How scammers duped a Bank of Valletta client
Fraudsters have successfully replicated communication channels normally used between the bank and its customers
A Bank of Valletta client was duped into handing over confidential information by a Maltese-speaking woman claiming to be a bank representative.
While the client was on the call with the woman, who identified herself as Cynthia, a series of fraudulent payments amounting to €3,773 were siphoned out of his account.
In a recent ruling, Financial Arbiter Alfred Mifsud warned that he has received several complaints from bank customers that, while varying in certain details, share many common features.
The arbiter noted that fraudsters have successfully replicated the communication channels the bank normally uses with its customers, generally SMS or email.
Fraudulent payments are typically kept under €5,000 so that they do not trip daily transfer limits: the loss is split into several smaller transactions rather than one large one.
In the case in question, the BOV client received an SMS that appeared to come from the same number the bank usually uses for notifications, informing him of suspicious activity on his account. Ten minutes later, a person calling herself Cynthia rang him from what appeared to be the bank’s normal telephone number. Neither appearance proves origin: SMS sender IDs and caller ID can both be spoofed, so a message or call that displays the bank’s number is not evidence that it came from the bank.
She spoke in Maltese and appeared familiar with bank procedures.
‘Cynthia’ discussed his three accounts with him and told him she was looking at a specific account, providing him with the balance he held in that account. This made the call appear genuine.
The caller told him she was seeing scheduled payments for the following Wednesday and that if he had not requested these payments, they should be cancelled.
At 10.37am, he received an SMS asking him to follow a link to a fake BOV website and enter his internet banking user ID to go through a fresh authentication process. BOV records show an activation code was generated at 10.43am and sent to the client’s registered mobile number.
Though the client denied giving the activation code to the scammer, bank logs indicate that this code was used to register a new device for internet banking access, which is what allowed the fraudster to act on the account.
‘Spot the Scam’
Four payments totalling €3,773 were then executed between 10.54am and 11.09am.
The bank customer told the arbiter that the fraudster’s detailed insider knowledge of his accounts and security protocols strongly suggested a possible breach of confidential data or a lapse in information security.
BOV maintains that it implements security measures in line with EU rules, including strong customer authentication.
The bank argued the transactions were authorised through the customer’s credentials, and its systems showed no indication they were fraudulent.
BOV said it had sent its client five messages from its “Spot the Scam” campaign, all stating that the bank will never ask for card details, passwords, PIN codes, or verification codes by telephone, SMS or e-mail. One of those messages was sent in April 2025, less than one month before the incident.
The arbiter noted that this particular case was the first time that a scammer not only sent a fraudulent SMS but sustained the credibility of the SMS through a convincing telephone call from a person speaking in Maltese, who provided information that only the bank could have.
It remains unclear how ‘Cynthia’ appeared to have access to internal bank information, and it is up to BOV to conduct investigations into this, the arbiter said, as further complaints have shown this was not a unique case.
The arbiter said that social engineering scams of this type leave the bank few precautions beyond effectively warning customers to be on the alert. BOV was nevertheless ordered to repay its client €2,291.47.
The arbiter applied a liability apportionment model, finding the customer 60% liable for the loss but reducing that share by 40% in view of special circumstances, including the sophisticated nature of the scam.
The ruling also recommended that, when a new software token is registered, banks run a robust reconfirmation process with the customer and temporarily suspend payments from the account until the bank has made direct telephone contact with the customer.
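The recommended control can be expressed as a simple rule set: a payment from an account whose software token was registered recently and not yet confirmed out of band is held, and a run of sub-limit payments whose aggregate exceeds a threshold within a short window is held as well (the structuring pattern described earlier, where each payment stays under the daily limit). The following is an added illustration written for this article, not BOV’s fraud engine or any real product. The cooling-off window, velocity threshold, event names and the timeline of events are assumptions; the timestamps and amounts are constructed to mirror the sequence in the article (registration at 10.43, four payments between 10.54 and 11.09 totalling €3,773).

```python
"""Hypothetical post-registration payment hold (illustration, not BOV code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    kind: str            # "payment", "device_registered" or "customer_confirmed"
    account: str
    amount: float = 0.0  # EUR, only meaningful for payments


# Assumed policy parameters; a real bank would tune these to its own risk appetite.
COOLING_OFF = timedelta(hours=24)   # hold payments this long after an unconfirmed token registration
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_THRESHOLD = 2000.0         # aggregate EUR within VELOCITY_WINDOW that triggers a hold


def evaluate(events):
    """Replay events in time order and return (event, decision, reason) tuples.

    Decisions: "confirm" (bank must call the customer on the registered number),
    "release" (customer confirmed the new token), "hold" or "allow" for payments.
    """
    last_reg = {}      # account -> time of most recent token/device registration
    confirmed_at = {}  # account -> time the customer confirmed that registration
    recent = {}        # account -> [(ts, amount)] payments inside the velocity window
    decisions = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "device_registered":
            last_reg[e.account] = e.ts
            decisions.append((e, "confirm",
                              "new-device: reconfirm registration by telephone on the registered number"))
            continue
        if e.kind == "customer_confirmed":
            confirmed_at[e.account] = e.ts
            decisions.append((e, "release", "customer confirmed registration; hold lifted"))
            continue
        if e.kind != "payment":
            raise ValueError(f"unknown event kind {e.kind!r}")

        reasons = []
        reg, conf = last_reg.get(e.account), confirmed_at.get(e.account)
        # Hold: token registered within the cooling-off window and not yet confirmed out of band.
        if reg is not None and e.ts - reg < COOLING_OFF and (conf is None or conf < reg):
            reasons.append(f"new-device: token registered at {reg:%H:%M} not yet confirmed")
        # Hold: several individually small payments adding up past the threshold.
        window = [(t, a) for t, a in recent.get(e.account, []) if e.ts - t <= VELOCITY_WINDOW]
        window.append((e.ts, e.amount))
        recent[e.account] = window
        total = sum(a for _, a in window)
        if total > VELOCITY_THRESHOLD:
            reasons.append(f"velocity: EUR {total:.2f} across {len(window)} payments within {VELOCITY_WINDOW}")
        decisions.append((e, "hold" if reasons else "allow", "; ".join(reasons) or "no risk signal"))
    return decisions


def held_total(decisions):
    """Sum of payment amounts that the rules would have held."""
    return sum(e.amount for e, d, _ in decisions if d == "hold")


def sample_events():
    """Constructed timeline loosely following the article; the date is arbitrary."""
    day = datetime(2025, 5, 14)
    t = lambda h, m: day.replace(hour=h, minute=m)
    return [
        Event(t(9, 10), "payment", "ACC-1", 120.00),      # ordinary payment before the attack
        Event(t(10, 43), "device_registered", "ACC-1"),   # activation code used to enrol a new device
        Event(t(10, 54), "payment", "ACC-1", 900.00),
        Event(t(10, 59), "payment", "ACC-1", 950.00),
        Event(t(11, 4), "payment", "ACC-1", 923.00),
        Event(t(11, 9), "payment", "ACC-1", 1000.00),     # four payments, EUR 3,773 in total
    ]


if __name__ == "__main__":
    for e, decision, reason in evaluate(sample_events()):
        print(f"{e.ts:%H:%M} {e.kind:<18} {e.amount:>8.2f} {decision:<8} {reason}")
```

Two design points matter more than the thresholds. The confirmation call must go to the number the bank already holds on file, never to a number supplied during the suspicious session, otherwise the scammer simply answers it. And the velocity rule aggregates across the window rather than checking each payment against the daily limit, which is precisely the check that sub-limit structuring is designed to evade.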
Earlier this month, 25-year-old Tammy Caruana was charged in connection with a €1 million fraud scheme in which she is alleged to have impersonated local banks to prey on some 200 victims.