Connect with us

NEWS

Hacked WhatsApp, Real Manager’s Name: The RM970,000 Lesson

A Tanjung Malim clerk sent RM970,000 after a scammer hijacked her manager’s WhatsApp. Here is how the takeover works and the first call to make.

Published

on

A 31-year-old clerk at a food distribution company in Tanjung Malim, Perak, transferred RM970,000 to two bank accounts after receiving WhatsApp instructions she believed came from her manager. She made three separate transactions. She only learned the truth when, after the third transfer, requests for still more money kept arriving and she phoned her boss on a separate line. Her manager had sent none of the messages.

Muallim district police chief Supt Khalid Mohamad laid out the case in a statement to the press. The clerk lodged a police report around 11 a.m. the previous day, after realising she had been deceived. The case is being investigated under Section 420 of the Penal Code for cheating.

The Three Transfers

The clerk worked at a food distribution company in Tanjung Malim, in the district of Muallim. She received what looked like an ordinary WhatsApp message from her manager’s number, complete with his real name, his real profile photo and the same digits she had dialled many times before. The request was the kind a junior employee receives often in Malaysian offices: make a payment, urgently, on the company’s behalf.

She made the first transfer, then the second, then the third. Together they added up to RM970,000 across two accounts. The structure matches what investigators across the region describe as a social media impersonation pattern, in which a hijacked account pushes a worker through a series of urgent transfers before suspicion sets in. The clerk only broke out of that sequence when she phoned her manager on a separate line and heard silence where confirmation should have been.

He had sent none of the instructions. The case is being investigated under Section 420 of the Penal Code for cheating. Supt Khalid told the press that the manager’s phone is believed to have been compromised, with the scammer impersonating him through the hacked device.

  • Total lost: RM970,000
  • Transactions: 3 separate transfers
  • Receiving accounts: 2 bank accounts
  • Statute: Section 420 of the Penal Code (cheating)
  • Police lead quoted: Supt Khalid Mohamad, Muallim OCPD

How A “Manager’s Number” Becomes A Fraud Tool

The numbers, names and profile pictures on a WhatsApp account belong to whoever owns the account, not to the device or SIM card sitting in front of you. When that account moves to a stranger, every familiar identifier moves with it. That is the trick at the centre of a wave of WhatsApp account takeover cases reported across Southeast Asia over the past year. The Malaysian Communications and Multimedia Commission (MCMC) issued a public advisory on 21 January warning that scammers were deceiving users into sharing the six-digit verification code WhatsApp sends by SMS.

The takeover usually starts with a contact whose own WhatsApp account has already been compromised. That contact asks you to “resend” a verification code they claim was sent to the wrong number. Once the six-digit code is shared, the attacker registers your number on a new device and the original account is logged out automatically. From that moment, every contact, every group chat and every recent message sits on the new operator’s screen. The Tanjung Malim clerk’s manager is one of those compromised contacts, according to the police.

Method How It Works What The Victim Sees
OTP forwarded by a contact A hijacked account asks you to “resend” a verification code Nothing unusual, the message comes from someone you know
Phishing link A fake WhatsApp Web page captures the code A login prompt or a security notice that looks ordinary
SIM-swap fraud A telco is tricked into porting the number to a new SIM The phone briefly loses signal, then everything reconnects

All three of those routes are documented in the MCMC’s January advisory on WhatsApp account takeovers, which pointed users to WhatsApp’s own recovery page and urged anyone who had already shared a code to file a report. The Sun’s report on the Tanjung Malim case has since put a number on what that advisory was designed to prevent.

Why The Same Pattern Keeps Crossing Borders

Singapore’s police logged at least 52 reported cases of social media impersonation scams arising from compromised WhatsApp accounts between 1 April 2026 and 8 May 2026. Total losses across those cases run to at least S$46,000, according to a regional police advisory on compromised WhatsApp accounts issued on 8 May. The mechanics in those cases track the playbook the Malaysian authorities describe, with the only differences being the local payment rails the victims are pushed onto. In Singapore, those include PayNow QR codes, Razer Merchant Services and Grab. In Malaysia, the cashier’s cheque and the direct bank transfer do the same job.

The Tanjung Malim case fits that pattern almost exactly. A WhatsApp account that looked legitimate pushed a series of urgent payment instructions. The victim made multiple transfers before growing suspicious. Verification through a separate channel revealed the deception. Only then was a formal report filed. In both Singapore and Malaysia, the most common entry point is a friend or colleague whose own account has already been hijacked, quietly forwarding their contact list to the next attacker.

The hardest hit victims in this pattern are not the people who forward the codes; they are the finance officers, clerks and managers who authorise transfers on the back of a chat. They are the ones moving the money, often within minutes, often without a phone call, often without any visible warning that the chat on the screen is now operated by someone in another country. The Malaysia Computer Emergency Response Team and the MCMC publish the same guidance in their respective advisories: keep the OTP private, set up two-step verification, and treat unexpected payment requests with the same suspicion as an unsigned cheque.

