Malaysia recorded a staggering 4,017,161 Internet-borne cyberthreats in the first quarter of 2025, according to new data from Kaspersky. This translates to more than 44,000 daily attacks, reflecting a rising trend in cybercrime coinciding with the disbursement of the Sumbangan Tunai Rahmah (STR) government financial aid during the March–April period.
Kaspersky’s analysis, gathered through its global telemetry system — the Kaspersky Security Network (KSN) — suggests that threat actors are capitalising on periods of heightened digital activity among citizens.
A significant proportion of these cyberthreats stems from phishing scams distributed through popular messaging platforms such as WhatsApp and Telegram. These scams often impersonate official STR notifications, tricking recipients into clicking malicious links under the guise of verifying payment statuses.
The phishing messages are primarily written in Malay and Chinese, mimicking legitimate government communication and often accompanied by fake screenshots of government websites. Clicking these links can lead to data theft, account lockouts, or compromised messaging apps.
“Cybercriminals today exploit trust, urgency, and everyday habits of users. The recent wave of phishing attacks demonstrates how quickly threat actors subtly adapt their tactics to local events and time-sensitive situations. A single tap on a malicious link can be enough to compromise personal data, often without the victim realising it. As cyber risks grow more personal and sophisticated, protection must be just as seamless. Malaysians’ digital life deserves complete protection, not just reactive defence,” said Adrian Hia, Managing Director for Asia Pacific at Kaspersky.
The problem has become widespread enough to prompt Deputy Communications Minister Teo Nie Ching to issue a public warning on her official Facebook page. She reminded users to avoid unfamiliar links and to only trust websites ending with “.gov.my”, the standard domain for Malaysian government websites.
Cybersecurity Guidance for Malaysians
To counter these rising threats, Kaspersky advises the public to follow these key practices:
- Avoid SMS messages containing links, personal data requests or callback numbers. Since 1 September 2024, such elements have been banned in SMS communications by the Malaysian Communications and Multimedia Commission (MCMC).
- Verify all links and ensure domains end with “.gov.my” when dealing with government websites.
- Never click on embedded links from unknown senders. Instead, manually type the official website URL.
- Ignore alarming messages requesting passwords or banking details via messaging platforms.
- Activate two-factor authentication (2FA) on apps like WhatsApp and Telegram to secure accounts from takeover.
- Use reputable security software that offers real-time phishing and malware protection.
The rise in scams during STR disbursements is part of a broader pattern in Southeast Asia, where cybercriminals increasingly tailor their attacks to local developments and social behaviour.
As cyberthreats grow in volume and sophistication, experts are urging Malaysians to stay informed and adopt preventive digital habits — especially during periods of public financial distribution when users are most vulnerable. 
