Malaysia’s Inland Revenue warns of new wave of phishing scams

AvantiKumar | Nov. 15, 2017
Here are 5 keys to spotting phishing scams from network and security strategist Gavin Chow.

hacker (Storyblocks)

Credit: Storyblocks


  In the wake of the nationwide warning of a new wave of phishing scams from Malaysia's Inland Revenue Board (IRB, industry players sent out reminders of safe practice.

In a statement last week, Malaysia's IRB has reported that a syndicate was using the names of its chief executive officer, board members as well official logos of IRB and banks to try and fool email recipients that they have tax refunds due and need to confirm their bank details.

There are some key traits that Malaysian taxpayers need to keep in mind when looking at email phishing attempts.

Computer users should beware of attempts to divert them to malicious websites, said Gavin Chow (pic below), who is Malaysia-based network and security strategist for network security specialist Fortinet.

Gavin Chow - Network and Security Strategist, Fortinet APAC

Chow said that with email scams, cyber criminals often pose as a trusted person or organisation and often go to great lengths to create websites that appear legitimate, but which contain phony login pages to trick victims into providing money, passwords and other important financial information.

Five keys

"Links in phishing emails often lead to malicious websites that are controlled by the attacker," he said. "It is important that Malaysians learn to be on their guard against potential fake emails and rogue websites."

Chow gave Fortinet's five essential guidelines to help identify phishing emails or websites that steal personal information:
1. Generic greeting. Phishers often send thousands of emails at one time. Be sceptical of any email received that starts with 'Dear Customer' or 'Dear Taxpayer'
2. Incorrect "From" address. Look at the sender's email address. Phishers often use addresses that are similar to, but not the same as a company's official email address. According to IRB, every official email will be sent from the "" email domain. The public must not follow instructions from emails that are not sent from IRB's official email domain.
3. Urgent action required. Fraudsters often include urgent calls to action to try to get you to react immediately. Remember that the IRB will never send an email requesting taxpayers to reveal their bank account number, threaten lawsuits, liens, arrest, or other actions.
4. Link to a fake IRB website. To trick you into disclosing your user name and password, cybercriminals often include a link to a fake website that looks exactly like the sign-in page of the legitimate IRB website. Before clicking on the link, put your mouse cursor over it to view the real site address, which is typically provided in the lower left corner of your browser.
5. Poor spelling and grammar. If you end up on a potentially fake site, look for misspelled words and poor language within the site content. You would think that this would be an easy problem for cybercriminals to fix, but a remarkable percentage of phishing emails and websites are riddled with misspelled words, bad punctuation and improper grammar.
"If an email still looks and feels suspicious after passing the above checks, directly contact the organisation that allegedly sent you that email to verify its contents," concluded Chow.

To see other recent Malaysian security news, visit:

The latest edition of this article lives at Computerworld Malaysia.