SIM Swap Fraud Targeting Celcom, Maxis & Digi Customers in Malaysia
Malaysian telco customers are increasingly targeted by SIM swap attacks. Learn how criminals hijack your Celcom, Maxis, or Digi number to access your bank accounts and e-wallets.
SIM Swap Fraud Targeting Celcom, Maxis & Digi Customers in Malaysia
Imagine waking up to find your phone has no signal. You restart it, check the SIM — everything looks normal, but there is no network. A few hours later, you discover your bank account has been emptied, your e-wallet drained, and your email password changed. Welcome to SIM swap fraud.
SIM swap attacks have surged across Malaysia, affecting customers of all major telcos — Celcom, Maxis, Digi, and U Mobile. The Malaysian Communications and Multimedia Commission (MCMC) has acknowledged the growing threat, and banks have begun issuing warnings to customers about this specific type of fraud.
How SIM Swap Fraud Works
A SIM swap attack does not require any technical hacking. It exploits the process telcos use to replace lost or damaged SIM cards. Here is the step-by-step:
Step 1: Gathering Your Information
The attacker collects your personal details through:
- Data breaches — leaked databases containing IC numbers, phone numbers, and addresses
- Social media — your birthday, workplace, phone number shared publicly
- Phishing — fake emails or SMS designed to extract personal information
- Social engineering — calling you while posing as a bank or government officer
Step 2: Visiting the Telco Outlet
Armed with your IC number and personal details, the attacker visits a telco outlet (or authorised dealer) and requests a SIM replacement. They may:
- Use a fake IC with your number but their photo
- Bribe or manipulate a telco employee
- Use the online SIM replacement process with stolen credentials
- Present a fraudulent police report claiming the SIM was stolen
Step 3: Activating the New SIM
Once the new SIM is activated, your original SIM is deactivated. Your phone loses signal. The attacker now receives all calls and SMS intended for you — including:
- Banking TAC (Transaction Authorization Code) messages
- OTP (One-Time Password) codes for e-wallets
- Password reset codes for email and social media
- Two-factor authentication codes
Step 4: Draining Your Accounts
With access to your phone number, the attacker:
- Resets your online banking password using SMS verification
- Logs into your Maybank2u, CIMB Clicks, or other banking portal
- Initiates transfers to mule accounts
- Empties your Touch 'n Go eWallet, GrabPay, and other linked wallets
- Changes passwords on your email and social media to lock you out
The entire process — from SIM activation to account drainage — can happen in under 30 minutes.
Why Malaysia Is Particularly Vulnerable
Several factors make Malaysian telco customers especially susceptible:
| Factor | Explanation |
|---|---|
| IC-centric system | Almost everything ties back to your 12-digit IC number |
| Widespread data breaches | Multiple large-scale leaks of Malaysian personal data |
| SMS-based TAC | Many banks still default to SMS for transaction verification |
| Dealer network | Thousands of authorised dealers with varying security standards |
| Mandatory SIM registration | Linking real identity to SIM makes the number more valuable |
Warning Signs of a SIM Swap Attack
| Sign | What It Means |
|---|---|
| Sudden loss of mobile signal | Your SIM has been deactivated |
| Unable to make or receive calls | The new SIM is active on your number |
| Unexpected password reset emails | Attacker is taking over your accounts |
| Bank transaction notifications you did not initiate | Money is being moved |
| Friends receive strange messages from your number | Attacker is using your number |
Critical: If you lose signal unexpectedly and it does not return within a few minutes, do not wait. Act immediately.
Immediate Response Plan
If you suspect a SIM swap:
- Contact your telco immediately from another phone:
- Celcom: 1111
- Maxis: 123
- Digi: 016-221 1800
- U Mobile: 018-388 1318
- Request immediate suspension of your number.
- Call your bank's fraud hotline:
- National Scam Response Center (NSRC): 997
- Maybank: 03-5891 4744
- CIMB: 03-6204 7788
- Public Bank: 03-2170 8000
- Change passwords for email, banking, and e-wallets from a secure device using WiFi (not mobile data).
- Lodge a police report at the nearest station.
- Report to MCMC at aduan.skmm.gov.my.
How to Protect Yourself
Switch Away from SMS-Based Authentication
This is the single most important step. Replace SMS TAC with app-based authentication wherever possible:
| Bank | App-Based Option |
|---|---|
| Maybank | Secure2u |
| CIMB | SecureTAC |
| Public Bank | PB SecureSign |
| RHB | RHB Mobile Banking |
| Hong Leong | HLB Connect SecureSign |
For e-wallets, enable biometric authentication (fingerprint or face ID) instead of relying on SMS OTP.
Strengthen Your Telco Account
- Set a SIM replacement PIN with your telco if available. This adds an extra verification step before any SIM changes.
- Enable account alerts — some telcos notify you of account changes via email.
- Use the telco app to monitor your account status.
- Ask your telco about port-out protection — this prevents your number from being transferred to another carrier without additional verification.
Reduce Your Exposure
- Limit the personal information you share on social media.
- Use unique passwords for every account — a password manager helps.
- Enable two-factor authentication using an authenticator app (Google Authenticator, Microsoft Authenticator) instead of SMS wherever possible.
- Regularly check your CCRIS report for unauthorized credit applications.
Share Sensitive Data Carefully
When you need to share your phone number, IC details, or account information with others, avoid putting them in plain text messages. Use LOCK.PUB to create password-protected links that expire after a set period. This prevents sensitive information from sitting permanently in chat histories where it could be extracted if an account is compromised.
The Telco Industry Response
Malaysian telcos have introduced several measures to combat SIM swap fraud:
- Biometric verification at outlets for SIM replacement
- Cooling-off periods — some telcos now delay SIM activation to give the legitimate owner time to respond
- SMS notifications to the existing number before a SIM swap is processed
- Stricter dealer audits to reduce insider fraud
However, implementation varies, and the dealer network remains a weak point. Authorised dealers may not always follow the same security protocols as official telco outlets.
The Future of SIM Security
MCMC is working on tighter regulations for SIM replacement processes, including:
- Mandatory biometric verification for all SIM changes
- Real-time notification systems
- Centralised reporting for SIM fraud
- Penalties for telco employees involved in fraudulent SIM swaps
Until these measures are fully implemented, your best protection is proactive: switch to app-based authentication, monitor your accounts, and act fast at the first sign of trouble.
Protect your digital identity. Share sensitive information through encrypted, expiring links at LOCK.PUB.
Keywords
You might also like
SIM Swap Attacks Targeting Kyivstar, Vodafone UA, and lifecell Customers
How SIM swap fraud works in Ukraine, targeting customers of Kyivstar, Vodafone Ukraine, and lifecell. Learn how criminals hijack your phone number to access banking and Diia accounts.
حملات SIM Swap در سوئد: از حساب Telia، Tele2 و Tre خود محافظت کنید
بیاموزید چگونه کلاهبرداری SIM swap مشتریان موبایل سوئدی را هدف میگیرد.
Bangladesh Freelancer Payment Security: Protecting Your Earnings on Upwork, Fiverr, and bKash
A guide for Bangladeshi freelancers on securing payments from Upwork, Fiverr, and other platforms. Learn to protect bKash withdrawals, avoid payment scams, and safeguard your income.
Create your password-protected link now
Create password-protected links, secret memos, and encrypted chats for free.
Get Started Free