Three victims of scam messages that led to fraudulent payments amounting to over €4,200 were found to have been negligent in their actions by clicking links and following instructions from criminals posing as BOV.

However, the Office of the Arbiter for Financial Services of Malta did not let the bank entirely off the hook, making it clear that it should “do more” to make its customers aware of the pervasive scam and pay closer attention to suspicious transactions.

It therefore ordered the bank to pay 20 per cent of the amounts stolen in each case as partial compensation.

The three cases occurred between October 2023 and January 2024.

One case (ASF-033-2024) bears recounting for the implication of the decision on banking institutions that may face similar circumstances, and may adopt a more cautious approach whenever a transaction requires manual intervention

In this case, the victim received a fraudulent message asking him to access a link from the same number usually used by the bank for legitimate communication.

The link led him to a fake clone of the BOV website, where after being invited to submit his user ID, he was given step-by-step instructions to input a code into his mobile app to generate a digital signature, which he then submitted to the fake website.

A message informing him that a payment of £1,990 (€2,382.66) had been authorised from his account was only received around seven hours later, at which point he contacted the bank and the police to report the case.

The victim complained that BOV had never informed him that scammers were able to use the same mobile number used by the bank – a number he felt could be trusted. He also argued that had the message informing him of the transaction been sent in a more timely fashion, he could have reported the scam immediately.

BOV strongly rebutted the argument about its failure to inform clients about scam messages using its number, and pointed to a series of public information campaigns and direct messages that warned of this danger.

Regarding the delay in sending an SMS confirming the transaction, BOV testified that the scammer made a mistake in inputting the BIC code. It was only after this issue was sorted that the payment went through and the message sent.

The Arbiter questioned whether the bank, when reviewing this mistake, should have picked up on suspicious circumstances: a transaction of a significant amount being sent to a foreign account on same day priority basis with the accompanying text: “Please make sure that help goes towards mother”

However, BOV stated that such texts often only make sense to the parties involved, and in any case, “once you have signed [off on the transaction], it is like signing a cheque – our obligation is to process the payment.”

The Arbiter was not convinced, pointing out that once the mistake in the BIC code required manual intervention on the part of the bank, it should have recognised the suspicious nature of the transaction outlined above.

“These indications are not conclusive [evidence of fraud] but were similar to other fraudulent payments that the bank had seen,” it said, arguing that they should have made the bank realise [xegħlu bozza] that the payment should be referred back to the complainant.

For this reason, it ordered the bank to pay 20 per cent of the sum as partial compensation.

The decision is one of a pair that led the Arbiter to the same conclusion, with an identical justification for the order to pay 20 per cent as partial justification. The other (ASF-039-2024) was similar in that it required manual intervention, which the Arbiter felt should have resulted in the realisation that a same day priority payment of €1,300 to a French account with the text ‘HAPPY BIRTH DAY’ may be suspicious.

However, in this case, the recall by BOV proved largely successful, resulting in a total of €1,000.04 being returned to the victim’s account.