SELVAKUMAR BALAKRISHNAN | MASTER OF CRIMINAL JUSTICE

CHAPTER I: BACKGROUND OF RESEARCH

Introduction
In this modern era, Technology is working as human’s sixth finger. Technology made human life
much easier and simpler than expected. Everyone prefers their task to be completed with only
one click without knowing the cons they are going to face. One of the best examples that can be
outlined is the evolution of traditional banking method to online banking method which is
currently easing human life. But how many of us are aware of how secure/safe is the online
banking system or other online systems which have been commonly used by us in our daily life?

Computer Crimes Act 1997, the Digital Signature Act 1997 and the Telemedicine Act 1997 in
cyber legislation were introduced by the Malaysian government. However, we shall not overlook
the new dimension of the criminal Internet which is rapidly advancing. There, these advances
leave a space for them in some of our existent legislation.

Malaysia's criminal law, in specific the Penal code, does not explicitly provide for computer-
related crimes, and computer-related crimes are also not mostly covered in our Computer
Crimes Act 1997. The main limitation is that the existing legislation has not been drafted with
information technology in mind and, in many other cases; it’s insufficient to cover the different
types of activities related to computers.1

The rapid growth of online financial transactions has provided offenders with a new cyber malice
epidemic called Phishing, which has plagued consumers with increased frequency and
complexity. Phishing is a type of cybercrime where cybercriminal illegally acquires the personal
data, financial data and other login information of an individual and this cybercrime can be done
easily by sending emails or creating fake websites. Typical Internet users 'day-to-day activities,
such as checking email, trading online stocks, conducting banking transactions, and even surfing
websites, can provide enormous possibilities for phishing. In this context, the general question is
whether the current Malaysian Cyber law defends internet users from phishing scams as no anti-

1Khaw Lake Tee, ET. al, Laws and Policies Affecting the Development of Information Technology, Final Report,
National Information Technology Council, 1996.

Page | 1
SELVAKUMAR BALAKRISHNAN | MASTER OF CRIMINAL JUSTICE

phishing legislation has been established by the Government. The study also analyses the
constitutional stance taken by several countries, such as the United States of America, Australia
and Sweden, to address these issues.

Problem Statement

Phishing has always been a difficult and challenging task for a Digital Forensic Analyst or
Computer Forensic Investigator to identify the false positive because it does not present itself as
obviously malicious. Secondly, cybercriminals [Phishers] are constantly looking for new and
different ways to fool users into trusting that their actions involve legitimate websites or emails.
Even if the users are educated through phishing awareness, some phishing techniques are
difficult to identify.
Based on MyCERT statistics in Figure 1, the number of fraud incidents has increased enormously
over the last three months. Most of the forgery incidents involved phishing activities, mainly
involving international financial institutions such as eBay and PayPal, involving a few regional
financial institutions. Several factors led to this escalation. Cybercriminals [Phishers] took
advantage of modern technology to address the vulnerability of the servers. Lack of knowledge
among system administrators about updating the services or operating systems with the latest
patch is another factor that contributes to this fraud. According to the PDRM officer, Malaysia
receiving more than hundreds reports per day for phishing related offences and most of the
categories of the phishing cases are Vishing [Phishing done on phone calls], Smishing [SMS
Phishing] and Spear Phishing.

Page | 2
SELVAKUMAR BALAKRISHNAN | MASTER OF CRIMINAL JUSTICE

Figure 1: Reports Incidents based on General Incident Classification Statistics 2019

Source: Malaysia Computer Emergency Response Team [MYCert]

As shown below in Figure 2, 7774 fraud cases have been recorded for 2019 alone. 846 fraud
cases have been recorded for July, 835 cases have been recorded for September and 851 cases
have been recorded for October. Based on the analysis, the highest fraud cases have been
recorded for September.

Page | 3
SELVAKUMAR BALAKRISHNAN | MASTER OF CRIMINAL JUSTICE

Figure 2: Reports Incidents based on General Incident Classification Statistics 2019

Source: Malaysia Computer Emergency Response Team [MYCert]

Lack of cybersecurity knowledge and awareness about phishing among Malaysians are also
another factor that contributes to this phishing scam. Clicking the links in the emails and instant
messages without verifying the source, opening attachments in the suspicious emails, not
interested in installing paid Antivirus Software in computer or Smartphone, antivirus software
which was installed is not updated frequently with the latest signature, not running full antivirus
scan regularly are the common examples mentioned by the Cybersecurity officer.

