "job scam" trafficking is the most physically dangerous fraud — Wisma Putra crisis hotline +603-8887 4570 if a relative may be trapped.
RM2.7B
Losses Jan–Nov 2025
67,735
Reported Scam Cases (2025 YTD)
997
NSRC Scam Hotline
140
Avg Scam Attempts / Malaysian / Year

Just got scammed? Call 997 (NSRC) immediately. The first 60 minutes after a transfer are your best chance of clawback through Bank Negara's Financial Crime Investigation channel. Then file a police report and use Semak Mule to check the recipient account. Detailed steps below.

The Scale of the Problem

Malaysia is in the middle of an unprecedented scam crisis. Official numbers from the Royal Malaysia Police's Commercial Crime Investigation Department (CCID):

  • 2025 (Jan–Nov): 67,735 cases, RM2.7 billion in losses.
  • 2024 full year: ~50,000+ cases, RM1.57 billion in losses.
  • 2023: RM1.22 billion in losses.
  • 5-year cumulative (2020–2024): RM11.23 billion.

Independent research suggests the true figure is much higher. The Global Anti-Scam Alliance's State of Scam Report 2024 estimated Malaysians lost roughly US$12.8 billion (~RM54 billion) in a single year — because ~70% of victims never report, official police figures may represent only the tip of the iceberg.

The average Malaysian receives an estimated 140 scam attempts per year via SMS, WhatsApp, calls, and social media.

Scam calls in Malaysia rose 82.81% in 2024 alone.

Why the surge:

  • Sophisticated regional scam syndicates operating from compounds in Cambodia, Myanmar, and Laos (often using human-trafficked workers)
  • Pervasive data leaks: leaked MyKad numbers, phone numbers, and bank info make targeted ("spear") scams easy
  • Mass digitisation of payments — DuitNow QR + e-wallets make cross-bank transfers instant and irreversible
  • Genuine government urgency around contact-tracing, digital ID, and tax filings has habituated people to "official" calls and links

If you live in Malaysia, you are not the rare unlucky target. You are the everyday target.

The 10 Most Common Scams in Malaysia

1. Macau Scam (Telecom Impersonation Fraud)

The single largest category — 28,698 cases, RM715 million in losses in 2025 (Jan–Nov). The caller impersonates the police, courts, customs, banks, courier companies (Pos Laju, FedEx), or LHDN, claims you have an outstanding warrant / suspicious package / unpaid tax, and pressures you to transfer money to a "safe account" for "investigation". Real authorities never ask for transfers over the phone.

2. Investment Scams

Fake forex, crypto, gold, and unit trust schemes. Often promoted via Facebook/TikTok/Telegram with fake celebrity endorsements (Tony Fernandes, Awie, Vincent Tan, etc.) or fake "trader" personas. Always promise guaranteed returns of 5–30% per month. Always check the Securities Commission (SC) Investor Alert List before investing. Watch out too for "cash trust" schemes sold as investments — a cash trust is an estate-planning tool under the Trustees Act 1949, not an SC-regulated fund, and earns no investment return. If an agent pitches a cash trust with "fixed" or "guaranteed" high returns, treat it as a red flag; several insurers have banned their agents from distributing these schemes.

3. Job Scams — Cambodia / Myanmar Trafficking

Fake overseas job offers (often "customer service", "data entry", "tech support") with absurd salary promises. Victims fly to Bangkok or Vientiane, then are trafficked overland to scam compounds in Cambodia, Laos, or Myanmar — passport confiscated, forced to run scams against their own countrymen. Consular rescues are slow and dangerous. Wisma Putra has issued repeated warnings.

4. Romance Scams

Long courtship via dating apps or social media leads to a request for money — usually framed as a "stuck inheritance", "customs fee", or "medical emergency". Often run by syndicates with multiple operators rotating through one persona.

