Maybank, CIMB & Public Bank ফিশিং: কীভাবে চিনবেন Fake Banking SMS in Malaysia
Malaysian bank customers are the top target for ফিশিং আক্রমণs. Learn how scammers impersonate Maybank, CIMB, and Public Bank through fake SMS, TAC theft, and Macau scam calls.
Maybank, CIMB & Public Bank ফিশিং: কীভাবে চিনবেন Fake Banking SMS in Malaysia
If you have a Malaysian bank account, you have almost certainly received a suspicious SMS claiming to be from your bank. ফিশিং attacks targeting Malaysian bank customers have reached epidemic proportions. Maybank, CIMB, and Public Bank — the three largest banks by customer base — are the most frequently impersonated.
The Royal Malaysia Police (PDRM) Commercial Crime Investigation Department (CCID) reported that Malaysians lost over RM600 million to online banking fraud in 2025. And the attacks are becoming more sophisticated every month.
The Anatomy of a Banking ফিশিং SMS
A typical ফিশিং SMS looks like this:
[Maybank] Your account has been temporarily locked due to suspicious activity. Verify immediately: maybank-secure.com/verify
Or:
CIMB: Unauthorized RM3,500 transfer detected. If not you, cancel here: cimb-alert.my/cancel
These messages exploit two psychological triggers: fear (your money is at risk) and urgency (act now or lose everything). The links lead to convincing replicas of your bank's login page.
Why These Fakes Are So Convincing
| Element | Real | Fake |
|---|---|---|
| Sender name | May appear as "Maybank" | Also appears as "Maybank" (sender ID can be spoofed) |
| Message tone | Professional, no urgency | Creates panic with words like "immediately" and "locked" |
| URL | maybank2u.com.my | maybank2u-secure.com, maybank-verify.my |
| Request | Never asks for password or TAC via link | Asks for full credentials including TAC |
The most dangerous aspect is sender ID spoofing. Scammers can make their SMS appear under the same thread as legitimate bank messages on your phone. This means a fake message sits right below real Maybank notifications, making it look authentic.
TAC (Transaction Authorization Code) Theft
TAC codes are the last line of defence for your online banking transactions. Scammers have developed multiple ways to steal them:
Method 1: The ফিশিং Page Relay
- You click a ফিশিং link and enter your username and password.
- The scammer's system logs into your real bank account simultaneously using your credentials.
- The bank sends a TAC to your phone for the scammer's transaction.
- The ফিশিং page asks you to enter the TAC "for ভেরিফিকেশন."
- You enter the TAC, and the scammer uses it to complete their transaction.
This happens in real time. The entire process takes less than two minutes.
Method 2: The Phone Call
After obtaining your login credentials through ফিশিং, the scammer calls you posing as a bank officer:
- "We detected a suspicious login to your account."
- "For security, I need to verify the code we just sent to your phone."
- "Please read me the 6-digit number."
The TAC they are asking about is actually for a transaction they are attempting on your account.
Method 3: SIM Swap
In more targeted attacks, scammers visit a telco outlet with fake identification documents and request a SIM card replacement for your number. Once they have your number on their SIM, all TAC codes go directly to them. (See our article on SIM swap fraud for more details.)
The Macau Scam: Malaysia's Most Costly Phone Fraud
The "Macau scam" — named after its suspected origin — is a sophisticated phone scam that has cost Malaysians billions over the years. It typically involves multiple callers playing different roles:
- The first caller claims to be from a delivery company, saying you have an unclaimed parcel.
- The second caller poses as a police officer, claiming your identity has been linked to money laundering or drug trafficking.
- The third caller impersonates a Bank Negara official or a court officer, demanding you transfer your money to a "safe account" for investigation.
The callers are highly trained. They use real police ranks, reference actual laws, and even provide fake badge numbers. Victims — including well-educated professionals — have lost hundreds of thousands of ringgit.
কীভাবে শনাক্ত করবেন a Macau Scam Call
- No government agency will ask you to transfer money by phone. Period.
- Police do not call to inform you of ongoing investigations. You would receive an official letter or visit.
- There is no such thing as a "safe account" managed by police or Bank Negara.
- Real officers will never threaten you with immediate arrest over the phone.
If you receive such a call, hang up. Call the CCID Scam Response Center at 03-2610 1559 to verify.
Protecting Your Malaysian Bank Accounts
Immediate Actions
| Action | How |
|---|---|
| Enable Secure2u or equivalent | Replaces SMS TAC with app-based approval |
| Set transaction limits | Reduce daily transfer caps in your banking app |
| Register for transaction alerts | Get notified for every transaction |
| Use biometric login | Enable fingerprint or face ID on banking apps |
| Lock international transfers | Disable unless actively needed |
Secure2u and App-Based অথেন্টিকেশন
All major Malaysian banks now offer app-based transaction approval:
- Maybank: Secure2u
- CIMB: SecureTAC
- Public Bank: PB SecureSign
- RHB: RHB Mobile Banking approval
- Hong Leong: HLB Connect SecureSign
These systems are significantly more secure than SMS TAC because the approval happens within the authenticated banking app, not through an interceptable SMS.
If you have not switched from SMS TAC to app-based অথেন্টিকেশন, do it today. This single step eliminates the most common attack vector.
Sharing Banking Information নিরাপদে
There are legitimate situations where আপনাকে করতে হবে share bank account numbers, transaction references, or financial details with others — splitting rent with housemates, sending payment instructions to clients, or providing bank details for salary deposits.
Sending these details in plain text through WhatsApp or SMS is risky. If either account is compromised, your financial information is exposed. LOCK.PUB lets you share banking details through পাসওয়ার্ড-সুরক্ষিত, expiring links. The recipient accesses the information once, and the link can be set to self-destruct afterward.
কী করবেন If You Are a Victim
Act within the first hour — this is your best chance of recovery:
- Call your bank's fraud hotline immediately:
- Maybank: 03-5891 4744
- CIMB: 03-6204 7788
- Public Bank: 03-2170 8000
- Request an immediate account freeze.
- Lodge a police report at the nearest station.
- Call the National Scam Response Center (NSRC) at 997 — this hotline coordinates with banks for emergency fund freezing.
- Change all your banking passwords from a secure device.
Stay One Step Ahead
Banking scams in Malaysia are evolving faster than ever, with AI-powered ফিশিং and deepfake voice calls on the horizon. Your best defences remain simple: never click links in SMS messages, never share TAC codes, and switch to app-based অথেন্টিকেশন today.
Protect your financial information. Share bank details and sensitive data সুরক্ষিতভাবে at LOCK.PUB.
Keywords
You might also like
BDO, BPI & Metrobank ফিশিং স্ক্যামs: How Filipinos Lose Money to Fake Bank Messages
Learn কীভাবে identify and avoid ফিশিং স্ক্যামs targeting BDO, BPI, and Metrobank customers in the Philippines. Covers fake SMS, OTP theft, and love scam bank fraud.
DuitNow QR Scams: How Fake QR কোডs Are Stealing Money at Malaysian Restaurants and Markets
Scammers are replacing legitimate DuitNow QR কোডs at restaurants, markets, and stalls across Malaysia. Learn how fake QR scams work and কীভাবে protect yourself when paying.
GCash & Maya Scams in the Philippines: কীভাবে সুরক্ষিত রাখবেন Your E-Wallet
Learn কীভাবে spot and avoid GCash and Maya (PayMaya) scams in the Philippines, from fake cash-in schemes to social engineering and QR কোড fraud.
Create your password-protected link now
Create password-protected links, secret memos, and encrypted chats for free.
Get Started Free