
The Rising Tide: AI-Powered Banking Scams in 2025
In the first quarter of 2025 alone, over 12,000 Malaysians fell victim to sophisticated online banking scams, with financial losses approaching RM574 million (The Star, 24.4.2025). This alarming surge represents not just statistics on a page, but thousands of individuals and families facing financial devastation. Behind this dramatic increase lies a troubling catalyst: artificial intelligence.
Gone are the days of easily identifiable scam emails riddled with spelling errors and implausible scenarios. Today’s financial fraudsters wield AI tools to craft hyper-personalised, convincing deceptions that can fool even the most cautious consumers. Banking transactions, once considered secure through multiple authentication layers, have become prime targets for these tech-savvy criminals.
The sophistication of these scams has reached such levels that even C-suite banking executives themselves are not immune. In April 2024, Maybank Malaysia’s CFO nearly fell victim to an elaborate fraud where scammers impersonated the Maybank Singapore CEO through WhatsApp messages and a convincing Zoom call. The scheme included a second impersonator posing as Maybank Malaysia’s Chairman to authorise a USD985,000 transfer to Hong Kong. The scam was only uncovered when JP Morgan flagged the suspicious transaction, allowing the CFO to cancel it before funds were lost. This case highlights the sophisticated multi-layered tactics now employed by financial fraudsters targeting high-level executives.
A Growing Crisis
As digital banking continues to dominate our financial interactions, understanding these evolving threats has become not just prudent but essential. The increasingly sophisticated nature of these scams, combined with their widespread deployment, has created what authorities are calling a “perfect storm” in the cybersecurity landscape.
This article examines the alarming rise in AI-enhanced banking scams, how they operate, and, most importantly, how you can protect yourself and your finances in an increasingly treacherous digital environment.
When Banks Aren’t Liable: The Legal Reality of Online Banking Scams
The dramatic rise in AI-powered banking scams has left many victims questioning who bears responsibility when fraud occurs. While it’s natural to look to financial institutions for reimbursement after falling victim to sophisticated scams, Malaysian court cases consistently demonstrate a crucial legal reality: customers typically bear primary responsibility for safeguarding their own accounts.
The Legal Landscape: What Recent Court Decisions Tell Us
Recent Malaysian court decisions have established important precedents regarding liability in online banking fraud cases:
(a) Alliance Bank Malaysia Bhd v Wong Toon Kai [2025] MLJU 715 - The Court ruled against a customer who claimed unauthorised BigPay transactions, holding that when OTPs are sent to a customer’s registered mobile number and transactions are subsequently approved, the customer bears responsibility. The burden of proof falls on the customer to demonstrate they were not negligent in safeguarding their credentials.
(b) Lee Cheong Chee v HSBC Bank Malaysia Bhd [2021] MLJU 574 - The High Court ruled that banks have no duty to investigate or advise customers on the risks of transactions they choose to make. When customers authorise transactions themselves, even to what later turn out to be fraudulent entities, the bank cannot be held liable.
(c) Luno Malaysia Sdn Bhd v Yew See Tak [2024] MLJU 2703 - Even in cryptocurrency platforms, the court established that when a customer’s personal email is compromised (the “starting point” of the fraud), the institution cannot be held responsible for subsequent transactions made through that compromised account.
These cases establish a consistent legal framework: banks are generally not liable for customer-authorised transactions, even when those transactions were induced by scammers. The relationship between banks and customers is primarily contractual, and banks have limited obligation to protect customers from their own decisions.
Understanding Your Bank's Legal Obligations
Banks do have certain legal duties, but these are more limited than many customers assume:
(a) Banks must execute your payment instructions accurately;
(b) Banks must maintain reasonable security systems for account access;
(c) Banks must investigate reports of unauthorised transactions according to established timeframes; and
(d) Banks must comply with Bank Negara Malaysia’s regulatory directives.
However, banks are not legally required to:
(a) Investigate the legitimacy of third parties you choose to transact with;
(b) Warn you about potential scams (unless specifically directed by Bank Negara);
(c) Monitor your account for suspicious but properly authenticated transactions; and
(d) Reimburse you for authorised payments made to fraudulent entities.
As the Federal Court noted in Chang Yun Tai & Ors v. HSBC Bank (M) Bhd and other appeals [2014] 1 MLJcon 134, which was cited in Lee Cheong Chee’s case: “The respondent is not a party to the SPA. The SPA is the respective appellant's contract with the developer. Therefore, the duty is cast on the appellants rather than the respondent to ensure that the SPA is free from any legal infirmity.”
This principle extends to online banking: your relationship with entities you pay is separate from your relationship with your bank.
The Critical Timing Factor: Reporting Unauthorised Transactions
One crucial factor in all these cases is timing. Banking agreements typically provide a specific window (often 60 days) during which customers must report unauthorised transactions. Failure to do so within this timeframe effectively waives your right to dispute the transactions later.
In Wong Toon Kai’s case, although the defendant claimed fraud, the court emphasized that the customer’s failure to report within the specified period significantly weakened his case. Similarly, in Yew See Tak’s case, the plaintiff's delay in contesting transactions worked against him.
Protecting Yourself: Prevention Methods Based on Our Observations
Given the legal framework established by Malaysian courts, the primary responsibility for preventing banking scams falls on account holders. Our key observations (non-exhaustive):
(a) Secure your digital identity (Luno’s case): Use unique passwords with two-factor authentication and maintain a dedicated banking email.
(b) Verify independently: Confirm requests through official channels and be skeptical of urgency.
(c) Create personal safeguards: Set transaction limits and use separate accounts for different purposes.
(d) Monitor continuously (Wong Toon Kai’s case): Check accounts daily, report suspicious activity immediately and respect the 60-day reporting window.
(e) Verify partners (Lee Cheong Chee’s case): Research before transferring funds, for example, by checking Bank Negara’s alert list.
(f) Separate access methods: Use different devices for email and banking and never click email links to banking portals.
Remember: The Legal Burden Is On You
Malaysian courts have consistently held that account holders bear the primary responsibility for protecting their accounts and verifying transactions. While banks provide security systems, the ultimate responsibility for your financial safety rests with you.
Our Managing Partner, Kho Sze Jia, and Associate, Jeff Ho Chan Chon, frequently advise and represent financial institutions, including the largest Islamic bank in Malaysia, in claims by its customers relating to banking scams. Sze Jia can be reached at szejia@ikclaw.com.