RHB targets SME cyber risk as Malaysia's fraud losses double and AI sharpens attack tooling

RHB's integration of anti-money laundering and fraud management, combined with an SME cyber self-assessment tool, points to a broader challenge: financial crime defence increasingly depends not only on bank-side controls, but on how well institutions can help customers address the operational weak points scammers exploit.

Malaysia’s RHB Bank Group will consolidate anti-money laundering and fraud management into a single Financial Crime Compliance Unit from 1 June 2026, drawing on data analytics and AI capabilities. Group managing director and chief executive officer Mohd Rashid Mohamad announced the move at the launch of the bank's Digital Trust Programme on 21 May.

"In today's environment, cybersecurity and financial crime are no longer separate domains," Mohd Rashid said in his welcome remarks. "They are part of the same risk landscape, and strengthening one helps strengthen the other." The integrated function, he said, would enhance how the bank detects, prevents and responds to financial and cyber-related threats through "increasingly data-driven and AI-enabled capabilities."

The bank, fourth-largest in Malaysia, also introduced a Cyber Secure Self-Assessment Tool aimed at small and medium-sized enterprises (SMEs), which it described as the first SME-focused instrument of its kind launched by a Malaysian bank. To encourage initial uptake, RHB offered complimentary antivirus solutions to the first 100 businesses to complete the assessment and subsequently process a payroll transaction through RHB Reflex, its transaction banking platform.

Businesses identified as higher-risk are referred to training sessions on RHB's transaction security controls, and to advisory and assessment services from CyberSecurity Malaysia. RHB and CyberSecurity Malaysia signed a memorandum of understanding at the launch, covering joint cyber awareness and capability-building initiatives.

Malaysia's Minister of Digital, Gobind Singh Deo, set out the scale of what is being protected. The digital economy contributed 23% of GDP in 2023, equivalent to roughly MYR 450 billion ($102 billion), and the government's target is to raise the share from 25% in 2025 to 30% by 2030. Users deciding whether to adopt a technology, he told the forum, ask two questions: whether it is affordable, and whether it is safe. If both are satisfied, he said, the decision becomes competitive. "The competitor that you have next to you, he decides to take on the challenge and he moves in, which means that you become irrelevant," Deo said.

The SME data layer

Wan Roshaimi bin Wan Abdullah, chief technology officer of CyberSecurity Malaysia, said that attackers have shifted their focus down-market. "These days the attackers in the industry, they're no longer targeting the big companies," he said. "They know these people have invested millions. Why go so hard and try to attack people that have preventive measures? Go to someone or some companies that probably don't have anything yet." Small businesses typically run IT functions with a single generalist employee, he added, which adversaries treat as a structural weak point. Two-thirds of global scam-related financial losses originate from the ASEAN region, he said, citing a Mastercard report.

Chua Choon Hong, head of the financial crime practice group for Asia Pacific and the Middle East at Moody's, argued that SME customer data is the mechanism that makes this targeting commercially rational. "You hold a lot of data of your customers," he said. "All this customer payment information, phone number information, becomes a source of assets for scammers." Purchase histories, contact details and transaction patterns build profiles that make subsequent fraud against those customers — or against larger institutions that deal with them — more targeted and credible.

Chua described a Singapore case from earlier in May 2026 in which an SME businessman transferred SGD 4.9 million ($3.8 million) to scammers who staged a Zoom call using deepfake video of senior government officials, including Prime Minister Lawrence Wong. The fabricated officials told the target the matter concerned the Straits of Hormuz crisis and required a signed non-disclosure agreement under Singapore's Official Secrets Act, cutting off external verification. "When we took the screenshot and we saw the facial expression," Chua said, "it looks so real."

Defender and attacker productivity

Chris Ooi, acting chief information security officer of Payments Network Malaysia (PayNet), said the operator's R&D team has developed an AI-assisted security assessment tool that compresses a full application penetration test from three days to three hours. PayNet has submitted zero-day vulnerabilities identified through the tool to Microsoft, one of which has been approved for patching. The operator plans to open-source the tool and issue guidelines for SMEs to use it.

Ooi said PayNet is also preparing for "harvest now, decrypt later" risk, in which adversaries collect encrypted transaction data with the expectation of decrypting it once quantum computing matures, and is treating it as an active design constraint on national payment infrastructure. "We have to make sure that the last piece of the puzzle within Malaysia is secure and protected," he said. "The hacker is trying now to link a lot of our account number with some of the data that was there already in the market. Our name as well as our phone number is really known. It's just the last piece of puzzle, which is the account number that basically links."

Chua said offensive tooling enabled by generative AI (Gen AI) can now scan systems and develop attack strategies in minutes, citing recent reporting on AI models that can be turned against the systems they are deployed to evaluate.

Malaysian banks’ response architecture

Malaysia operates several national response channels. CyberSecurity Malaysia runs Cyber999 for general cyber incidents. The National Scam Response Centre handles financial fraud via a dedicated hotline, and in April 2026 alone received 19,000 calls and froze MYR 2.9 billion ($659 million) in fraudster accounts, according to Ooi. PayNet operates the National Fraud Portal. The Royal Malaysian Police runs the Semak MULE suspect-account verification portal, which allows users to check an account number or phone number before transferring funds.

"A lot of people don't know about it," said Amina Kayani, executive director of the Association of Banks in Malaysia, referring to the police-operated portal. She set out the control stack Malaysian banks have built since 2022: removal of clickable hyperlinks in bank communications, minimum operating system requirements for banking apps, malware shielding implemented across all member banks from August 2024, and a kill switch feature. Some banks reported zero malware cases in 2025, she said.

Under Bank Negara Malaysia's framework for ensuring fair treatment of victims of unauthorised e-banking transactions, the share of affected customers who received full or partial compensation rose 26% year on year in 2025. Authorised-payment scams, where the customer is manipulated into transferring funds themselves, remain a structural gap in the consumer protection regime, she added. The Association of Banks in Malaysia also runs a Frontline Heroes recognition programme jointly with the police; in its inaugural 2025 event, 67 bank staff were recognised for collective action that prevented MYR 12.4 million ($2.8 million) in scams. The next event is scheduled for 10 June 2026.

Repositioning the SME customer conversation

Dev Raaj Shanmugam, head of group transaction banking at RHB, said the bank's frequent SME touchpoints are being repositioned to carry cybersecurity content alongside product conversations. "Whilst the infrastructure, the information and the controls have been placed, but yet the consumers, both retail and non-retail, are still subjected to fraud-related incidents," he said. "We are slowly moving away from just positioning products and services as a form of conversation. Slowly, as a bank, RHB is moving into more of a consultancy and advisory role in educating our customers."

Shanmugam acknowledged the tension between security and usability. "Convenience and security is a very, very tough balance," he said. Customers who can satisfy the bank that they have adequate protections in place can access lower-friction transaction routes, he added, but the default remains protective for the broader base. "We have no choice but to impose those controls to protect them," he said.

Speaking earlier in the day, Deo had pressed a wider point. "You don't know what they're doing, but they operate around us constantly," he said of AI bots. "They don't sleep. While we are asleep, they still operate." He called on industry to translate forum conversations into follow-through with government, and flagged the National AI Office, which he said is now examining the financial sector, as the institutional vehicle for that engagement.

RHB's self-assessment tool, integrated financial crime unit and CyberSecurity Malaysia partnership are calibrated to a threat environment that, as Deo put it, does not sleep. If Gen AI continues to compress the gap between vulnerability discovery and active exploitation, the question is not whether Malaysian SMEs need better cyber hygiene, but whether a voluntary programme can move fast enough to matter.
