Tap Wisely or Pay Dearly — Digital Payment Safety in Malaysia

Are Your Digital Payments as Safe as You Think?

Police reported 35,368 scam cases in Malaysia in 2024, with losses totalling RM1.6 billion. Scams now represent 84.5% of all commercial crime reports in the country. In response, the Association of Banks in Malaysia (ABM) and the Association of Islamic Banks and Financial Institutions Malaysia (AIBIM) launched the "Percaya Dulu, Menyesal Kemudian" campaign under the #JanganKenaScam umbrella on 30 March 2026 to address the growing threat to digital payment users.

The numbers tell a mixed story. Bank Negara Malaysia prevented over RM399 million in attempted fraudulent transactions in 2024, and unauthorised transactions from malware and phishing fell by 52% — suggesting that technical controls are working. But overall scam volumes remain dangerously high, and new attack vectors are emerging as fast as old ones are closed.

The Risks You Need to Know

Digital payment fraud in Malaysia takes several forms, each exploiting different vulnerabilities:

**Malware-embedded apps and links.** One victim highlighted in the banking industry's campaign — Liz Fernandez, a 67-year-old retiree — lost RM26,000 from her savings after downloading a malware-embedded APK from a fake pet-grooming service link on Facebook. Scammers also attempted to steal RM100,000 from her fixed deposit. Downloading apps from unofficial sources remains one of the most dangerous digital payment risks.

**Fake QR codes.** Scammers paste fraudulent QR codes over legitimate payment terminals at food courts, parking machines, and retail outlets. Scanning the fake code directs your payment to the scammer's account instead of the merchant.

**E-wallet account takeover.** If a scammer gains access to your phone number or email, they can potentially reset your e-wallet credentials and drain your balance. SIM swap attacks — where criminals convince your telco to transfer your number to a new SIM — are a known vector.

**Phishing for payment credentials.** Fake SMS messages, emails, or social media ads mimicking banks and e-wallet providers trick users into entering login details on counterfeit websites.

How to Tap Wisely

Protecting yourself does not mean avoiding digital payments. It means using them with awareness:

1. Enable transaction notifications. Turn on real-time SMS or push alerts for every transaction on your cards and e-wallets. If an unauthorised charge appears, you can act within minutes rather than discovering it days later on a statement.

1. Set spending limits. Most Malaysian banks and e-wallet providers allow you to set daily transaction limits for contactless payments. Lower the limit to an amount that matches your actual daily spending.

1. Lock unused cards. Many banking apps let you temporarily disable contactless functionality or lock your card entirely when you are not using it.

1. Verify QR codes before scanning. At physical merchants, check that the QR code has not been tampered with or pasted over. If a QR code at a hawker stall or parking meter looks altered, ask the merchant or use an alternative payment method.

1. Secure your phone number. Contact your telco to add a SIM lock or additional verification requirement for SIM changes. This protects against SIM swap attacks that can compromise your e-wallets and banking apps.

1. Use biometric authentication. Enable fingerprint or face recognition for your banking and e-wallet apps. This adds a layer that stolen passwords alone cannot bypass.

1. Never share OTPs or TAC codes. No bank, e-wallet provider, or legitimate organisation will ever ask for these codes. Anyone who does is attempting to compromise your account.

What to Do If Something Goes Wrong

If you notice an unauthorised transaction or suspect your digital payment credentials have been compromised:

• Contact your bank or e-wallet provider immediately to freeze the account
• Change all passwords and PINs associated with the compromised service
• Call 997 (National Scam Response Centre) if fraud has occurred
• Lodge a police report at your nearest station
• Report via SemakMule (semakmule.rmp.gov.my)

Speed matters. The faster you report, the more likely your bank can freeze or reverse the fraudulent transaction.

Frequently Asked Questions

Can someone tap my contactless card without me knowing?

Technically, yes — contactless cards can be read at close range. However, the transaction limits and the need for a payment terminal make this uncommon. The greater risk is a lost or stolen card being used for multiple small contactless transactions.

What should I do if I see an unauthorised e-wallet transaction?

Contact your e-wallet provider immediately to freeze your account, change your password and PIN, and report the incident to police and 997 (NSRC).

Are QR code payment scams common in Malaysia?

QR code fraud has been reported at food courts, parking facilities, and retail locations in Malaysia. Always verify that a QR code has not been tampered with before scanning, particularly at unmanned terminals.