Page | 4
SELVAKUMAR BALAKRISHNAN | MASTER OF CRIMINAL JUSTICE

Research Objective
The research aims to study the challenges and issues faced by Cyber Security
Officers/Specialists in dealing with phishing related crimes. It will also study and analyse the
existing law related to phishing offences in Malaysia. Next, the research also aims to propose
possible solutions for the issues and challenges faced by Cyber Security Malaysia/PDRM. Last
but not least, to propose recommendations and measures to tackle the issues of phishing in
Malaysia.
Research Questions
The Research Questions of the Research Project are:
• What are the challenges and issues faced by Cyber Security Officers/Specialists in dealing
with Phishing related crimes?

• What are the possible solutions for the issues and challenges faced by Cyber Security
Malaysia/PDRM?

Research Methodology
The research was conducted adopting by a non – doctrinal qualitative research. Data
collection was carried out utilizing document analysis and interviews. Document analysis was
based on primary sources and secondary sources. Primary sources are legal documents such
as the Computer Crimes Act 1997, Digital Signature Act 1997 and The Penal Code. The
secondary sources include written materials from books, legal articles, newspaper articles
and websites related to the phishing crimes in Malaysia. To further enhance the rationality of
the research, interviews were conducted. The interviewers were chosen according to a non –
probability purposive sampling which focused on Malaysian Cybersecurity officers, PDRM
Commercial Department Officers, lawyers and academicians.

Page | 5
SELVAKUMAR BALAKRISHNAN | MASTER OF CRIMINAL JUSTICE

Scope of the Study

In fulfilling the above objectives, the following relevant regulations will be analysed:
 The Computer Crime Act 1997
 Digital Signature Act 1997
 Penal Code [Malaysia]
In the meantime, interviews have been conducted with PDRM officers at Bukit Aman
Commercial Crime Department, to identify investigation process flow of phishing related
crimes or how phishing related offences are being conducted and types of computer
forensic tools used to investigate the phishing related offences.

Limitation of the Study

There were several limitations for completing this research. The first limitation was obtaining
sufficient data from Cyber Security and the Royal Malaysia Police (Commercial Department).
Phishing scams/crimes were not included in the General Incident Classical Statistics 2019
which was provided by MyCERT. As per email conversation with Cyber Security Malaysia,
Cyber Security Malaysia explained that phishing scam activities have been merged with fraud
activities. The second limitation was checking the availability [free time] of the PDRM officers
to interview with them. An official letter is required to be sent to the respective department
and need to wait for their reply and also need to check for their availability of the relevant
police officer/cybersecurity officer for the interview section. This process was a major
challenge and time consuming too. The third limitation was the interviewee didn’t share
much information on the investigation process and computer forensic tools which will be
used to investigate phishing related offences.

Page | 6
SELVAKUMAR BALAKRISHNAN | MASTER OF CRIMINAL JUSTICE

Chapter Organization
CHAPTER I
This chapter lays out the research background which mainly focuses on the issues related to
phishing related crimes in Malaysia. Furthermore, the researcher includes a statement of the
problem, research objectives, research questions, methodology, scope of the study, limitations
of the study, and chapter organization in this chapter.

CHAPTER II
In this chapter, the study will be focusing on the challenges and issues faced by Cyber Security
Officers/Specialists in dealing with Phishing related crimes. Besides, the researcher also
examined the provisions of The Penal Code [Section 420 & 416] and also whether the available
provisions in the Computer Crime Act 1977 is sufficient enough for phishing related offences that
are increased in term of percentage in Malaysia.

CHAPTER III
This chapter focuses specifically on the solutions proposed by Academician and Expertise for the
issues and challenges faced by Cyber Security Malaysia/PDRM. It mainly focuses on the
introduction of new law solely for phishing related offences and measures that can be taken to
avoid being a phishing victim.

CHAPTER IV
The final chapter concludes the study with the recommendation and step proposed by
Academician and Expertise to overcome the issue.

