PETALING JAYA: Malaysia’s RM1.12 billion in online scam losses recorded in the first half of 2025 point to a cyber threat landscape that is becoming more sophisticated, more automated and increasingly focused on exploiting human behaviour.
Enterprise IT management software firm ManageEngine’s regional vice-president, Arun Kumar, said phishing has emerged as the primary entry point for fraud, accounting for 69% of cases handled by Cyber999, as cyber criminals shift away from purely technical exploits towards social engineering techniques that are harder to detect and prevent.
“The threat environment has evolved significantly. Phishing today is no longer limited to email scams but spans phone calls, SMS, messaging applications, corporate collaboration platforms, cloud services, VPNs (virtual private networks) and endpoints,” he told SunBiz.
Operated by CyberSecurity Malaysia, Cyber999 serves as the national point of contact for reporting computer security incidents and supports Malaysian internet users in responding to and resolving them.
Arun noted that attackers are increasingly weaponising generative artificial intelligence (AI) to scale up operations and improve success rates.
The use of deepfake videos, voice cloning and highly personalised messages has made it more difficult for individuals and organisations to distinguish between legitimate and fraudulent communications, he said.
He added that the distribution of malicious Android application packages through phishing campaigns is becoming more common, particularly targeting mobile banking users.
At the same time, AI is being used to automate attacks, accelerate password cracking and adapt malicious activity to bypass traditional security controls.
According to Arun, the continued rise in scam cases also reflects persistent gaps in public awareness and digital literacy.
He said many victims still choose not to report incidents due to scepticism over the speed or effectiveness of enforcement, allowing cyber criminals to continue their activities largely unchecked.
While awareness of cybersecurity risks has improved, Arun said, many organisations remain overly reliant on annual training sessions and ad-hoc campaigns, which have proven insufficient in changing behaviour.
“A cybersecurity-first culture is not built through one-off awareness programmes. It requires shared responsibility across the organisation, continuous security practices and leadership that treats cybersecurity as a core business issue,” he said.
He added that companies which embed identity-first security, Zero Trust principles, behavioural monitoring and automated incident response into daily operations are better positioned to reduce human error and limit the impact of breaches.
To ensure awareness translates into secure day-to-day behaviour, Arun said, organisations must shift to continuous, role-based training that reflects the real-world risks employees face across functions, including finance, human resources and operations.
This approach should be supported by technology that enforces secure-by-default workflows. Strong authentication, least-privilege access and contextual controls can reduce reliance on individual vigilance.
At the same time, user and entity behaviour analytics and automated response tools help detect and correct unsafe actions in real time.
“Secure behaviour becomes sustainable when systems guide employees towards the right actions instead of depending on memory or periodic reminders,” he said.
Leadership remains a decisive factor in embedding cybersecurity across organisations, Arun said, stressing that security initiatives tend to fail when they are treated as the sole responsibility of IT teams.
“When leaders consistently prioritise cybersecurity in budgeting, governance and strategic planning, it sends a clear signal that security is a business imperative,” Arun said.
Sustaining these efforts, he added, requires ongoing policy reviews, post-incident learning, transparent communication about threats and performance metrics that track both technical and behavioural maturity.
At the national level, Arun said, Malaysia’s National Cyber Security Strategy 2025-2030 highlights the importance of collaboration between government, businesses and the wider community to strengthen digital resilience.
He said organisations can contribute to the national cybersecurity ecosystem by aligning with recognised frameworks, sharing anonymised threat intelligence with authorities and industry groups, and participating in public-private exercises coordinated by agencies such as the National Cyber Security Agency.
Businesses also have a role to play in addressing talent shortages by supporting cybersecurity skills development through partnerships with academic institutions and internal upskilling programmes, he added.
Looking ahead, Arun warned that cyber risks are expected to intensify over the next three to five years, driven by the growing use of AI by threat actors, the expansion of cloud and SaaS environments, and increasing reliance on third-party vendors.
“Identity is becoming the new perimeter. Compromised credentials, shadow IT, and supply chain weaknesses will remain major attack vectors unless organisations adopt identity-first and Zero Trust controls,” he said.
He added that organisations that fail to move from awareness to action risk continued financial, operational and reputational damage as threats become faster and more adaptive.
“In this environment, cybersecurity can no longer be reactive. It has to be built into how organisations operate every day,” Arun said.
