Maybank, CIMB & Public Bank Phishing: How to Identify Fake Banking SMS in Malaysia
Malaysian bank customers are the top target for phishing attacks. Learn how scammers impersonate Maybank, CIMB, and Public Bank through fake SMS, TAC theft, and Macau scam calls.
If you have a Malaysian bank account, you have almost certainly received a suspicious SMS claiming to be from your bank. Phishing attacks targeting Malaysian bank customers have reached epidemic proportions. Maybank, CIMB, and Public Bank — the three largest banks by customer base — are the most frequently impersonated.
The Royal Malaysia Police (PDRM) Commercial Crime Investigation Department (CCID) reported that Malaysians lost over RM600 million to online banking fraud in 2025. And the attacks are becoming more sophisticated every month.
The Anatomy of a Banking Phishing SMS
A typical phishing SMS looks like this:
[Maybank] Your account has been temporarily locked due to suspicious activity. Verify immediately: maybank-secure.com/verify
Or:
CIMB: Unauthorized RM3,500 transfer detected. If not you, cancel here: cimb-alert.my/cancel
These messages exploit two psychological triggers: fear (your money is at risk) and urgency (act now or lose everything). The links lead to convincing replicas of your bank's login page.
Why These Fakes Are So Convincing
| Element | Real | Fake |
|---|---|---|
| Sender name | May appear as "Maybank" | Also appears as "Maybank" (sender ID can be spoofed) |
| Message tone | Professional, no urgency | Creates panic with words like "immediately" and "locked" |
| URL | maybank2u.com.my | maybank2u-secure.com, maybank-verify.my |
| Request | Never asks for password or TAC via link | Asks for full credentials including TAC |
The most dangerous aspect is sender ID spoofing. Scammers can make their SMS appear under the same thread as legitimate bank messages on your phone. This means a fake message sits right below real Maybank notifications, making it look authentic.
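Since the sender name is identical in real and fake messages, the link is the signal worth checking mechanically. The following Python sketch is an added example, not code from any bank: it extracts hostnames from an SMS body, compares them against an allowlist on a label boundary, and flags urgency wording. The allowlist entries other than maybank2u.com.my, the brand keywords, and the function names are assumptions.

```python
import re

# Official hostnames. maybank2u.com.my comes from the table above; the other
# two are assumptions and must be confirmed against each bank's own website.
OFFICIAL = {"maybank2u.com.my", "cimbclicks.com.my", "pbebank.com"}
BRANDS = ("maybank", "cimb", "pbebank", "publicbank")
URGENCY = ("immediately", "locked", "unauthorized", "cancel here", "verify")
# Matches bare hostnames too, since phishing SMS often omit "https://".
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# The two sample messages quoted earlier in the article.
SAMPLES = [
    "[Maybank] Your account has been temporarily locked due to suspicious "
    "activity. Verify immediately: maybank-secure.com/verify",
    "CIMB: Unauthorized RM3,500 transfer detected. If not you, cancel here: "
    "cimb-alert.my/cancel",
]

def is_official(host):
    """True only for an official domain or a subdomain of one.

    Suffix matching on a label boundary rejects both
    maybank2u-secure.com and maybank2u.com.my.example.net.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def analyse_sms(text):
    """Return (kind, detail) findings for one SMS body."""
    findings = []
    for match in URL_RE.finditer(text):
        host = match.group(1).lower()
        if is_official(host):
            continue
        kind = "lookalike" if any(b in host for b in BRANDS) else "unknown-link"
        findings.append((kind, host))
    lowered = text.lower()
    findings += [("urgency", w) for w in URGENCY if w in lowered]
    return findings

if __name__ == "__main__":
    for sms in SAMPLES:
        print(analyse_sms(sms))
```

A substring test such as `"maybank2u" in host` would accept every fake domain in the table, which is why the check compares whole domain suffixes instead.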
TAC (Transaction Authorization Code) Theft
TAC codes are the last line of defence for your online banking transactions. Scammers have developed multiple ways to steal them:
Method 1: The Phishing Page Relay
- You click a phishing link and enter your username and password.
- The scammer's system logs into your real bank account simultaneously using your credentials.
- The bank sends a TAC to your phone for the scammer's transaction.
- The phishing page asks you to enter the TAC "for verification."
- You enter the TAC, and the scammer uses it to complete their transaction.
This happens in real time. The entire process takes less than two minutes.
Method 2: The Phone Call
After obtaining your login credentials through phishing, the scammer calls you posing as a bank officer:
- "We detected a suspicious login to your account."
- "For security, I need to verify the code we just sent to your phone."
- "Please read me the 6-digit number."
The TAC they are asking about is actually for a transaction they are attempting on your account.
Method 3: SIM Swap
In more targeted attacks, scammers visit a telco outlet with fake identification documents and request a SIM card replacement for your number. Once they have your number on their SIM, all TAC codes go directly to them. (See our article on SIM swap fraud for more details.)
The Macau Scam: Malaysia's Most Costly Phone Fraud
The "Macau scam" — named after its suspected origin — is a sophisticated phone scam that has cost Malaysians billions over the years. It typically involves multiple callers playing different roles:
- The first caller claims to be from a delivery company, saying you have an unclaimed parcel.
- The second caller poses as a police officer, claiming your identity has been linked to money laundering or drug trafficking.
- The third caller impersonates a Bank Negara official or a court officer, demanding you transfer your money to a "safe account" for investigation.
The callers are highly trained. They use real police ranks, reference actual laws, and even provide fake badge numbers. Victims — including well-educated professionals — have lost hundreds of thousands of ringgit.
How to Identify a Macau Scam Call
- No government agency will ask you to transfer money by phone. Period.
- Police do not call to inform you of ongoing investigations. You would receive an official letter or visit.
- There is no such thing as a "safe account" managed by police or Bank Negara.
- Real officers will never threaten you with immediate arrest over the phone.
If you receive such a call, hang up. Call the CCID Scam Response Center at 03-2610 1559 to verify.
Protecting Your Malaysian Bank Accounts
Immediate Actions
| Action | How |
|---|---|
| Enable Secure2u or equivalent | Replaces SMS TAC with app-based approval |
| Set transaction limits | Reduce daily transfer caps in your banking app |
| Register for transaction alerts | Get notified for every transaction |
| Use biometric login | Enable fingerprint or face ID on banking apps |
| Lock international transfers | Disable unless actively needed |
Secure2u and App-Based Authentication
All major Malaysian banks now offer app-based transaction approval:
- Maybank: Secure2u
- CIMB: SecureTAC
- Public Bank: PB SecureSign
- RHB: RHB Mobile Banking approval
- Hong Leong: HLB Connect SecureSign
These systems are significantly more secure than SMS TAC because the approval happens within the authenticated banking app, not through an interceptable SMS.
If you have not switched from SMS TAC to app-based authentication, do it today. This single step eliminates the most common attack vector.
Sharing Banking Information Securely
There are legitimate situations where you need to share bank account numbers, transaction references, or financial details with others — splitting rent with housemates, sending payment instructions to clients, or providing bank details for salary deposits.
Sending these details in plain text through WhatsApp or SMS is risky. If either account is compromised, your financial information is exposed. LOCK.PUB lets you share banking details through password-protected, expiring links. The recipient accesses the information once, and the link can be set to self-destruct afterward.
What to Do If You Are a Victim
Act within the first hour — this is your best chance of recovery:
- Call your bank's fraud hotline immediately:
  - Maybank: 03-5891 4744
  - CIMB: 03-6204 7788
  - Public Bank: 03-2170 8000
- Request an immediate account freeze.
- Lodge a police report at the nearest station.
- Call the National Scam Response Center (NSRC) at 997 — this hotline coordinates with banks for emergency fund freezing.
- Change all your banking passwords from a secure device.
Stay One Step Ahead
Banking scams in Malaysia are evolving faster than ever, with AI-powered phishing and deepfake voice calls on the horizon. Your best defences remain simple: never click links in SMS messages, never share TAC codes, and switch to app-based authentication today.
Protect your financial information. Share bank details and sensitive data securely at LOCK.PUB.