A Woman Fell Victim to a RM10,000 Phishing Scam While Fishing for a Buyer

Disclaimer: This narrative is based on a true incident involving a scam in Malaysia. To protect the privacy and identity of the individuals involved, all names and identifying details have been changed.

Suns out, kicked back, fan on, Amirah was enjoying a laid-back afternoon at home. In the midst of her scrolling, she had finally decided to do something productive and listed her makeup set for sale on the Carousel app for just RM30, which included a postage fee. After rejecting a few lowball offers, she received a message from a seemingly genuine buyer, who we'll call Buyer N. Buyer N showed genuine interest and offered to purchase Amirah’s makeup set at her listing price. Something felt off though, when Buyer N requested Amirah’s email to proceed with the payment. She shrugged it off and decided to provide it anyway as she was eager to make the sale.

Not long after, Amirah received an email from Carousel with a subject that read: “Congratulations, your eyeshadow palette has been sold. Please click the link below!” Eager to finalise the sale, she clicked on the link and was directed to what appeared to be the Carousel app. To her surprise, the app had requested that she log into her banking account through the web.

Amirah then received an authentication notification. Without giving it much thought, she approved it, assuming it was part of the transaction process. Later, as she checked her bank account, her heart sank when she discovered that a whopping RM10,000 had been deducted from her funds.

Desperate to understand what had just happened, Amirah did some quick research and uncovered some troubling truth: fake Carousel emails and impersonation apps were being used to scam unsuspecting users. She realised she had fallen victim to one of these schemes the moment she clicked the link in the email, leading her to the deceptive app designed to steal her information. The realisation hit her hard—what she thought was a straightforward sale had turned into a devastating loss.

What is phishing scam?

Phishing scams happen when scammers attempt to trick you into giving out personal information such as your online banking password, your bank account number, your credit card number or ATM pin. They often use deceptive methods such as emails, social media messages, phone calls, or text messages to lure you into providing this information. The scammer may pose as a legitimate entity, asking you to update your banking details or directing you to a fake website designed to collect your personal information.

How to spot one?

• Be wary of unexpected SMS, emails, or phone calls asking for personal or banking information. Legitimate organisations typically do not request sensitive information through these channels.
• Scammers often impersonate well-known organisations and claim they need your personal or banking details to "investigate" an issue or resolve a problem. Always verify such requests through official channels before providing any information.

Tips to avoid phishing scams

• DO NOT share your ATM card number, PIN number, username, password and Transaction Authorisation Code (TAC) number. 
• DO NOT respond to Secure2u requests for transactions that you did not initiate. Read the authentication notification before approving any transaction.
• Take extra precaution when giving out any confidential information (including your credit card number) over the internet/phone or any other channels.
• Do not login your banking credentials through any links. Always manually type the URL to log in.

If you suspect you've been scammed, immediately call Maybank’s 24/7 Fraud Hotline at 03-5891 4744 or the National Scam Response Centre at 997 (8am-8pm daily).

Be sure to stay updated with the latest information on security awareness and you’ll do just fine!

💡 The information provided above is purely for educational purposes.