KUALA LUMPUR, May 10 — Malaysians have been repeatedly warned to be on high alert as scammers increasingly mimic Google alerts, search ads and mobile apps to steal passwords, banking details and one-time codes. 

But how do you know what’s a red flag, and what can you do to stay safe?

Google Malaysia country managing director Ben King said scammers are deliberately designing messages and websites to look familiar and trustworthy, making them harder to detect.

“Simple habits such as pausing before clicking on links, verifying the source of messages, and avoiding downloads from unfamiliar channels can go a long way in preventing scams,” he said in a recent interview.

The most common trap — fake Google emails

These scam emails often claim there has been a “Suspicious sign-in detected”, warn that an account will be disabled, or pressure users with messages such as “Storage full — upgrade now”.

King said users should be cautious of emails sent from unofficial domains, urgent language demanding immediate action, and links redirecting to fake login pages designed to steal credentials.

He said users should avoid clicking links in unsolicited emails and instead verify account alerts directly through official apps or websites.

‘Sponsored’ ads pushing fake banking and crypto sites

King also warned about fraudulent advertisements appearing at the top of Google search results through paid “Sponsored” placements.

These scam ads commonly impersonate banking services, PayPal, Microsoft and cryptocurrency exchanges before redirecting users to fake login pages.

King said users searching for banking or online services should pay close attention to website addresses before entering passwords or personal information.

The risk of downloading apps downloaded outside official stores 

Another growing threat involves “internet sideloading”, where users are persuaded to install apps through links sent via browsers or messaging platforms instead of official app stores.

“Internet sideloading, where users are prompted to download apps through links in browsers or messaging platforms.

“These apps can request access to sensitive permissions like SMS or notifications, which scammers then exploit to intercept one-time passwords or monitor user activity,” King said.

He said apps installed outside trusted platforms may abuse permissions to read messages, intercept OTPs and potentially compromise devices.

He advised users to install apps only from official app stores and avoid downloads sent through WhatsApp, Telegram or browser pop-ups.

AI tools flag scams, but users still key line of defence

King said Google is using artificial intelligence tools across its products and services to detect and block scam attempts.

“Spam Detection on Google Messages helps filter fraudulent texts, while Safe Browsing blocks millions of malicious websites on Chrome,” he said.

He said Google recently introduced enhanced Google Play Protect tools in Malaysia to block sideloaded apps attempting to access sensitive permissions.

The warning comes as Communications Minister Datuk Fahmi Fadzil recently revealed Malaysians lost about RM2.9 billion to online scams.

Fahmi described online fraud as a growing national threat and welcomed greater cooperation between technology firms and the National Scam Response Centre (NSRC).

King said victims should immediately secure email, banking and linked accounts by changing passwords and reviewing suspicious activity.

“From our perspective, the first step is to secure your digital accounts, particularly your email, banking, and any linked services, by changing passwords and reviewing any suspicious access.

“At the same time, it is critical to notify your bank or relevant service providers immediately so they can take steps to prevent further loss,” he said.

King also urged victims to report scam cases to the authorities, including the NSRC, and remove suspicious apps installed outside trusted platforms.