Maybank, CIMB & Public Bank Phishing: How to Spot Fake Banking SMS in Malaysia
Malaysian bank customers are the top target for phishing attacks. Learn how scammers impersonate Maybank, CIMB, and Public Bank through fake SMS, TAC theft, and Macau scam calls.
If you have a Malaysian bank account, you have almost certainly received a suspicious SMS claiming to be from your bank. Phishing attacks targeting Malaysian bank customers have reached epidemic proportions. Maybank, CIMB, and Public Bank — the three largest banks by customer base — are the most frequently impersonated.
The Royal Malaysia Police (PDRM) Commercial Crime Investigation Department (CCID) reported that Malaysians lost over RM600 million to online banking fraud in 2025. And the attacks are becoming more sophisticated every month.
The Anatomy of a Banking Phishing SMS
A typical phishing SMS looks like this:
[Maybank] Your account has been temporarily locked due to suspicious activity. Verify immediately: maybank-secure.com/verify
Or:
CIMB: Unauthorized RM3,500 transfer detected. If not you, cancel here: cimb-alert.my/cancel
These messages exploit two psychological triggers: fear (your money is at risk) and urgency (act now or lose everything). The links lead to convincing replicas of your bank's login page.
Why These Fakes Are So Convincing
| Element | Real | Fake |
|---|---|---|
| Sender name | May appear as "Maybank" | Also appears as "Maybank" (sender ID can be spoofed) |
| Message tone | Professional, no urgency | Creates panic with words like "immediately" and "locked" |
| URL | maybank2u.com.my | maybank2u-secure.com, maybank-verify.my |
| Request | Never asks for password or TAC via link | Asks for full credentials including TAC |
The most dangerous aspect is sender ID spoofing. Scammers can make their SMS appear under the same thread as legitimate bank messages on your phone. This means a fake message sits right below real Maybank notifications, making it look authentic.
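Because the sender name can be spoofed, the link host is the element in the table above that can be checked mechanically. The following is an added example, not code from any bank or from this article's publisher: it extracts link hosts from an SMS body and flags any host that contains a bank name but is not an exact allowlisted host or a true subdomain of one. The allowlist, brand tokens, function names and the last two sample messages are assumptions constructed for illustration.

```python
import re

# maybank2u.com.my is the official host named in the table above. Add the
# published domains of your other banks; this exact-match set is an assumption.
OFFICIAL_HOSTS = {"maybank2u.com.my"}
BRAND_TOKENS = ("maybank", "cimb", "publicbank")  # illustrative brand strings
# "immediately" and "locked" come from the table; the rest are constructed.
URGENCY_WORDS = ("immediately", "locked", "unauthorized", "cancel here")

# Finds links with or without a scheme, e.g. "maybank-secure.com/verify".
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)

def is_official(host):
    """True only for an allowlisted host or a true subdomain of one."""
    return any(host == h or host.endswith("." + h) for h in OFFICIAL_HOSTS)

def score_sms(text):
    """Classify one SMS body by the hosts it links to."""
    hosts = [m.group(1).lower() for m in URL_RE.finditer(text)]
    outside = [h for h in hosts if not is_official(h)]
    lookalikes = [h for h in outside if any(t in h for t in BRAND_TOKENS)]
    urgency = [w for w in URGENCY_WORDS if w in text.lower()]
    if lookalikes:
        verdict = "lookalike"        # bank name in a host the bank does not own
    elif outside:
        verdict = "unverified-link"  # some other site; still not the bank
    elif hosts:
        verdict = "official-host"
    else:
        verdict = "no-link"
    return {"verdict": verdict, "hosts": hosts,
            "lookalikes": lookalikes, "urgency": urgency}

# The first two bodies are the examples quoted earlier on this page;
# the last two are constructed test inputs.
SAMPLES = [
    "[Maybank] Your account has been temporarily locked due to suspicious activity. "
    "Verify immediately: maybank-secure.com/verify",
    "CIMB: Unauthorized RM3,500 transfer detected. If not you, cancel here: cimb-alert.my/cancel",
    "Maybank: confirm your device at maybank2u.com.my.device-check.example/login",
    "Maybank: your e-statement is ready in the app or at maybank2u.com.my",
]

if __name__ == "__main__":
    for body in SAMPLES:
        result = score_sms(body)
        print(result["verdict"], result["lookalikes"], result["urgency"])
```

The third sample shows why the comparison must be on the end of the host: the official name appears at the start, but the domain that actually receives the request is the part on the right.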
TAC (Transaction Authorization Code) Theft
TACs are the last line of defence for your online banking transactions. Scammers have developed multiple ways to steal them:
Method 1: The Phishing Page Relay
- You click a phishing link and enter your username and password.
- The scammer's system logs into your real bank account simultaneously using your credentials.
- The bank sends a TAC to your phone for the scammer's transaction.
- The phishing page asks you to enter the TAC "for verification."
- You enter the TAC, and the scammer uses it to complete their transaction.
This happens in real time. The entire process takes less than two minutes.
Method 2: The Phone Call
After obtaining your login credentials through phishing, the scammer calls you posing as a bank officer:
- "We detected a suspicious login to your account."
- "For security, I need to verify the code we just sent to your phone."
- "Please read me the 6-digit number."
The TAC they are asking about is actually for a transaction they are attempting on your account.
Method 3: SIM Swap
In more targeted attacks, scammers visit a telco outlet with fake identification documents and request a SIM card replacement for your number. Once they have your number on their SIM, all TAC codes go directly to them. (See our article on SIM swap fraud for more details.)
The Macau Scam: Malaysia's Most Costly Phone Fraud
The "Macau scam" — named after its suspected origin — is a sophisticated phone scam that has cost Malaysians billions over the years. It typically involves multiple callers playing different roles:
- The first caller claims to be from a delivery company, saying you have an unclaimed parcel.
- The second caller poses as a police officer, claiming your identity has been linked to money laundering or drug trafficking.
- The third caller impersonates a Bank Negara official or a court officer, demanding you transfer your money to a "safe account" for investigation.
The callers are highly trained. They use real police ranks, reference actual laws, and even provide fake badge numbers. Victims — including well-educated professionals — have lost hundreds of thousands of ringgit.
How to Identify a Macau Scam Call
- No government agency will ask you to transfer money by phone. Period.
- Police do not call to inform you of ongoing investigations. You would receive an official letter or visit.
- There is no such thing as a "safe account" managed by police or Bank Negara.
- Real officers will never threaten you with immediate arrest over the phone.
If you receive such a call, hang up. Call the CCID Scam Response Center at 03-2610 1559 to verify.
Protecting Your Malaysian Bank Accounts
Immediate Actions
| Action | How |
|---|---|
| Enable Secure2u or equivalent | Replaces SMS TAC with app-based approval |
| Set transaction limits | Reduce daily transfer caps in your banking app |
| Register for transaction alerts | Get notified for every transaction |
| Use biometric login | Enable fingerprint or face ID on banking apps |
| Lock international transfers | Disable unless actively needed |
Secure2u and App-Based Authentication
All major Malaysian banks now offer app-based transaction approval:
- Maybank: Secure2u
- CIMB: SecureTAC
- Public Bank: PB SecureSign
- RHB: RHB Mobile Banking approval
- Hong Leong: HLB Connect SecureSign
These systems are significantly more secure than SMS TAC because the approval happens within the authenticated banking app, not through an interceptable SMS.
If you have not switched from SMS TAC to app-based authentication, do it today. This single step eliminates the most common attack vector.
Sharing Banking Information Safely
There are legitimate situations where you need to share bank account numbers, transaction references, or financial details with others — splitting rent with housemates, sending payment instructions to clients, or providing bank details for salary deposits.
Sending these details in plain text through WhatsApp or SMS is risky. If either account is compromised, your financial information is exposed. LOCK.PUB lets you share banking details through password-protected, expiring links. The recipient accesses the information once, and the link can be set to self-destruct afterward.
What to Do If You Are a Victim
Act within the first hour — this is your best chance of recovery:
- Call your bank's fraud hotline immediately:
  - Maybank: 03-5891 4744
  - CIMB: 03-6204 7788
  - Public Bank: 03-2170 8000
- Request an immediate account freeze.
- Lodge a police report at the nearest station.
- Call the National Scam Response Center (NSRC) at 997 — this hotline coordinates with banks for emergency fund freezing.
- Change all your banking passwords from a secure device.
Stay One Step Ahead
Banking scams in Malaysia are evolving faster than ever, with AI-powered phishing and deepfake voice calls on the horizon. Your best defences remain simple: never click links in SMS messages, never share TAC codes, and switch to app-based authentication today.
Protect your financial information. Share bank details and sensitive data securely at LOCK.PUB.