€1 million scam puts bank security under scrutiny
Bank of Valletta addresses claims of security weaknesses
A €1 million scam to which 200 people fell victim has led to questions about local banks’ internal controls.
Former journalist and ex-PN candidate Norman Vella last week accused Bank of Valletta, Malta’s largest bank, of failing to address “known security weaknesses” that allowed scammers to move money out of the bank without detection.
BOV is one of several banks from which 25-year-old Tammy Caruana is alleged to have extracted money from client accounts via an elaborate fraud scheme perpetrated by impersonating local banks.
Caruana was charged last week with money laundering, fraud and being part of an organised crime group and criminal association.
Although details of the fraud scheme have yet to emerge in court, a common tactic used by scammers is spoofing the telephone number used by the bank to contact its clients, and manipulating them into handing over sensitive account details.
Vella claims BOV’s reliance on text messages, coupled with substandard controls when a client logs into internet banking from a new device and transaction monitoring failures, is fertile ground for scammers.
A spokesperson for BOV clarified that the bank does not use text messages to authenticate customers or authorise payments.
“Text messages are only used for general information or fraud-awareness alerts, and spoofing of SMS senders is unfortunately a well-known global issue outside any bank’s technical control. This has been acknowledged by the financial arbiter.”
The bank said all payments through internet and mobile banking are secured through multi-factor verification built directly into the application, fully aligned with strong customer authentication requirements.
BOV said its customer service centre also authenticates customers through the secure BOV App or through detailed verification questions, never through sensitive information sent via SMS.
Many scammers dupe victims into authorising large transactions themselves.
This has led the financial arbiter, an independent adjudicator of complaints against financial institutions, to adopt a compensation model that apportions responsibility for scam losses between the bank and its client.
Vella argued in his social media post that BOV’s failure to fix its “serious security failures” should mean it is held 100% responsible for scam losses, rather than shifting the burden onto customers.
BOV said in recent cases the arbiter has ruled in favour of the bank when customers themselves approved transactions or disclosed confidential information to fraudsters.
Another of Vella’s claims is that BOV’s transaction monitoring repeatedly fails to prevent money from being stolen, even when warning signs are obvious.
Transfers made just seconds after the BOV app is installed on a new device go through, and large sums paid out of accounts that have never made similar payments are processed by the bank, Vella alleges.
The bank said it operates an advanced transaction-monitoring system with both pre- and post-transaction checks supported by AI-driven capabilities.
These systems continuously monitor, stop and investigate transactions in line with the risk-based expectations established by regulators, the bank said.
The bank said that, notwithstanding its existing measures to combat scams, it remains deeply committed to further strengthening its defences, enhancing monitoring tools and improving customer education so that clients are better equipped to identify and avoid evolving fraud threats.