Think before you click: That tempting offer might be your employer testing your awareness of scams


Experts share that it is becoming increasingly common now for companies in Malaysia to send phishing emails to their own employees to test their cybersecurity awareness. — Pixabay

So you got an email from your company asking you to update your details to claim a performance bonus? Or maybe a message urging you to sign up fast for free pizza – limited to the first 99 staff? What about a request from a superior asking for a fund transfer?

Before you click on any links, pause and think because it might not be what it seems. In fact, it could be your own company testing how well you can spot a scam.

Experts share that it is becoming increasingly common now for companies in Malaysia to send phishing emails to their own employees to test their cybersecurity awareness.

“We’ve seen leading organisations in Malaysia adopt phishing simulations as part of a broader cybersecurity culture-building effort,” says Palo Alto Networks Malaysia country manager Sarene Lee in a statement to LifestyleTech.

Specific company examples are confidential but Fortinet Malaysia country manager Kevin Wong says it’s clear that organisations across various sectors in Malaysia are actively incorporating phishing simulations into their cybersecurity programmes.

Wong says that employees are common targets for phishing scams because they have knowledge of a company’s daily operations and access to sensitive data. — FORTINET

“From large enterprises to public institutions, these simulations are being used not only to assess employee vigilance but also to improve overall digital resilience within the workplace,” says Wong.

He adds that the simulations are designed to test an employee’s ability to spot and respond to suspicious emails – before a real attack occurs. “Effective simulations closely mirror real-world phishing techniques using realistic lures and branding, and measure how individuals react – do they click, report, or ignore?”

When contacted, Monash University Malaysia School of Business associate professor Dr Manjeevan Singh Seera shares that he has seen his fair share of simulated phishing emails at current and previous workplaces.

“It’s part of the standard cybersecurity awareness test. Usually something like ‘You’ve won a voucher, click here to redeem’. If you click, then you get flagged and will be asked to complete a short training module,” says Manjeevan.

He adds that the practice isn’t uncommon, especially among employees in banking or tech firms, where some organisations even monitor responses over a period of time.

“It’s a good idea if done sensitively, so staff don’t feel shamed or penalised,” he says.

Target practice

Essentially, phishing is a type of social engineering attack in which a victim is tricked into giving out personal information, or into performing certain actions such as transferring money to an unknown account, because they assume that the entity they have been engaging with is genuine.

Lee says it’s most effective when mimicking real-world situations, such as emails impersonating those sent from internal stakeholders and vendors, or fashioned as timely business updates. She adds that attackers also exploit moments of organisational change such as mergers, leadership announcements, or system upgrades.

Lee says phishing simulations must move on from being a checkbox exercise to a strategic initiative embedded into the company’s cyber risk framework. — PALO ALTO NETWORKS

“Phishing has reemerged as a primary attack vector, because it targets the most unpredictable variable in any cybersecurity strategy – human behaviour,” says Lee.

Wong adds that employees are common targets for phishing scams because they have knowledge of a company’s daily operations and access to sensitive data.

“Phishing exploits two core vulnerabilities: human trust and the urgency of routine tasks. Whether it’s processing invoices, resetting passwords, or responding to an executive request, employees are conditioned to act quickly, making them susceptible to well-crafted deception,” he says.

Multiple attack vectors

Apart from emails, Lee adds that attackers can exploit other available channels such as SMS, voice calls and even QR codes. With minimal effort, cybercriminals can craft deceptively simple campaigns to plant malware, gain unauthorised access or retrieve private information.

“Financial institutions, healthcare providers and government sectors are particularly attractive targets because of their access to sensitive data and financial resources,” she adds.

Manjeevan says phishing works well because “it targets people, not systems” by playing on emotions such as urgency, curiosity or fear. When people get emails with messages like “account suspended” or “click here to update info”, they may feel more compelled to act quickly.

“Most people also don’t look too closely, especially when they’re busy or distracted. These emails are often well-timed too, for example, around bonus payout periods, you might get ones about ‘HR bonus statements’ or ‘update your bank details’,” adds Manjeevan.

Manjeevan says a phishing simulation must be done with careful consideration and that companies should avoid public shaming to prevent staff from becoming anxious and less willing to engage. — MANJEEVAN SINGH SEERA

According to Wong, phishing remains the most reported cyberthreat in Malaysia, with 810 cases recorded in Q4 2024 alone, based on Malaysia Computer Emergency Response Team (MyCERT) statistics.

“An encouraging trend is the growing use of localised phishing templates in simulations. Instead of generic or global examples, more organisations are now designing training scenarios based on threats that Malaysians are likely to encounter,” he says.