Page | 7
SELVAKUMAR BALAKRISHNAN | MASTER OF CRIMINAL JUSTICE

CHAPTER II: Challenges and issues faced by Cyber Security Officers/Specialists in dealing with
Phishing related crimes
The first challenge outlined by the interviewee during the interview session was the
unavailability of an appropriate law for phishing related crimes in Malaysia. There is no specific
law is legislated for phishing crimes under the Computer Crimes Act 1997. Currently, phishers
are being charged under Section 420 or 416 of the Malaysian Penal Code. According to the
interviewee, Investigation officer [IO] will charge the cybercriminal under Section 420 because
the punishments for Section 420 are higher compared to Section 416. Lack of solid evidence will
have to lead the Investigation officer [IO] to charge the cybercriminal [phisher] under Section
416, at least being charged for impersonation offence. Section 416 defined as any person is said
to "cheat by personation" if he /she cheats by pretending to be some other person. The offence
of cheating by personation is punishable with imprisonment for a term which may extend to
seven years and/ or a fine while Section 420 defined as whoever cheats and thereby dishonestly
induces the person deceived to deliver any property to any person, shall be punished with
imprisonment of either description for a term which may extend to ten years with whipping, and
shall also be liable to fine.2 Section 416 is related to impersonation while Section 420 is related
to cheating another person by the gain of the property of the victim. The term "property" which
was mentioned in the provision is also known as money. Both Section 416 and 420 of the Penal
Code are not related to phishing and may apply to Identity Fraud or Identity Theft. Identity theft
defined as when cybercriminal utilizes an individual's private information to masquerade that the
particular individual is engaged in fraud activities.3 Comparing to modern world example, when
an individual A stole money from individual B, the court has to wait till individual A use the
money to prove that he/she has used the money of individual B in order to charge him/her
[individual A] and not being charged for stealing the money from individual B. In this example,
"money" is referred to personal data of the victim while "used money of the individual" referred

2 The Penal Code (October 1, 2018).Laws of Malaysia. Retrieved from

http://www.agc.gov.my/agcportal/uploads/files/Publications/LOM/EN/Penal%20Code%2018%20Dis%202018.pdf
3 What is identity theft? Retrieved from https://us.norton.com/internetsecurity-id-theft-what-is-identity-theft.html

Page | 8
SELVAKUMAR BALAKRISHNAN | MASTER OF CRIMINAL JUSTICE

to identity theft or identity fraud. Sections 416 or 420 are not cyber specific and they are
legislated in general.
Corrupted Emails are the second challenge that was addressed by the interviewee during the
interview section. Royal Malaysia Police officers or Cyber Security Malaysia will perform Email
Header Analysis if the phishing scam is related to email. After analysing the email header Digital
Forensic Analyst will try to find the authentic sender of the email with the help of computer
forensic tools like GSuite Toolbox Message header, MXToolbox Email Header Analyzer and IP-
Address Email Header Tracer.

Figure 3: Sample Screenshot of GSuite Toolbox Message header

Page | 9
SELVAKUMAR BALAKRISHNAN | MASTER OF CRIMINAL JUSTICE

When the emails are corrupted, the email sender's internet protocol address [IP] may be
incomplete and it will cause difficulties to the digital forensic analyst to investigate the phishing
case. This is one of the most common challenges faced by Royal Malaysia Police officers and
Cyber Security Malaysia.

Page | 10
SELVAKUMAR BALAKRISHNAN | MASTER OF CRIMINAL JUSTICE

The third challenge which was outlined was conducting cross-border investigations. Once Royal
Malaysia Police officers [RMP] receive a police report regarding phishing websites or phishing
related cases, the Investigation Officer [IO] will start the initial investigation which includes
locating the phishing website base and obtain the internet protocol address [IP] of the phishing
website. The origin of the phishing website can be either local or from foreign countries. If the
internet protocol address [IP] of the phishing website is located within Malaysia, Royal Malaysia
Police will block the phishing website, disable the website [not accessible by the general public]
and conduct an investigation. If the phishing website is located from foreign countries, the Royal
Malaysia Police will block the phishing website and unable to conduct the investigation. Royal
Malaysia Police need to notify about the phishing website and provide the internet protocol
address [IP] of that particular phishing website to the relevant country. Next, documents need to
be translated and witness statements from non-speaking English countries to be assisted by the
translators. Then, the relevant country will conduct an investigation, collect as much as evidence
against the accused person while Malaysia will seek assistance from the relevant country to
make an arrest and deport the cybercriminal [phisher] to Malaysia. This is done under the
mutual agreement or understanding between both countries or also simply known as
extradition. The accused will be charged under Section 420 or Section 416 [under The Malaysian
Penal Code]. This also applies for Malaysia where if the cybercriminal [phisher] located in
Malaysia, Malaysia has to send the cybercriminal to the relevant country. According to the PDRM
officer, Malaysia has worked with countries like Thailand, Indonesia and China to combat
phishing related offences.

