TAC/OTP Hijacking — How Scammers Steal Your Banking Code
Transaction Authorization Code (TAC) and One-Time Password (OTP) hijacking is not a standalone scam — it is the final step in almost every banking fraud in Malaysia. Whether the initial contact is a Macau Scam call, a phishing SMS, or a fake banking app, the scammer's ultimate goal is to obtain your TAC or OTP to authorize fraudulent transactions.
Malaysian banks use TAC and OTP as the last line of defence for online transactions. Once a scammer obtains this code, they can transfer your money out within seconds.
Scammers use several methods to obtain your codes. The most common is social engineering — calling or messaging you while posing as a bank officer, police officer, or BNM official. They claim there is a problem with your account and ask you to read out the TAC code "for verification."
More sophisticated methods include SIM swap attacks, where scammers convince your telco to transfer your phone number to a new SIM card, allowing them to receive your TAC messages directly. Malware-infected apps can also intercept SMS messages silently.
Some phishing websites display a fake "verification" page that asks you to enter the OTP you just received, which is then used in real time to complete a fraudulent transaction on the real banking site.
Will my bank ever ask for my TAC or OTP?
No. Malaysian banks explicitly state they will never ask for TAC, OTP, PIN, or passwords via phone, SMS, or email. Any such request is a scam.
What should I do if I accidentally shared my OTP?
Call your bank's fraud hotline immediately to freeze your account. Then call 997 (NSRC) and lodge a police report.
⚠ Red Flags
- Anyone asking for your TAC or OTP — your bank will never ask for these codes by phone, SMS, or email
- Unexpected TAC messages — receiving a TAC code you did not request means someone is trying to access your account
- Calls claiming to be from your bank — scammers spoof caller IDs to display bank hotline numbers
- Phone suddenly loses signal — this may indicate a SIM swap attack in progress
- Unfamiliar apps requesting SMS permissions — malware apps intercept TAC messages
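The last red flag above can be checked on an Android phone by listing which installed apps actually hold SMS permissions. The Python script below is an added example, not part of the original page: it parses text in the layout printed by `adb shell dumpsys package`, and the sample dump, the package names and the `expected` allowlist are constructed assumptions.

```python
import re

# Android permissions that let an app read or receive SMS, and so a TAC/OTP.
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

# Constructed sample, modelled on the layout of `adb shell dumpsys package`.
# Package names are made up for illustration.
SAMPLE_DUMP = """\
Package [com.example.messages] (1a2b3c):
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
Package [com.example.flashlight] (4d5e6f):
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
Package [com.example.game] (7a8b9c):
    runtime permissions:
      android.permission.READ_SMS: granted=false, flags=[ USER_FIXED ]
"""

def sms_capable_apps(dump_text):
    """Map each package to the SMS permissions it currently holds (granted=true)."""
    found, current = {}, None
    for line in dump_text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            continue
        grant = GRANT_RE.match(line)
        if grant and current and grant.group(2) == "true" and grant.group(1) in SMS_PERMISSIONS:
            found.setdefault(current, set()).add(grant.group(1))
    return found

def unexpected_sms_apps(dump_text, expected):
    """Return packages holding SMS permissions that are not in the expected set."""
    return {p: sorted(perms) for p, perms in sms_capable_apps(dump_text).items()
            if p not in expected}

if __name__ == "__main__":
    # Assumption: the user knowingly uses com.example.messages as their SMS app.
    for pkg, perms in unexpected_sms_apps(SAMPLE_DUMP, {"com.example.messages"}).items():
        print(f"review {pkg}: {', '.join(perms)}")
```

Any package it reports is a candidate for review or removal, not proof of malware; a denied permission (`granted=false`) is ignored because the app cannot read messages with it.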
🛡 How to Protect Yourself
1. If your phone loses signal unexpectedly, contact your telco to check for SIM swap attempts
📞 How to Report
1. Never share your TAC, OTP, or PIN with anyone — not even someone claiming to be from your bank
2. If you receive an unexpected TAC, call your bank immediately to report unauthorized access
3. Call 997 (National Scam Response Centre) if you suspect your account has been compromised
4. Lodge a police report at your nearest station
5. Enable biometric authentication on your banking apps as an additional security layer