For example, Wong says that employees may receive emails claiming to offer government financial assistance in exchange for banking details, bogus traffic summonses seeking urgent payment via fraudulent links, or income tax rebate scams during tax-filing season. He adds that simulations offering deals or vouchers are also common during major shopping periods.

The phishing attempts can also be adjusted to target different age groups where younger users may be drawn to messages promoting free games or access to popular shows, while older individuals may be targeted through messages about issues with their pension fund or device malfunctions.

“What makes phishing so effective is its familiarity. These scams are made to blend into the digital noise of everyday life, often mimicking real services or communications,” adds Wong.

He says that the first line of defence should be caution and verification where employees should pause, validate unexpected requests and report anything suspicious.

“Ongoing awareness, training, and simulation can help embed these habits across the organisation,” he adds.

Don’t get fooled again

Thanks to generative artificial intelligence (AI), employees now need more advanced skills to spot potentially fraudulent emails as it’s no longer just about catching spelling mistakes.

From AI-generated deepfake videos, emails that use AI to mimic various writing styles and reconnaissance bots gathering public data, experts say AI has made phishing more scalable and even harder to detect. — Pixabay

“Today’s phishing emails are not only grammatically flawless – they are context-aware, emotionally intelligent and indistinguishable from legitimate communication,” says Lee, adding that internal data shows a 30% increase in success rate for AI-generated phishing emails.

She says that phishing simulations must move on from being a checkbox exercise to a strategic initiative embedded into the company’s cyber risk framework.

“Employees should be trained not just to spot suspicious messages, but to adopt a default posture of verification, especially when the message seems legitimate,” Lee says.

From AI-generated deepfake videos, emails that use AI to mimic various writing styles and reconnaissance bots gathering public data, Wong says AI has made phishing more scalable and even harder to detect. He also agrees that phishing simulations must adapt to current trends and move beyond basic email tests.

“Training should reflect current realities – using realistic scenarios, varying difficulty levels, and offering immediate feedback to build real-world readiness,” he adds.

He also believes that defending against AI-driven threats requires a combination of well-informed staff and robust technology infrastructure, including AI-powered security tools capable of detecting anomalies, flagging malicious content in real time, and analysing behavioural patterns.

When done effectively, Lee says simulations can become a valued part of a company’s culture where employees feel informed, empowered and motivated to stay vigilant.

Similarly, Wong says organisations report that employees feel more confident and better prepared to identify or handle suspicious emails after participating in regular simulations.

“Over time, we’ve seen a noticeable reduction in click-through rates, an increase in incident reporting, and clearer identification of users who may need additional support or targeted training,” adds Wong.

On the flip side

However, Manjeevan says a phishing simulation must be done with careful consideration.

“There are companies that take a more heavy-handed approach and publicly shame staff who fail the test. But honestly, that just makes people more anxious and less willing to engage.

“It’s better to keep it low-key; send a private note, explain what went wrong, and give them a short refresher. The idea is to build awareness, not fear,” adds Manjeevan.

The benefits also depend on how the simulation is designed and delivered. Wong adds that companies should be transparent about its purpose, with the aim to educate rather than penalise.

The phishing attempts can also be adjusted to target different age groups where younger users may be drawn to messages promoting free games or access to popular shows, while older individuals may be targeted through messages about issues with their pension fund or device malfunctions. — Pixabay

“If employees feel deceived, singled out, or embarrassed, these programmes can erode trust and morale. Poorly executed simulations risk being perceived as punitive rather than educational. Feedback should be constructive, turning a mistaken click into a learning opportunity,” Wong says.

For employees, he advises learning to recognise subtle warning signs before clicking on or replying to any form of communication. He says it can make all the difference in preventing a possible breach.

Apart from common red flags like spelling errors in emails or domain names, he says to also be extra cautious of inconsistencies like mismatched filenames or unexpected attachments. On top of that, if the email sounds urgent – beware because phishing often uses pressure to make the recipient act quickly without verifying.

“Even subtle cues – like unusual language, unexpected requests, or a vague tone – can indicate something is off.

“Developing this kind of awareness doesn’t happen overnight, but through regular training and simulation, employees can sharpen their instincts and become a powerful line of defence against phishing attacks,” adds Wong.

In today’s environment, Lee says phishing detection relies less on obvious errors and more on contextual analysis and behavioural cues. She advises employees to be on the lookout for messages that include expected requests for sensitive information.

“Especially if the tone is out of character or the request is outside standard protocol,” she adds.

She says that employees should also develop a habit of verifying requests through a second, trusted channel. For instance, if a senior leader supposedly emails you about a fund transfer, a quick phone call can prevent irreversible damage.

“Most importantly, phishing simulations should be framed within a Zero Trust mindset where every digital interaction is verified, not assumed to be safe by default. Employees should be empowered to treat even internal messages with a critical lens,” she says.