Page | 11
SELVAKUMAR BALAKRISHNAN | MASTER OF CRIMINAL JUSTICE

The fourth challenge which was addressed by the interviewee was money transaction in mule
accounts. Money mules play an essential role in today's cybercrime world and allow
cybercriminals to continue to initiate new approaches to exploiting personal and business
information for their benefit. Cybercriminals need the owners of a mule account to seem as
normal users.4 A mule account is either set up with fake documents using a stolen or
compromised or distorted identification identity or owned by a valid customer who has
permitted cybercriminals to use their accounts. In return for cash, money mules allow phishers
to hold illegal funds in their bank accounts before being distributed to other accounts, helping to
conceal dirty money. Cybercriminals [Phishers] aim vulnerable individuals, those who are
struggling financially, by enticing them with cash to allow access to their accounts. According to
the PDRM officer, most of the mule account holders in Malaysia are drug addicts, old folks,
jobless people, etc.
The fifth challenge which was outlined was upgrading computer forensic tools. Development in
computer forensic tools also poses a challenge to the digital forensic analyst as they need
enhancements. These software upgrade and computer data recovery processes usually incur
higher costs. For example, the licence for computer forensic tools like Encase and Magnet Axiom
needs to be renewed yearly and dongle [USB stick] is required to run the computer forensic
software. Evidence acquired from piracy or freeware computer forensic tools will not accepted
by the court of law because it will raise the question of the authenticity of the collected evidence
against the cybercriminal and using unlicensed computer forensic tool violates the law.

4Allan Kelly. (February 14, 2018) How Cybercriminals Use Money Mule Accounts to Profit from Online Fraud.
Retrieved from https://securityintelligence.com/how-cybercriminals-use-money-mule-accounts-to-profit-from-
online-fraud/

Page | 12
SELVAKUMAR BALAKRISHNAN | MASTER OF CRIMINAL JUSTICE

CHAPTER III: Solutions for the Issues and Challenges faced by Cyber Security Malaysia/PDRM
Introduction of new law related to phishing would be the first solution that can be proposed to
deal with or handle phishing related offences in Malaysia. As mentioned and discussed before,
the existing Section 416 and 420 of The Penal Code are not related to phishing crime and it's
related to Identity theft or identity fraud. A new act solely for phishing offences needs to be
introduced. By this, it will be easier to punish cyber criminals whoever commits phishing offence
without depending to other or related cyber law. Other than that, we also can avoid
cybercriminals acquitted easily from the cybercrime cases because of the unavailability of
suitable provisions in the existing cyber law legislation. United States of America 5, Australia6, &
Sweden are an example of some countries that are covered by Anti Phishing law. The provisions
on fraud in the Swedish Penal Code apply to Phishing. The penalty for a crime is either a fine or a
maximum of two years in jail. Serious phishing crimes are punishable by at least six months in
prison, but not more than six years in prison. For example, The Malmo District Court sentenced
four individuals to incarceration for sending e-mails imitating e-mail communications from
banks. The emails caused some recipients to provide the fraudsters with their payment
information in the belief that they were communicating with the bank.7 In a nutshell, major
amendment in the Computer Crimes Act 1997 is vital where a new law for Phishing need to be
added. Next, according to the academician during the interview section, he stated that with a
new anti-phishing law or introduction of anti-phishing law the chances are high to control and
deter phishing related offences in the near future.

5 Edward McNicholas & Kevin Angle(October 22, 2019,).USA Cybersecurity: 2020.Retrieved from
https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/usa
6 Dennis Miralis & Philip Gibson(October 22, 2019,).Australia Cybersecurity: 2020.Retrieved from
https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/australia
7 Anders Hellstorm & Erik Myrberg(October 22, 2019,).Sweden Cybersecurity: 2020.Retrieved from
https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/sweden

Page | 13
SELVAKUMAR BALAKRISHNAN | MASTER OF CRIMINAL JUSTICE

“Prevention is better than cure” was the second proposed solution outlined by the Academician
during the interview session. This is because according to the academician it is better to prevent
the danger rather than repair the damage from the danger. First, conduct Phishing Awareness
Training for company staffs because they are the easiest prey of cybercriminals [phishers]. A
security breach is not only disastrous to the reputation of a company, but it is also a major
financial hit. The main objective of the phishing awareness training or campaign is to evaluate a
company's resilience to a phishing attack. These evaluations may be carried out on a single or
recurrent basis. Cybercriminals [Phishers] tend to shift their strategies often, so a recurrent
evaluation is incentivized for companies of any size. These campaigns measure the weakness or
flaws and involvement of company staff, as they have been attempted to exploit. The advantage
of the phishing awareness campaign is that they are entirely imitation and it will not store
personal data of the user.8 KPMG Malaysia, Deloitte and PwC are some examples of
multinational professional companies conducting testing individual for a security awareness
program on phishing for most of the company employees in Malaysia. Next, the Malaysian
Government should allocate more funds for the cybersecurity sector. By this, Digital Forensic
Analysts able to acquire sufficient resources such as updated computer forensic tools for
investigation purposes and also allow them to renew the license of computer forensic tool on a
yearly basis. Other than that, the allocated funds also can be used to train computer forensic
specialists to expertise in certain skills and methods during conducting a cybercrime case, the
key points that shouldn’t be ignored or left behind and strategies completing a cybercrime case
within a stipulated time frame.