5. Phishing — Bank, e-Wallet, MyDigital ID

Fake SMS/WhatsApp from "Maybank", "TnG", "MyKasih", "MyDigital ID", asking you to click a link to "verify your account" or "claim your aid". The link is a fake login page that captures your credentials. Real banks never ask you to log in via an SMS link.

6. Parcel / Courier Scams

"Your parcel has been seized at customs — pay the fee to release." Or: "Your delivery failed — confirm address by clicking link." Sometimes combines with Macau-scam police impersonation.

7. e-Commerce Non-Delivery

Fake online stores (often promoted via Facebook ads) take payment then disappear, or send a different/inferior product. Common around major sales events. Pay only via platforms with buyer protection (Shopee, Lazada, Carousell with Carouprotect).

8. Loan Scams

"Easy loan, no documents needed." Up-front "processing fee", "stamp duty", or "insurance" — paid, then no loan materialises. Real banks and licensed money-lenders never charge fees before disbursement. Check the MOF licensed money-lender list.

9. Tech Support Scams

Pop-up or call: "Your computer is infected. Call Microsoft now." The "technician" remote-controls your PC and either steals data, installs ransomware, or extracts a "service fee".

10. Charity / Disaster Scams

Surge after floods, mosque collapses, or any high-profile incident. Fake QR codes and fake foundation accounts solicit donations. Donate only to verified registered charities listed on JKM (Jabatan Kebajikan Masyarakat) or MyCare.

Universal Red Flags

If you see any of these in a call, message, or website — pause. They are universal scam indicators.

Pressure & urgency

  • "You must act in 30 minutes."
  • "If you don't pay now, you will be arrested / blacklisted / deported."
  • Calls outside normal business hours (especially weekends/late evenings).

Authority impersonation

  • Caller claims to be police / LHDN / customs / courier / bank.
  • Asks you to "verify yourself" by sharing IC, OTP, or bank details.
  • Asks you to download an app (often a remote-control app like AnyDesk, TeamViewer).

"Safe account" requests

  • Any demand to transfer money to an account "for safekeeping" or "to clear your name". This is the signature move of the Macau scam. Never legitimate.

Unsolicited investment opportunities

  • "Guaranteed returns" of any kind (real markets don't guarantee).
  • Pressure to recruit others, MLM-style.
  • Returns appear to "lock" — you can't withdraw without paying more.

Romantic strangers needing money

  • Met online, never met in person, suddenly has a financial emergency.
  • Refuses video calls or always has "camera issues".
  • Story shifts when challenged.

Suspicious links and SMS

  • Sender ID is a random phone number, not the company's short code.
  • Link domain is a near-miss (e.g. "maybank2u-verify.com" instead of "maybank2u.com").
  • HTTPS does not mean safe — phishing sites also use HTTPS.

Payment-method red flags

  • Asks for crypto, gift cards (Razer Gold, Steam, Apple), or transfer to a personal account for what should be a business transaction.
  • For e-commerce: cash-on-delivery refused, only direct bank transfer accepted.
  • For investments: returns paid to a different account from what you transferred to.

Too-good-to-be-true

  • Job offering 3x market salary for unskilled work overseas.
  • Loan with no documents, no credit check, immediate disbursement.
  • Phone or laptop at 70% off retail with "limited stock".

Verify Before You Transfer

Before sending money to anyone you don't know personally, do these three checks. Each takes under a minute.

1. Check the bank account on Semak Mule

The PDRM's public lookup at semakmule.rmp.gov.my lets you enter any Malaysian bank account number or phone number to see if it has been reported as a "mule" account in past scams. Hits on Semak Mule are a near-certain red flag. Misses don't guarantee safety, but a hit alone is enough reason to abort.

2. Check the entity on the SC Investor Alert List

The Securities Commission maintains a public list of unauthorised investment promoters at sc.com.my/investor-alert-list. Hundreds of entities are listed. If the "investment opportunity" is on this list, walk away.

