
Malaysia’s Battle Against AI-Powered Cybercrime – Is It Winning?

  • Writer: Tee Kai Yan
  • Aug 1, 2025

Introduction


Not everything that Artificial Intelligence (AI) touches turns to gold.


According to research conducted by Deepstrike [1], the 2025 threat landscape is dominated by AI-driven phishing, which has surged by over 4,000%. Tactics used by cybercriminals are rapidly evolving, driven by AI, automation and a professionalised service economy through services such as Ransomware-as-a-Service (RaaS) and Malware-as-a-Service (MaaS). In Malaysia, MyCERT has recently reported a 24% increase in computer security incidents from Q1 2025 to Q2 2025 [2]. Fraud incidents overwhelmingly involved phishing and impersonation, which have proliferated due to the adoption of AI tools by cybercriminals.


As described by CrowdStrike [3], AI-powered cyberattacks specifically leverage AI or machine learning algorithms and techniques to automate, accelerate, or enhance various phases of a cyberattack. This can include identifying vulnerabilities, deploying social engineering attacks (such as phishing, deepfakes and synthetic media), advancing attack paths, establishing backdoors within systems, exfiltrating or tampering with data, and interfering with system operations.


The days when farms of call center workers made calls to targeted victims to extract information or cash seem like the distant past, replaced by personalised phishing emails and texts generated by AI models designed to interact with victims and automate extraction. Impersonation by AI is also far easier now than ever before, making it difficult to tell a human and a computer apart in an increasingly digitalised era.


In these times, rigorous data protection and cybersecurity frameworks have become more crucial than ever. Robust regulations on corporations and government entities alike to safeguard personal data and key information are vital to maintain the general public’s trust in a digitalised system, which is the cornerstone of this modern world. 


Data Protection and Cybersecurity as Concepts


Before diving further, it should be noted that cybersecurity is the broad concept and that data protection is a subset of cybersecurity.  


Taking the Singapore Cybersecurity Act 2018 as an illustration, the Act defines cybersecurity as the state in which a computer or computer system is protected from unauthorized access or attack, and because of that state –

  1. the computer or computer system continues to be available and operational; 

  2. the integrity of the computer or computer system is maintained; and 

  3. the integrity and confidentiality of information stored in, processed by or transmitted through the computer or computer system is maintained.


This illustrates the three concepts of cybersecurity – confidentiality, integrity and availability, also known as the CIA triad. This means keeping data secret from unauthorised access, ensuring data is accurate and unchanged and ensuring data and systems are accessible when needed. 


Common cybersecurity measures include endpoint, data, application and network security, encryption as well as identity and access management (IAM). 


By contrast, data protection focuses on ensuring data integrity. Typical data protection controls include encryption, masking, erasure and backups. 


Cybersecurity and Data Protection in Malaysia


Cybersecurity regulations in Malaysia are largely in their infancy, with the recent introduction of the Cyber Security Act 2024 (“CSA”) being of note. The CSA identifies critical infrastructure systems (such as government, banking, energy etc.) whose disruption would significantly impact public safety and national functions (known as National Critical Information Infrastructure, NCII). In general, designated NCII entities are subject to compliance with relevant codes of practice and reporting requirements, conducting cybersecurity risk assessments and audits as well as notification in the event of a known cybersecurity incident.


On the other hand, data protection in Malaysia is governed by the Personal Data Protection Act 2010 (“PDPA”) and further supplemented by regulations as well as guidelines and circulars issued by the Personal Data Protection Commissioner. Broadly, the PDPA seeks to protect data subjects by setting out standards of data collection and treatment as well as the rights of such data subjects. 


So far, how well has Malaysian legislation fared? And how does the rest of the world fare?


While efforts are being made by the Malaysian government to shore up its regulation on cybersecurity and data protection, the losses suffered by Malaysians are growing. In a recent press release by the Ministry of Digital [4], the Ministry acknowledged the prevalence of scams driven by AI, and that Malaysia recorded 12,110 online scams involving fraudulent activities such as fake e-commerce offers, bogus loans and non-existent investment schemes, resulting in total losses of RM573.7 million in the first three months of 2025 alone.  


Piecing together the data from MyCERT and the Ministry of Digital to form a broad picture, Malaysia is struggling to contain the losses caused by AI-powered cybercrime.


Looking globally, the wider world is equally wrestling with the havoc of AI-powered cybercrime. In the UK, Marks & Spencer (M&S) suffered a ransomware attack by Scattered Spider, costing the business £300 million and forcing M&S to resort to pen and paper to move billions of pounds of fresh food, drinks and clothing after it switched off its automated stock systems [5]. Meanwhile, in the US, cyberattacks on United Natural Foods Inc (UNFI) led to empty shelves and supply chain disruptions countrywide [6].


What can companies do, and what would be the likely road ahead for regulation?


In the Ministry of Digital’s press release, the Ministry has set out its plans to introduce new guidelines on Data Protection Impact Assessment (DPIA), Data Protection by Design and Automated Decision Making (ADM) and Profiling. The Prime Minister of Malaysia has also announced that the Cybercrime Bill will be tabled in Parliament at the end of 2025, which highlights an overall focus on improving cybersecurity in Malaysia [7]. 


It is a well-known cybersecurity adage that “a hacker only needs to succeed once, while a defender must be successful every time.” Cybercriminals have an inherent strategic advantage, and perhaps the global struggle is a reflection of this natural disadvantage corporations and nations face. 


However, corporations can still minimise their exposure by taking proactive steps. Risk-based approaches, vulnerability and incident management, and supply chain security are part of a long list of steps that corporations can take.


As a nation, wider engagement with the public on the risks in cyberspace as well as the need to have good cyber hygiene habits is a first step. In the long term, robust regulation and international cooperation remain key to ensuring that stakeholders are protected appropriately against the majority of cyberattacks.

