CRIMINAL groups are now using AI to produce highly convincing communications, manipulate trusted digital environments, and influence user behavior in ways that traditional phishing tools never achieved, said a cybersecurity firm.
In fact, ESET, a global leader in cybersecurity solutions that had recently convened a media briefing in Kuala Lumpur noted Malaysia is entering a new era of AI powered social engineering.
Redefining social engineering in Malaysia
According to the cybersecurity firm, AI has now embedded itself into the anatomy of modern scams. Messages no longer arrive with broken English or generic requests and the communication feels personalised and precise, matching corporate tone, local slang, and emotional triggers engineered to prompt quick action.
Compounding this shift is the environment AI now operates in. AI systems themselves are increasingly polluted by a mix of misinformation and intentionally crafted fake content.
This polluted ecosystem provides attackers with endless material to weaponise, making it harder for users to recognise when something is fabricated, distorted, or malicious.
ESET telemetry reflects how these trends are taking root in Malaysia. In the six months from Dec 2024 to May 2025, phishing attacks accounted for roughly 37% of all threats detected in Malaysia, making it the most prominent category. Other threat types appeared in far smaller volumes.
Infostealers, information-stealing malware, has also risen to become to become a major driver of phishing and identity theft.
Formbook, a well-known threat designed to steal a wide variety of sensitive data, is also present in Malaysia and represented about 26% of all detected infostealers, surpassing multiple other families and reinforcing its status as the leading tool used to harvest credentials across the country.
More telling than the categories are the delivery mechanisms. Scripts and executable files now make up more than three quarters of all email threats in Malaysia, far exceeding malicious Office documents.
This shift aligns with global patterns, where attackers increasingly rely on AI assisted automation to scale their campaigns.
Five AI enabled methods are now shaping the threat landscape:
- Voice cloning for highly convincing impersonation;
- AI crafted messages mirroring organisational and local writing styles;
- Chatbot interference through poisoned prompts or injected instructions;
- Browser level manipulation that guides behavior without malicious links; and
- Contextual personalisation built from public digital footprints.
“AI was supposed to make information clearer, but today it is increasingly polluted by misinformation and deliberately crafted fakes. That polluted ecosystem is now feeding the next wave of cyberattacks. Threats are moving faster, adapting quicker, and sounding more human than ever,” said ESET senior research fellow Righard Zwienenberg.
“In Malaysia, phishing and infostealing remain dominant, but the real shift is in how AI accelerates and reshapes these attacks. The goal is no longer to trick someone into clicking a link, it is to influence their judgement in a moment of urgency or trust.
“As long as people overshare and systems remain underdefended, attackers will continue to exploit that gap.”
Emerging new tactics
Techniques once limited to more digitally mature markets are now appearing locally:
- High fidelity voice impersonation for financial and operational instructions;
- Manipulated chatbot interactions targeting AI powered service channels;
- Browser based influence operations operating within legitimate webpages;
- VR, AR and wearable device exploitation through malicious embedded URLs; and
- Scams built around Malaysia’s high reliance on mobile and AI assisted communication.
With 99.5% of households owning mobile phones, and 96.8% with internet access, Malaysia presents a wide digital surface for attackers to exploit. Behavioral trends amplify this exposure.
People worry about privacy yet overshare more than ever, especially on social platforms and messaging apps. Coupled with the country’s strong FOMO (fear of missing out)-driven culture, social engineering techniques thrive.
These behaviors continue to fuel ransomware cases, credential theft, and scam-related financial losses. For consumers, the best defense remains a mix of awareness and the right tools. Cybercriminals rely on human error. Reducing that gap is key.
AI–generated malware marks a new frontier
A major turning point in the global threat landscape emerged when ESET uncovered PromptLock, the world’s first AI-powered ransomware.
Unlike conventional malware, which must be coded and refined by human developers, PromptLock used a locally deployed language model to generate malicious scripts in real time.
The AI autonomously determined what to scan, copy, encrypt, or destroy, producing unique scripts with each execution.
ESET now detects more than 500,000 new unique malware samples every day, a number that continues to climb as generative AI makes creation of malicious code more efficient.
Strengthening human and system defenses
Drawing from ESET’s prevention-first model and the guidance shared during the briefing, Righard outlined the following steps:
For organisations
- Introduce cybersecurity awareness training modules for employees based on real AI era manipulation scenarios;
- Implement call back verification or secondary checks for sensitive requests;
- Apply strong authentication and remove unnecessary privileges;
- Monitor irregularities in communication tone, timing, or structure; and
- Strengthen chatbot governance and ensure audit trails for automated responses.
The boardroom remains a critical factor. Security expectations are rising, but investment often lags. Organisations looking to embrace AI must also commit to defending it. Security must evolve in tandem with technology.
For consumers
- Treat urgent or emotionally charged digital requests with caution;
- Validate voice-based instructions, even when the caller sounds familiar;
- Double check instructions received through chat or messaging platforms; and
- Seek advice or clarity when interactions feel unusual or pressured. ‒ Focus Malaysia
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.