Woman Loses Money After WhatsApp Call — Without Clicking Any Links Or Downloading Anything
Her bank rejected her dispute on the grounds that her credentials were used and her device may have been compromised by malware.
A Malaysian woman lost money from both her savings and credit card accounts after receiving a WhatsApp call from someone posing as a food vendor — without downloading any application or clicking any link, according to her lawyer.
The case, highlighted on Tuesday (5 May) by Michael Kong Feng Nian, Special Assistant to Stampin MP and DAP Sarawak chairman Chong Chieng Jen, has drawn attention because of the method allegedly used: the financial loss appeared to follow a single phone call.
The victim, known as Madam Chan, came across a Facebook advertisement for home-cooked food and contacted the seller via WhatsApp.
During the call, the person on the other end repeatedly insisted on sending her a menu.
Chan declined — she already knew what she wanted to order, and when the caller persisted, she ended the call.
Within minutes, her phone began behaving abnormally; her son then alerted her that multiple contacts had received messages from her number asking to borrow money.
Chan contacted her local bank and found three unauthorised transactions on her savings account and one on her credit card account.
The Legal Grey Area
Chan filed a dispute with the bank, which later rejected her claim, citing two reasons: that her User ID and password had been used to access the account, and that her device “may have been compromised due to malware.”
Kong said the explanation was unsatisfactory.
Mdm Chan has categorically stated that she did not download any applications or click on any links; the only interaction she had was a WhatsApp call with the alleged scammer.
The bank’s rejection rests on the premise that, because valid credentials were used, the account holder is responsible.
But the bank’s own acknowledgement that the device “may have been compromised by malware” complicates that position — if the device was compromised without the user’s knowledge or action, it is unclear on what basis the user can be held liable.
Kong and his team are now assisting Chan in filing an appeal with the Financial Markets Ombudsman Services (FMOS), which handles disputes between consumers and financial institutions in Malaysia.
A Different Kind of Scam — And the Limits of Standard Advice
Most scam cases in Malaysia involve a victim clicking a link, downloading an app, or entering credentials on a fake site — Chan’s account fits none of those patterns.
Security researchers have previously documented call-based WhatsApp exploits that compromise a device without the recipient taking any action, though it is not confirmed whether such a method was used here.
The most practical protection sits at the bank, not the phone: low transfer limits, real-time alerts, and cooling-off periods can limit damage even on a fully compromised device.
On the device itself, keeping WhatsApp updated and enabling “Silence Unknown Callers” reduces — but does not eliminate — exposure.
If a caller is unusually insistent about sending any material, that insistence is the warning sign; end the call, and if the phone behaves abnormally afterwards, switch to airplane mode and call the bank from a separate device.
The harder truth, as Kong’s appeal to FMOS underscores, is that when a bank’s own rejection letter acknowledges possible malware compromise, the burden of that compromise cannot reasonably be placed on the customer who answered a call about lunch.



