MALAYSIA has suffered losses exceeding RM7.5 million to business email compromise (BEC) scams between 2023 and the first half of 2025, according to global cybersecurity and digital privacy firm Kaspersky.
In its latest update, Kaspersky also reported that Malaysian companies faced 64,778 phishing attempts during the period, averaging over 5,300 incidents a month in 2024. This places the country third in Southeast Asia for such attacks, behind Thailand (247,560) and Indonesia (85,908).
“While BEC attacks may begin with phishing to compromise email accounts, follow-up tactics often take different forms,” the firm said. “They rely heavily on social engineering to bypass technical defences and exploit human trust.”
Cybercriminals, it added, often conduct detailed research on their targets and craft highly convincing emails. These messages frequently contain no suspicious links or malware, instead masquerading as legitimate instructions from CEOs, vendors or colleagues — making them harder to detect and easier to fall for.
Local media in recent years have reported BEC scams involving significant financial losses, with individual incidents ranging between RM250,000 and RM6.2 million. Victims have spanned sectors such as logistics, manufacturing and home appliance production.
Kaspersky Asia Pacific managing director Adrian Hia said the real danger of BEC scams lies in their simplicity and timing. “All it takes is one well-timed email to exploit someone’s trust, routine or momentary lapse in judgement,” he said.
“Cybersecurity today must go beyond detection. It’s about anticipation — helping businesses identify the unusual in what appears ordinary, and supporting stakeholders in building strong, lasting cyber habits even under pressure,” Hia added.
To protect against BEC fraud, Kaspersky recommends using strong, unique passwords, enabling two-factor authentication, investing in security tools with anti-BEC features, and training staff to recognise social engineering tactics. It also advises companies to limit the public visibility of corporate hierarchies and key personnel relationships, and to verify suspicious emails through alternate communication channels. - July 7, 2025