Not too long ago, Malaysian business community was shocked with the news of the sudden and immediate departure of Maybank Chief Financial Officer. Details were scant, leaving everyone to postulate. The news was, there were some wrongdoing and that the CFO, whose an old timer at the bank was asked to leave. The CFO has been with the bank for 33 years! What could have caused the sudden and unwarranted departure?
Focus of this case study
It was determined that there were multiple fronts of which the alleged offense taken place which caused the Bank to take drastic decision. This article focuses solely on the phishing incident that took place, which became the centerpiece of the argument.
There are the angle of non-compliance, industrial relation and others which I will exclude from this article. There may be some arguments or debate of whats right and not, but that won't be the focus of this case study.
This case study objective is to understand what happened, blow by blow, and provide lessons learnt for organizations to not fall into the same pitfall. Create a sense of awareness and vigilance as there is always an attempt for nefarious activities.
This article is purely based on the writings quotee from The Edge Weekly on the matter. Reference at the bottom of the article. I am happy to take erratas from official sources (either the Bank or ex-CFO). Every care has been taken to ensure that the case study remains factual.
Timeline
To simplify the article, I have summed up the events that took place in an infographics.
My assessment/review
Looking at the timeline, I can't help to wonder that there are some nuggets and some "hmm" moments in the whole incident. So lets break it down.
-
CFO received call on her personal line from someone claiming to be CEO Maybank SG. From here, I can see that there is some compartmentalisation happening. The Bank would have issued company line to the executive to keep company business in company assets. Or like most of us poor denizens, we have multiple lines just to do that (I miss the days of corporate issued Blackberry's). At the same time, the call was more of "I want something, trust me bro...". For me, this is first red flag. Why is someone calling me on my personal line, when its business related? Fine, maybe my corporate line was busy and I needed to be contacted. Begs the question - how did someone at work get my personal number? The other angle is that scammers were able to get CFO's personal number? How? Maybe they social engineered someone else to get the number? Perhaps family member? Or maybe social media unknown leakage? Or third party sites that sell personal information like phone numbers and email address?
-
Alleged Maybank SG CEO used an unknown Malaysian number to call the CFO. Hmmm lets just entertain this and say that the CEO (supposedly) has a Malaysian number. Why did the CEO use personal number to call for business matter? It fails the second test and this becomes a second red flag.
-
Alleged Maybank SG CEO asking the CFO what is the Bank's bank balance. This takes the cake. As a CEO, one signs financial documents related to the Bank's standing for regulatory and financial reporting reasons. This is a major red flag, and at this point already warrants a full stop to the endeavour.
-
Maybank Group CEO (allegedly) using an unknown number messaging personal line of CFO "authorising" the transfer to company in HK. My contention is the supposedly Group CEO making authorization over the phone. Was there a follow up via email on the matter to ensure there is sufficient check/balance and records? Otherwise the CFO has failed governance 101. I get it with the urgency and stuff, but no excuse for lack of governance, especially at that level, and being with the Bank for 33 years.
-
I'm elated with JP Morgan Chase Bank Berhad. Their fraud management worked flawlessly, causing the transfer to be suspended (this is by no means an advertisement for them, though I am happy to receive some credit or funds for it). If it's not for them, Maybank would have been RM4++million poorer. JPMCBB raised the red flag to Maybank which would have spurred the flurry of verification at the Bank. (You can donate some millions to me... I could use some!)
-
Very late the same day, CFO only then emails the real Maybank SG CEO to confirm the transaction, and to their horror, got the confirmation that the transaction was not initiated or required by them. Oh NO! Somewhat good news, no money lost as JPMCBB confirmed that the transfer was suspended (victory for the Bank). The real Maybank SG CEO also confirmed that he has no knowledge of the CFO's personal line number. (back to point 1).
-
One final comment, I am rather surprised that the CFO did not lodge a police report right after the incident (or so reported). Having such details like phone numbers would have made it easier to nab the culprits as time is of essence. Very sure the trace would have been wiped off with the numbers and the phone disposed as it took too long to get to the attention of the relevant people.
The rest, I would say, is history.
Lessons learnt
The key mantra I would like to emphasize throughout this incident is ...
Trust, but verify
-
Compartmentalisation is necessary to keep business matters strictly business. However, it always goes back to the human to ensure such matters are enforced. Are companies willing to pay for a line for the staff? Usually in a form of claim or just some minor sum, but the line still belongs to the staff. Even the phone is usually staff owned.
-
The key question - how do you validate the person on the other side of the line? Companies may have some policies. Either not allow any phone based transactions, sticking to purely financial system requests. Or have means to validate the person on the other side of the line. I have a concept, but I'll only do it if there is enough interest on the matter. (meaning I'll vibe code it, or someone willing to pay me for it).
-
Be on the lookout for red flags. Any requests should be followed up with an email which needs to be acknowledged. Today's age of 5G coverage and mobile penetration is no excuse for a decent timely response.
-
Scammers key weapon, authority and urgency. They will claim to be of right authority or even higher to force the lower subordinates to comply. I understand the Asian culture of "pleasing the boss" instead of "being a pest", but when it comes to business security, somethings are a must.
-
Make a timely police report. Whatever's done is done, you need to move on and do the necessary. Maybe in this case there isn't any loss, one would think might as well sweep it under the carpet, but crooks are out there and they will try again and again. Again, the Asian mindset of "It's okay la, no damage" is of no help.
Reference
The Edge Weekly - Newsbreak - Maybank CFO's sacking - the allegations and rebuttals (April 28, 2025)
Author: ORCID ID - Suresh Ramasamy: 0000-0003-4562-037X
This article is mirrored in Linkedin at
https://www.linkedin.com/pulse/case-study-maybank-phishing-incident-ts-dr-suresh-g3luc