3. Verify the institution via its real channels

If "your bank" / "the police" / "customs" calls you:

  • Hang up.
  • Look up the official number from their real website (not from the caller).
  • Call back via that number and ask "did you just call me?"
  • Real institutions accept this and confirm or deny without complaint.

Other useful verification tools:

  • BNM's Financial Consumer Alertwww.bnm.gov.my/financial-consumer-alert
  • MOF Licensed Money-Lenders — Verify any "loan company" before paying anything.
  • JKM Verified Charities — For donation requests.
  • Carikerja for jobs — Check government-vetted job postings.
  • Reverse image search — For dating profiles and "online sellers", drop their photos into Google Images. Stolen photos are a near-universal romance-scam indicator.

Two-second rule for SMS/WhatsApp links: never click a link in an unsolicited message. Always navigate to the institution's app or website directly.

I Just Got Scammed — What Now?

The first 60 minutes are critical. Mule accounts move money fast. Time spent agonising is money lost.

Step 1 — Call NSRC at 997 (within minutes)

NSRC (National Scam Response Centre) is a joint operation of PDRM, BNM, MCMC, and the major banks. The hotline can trigger an immediate freeze request on the recipient account.

  • Open Mon–Fri 9am–5pm (extended hours via 03-2272 5555 and the police 999 line outside hours).
  • Have ready: your bank account number, transferred amount, recipient account number, time of transfer, transaction reference, and a brief summary.
  • They will issue a case reference number — keep it.

Step 2 — Contact your bank fraud line immediately

Don't wait for NSRC. While you're calling, message your bank too:

Bank24/7 Fraud Hotline
Maybank1-300-88-6688
CIMB1-300-880-900
Public Bank1-800-22-5555
RHB1-300-88-9999
Hong Leong03-7626 8899
AmBank1-300-80-8888
OCBC1-300-88-7000
Bank Islam1-300-88-1413
GXBankIn-app chat (24/7)
Boost BankIn-app chat (24/7)

Banks can sometimes recall funds before the recipient withdraws — especially if the report is within 30–60 minutes. After that, your odds drop sharply.

Step 3 — File a police report (within 24 hours)

Visit the nearest Balai Polis (any branch) or the CCID Tactical Lab in Cyberjaya. Bring:

  • Your IC
  • All evidence: screenshots, transaction receipts, chat logs, voice recordings if any
  • Recipient's bank account number, phone number
  • The NSRC case reference if you have one

The police report is required for:

  • Any insurance claim
  • BNM mediation if your bank denies clawback
  • Civil suit (rare but possible for large losses)
  • Tax loss claim (limited)

Step 4 — Lodge with CCID online

File via the CCID portal for tracking. If multiple victims of the same scammer file, CCID can build a syndicate case.

Step 5 — Lock down everything else

  • Change passwords on all banking and email accounts (use a password manager).
  • Review recent transactions on every bank account.
  • Contact CTOS / CCRIS to flag identity theft if your IC was shared.
  • Enable transaction limits and alerts on every account.
  • If you shared your MyKad number, monitor your CCRIS for any new accounts opened in your name.

What to expect: Recovery rates are sobering. CCID estimates that less than 10% of scammed funds are recovered, even when reported within the hour. The earlier you act, the better your odds — but be prepared for the answer being "we couldn't recover anything" and treat the experience as a tax on inattention.

Day-to-Day Protection

Phone & SMS hygiene

  • Enable your phone's built-in spam-call filter (iPhone Silence Unknown Callers; Android Caller ID & Spam).
  • Install TrueCaller or Whoscall for unknown-number identification.
  • Never click links in SMS — regardless of who they appear to be from.

Banking & e-wallet security

  • Enable transaction limits on every banking app — set the daily transfer limit as low as you can tolerate.
  • Enable instant push notifications for every transaction.
  • Set up Kunci/PetuiKey (BNM's account-locking feature) — lets you instantly freeze your account from the bank app if you suspect compromise.
  • Use biometric authentication wherever possible.
  • Review your e-wallet "recurring payments" and "linked merchants" monthly.

