Visa, Maybank, CIMB and Alliance Bank just activated agentic-AI layers that don't just alert you to fraud — they predict and block deepfake scams in real time. Here's what's automatic, what still needs your attention, and how to track every near-miss in Duitful so the patterns stay visible.
Real-time
Block-before-debit, not alert-after-debit
Agentic AI runs the fraud check inside the same milliseconds the transaction is being authorised — if the model's confident it's a scam, the transaction simply doesn't go through.
The old model: the bank's fraud system flags suspicious activity, sends you an SMS asking "was this you?", and the money has already moved. The agentic model: the AI evaluates the full context (your usual merchants, time of day, device fingerprint, voice on the call instructing the transfer) before authorisation completes, and blocks anything it scores high-risk without waiting for you to confirm.
A scammer cloning your relative's voice to ask for an "emergency transfer" used to work because the bank only saw the transaction, not the call. Agentic AI cross-references the phone session, the destination account's history, and your behavioural baseline. Most such attempts never reach the OTP screen now.
Money moved into accounts that the network has flagged (recently opened, multiple small inflows from different victims) gets paused for review automatically. The window between scam and irreversible debit shrinks from minutes to seconds.
Visa's agentic layer sees patterns across issuers — if a fraud ring hits a Maybank customer at 9:14am with a particular MO, CIMB and Alliance customers seeing the same MO at 9:16am get extra scrutiny without anyone reporting anything yet.
A card showing first-time use at an unusual high-risk merchant + a velocity spike + a foreign IP gets soft-frozen mid-transaction, with the legitimate path being a quick in-app re-authentication rather than a 30-minute phone call to the call centre.
AI handles
You still handle
The pattern that still wins for scammers: socially-engineered self-authorisation. If the AI sees you logging in, typing the right OTP, and confirming the transfer yourself — it's a much harder block. The fraudster's pivot is no longer "steal your credentials" but "convince you to push the button."
Real banks never call to ask you to move money to a "safe account." There is no safe account. Hang up, call the number on the back of your card.
Cloned voices are now indistinguishable from real ones over a phone call. Set a family code-word offline. If the caller can't say it, end the call.
None of these agencies ask for transfers, OTPs, or screen-share access. Confirm via the agency's official channel before responding to anything.
When your bank blocks a transaction or pings you about an attempt, open Duitful → add an income entry of RM 0 with Category Fraud-blocked, and put the merchant/scam type in the note. Zero amount keeps the totals clean.
Every "your parcel was held" / "your account compromised" call gets a Fraud-attempt entry with the channel (call, SMS, WhatsApp) in the note. The pattern of who's targeting your number becomes visible in 60 days.
Filter Reports by Category = Fraud-attempt over the last 90 days. The trend tells you whether to switch SIM, tighten Telegram privacy settings, or update older relatives' contact verification habits.
Still on you
Passcode hygiene, OTP discipline, callback verification
The AI is a layer of defence, not a free pass. If you authorise the transfer yourself, you're still the last gate.
If you'd like the deeper "no cloud sync, encrypted everything" angle on personal-finance privacy, the privacy section of the landing page covers it. For everyday tracking, the SME/freelancer guide and the Budi95 fuel guide are common starting points.
Probably yes. Agentic AI evaluates more context than the old rules-based system, so legitimate transactions on new merchants or while travelling are less likely to be blocked. False positives haven't disappeared — they've just become the exception rather than the routine.
E-wallets run their own fraud layers, often less mature than tier-1 banks. Treat e-wallet balances like cash — if you wouldn't carry RM 1,000 in a wallet, don't park RM 1,000 in TNG eWallet either. Top up before spending, not as a savings account.
Within the bank's environment, yes — it always has. The new layer doesn't expose your transactions to anyone new; it just lets the bank's existing fraud team act faster. Your spending data isn't shared with Visa's competitors or with merchants beyond the standard transaction footprint.
In-app or call-back re-authentication is the path. The AI logs the override, and your behavioural baseline updates so the same pattern doesn't trigger again. If a transaction repeatedly fails with no clear reason, escalate via the bank's complaints line — you have rights under the Consumer Credit Act and BNM's financial-consumer-protection rules.
Yes — read it in Bahasa Melayu here.
When the AI blocks a transaction or you spot a scam attempt, log it as an entry with Category `Fraud-attempt`. After 90 days the pattern of who's targeting you and how is in your Reports — not lost in WhatsApp screenshots.