BEN LEE once paid RM1,500 to a website for what he believed was a valuable stack of collectible comics.

At 30, the young executive thought he had made a smart purchase. But that confidence quickly gave way to worry when the package failed to arrive on schedule.

“I kept calling the number listed on the website to ask about my order. The woman on the other end gave excuses, saying the items were undergoing checks or being held for inspection at the postal office.

"After almost a month without a clear update, I knew I had been scammed. I even went to the address in Klang that was supposed to be their office. It turned out to be nothing more than a vacant factory lot. I just wanted my money back,” Lee recalls.

His case may not have involved sophisticated tactics, but Lee has become part of Malaysia’s growing online shopping scam statistics. A total of 1,381 cases were reported in January alone, with losses amounting to RM14.8mil, according to a report quoting Bukit Aman’s Commercial Crimes Investigation Department. In 2025, total losses from online fraud surged past RM2.9bil.

What happened to Lee represents one of the most basic forms of online fraud but newer scams now operate at scale using automation, stolen data and artificial intelligence, making them far harder to detect and prosecute.

These figures underscore the scale of the problem. But beyond the numbers lies a deeper concern: are Malaysian laws keeping pace with the evolving nature of cybercrime? The prevalence of scams and digital fraud raises another pressing question; how can existing legislation be made more effective?

The government is expected to table a new Cybercrime Bill this month to replace the Computer Crimes Act 1997 and bolster the legal framework against cyber-assisted and cyber-dependent offences.

In addition to provisions on data retention to aid investigations, the bill will also address the abuse of artificial intelligence (AI), including the proliferation of deepfakes and the dissemination of intimate images.

Cybercriminals also exploit encrypted communication channels and anonymous networks, making detection, attribution and evidence gathering significantly more difficult for investigators.

But can new laws adapt quickly enough to keep pace with rapidly evolving technology and its misuse?

Law, order and getting them online

Universiti Malaya criminologist Dr Haezreena Begum Abdul Hamid says there is a need to assess the capacity of the country’s laws to deal with emerging crimes, or traditional crimes transformed by technological advancement.

“These are challenging times, and it is a very important question whether our current laws can deter emerging crimes. Many are concerned about their adequacy. What we are facing now is not entirely new – traditional crimes such as theft, robbery and extortion still occur – but they are being committed through new, sophisticated methods,” said Haezreena when asked during the recent Convention on Criminal Justice and Legal Reforms, where she was among the panel members.

She said the first priority, which the Law Reform Committee (under the Prime Minister’s Department) is working on, is to enact clear and precise legislation that specifically addresses emerging crimes not yet defined in the Penal Code.

“Alongside this, we must examine our procedures and evidentiary standards. Do they suffice in the digital age? Technology has expanded the space for criminal harm, not only by creating new offences but also by transforming old crimes into scalable, anonymous, cross-border activities. This is why Parliament’s role, and the committee’s preparatory work, is foundational in clarifying prohibitions.”

She also cautioned against over-criminalisation.

“The Penal Code already covers many offences, but gaps remain due to the sophistication of online crimes. Other laws, such as the Online Safety Act 2025 (ONSA), have been introduced to address specific online harms like child exploitation.

“Another pressing issue is forced criminality, where individuals are coerced into committing crimes, such as being trafficked to work as scammers, drug mules or account mules. Many of these situations are not adequately governed under the Penal Code.”

It is all in the details

Two major gaps in current laws are the lack of clear legal definitions and an outdated focus on intrusion rather than manipulation, says International Islamic University Malaysia’s AI and computer science expert Prof Datuk Dr Tengku Mohd Tengku Sembok.

“Cybercrime laws were written for a very different digital world. When earlier legislation such as Malaysia’s Computer Crimes Act 1997 was enacted, the main concern was unauthorised access. Today, the threat landscape has changed dramatically.

“The biggest gap is that current laws focus on intrusion, not manipulation. In many cases, there is no hacking involved at all. The system is not breached, but the human mind is.

“Another major gap is the lack of clear legal definitions. Terms like ‘deepfake’, ‘synthetic media’ or ‘AI impersonation’ are often not clearly defined in legislation. Without precise definitions, prosecutors face difficulties and courts struggle to interpret emerging harms.”

At the same time, Prof Tengku Mohd suggests that it is high time for the country’s laws to broaden their perspective or risk enforcement paralysis.

“Cybercriminals operate across borders, using cloud infrastructure in multiple countries. Our laws remain national, but cybercrime is global. This creates enforcement challenges and delays in cross-border investigations.”

When asked whether general laws are sufficient, Haezreena said Malaysia currently relies on both broad Penal Code provisions and specific statutes.

“The Penal Code provisions are somewhat piecemeal, while specific laws, such as the recent Anti-Bullying Act or amendments like Section 507(b) to (g), provide greater clarity on particular offences.

“When we enact specific laws, the nature of the offences is clearer. If an act does not fall under these specific statutes, we can still rely on the Penal Code. For me, the Penal Code remains the most important law, as it governs the majority of criminal cases.”

However, she added that refinement remains crucial.

“Certain crimes, particularly those that are heinous, serious or subject to debate, require more precise legislation. While the Penal Code provides a broad foundation, targeted laws help ensure clarity and stronger enforcement.”

Preventing a state of disarray

So how should new laws be designed?

Prof Tengku Mohd says legislation should focus on harmful conduct. For example, the act of “digital impersonation intended to deceive or cause harm” should be a punishable offence.

“Second, the new cybercrime bill should clearly define categories of AI-related harm. This includes synthetic identity fraud, non-consensual deepfake content, automated scam infrastructure and many emerging threats.”

Third, he says digital platforms should be required to implement reasonable safeguards, such as detection systems and labelling of AI-generated content.

“Fourth, governments must balance enforcement with civil liberties. AI-powered systems and tools should operate under clear oversight, transparency requirements and data protection safeguards to prevent misuse or bias.”

Tengku Mohd says cybercrime is no longer just about breaking into systems; it is about “manipulating reality” itself.

“Our laws must evolve accordingly. In short, the next generation of cybercrime law must move beyond simply punishing hackers. It must regulate the broader digital ecosystem.

“This includes AI systems, platforms and cross-border collaboration while protecting citizens’ rights.”

When asked how Malaysia’s new Cybercrime Bill can be designed to remain future-proof against emerging threats such as AI-driven scams or digital manipulation, Universiti Teknologi Mara senior law lecturer Assoc Prof Dr Che Audah Hassan believes the task would be challenging.

“AI, like any technology, is constantly evolving. There is no guarantee that any law can be fully future-proof, as we do not know what new technologies may circumvent safeguards or even be used to worsen the problem.

“However, we can legislate in a way that makes technological fraud an offence. Punishment remains the main deterrent and should be proportionate to the severity of the crime.”