Phishing scams: What they are and how to avoid them

April 17, 2025 • By Faw

Have you received an urgent email about a “suspended” bank account or a text promising prizes? You may have encountered phishing — a growing scam in Malaysia. Cybercriminals are constantly evolving their tactics, but with awareness and the right tools, you can protect yourself. Here’s what you need to know.

What is phishing?

Phishing is a form of cybercrime where scammers disguise themselves as legitimate, trusted entities, such as banks, courier companies, or even telcos, to trick you into revealing sensitive personal information. This could include your IC number, online banking login details, or one-time TAC codes. The goal? To steal your identity, access your accounts, or drain your funds.

What makes phishing especially dangerous is that it doesn’t rely on complex technical skills. Instead, it exploits human psychology — counting on you to click on a fake link, download a malicious attachment, or respond to a convincing message.

Common types of phishing scams

Phishing can take many forms, often disguised as everyday communication. Here are some common tactics used by scammers:

1. Email phishing

Scammers send emails that appear to come from banks or service providers, warning of suspicious activity and urging recipients to click a link to “verify” their details. These links often lead to fake websites designed to steal sensitive information.

Example: An email saying “Your bank account has been restricted. Click here to update your information.”

2. SMS phishing (Smishing)

Fake text messages may claim a prize has been won or a delivery has failed. These messages typically contain shortened URLs that redirect to malicious sites or install spyware on the device.

Example: “Your package could not be delivered. Please click this link to reschedule.”

3. Phone call phishing (Vishing)

Scammers may call while impersonating authorities such as the police, tax authorities, or banks. They often use fear tactics, claiming the victim’s identity has been linked to a crime, and pressure them into revealing personal or banking information.

Example: “Your IC is involved in money laundering. We need your banking details to investigate.”

4. Fake social media accounts

Fraudsters create fake profiles mimicking brands, influencers, or public figures, often promoting giveaways, job offers, or easy loans. These are used to collect personal information or request “processing fees” from unsuspecting users.

Example: “Congratulations! You’ve won RM3,000. Just send us your IC and bank details to claim.”

5. Clone websites

Lookalike websites are created to mimic legitimate banking or telco platforms, often with subtle differences in spelling or URL structure. When users log in, their credentials are captured and used by scammers.

Example: Instead of www.celcomdigi.com, the site might be www.celcomd1g1.com

Red flags to watch out for

Phishing scams often follow certain patterns. Here’s how to spot one before it catches you:

  • Urgent or emotional language: Messages that try to create a sense of urgency, fear, or excitement — such as “Act now or your account will be frozen!” — are classic phishing tactics meant to pressure you into reacting without thinking.
  • Generic greetings: Legitimate organisations usually address you by name. Be cautious of messages starting with vague greetings like “Dear Customer” or “Dear User” as they could be mass phishing attempts.
  • Poor spelling and grammar: Many phishing messages contain noticeable spelling errors or awkward phrasing. These are often signs that the message didn’t come from a professional or trustworthy source.
  • Suspicious links: Hover over links before clicking. If the URL looks unusual, doesn’t match the official site, or uses misspelled domains (e.g. www.celcomd1g1.com), it’s likely a scam.
  • Unexpected requests for personal data: Banks, telcos, and other trusted companies will not ask for sensitive details like passwords or TAC codes through email, SMS, or calls. Always treat such requests as red flags.
  • Offers that seem too good to be true: Be wary of messages promising huge prizes, easy loans, or free gifts in exchange for personal information — these are often bait for phishing scams.
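
The "Suspicious links" check above, and the clone-website case of www.celcomd1g1.com, can be automated. The Python below is an added example, not part of the original article or any CelcomDigi tool; the confusable-character map, the distance threshold of 2, and the example.net and example.org links are assumptions constructed for illustration. It goes slightly beyond the article's single case by also flagging the official name embedded inside another domain.

```python
from urllib.parse import urlsplit

OFFICIAL = "celcomdigi.com"  # official domain as given in the article
# Assumed, deliberately small map of look-alike characters (1/l/i, 0/o, ...).
CONFUSABLE = str.maketrans({"1": "i", "l": "i", "0": "o", "3": "e", "5": "s"})

def skeleton(name):
    """Fold visually confusable characters so 'd1g1' and 'digi' compare equal."""
    return name.lower().translate(CONFUSABLE)

def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url, official=OFFICIAL, max_dist=2):
    """Return 'official', 'lookalike' or 'unrelated' for the host in url."""
    # urlsplit only finds the host when a '//' authority marker is present.
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").rstrip(".")
    if host == official or host.endswith("." + official):
        return "official"
    if official in host:  # official name embedded in someone else's domain
        return "lookalike"
    labels = host.split(".")
    target = skeleton(official)
    for i in range(len(labels)):  # compare every trailing part of the host
        if edit_distance(skeleton(".".join(labels[i:])), target) <= max_dist:
            return "lookalike"
    return "unrelated"

# Constructed sample links; only the celcomd1g1 one appears in the article.
SAMPLES = [
    "https://www.celcomdigi.com/login",
    "www.celcomd1g1.com",
    "http://celcomdigi.com.example.net/verify",
    "https://www.example.org/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify(link):10} {link}")
```

A "lookalike" result is a heuristic prompt to verify through the official site or customer service, not proof of fraud.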

What to do if you’ve been targeted

If you receive a suspicious message or call:

  1. Don’t respond, click, or share any details.
  2. Report it immediately to the relevant authorities.
  3. Change your passwords if you’ve entered details anywhere suspicious.
  4. Enable security features like 2FA on important accounts.
  5. Monitor your bank and eWallet activity for unusual transactions.

Report a scam to CelcomDigi

Encountered a scammer posing as a CelcomDigi representative? Report the scam immediately to help us protect you and others.

How to stay protected

Phishing attacks can be scary — but they can be prevented. Here’s how you can reduce your risk:

  • Verify first: Always double-check with the official website or customer service before taking action.
  • Use strong, unique passwords and update them regularly.
  • Keep your phone and apps updated with the latest security patches.
  • Install security software or use built-in protections on your phone.
  • Stay alert: Educate yourself and your loved ones about common scams.

Phishing scams may be evolving, but so can your defences. A little digital awareness goes a long way. With some caution and a habit of double-checking before you click or share, you can build safer online habits and navigate the digital world with confidence. For more tips on staying safe online, visit CelcomDigi's S.A.F.E. Internet page.