MyKad protection

  • Don't share photocopies of your MyKad casually. If you must, watermark with the purpose ("FOR LOAN APPLICATION ONLY — date").
  • If you suspect your MyKad data has been leaked, request a CCRIS check from BNM (free, online) to monitor for new accounts in your name.
  • Sign up for MyDigital ID (see our MyDigital ID guide) — it makes future SIM/account openings require your active verification.

E-mail & social media

  • Use 2FA (preferably an authenticator app, not SMS) on every account.
  • Treat anyone who DMs you about an "investment opportunity" as a scammer until proven otherwise.
  • Run a quarterly check at haveibeenpwned.com for breached passwords.

For seniors and family

  • Set up your parents' / grandparents' phones with scam-call filtering on by default.
  • Tell them: no real official will ever ask for money over the phone.
  • Create a "scam check" agreement — they call you before transferring any amount above a threshold (e.g. RM500).
  • The Semak Mule app is simple enough for most people to use. Add it to their home screen.

For businesses

  • Train staff on Business Email Compromise (BEC) — the rising "fake CEO email" scam in Malaysia.
  • Use bank account-name verification (where available) before vendor payments.
  • Insist on a call-back protocol for any new payment instructions: any new bank account from a known vendor must be verified by calling a previously-known phone number.

Useful free tools:

Job-Scam Trafficking — A Special Warning

Job-scam trafficking is the most physically dangerous scam targeting Malaysians today. Hundreds of Malaysians have been trafficked into scam compounds in Cambodia, Laos, Myanmar (especially the KK Park compound near Myawaddy), and increasingly the Philippines. Several have died.

The pattern:

  1. Job ad on Facebook, Telegram, or TikTok offering "tech support", "data entry", "customer service", "translator", or "live host" jobs in Bangkok / Phnom Penh / Vientiane.
  2. Salary is 3–5x market rate (RM6,000–15,000/month for entry-level work).
  3. Employer pays for your flight; sometimes pays a "signing bonus" up front.
  4. On arrival, you're met at the airport, then driven across an international border — usually overland into Cambodia, Laos, or Myanmar.
  5. Passport confiscated. Phone monitored. Forced to scam victims back home (often Malaysians) under threat.
  6. Beating, electrocution, and forced organ-harvesting threats are documented.
  7. Escape requires either ransom paid by family (US$5,000–30,000) or risky cross-border rescue by Wisma Putra.

Red flags for any overseas job offer:

  • Salary far above market for the skill level required.
  • Recruiter contacts you on social media, not via a registered agency.
  • Refuses to provide a registered Malaysian recruitment agency licence number.
  • Asks for your passport before you fly.
  • Pays for your flight and accommodation (legitimate employers pay only for senior roles).
  • Will not let you talk to existing employees on a public call.
  • Refuses to confirm the company's physical address with photos.

Verification steps:

  • Check the recruiter at the Department of Labour (JTKSM) registered private employment agency list.
  • Search the company at MITI Malaysia for any registered foreign-investment record.
  • Reverse-image-search the company's website photos.
  • Ask Wisma Putra (Foreign Affairs Ministry) about advisories: travel.gov.my.
  • For any Cambodia / Laos / Myanmar / Philippines posting, treat as guilty until proven innocent.

If a relative may already be trapped:

  • Wisma Putra Crisis Hotline: +603-8887 4570 (24/7) or email [email protected].
  • File a missing-persons report at any Malaysian police station.
  • Contact the Malaysian embassy in the destination country.
  • Do NOT pay the ransom directly — the syndicate often takes the money and keeps the victim. Coordinate with Wisma Putra.

Wisma Putra estimates 200+ Malaysians have been rescued from these compounds since 2022. The rescue process typically takes 2–8 weeks.

Sources & References

This guide is cross-referenced against primary official sources, regulatory references, and locally relevant materials.

Keep exploring