Never relinquish WhatsApp OTPs to anyone as you will lose access to your WhatsApp accounts as a result.

The Singapore Police Force advisory put that line in bold. The Malaysian authorities have issued the same warning through the NSRC and through the MCMC advisory. Neither warning is theoretical. The Tanjung Malim transfer is the price of treating it as one.

What Could Have Stopped It

Two settings, both free and both inside the WhatsApp app itself, would have made the takeover harder to land cleanly. Two-step verification adds a six-digit PIN that must be entered on a new device alongside the SMS code, so a forwarded OTP alone is no longer enough. Reviewing “Linked Devices” under Settings shows every place the account is currently logged in, and lets a user kick off an unfamiliar session in seconds. A third, plain old control would have caught the company faster: a verbal callback requirement for any payment instruction sent by chat, no matter how senior the sender looks on screen. The manager in the Tanjung Malim case did nothing wrong under his company’s procedures; the procedures themselves are the gap, and they are the same gap at hundreds of other small and mid-sized firms that run authorisations over WhatsApp.

MCMC’s 21 January advisory pointed users to WhatsApp’s official recovery instructions for stolen accounts, which start with re-registering the phone number and waiting for the old device to be logged out automatically. Once a police report is filed, victims can also check whether the receiving bank accounts have already been flagged in other cases through the official portal for verifying suspect bank accounts maintained by the Commercial Crime Investigation Department. None of those steps reverses the RM970,000 transfer, but together they put the company on a more recoverable footing for the next attempt.

After The Transfer: The NSRC Route

For a clerk who has just realised she has wired the company’s money to a stranger, the Malaysian police route every victim through one number: 997. That is the National Scam Response Centre (NSRC) under the Royal Malaysia Police, set up to coordinate rapid freezes across banks and e-wallets. The NSRC went 24-hour in September 2022 and remains the fastest legitimate route to a recall. Speed matters at every step; the further a transfer moves through downstream accounts, the smaller the chance of clawing any of it back.

Alongside the police report, Malaysian victims can also file a complaint through MCMC’s Aduan portal at aduan.skmm.gov.my, and the commission publishes a WhatsApp contact line at 016-220 6262. Both routes feed into the same investigative machinery. The police keep emphasising 997 because the bank and telco freezes it triggers only work if the call arrives while the money still has somewhere to be frozen.

For clerks, accountants and finance officers in Malaysian small and mid-sized companies, the practical takeaway from the Tanjung Malim case is procedural rather than technical. Treat any WhatsApp payment instruction, however routine, the same way a bank treats an unsigned cheque. Require a verbal confirmation on a number you have called before, using a separate line from the device the request arrived on. Switch on two-step verification on every WhatsApp account that can be used to authorise a payment. Save 997 as a named contact on every phone that touches the company’s money, because the moment a transfer has been made, minutes decide what is left to recover.

Frequently Asked Questions

How does a WhatsApp account get “hacked” without me clicking anything?

The most common entry point in Malaysia is a forwarded one-time password (OTP). A contact whose own WhatsApp account has already been taken over messages you and asks you to forward the six-digit code WhatsApp just sent to your phone. Sharing that code lets the attacker register your number on a different device, kicking you off your own account. The MCMC advisory of 21 January set this method out as the dominant case pattern in the country.

What should I do the moment I realise I sent money to a scammer?

Call the National Scam Response Centre (NSRC) at 997 immediately, then lodge a police report at the nearest station. The NSRC was set up to coordinate rapid freezes across Malaysian banks and e-wallets, and the Royal Malaysia Police urge victims to dial 997 before doing anything else. Each minute between the transfer and that call typically narrows what can still be recovered.

Will the bank refund the money once a police report is filed?

No Malaysian source in this case promises an automatic refund once a police report is filed. The NSRC’s role is to attempt a real-time freeze on the receiving accounts, not to reverse completed transfers. Recovery depends on how far the funds have already moved through downstream accounts before the freeze lands.

Can a “verified” green tick on WhatsApp be trusted?

WhatsApp does not display a general verified tick for personal accounts the way platforms such as X or Instagram do for public figures. What looks like a trusted contact is simply the name, profile photo and number registered to that account. Once an account is taken over, those identifiers travel with the attacker, which is the entire point of the boss impersonation pattern.

Is this scam happening outside Malaysia?

Yes. Singapore’s police recorded at least 52 cases of social media impersonation scams arising from compromised WhatsApp accounts between 1 April 2026 and 8 May 2026, with combined losses of at least S$46,000. The mechanics in those cases match the Malaysian reports, with only the local payment rails changing.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no nonsense tech news and reviews based on real hands on testing. He has personally tested and reviewed dozens of mid range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Trending