The following commentary piece is contributed by Fortinet Malaysia Country Manager Kevin Wong.
Phishing remains one of the most persistent cyber threats worldwide, leading to financial losses, stolen data, reputational harm, and even the spread of malware. These scams often serve as the entry point for wider fraud schemes, identity theft or network compromise, creating ripple effects far beyond the initial click.
In Malaysia, phishing continues to feature prominently in fraud statistics. The Cyber999 Incident Response Centre reported a 24% rise in fraud cases in the second quarter of this year, with phishing making up nearly seven in ten incidents. The scale underscores how deeply entrenched this threat has become.
What makes the problem even more urgent is the role of artificial intelligence (AI). Attackers are now using generative tools to craft highly convincing emails, clone voices and even produce synthetic video messages that mimic trusted figures. These AI-powered lures are polished, personalised and increasingly indistinguishable from genuine communication, making them far harder for traditional defences, or even vigilant individuals, to catch in time. By combining automation with personalisation, criminals can launch thousands of targeted attacks simultaneously, raising both their reach and their effectiveness.
Phishing campaigns today also span multiple digital environments, exploiting the trust people place in familiar platforms. FortiGuard Labs has observed campaigns running in parallel across social networks, gaming communities, messaging apps, e-commerce sites and financial services. By spreading their efforts widely, scammers improve their odds of finding victims and make it more difficult for any single platform or tool to block every attempt.
The rise of AI-driven phishing is happening against a backdrop of uneven readiness. Almost half of Malaysian organisations say they encountered AI-powered threats over the past year. Of these, more than half reported the volume of attacks had doubled, while almost a quarter said it had tripled. Yet only 19% of organisations expressed strong confidence in their ability to defend against them. More than one in four admitted their detection capabilities are lagging, and one in five confessed to having no ability to monitor AI-based attacks at all. The gap between attacker innovation and defender preparedness is widening.
Closing this gap requires both technology and people. On the technology side, organisations need real-time anti-phishing systems that harness AI and machine learning to detect anomalies and stop campaigns as they unfold. Unlike static filters, these systems learn continuously, adapting to new tactics without needing constant human tuning. By providing speed and scale, they give defenders a fighting chance against AI-enabled campaigns.
But technology alone cannot solve the problem. Malaysia faces a well-documented shortage of cybersecurity talent. As of mid-2024, the country had only 16,765 cybersecurity professionals, far short of the 26,430 needed by the end of this year and the 28,068 projected by 2026. This shortfall means many organisations are unable to fully deploy, manage or optimise the advanced tools they need.
Beyond specialists, the wider workforce remains a critical line of defence. Phishing often succeeds because an employee clicks on a malicious link or shares information without verifying the source. Building resilience therefore requires a cultural shift in which every employee sees themselves as part of the defence strategy. Regular phishing simulations, role-specific training and awareness campaigns can help instil this mindset, creating an organisation-wide culture of vigilance.
The way forward is clear. Phishing is evolving rapidly, blending AI-driven deception with multi-platform reach. Organisations can no longer rely on periodic training sessions or legacy filters. Real-time, AI-enabled defences must be paired with skilled professionals and a cyber-aware workforce. This layered approach, combining smarter technology with stronger human readiness, is the best path to protecting Malaysia’s digital economy from one of the oldest yet most enduring threats.
Phishing is not going away, but neither is the opportunity to outpace it. With urgent investment in both advanced defences and human capability, Malaysian organisations can stay ahead of attackers and preserve the trust that underpins digital progress.