8Kaite Saglimbene. (August 16, 2016). Gone Phishing – The Benefits of a Phishing Campaign. Retrieved from
https://justask.net/gone-phishing-the-benefits-of-a-phishing-campaign/.

Page | 14
SELVAKUMAR BALAKRISHNAN | MASTER OF CRIMINAL JUSTICE

CHAPTER IV: Conclusion & Recommendation

Conclusion
This research paper has been presented as a qualitative research result that shows the
challenges and issues faced by Cyber Security Officers/Specialists in dealing with Phishing related
crimes in Malaysia. The interview session with PDRM officers & Cyber Security Malaysia officers
contributed to point out the key issues faced by the Royal Malaysia Police [RMP] in handling
phishing related offences. This paper also focuses on proposed solutions for the challenges and
issues faced by Cyber Security Officers/Specialists in dealing with Phishing related offences in
Malaysia. Strategies used to combat phishing are also presented in this research paper. In
conclusion, a high level of the initiative must be made to educate internet users on how to
classify, identify and prevent phishing attacks, as phishing not only impacts security, but also the
culture and economy.

Recommendation

Malaysian Government has a crucial responsibility in educating the general public about the
seriousness and impacts of phishing scams. Talks on how can we avoid being prey or victim in
the hand of cyber criminals [phishers], advertisements regarding phishing attacks, telecasting
television programmes which are related to Cyber or IT Security are the easiest initiatives or
steps that can be taken by Malaysian Government to educate Malaysian citizens. In addition, it is
not purely the Government’s responsibility to educate and create public awareness on phishing
attacks. As a responsible Malaysian citizen, we should know how phishing attacks are done,
consequences of phishing attacks and how we can protect ourselves from phishing attacks. A
simple initiative by reading online articles, reading newspapers, and watching or listening to
news related to cybercrimes [phishing] can make an individual understand clearly about phishing
attacks. Rather than pointing others, and hoping for the change from others why can't we be the
change for the issue that is threatening digital world?

Page | 15
SELVAKUMAR BALAKRISHNAN | MASTER OF CRIMINAL JUSTICE

APPENDIX

Page | 16
SELVAKUMAR BALAKRISHNAN | MASTER OF CRIMINAL JUSTICE

INTERVIEW QUESTIONS
1. How phishing related crimes are being investigated in Malaysia?
2. What are the steps taken after the police department receive a phishing related report?
3. Briefly explain the investigation process of phishing related cases which have been
conducted in Malaysia
4. The time frame or period of time required by an Investigation Officer [IO] to investigate
or complete a phishing related case?
5. Please list down few computer forensic tools which will be used to investigate phishing
related crimes?
6. Functions of the computer forensic tools & how the tools will be utilized in conducting
phishing related investigations?
7. The act which will be used to charge a cybercriminal [phisher] after the accused proven
guilty by the court of law
8. What are the challenges/issues faced by PRDM/Cyber Security Malaysia in handling
phishing related crimes?
9. Has Malaysia worked with other countries for phishing related offence? If yes, please list
down the countries and briefly explain the procedure.
10. What are the possible solutions or recommendations that can be taken to overcome the
challenges and issues faced by PDRM/Cybersecurity Malaysia?
11. What are the necessities/ importance of anti-phishing law?
12. Why new anti-phishing law is required to be introduced in Malaysia?
13. [Phishing Awareness Programs or campaigns, conducting training for company
employees] Do you think it’s effective in deterring phishing related offences? And Why?
[Based on the answer given]
14. ‘Prevention is better than cure’. Based on this statement what are the initiatives taken by
PDRM/Cybersecurity Malaysia in combatting phishing related offences?
15. The best advice that can be recommended for the general public and how can the
general public avoid being victim or prey of phishing scam?

Page | 17
SELVAKUMAR BALAKRISHNAN | MASTER OF CRIMINAL JUSTICE

MyCERT has been using the following guidelines to prioritize incidents and respond to the
cybercrime cases within the target timeline. Actual response times may be shorter or longer
based on the volume and sophistication of the cybercrime case.

Page | 18