IT STARTED with a simple text message at 2am some time last year, when a man in Kuala Lumpur was woken up from sleep by the notification that his credit card had been charged for game credits he never bought.
By the time he was fully awake to take action, “the money had already vanished into digital gaming store credits; swiftly converted and laundered,” says a fintech fraud specialist who wants to remain anonymous and had worked on the case.
At first, the victim thought someone had hacked into his account on an e-commerce platform system.
But investigators later discovered the breach was not in the e-commerce platform’s system, but in the victim’s email.
“A phishing attempt had compromised his inbox, allowing fraudsters to reset passwords, bypass two-factor authentication (2FA) and gain access to his banking accounts. With instant digital delivery, the fraud was completed before the victim could react.
“This case shows how fraudsters exploit the weakest link, which is the user’s own email.
“Once they control that, 2FA becomes meaningless. Education and vigilance are just as important as technology.”
The case also highlights a bigger weakness in today’s cybercrime landscape: users’ lack of understanding of the need to constantly update or strengthen the security of their online data, says the specialist.
“While designed to protect users, 2FA often fails because people don’t understand how it works, or how easily it can be bypassed once their email is compromised.”
The specialist warns that protection through technology alone isn’t enough.
“The 2FA is only as strong as the user’s awareness. If your email is hacked, the second factor collapses instantly.
“Laws and systems need to go beyond tech fixes and focus on user education and cross-platform cooperation.”
The specialist says the problem is not just negligence; cybercrime laws are lagging behind the speed of online fraud.
“Current cybercrime laws make investigations slow, as banks and fintechs are restricted from sharing data under privacy rules. Without streamlined cooperation, fraudsters exploit the gaps, moving money across platforms faster than investigators can respond.”
The specialist says victims often spend precious minutes waiting on customer service lines, while fraudsters move money across platforms in seconds.
“Fraudsters exploit ignorance as much as technology. Mandatory education across banks, fintechs, and e-commerce platforms is essential. At the same time, regulators must build a framework where institutions can share fraud-related data quickly and securely, without breaching privacy.”
The specialist proposed changes that are straightforward but urgent.
“Cybercrime awareness should be embedded into apps through frequent campaigns and alerts. Biometric verification should become the default, ensuring only the rightful user can access accounts. And most importantly, a unified fraud investigation system under Bank Negara would allow faster fund recovery and better tracking of fraudsters.”
When it comes to recouping losses in such instances, Universiti Teknologi Mara’s senior law lecturer Associate Professor Dr Che Audah Hassan says the power to order restoration of money, fully or in part, should be optimised and maximised to achieve justice for the victim.
“The law may be sufficient to prosecute the offender with severe imprisonment or fine, but justice to the victim will not be served if the money scammed and benefitted by the scammer is not refunded or compensated to the owner.”
She says the restoration of stolen money is currently possible under section 426(1A) of the Criminal Procedure Code. It gives discretionary power to the court to make an order of compensation to the convicted person upon an application made by the Public Prosecutor.
“Although the compensation order is allowed under the current procedure, it raises a question on how frequently this provision is actually implemented and ordered by the court for cases of scam since it is under discretionary power of the court. It is hoped that this new bill will strengthen the restorative justice theory in protecting the victim.”
For Consumer Choice Centre’s Country Associate for Malaysia, Tarmizi Anuwar, one of the biggest frustrations for scam victims is the slow pace of legal enforcement.
“Consumer safety must include recovery, not just prevention. The new cybercrime framework should incorporate rapid redress mechanisms such as temporary fund freezing across banks once a scam report is lodged, streamlined inter-bank coordination protocols, and a centralised real-time scam response unit.”
He says Malaysia could also explore a victim compensation or pooled insurance mechanism funded partly by industry contributions, particularly from sectors with higher scam exposure.
“Small claims processes for digital fraud should be simplified and digitised to reduce procedural barriers and accelerate resolution. When victims see credible and swift recovery pathways, public trust in the digital economy is significantly strengthened.”
