A Bank of Valletta customer has revealed how he lost thousands of euro in a number spoofing scam after believing he had received an SMS from his bank.
The victim said he felt "embarrassed" to have been duped by the sophisticated cybercrime but decided to share his story to warn others.
It started with an SMS from what appeared to be a genuine BOV number, which he had previously received authentic messages from.
"I'm usually very vigilant and aware of scams, but when I saw that the message was from the real BOV mobile number I assumed it was real," he said.
The scam is known as number or ID spoofing.
In the scam message, the customer was warned that their mobile device has had its access limited for security purposes and asked to either visit a branch or re-authenticate their device by visiting the BOV website.
The message included a link to a fraudulent website where customers are instructed to verify their identity by logging into their BOV mobile app and carrying out a test transfer. Once the transfer is completed, money is withdrawn from the account.
Shortly after following the scammers’ instructions, money from the victim's account was transferred to what appears to be a Lithuanian bank account.
"A little while later I received the standard BOV SMS informing me that money had been transferred from my account. When I logged back into my online banking I could see that a large amount of money had been sent to a foreign bank", he explained.
People have also reported receiving similar messages claiming to be from HSBC.
Contacted for comment, a BOV spokesperson warned that scammers often clone the mobile numbers used by banks to make their scams appear more genuine.
“Bank of Valletta is aware of a number of such scams. We advise the public to be vigilant at all times”, the spokesperson said.
He said customer should question any SMS alerts containing links and instructions to divulge information or key in verification codes.
For example if one receives an SMS stating that their order is ready for processing – and they are aware that they never placed an order with the company described in the link, than the cardholder should not act upon such an SMS.
"When in doubt the customer should always refer to their issuing bank to confirm whether the SMS is genuine or otherwise”, he explained.