
National Security 101: A Persistent Scammer Called, Data Breaches & OTP Scams


We hardly go to the bank and use the old-school passbook for our banking transactions anymore, a practice that reduced the element of scams in the old days. Now we perform bank transactions from the comfort of our homes on our mobile phones and laptops, which may be exposed to malware and other methods of scamming. Photo by Andrea Piacquadio from Pexels


Insurance Scam Call

The First Scam Call

It was one fine day at work and I was so busy with work that I did not think much when I saw a call from an unknown number. Without thinking much, I picked up and on the other side, there was a lady’s voice. She said she was calling from an insurance company head office and was calling in regards to my “3rd” medical claim.

My mind that was focussing on the work at hand stopped for a moment as soon as I noticed some red flags. Firstly I don’t have any policy with that particular insurance company, secondly, I don’t have any pending insurance claim and thirdly the number called was a mobile number which is not listed in the insurance company’s contact numbers.

Immediately my mind screamed “SCAM”!!!

So I maintained my calmness in the conversation although I was really pissed off as the scammer had my full name, mobile number AND more importantly my national ID. I asked the scammer for my policy number, the number of times I have “claimed”, the dates of claim and the hospital name. None of the information provided was unheard of. Then I asked the scammer what is my registered house address in their “system” and she gave me a location somewhere in Ampang which was nowhere close to my actual residential address.

I kept asking for more information but none was true and I sensed the scammer on the other end of the call realised that she was not getting through with me. She then told me that she was passing the call to her “supervisor” and I noticed it was the number when I heard another lady speaking. She said she was the supervisor and repeated the same thing as earlier.

Before I could ask for more information, the scammer told me that they had called me out of courtesy and were not responsible if anything unfortunate happened. Then she ended the call.

The Second Scam Call

I was rather pissed off after the first scam call from the so-called insurance company so I wrote to the actual insurance company with the scam details and asked them to double confirm if it is a genuine call. They confirmed that it is a scam call as they will not call from the said mobile number. They advised me to ignore the call and be more alert to similar scam calls.

Just when I thought it was the end of it, a week later, I got a call from another mobile phone and it was the same narration. This time, it was on a public holiday and I was just pulling into a petrol station to refuel. This time I did not have time to entertain the call so I told the caller straight up that I knew it was a scam call and that I was driving at the moment. The lady on the other line perhaps did not hear the word “scam”. She played cool and replied that she would call back once I was free. I am still waiting for the call.


As of Q3 2022, Malaysia is in 31st position on the list of most breached countries, which seems to be an improvement from 11th place in Q2 2022; in actual fact it is not, considering that the number of breaches has increased by 719% in the last 2 quarters. The top place on the list is held by the US. Data source: Surfshark

One of the Most Data-Breached Countries

It is not a big surprise that Malaysia is one of the most breached countries, considering that personal data is openly sold by insiders from the companies, mainly telcos.

According to cybersecurity company Surfshark, Malaysia is the 11th most breached country of Q2, 2022, as determined by analysing millions of breached accounts April through June.

The company said more than 665.2K Malaysian users have been breached during this period, while since 2004 there have already been 44.2M breached accounts.

(Source: NST)

Data breaches are also happening due to a lack of IT security infrastructure, which allows hackers to breach systems easily, and news of leaked personal and sensitive data is almost a monthly affair:-

According to the statement from the group which was published by Sin Chew Daily, among items that it claimed to have obtained from ePenyata Gaji is a database in JSON and CSV format which has more than a million rows of identities.

The information apparently contained within the database includes full name, MyKad number, position, department, pay slip number, mobile phone number, and e-mail address.

Furthermore, the group also claimed that it has extracted almost two million pay slips and tax forms in PDF format with a total file size of 188.75GB.

SinChew noted that it has sighted several screenshots that the group has attached in its statement that include pay slips of several notable politicians such as Finance Minister Tunku Zafrul, former Deputy Finance Minister Ahmad Zahid Hamidi, and former Speaker of the Dewan Rakyat Mohamad Ariff Md Yusof.

(Source: Low Yat)

And this one, which is more serious for national security and the financial sector:-

Just in case you missed it, it was discovered yesterday that an individual has allegedly gained JPN’s dataset containing personal data of Malaysians born from 1940 to 2004, and placed it up for sale on a well-known database marketplace forum.

The seller also claims that the leaked 160GB dataset consisted of various critical details such as name, IC number, address, date of birth, gender, race, religion, mobile number, and Base54-based photo.

As we’ve pointed out prior to this, the individual also went as far as to publish the personal information belonging to Hamzah Zainudin as proof. In the forum post, the dataset is being placed on sale for US$ 10,000 (~RM43,870), accepted in Bitcoin or Monero cryptocurrencies.

(Source: Low Yat)

Why are we having these breaches in the first place?


OTP scam incidents are on the rise as scammers get smarter at adopting the latest technology and vary their methods of scamming their victims. Image source: Scam Alert

OTP Financial Losses

The more frightening scams are the One-Time Password (OTP) scams, which you are not aware of and are unable to stop when they happen. And these scam victims are not dumb people but rather professionals.

Yesterday, Dr Rafidah Abdullah, a nephrologist based in Malaysia complained about CIMB Bank’s security measures after RM13,000 was taken out from her account in the early hours in the morning.

According to her social posts, there were three CIMB Clicks transactions performed on her account between 2.00 and 2.30 am which were completed without any TAC verification. She said the situation was ridiculous and has lost faith in the bank. A formal report was made with the police and CIMB.

(Source: Malay Mail)

And another:-

Chef Loses RM7k Despite Not Sharing Out The OTP, Nearly Lost Another RM10k.

According to China Press, he questioned if there were loopholes in the bank’s security system, which led to opportunities for hackers.

The victim’s father said that his son suddenly received a one-time password (OTP) message from the bank on one evening, and found that RM7,000 in his bank account was gone.

The father said that his son had never downloaded any suspicious mobile applications and application download packages (APKs).

He added that his son did not disclose the personal information of his bank account to a third party.

(Source: The Rakyat Post)

And another:-

A semi-retired contractor is shocked that about RM3,700 from his bank account has been transferred out without his knowledge and consent.

Leong Yoe Wai, 56, said the money had been transferred to the accounts of two people whom he does not know on July 30.

“I was about to transfer some money to my insurance agent and I was shocked to find out that my savings account only had about RM11 left.

“There had been three transactions made on July 25 within two minutes,” he said, adding that he did not get any one time password (OTP) text messages at all.

“In fact, the only time I got the OTP was when I set up my online banking account and subsequent transactions did not prompt me,” he added.

Leong said he rarely uses the account and the money was for emergencies only.

(Source: The Star)

The problem that is reported by most of the scam victims is that they did not download any unauthorised apps and they don’t get any OTPs before the transactions take place. So how do OTP scams happen?

In most cases, OTP fraud occurs when –

1. Your phone is infected by malware. The malware can then read your messages that contain the OTP and compromise your account.

2. You are duped into revealing the OTP to a fraudster on call/sms/email. Fraudsters will try to lure you by making false promises of helping with a transaction or providing better services and if their attempts succeed, trick you into completing unauthorized transactions or even cause identity theft.

(Source: Citibank)

In Malaysia, there have been reported scams due to unauthorised apps:-

Malaysians have been urged to avoid using house cleaning or food delivery services that require customers to download a third party application under the Android Package Kit (APK).

Deputy Finance Minister II Yamani Hafez Musa (Perikatan Nasional-Sipitang) said the APK application would allow scammers to read victims’ SMS carrying the one-time password (OTP), which is commonly used to facilitate financial transactions.

(Source: NST)

At the end of the day, it is all about being careful: do not reveal any OTP to third parties, do not install any unauthorised APKs, and be vigilant when talking to anyone who claims to be from the bank or insurance company.
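One way to check which installed apps could read SMS-delivered OTPs, as described in the malware and APK passages above. This is an added example, not part of the original post: the sample dump is constructed to resemble abridged `adb shell dumpsys package` output, and the package names are hypothetical.

```python
import re

# Android permissions that expose SMS text (and so SMS-delivered OTPs) to an app.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS": "can read stored SMS messages",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS messages",
}

# Constructed sample laid out like an abridged `adb shell dumpsys package` dump.
# Package names are hypothetical.
SAMPLE_DUMP = """\
Package [com.example.cleaning.booking] (1a2b3c):
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_SMS
    android.permission.RECEIVE_SMS
  runtime permissions:
    android.permission.READ_SMS: granted=true
    android.permission.RECEIVE_SMS: granted=false
Package [com.example.notes] (4d5e6f):
  requested permissions:
    android.permission.INTERNET
  runtime permissions:
"""

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
GRANT_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)")
REQ_RE = re.compile(r"^\s*(android\.permission\.\w+)\s*$")


def audit_sms_access(dump_text):
    """Return {package: {permission: 'granted' | 'requested'}} for SMS permissions."""
    findings, package = {}, None
    for line in dump_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            package = m.group(1)
            continue
        granted = GRANT_RE.match(line)
        requested = REQ_RE.match(line)
        if package and granted and granted.group(1) in SMS_PERMISSIONS:
            # A runtime grant overrides the weaker "requested" state.
            state = "granted" if granted.group(2) == "true" else "requested"
            findings.setdefault(package, {})[granted.group(1)] = state
        elif package and requested and requested.group(1) in SMS_PERMISSIONS:
            findings.setdefault(package, {}).setdefault(requested.group(1), "requested")
    return findings


if __name__ == "__main__":
    for pkg, perms in sorted(audit_sms_access(SAMPLE_DUMP).items()):
        for perm, state in sorted(perms.items()):
            print(f"{pkg}: {perm} ({state}) - {SMS_PERMISSIONS[perm]}")
```

An app with no messaging function that shows up here, especially one installed from an APK outside the official store, is a candidate for removal or for having the permission revoked in the phone's settings.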


These days, almost every country in the world has some form of personal data protection and the modus operandi and scope are similar in nature. The objective at the end of the day is to prevent misuse of the data for identity fraud, scams and financial losses. Image source: Personal Data Protection Commission, Singapore

Personal Data Protection Act 2010

Malaysia passed a personal data protection law (PDPA 2010) that provides the definition of personal data and legal action against those who abuse personal data.


Para 4 – “personal data” means any information in respect of commercial transactions, which:-

(a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;

(b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or

(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject; but does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010;

“sensitive personal data” means any personal data consisting of information as to the physical or mental health or condition of a data subject, his political opinions, his religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him of any offence or any other personal data as the Minister may determine by order published in the Gazette;


40. (1) Subject to subsection (2) and section 5, a data user shall not process any sensitive personal data of a data subject except in accordance with the following conditions:

(a) the data subject has given his explicit consent to the processing of the personal data;

(b) the processing is necessary—

(i) for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data user in connection with employment;

(ii) in order to protect the vital interests of the data subject or another person, in a case where—
(A) consent cannot be given by or on behalf of the data subject; or
(B) the data user cannot reasonably be expected to obtain the consent of the data subject;

(iii) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld;

(iv) for medical purposes and is undertaken by—
(A) a healthcare professional; or
(B) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a healthcare professional;

(v) for the purpose of, or in connection with, any legal proceedings;
(vi) for the purpose of obtaining legal advice;
(vii) for the purposes of establishing, exercising or defending legal rights;
(viii) for the administration of justice;
(ix) for the exercise of any functions conferred on any person by or under any written law; or
(x) for any other purposes as the Minister thinks fit;


(c) the information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.


Para 5 (2) – (2) Subject to sections 45 and 46, a data user who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding three hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

Para 16 – (4) A person who belongs to the class of data users as specified in the order made under subsection 14(1) and who processes personal data without a certificate of registration issued in pursuance of paragraph 16(1)(a) commits an offence and shall, on conviction, be liable to a fine not exceeding five hundred thousand ringgit or to imprisonment for a term not exceeding three years or to both.

Para 29. A data user who fails to comply with any provision of the code of practice that is applicable to the data user commits an offence and shall, on conviction, be liable to a fine not exceeding one hundred thousand ringgit or to imprisonment for a term not exceeding one year or to both.

Para 40 (3) A person who contravenes subsection (1) commits an offence and shall, on conviction, be liable to a fine not exceeding two hundred thousand ringgit or to imprisonment for a term not exceeding two years or to both.

Obligations to protect data

9. (1) A data user shall, when processing personal data, take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction by having regard—

(a) to the nature of the personal data and the harm that would result from such loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction;
(b) to the place or location where the personal data is stored;
(c) to any security measures incorporated into any equipment in which the personal data is stored;
(d) to the measures taken for ensuring the reliability, integrity and competence of personnel having access to the personal data; and
(e) to the measures taken for ensuring the secure transfer of the personal data.

It is amazing that some people are still using predictable and weak passwords for their online transactions, exposing themselves to scams and fraud. Always use strong passwords, which can be easily generated and stored using password managers like the free, open-source KeePass. Image source: Yuga Tech

Government Reaction

Despite having PDPA legislation that governs the manner in which personal information is used and the punishment for those who abuse it, the response from the Government has been rather lukewarm and non-committal:-

Just recently, a database showed up on a popular database marketplace that contained the personal information of about 22.5 million Malaysians. Minister of Defence Hishammuddin Hussein, speaking up about the issue, said that the data leak won’t be able to affect national security as his ministry has systems in place to prevent such a situation.

Hishammuddin said he is confident that Malaysia’s relevant intelligence agencies are prepared for any eventuality that could come from the breached data, although he did not clarify what specific mechanisms would prevent the data from being misused.

(Source: Low Yat)

And this:-

The Ministry of Home Affairs (KDN) has denied that personal data of 22.5 million Malaysians from the national registration department (JPN) have been leaked online.

Its minister, Hamzah Zainudin, further added that the alleged dataset did not belong to the department, despite the claims of a database seller.

(Source: Low Yat)

It is not enough to have legislation that protects personal data and provides severe punishment for the abuse of the data. The storage and protection of data at the source are more critical, considering that there have been allegations of several breaches from government departments. More often than not, the response from the government has been reactive rather than proactive in preventing the breach in the first place.

Final Say

It is not the end of the story when it comes to scams and financial fraud as anyone who has their personal data stored by third parties such as government agencies, utility companies and banks is exposed to data breaches at any time.

And whilst it is not possible to enforce strict security protocols on these third parties, exposure to scammers after a breach can be minimised by exercising some common sense, namely ensuring that passwords, OTPs and answers to secret questions are not revealed to anyone, ensuring that passwords are not weak, and ensuring that no unauthorised applications are installed on laptops and smartphones.

Always beware of scam calls from scammers who masquerade as police, bank or insurance officers and try to get your personal and banking information. Don’t panic, remain calm and focus on asking question after question to verify the information, and if not sure, put down the phone.