Fraudulent Payments
In Case ASF 050/2024, a customer of Bank of Valletta (BOV) lodged a complaint with the Arbiter for Financial Services concerning a payment of €12,345 from the customer’s bank account made without her authorisation. The customer received emails, allegedly from the bank, asking her to verify her signature through a link in the email, which led to a website resembling that of BOV. Once the customer had accessed this website, a fraudulent payment appears to have been made from her savings account to the fraudster’s bank account in Portugal. To avoid arousing suspicion under the bank’s monitoring practices, the fraudster listed a local address for the beneficiary of the payment.
The Arbiter concluded by allocating 70% of the responsibility for the scam to the customer of the bank on grounds of gross negligence. The decision notes that the fraudulent email was not received through the bank’s regular channels and that the customer continued cooperating with the fraudster by inputting financial details online. The Arbiter also considered the customer’s familiarity with online payments and therefore her ability to recognise the unusual scenario of the scam.
The bank was allocated only 30% of the overall responsibility, considering that it could have flagged the anomaly of a payment made on a ‘same day’ basis from a savings account which is not usually used for such payments. The Arbiter also noted that the bank could have notified the customer of the payment, given the amount withdrawn, particularly since notifications were issued for smaller payments from the same account.
Implications for Banks
This decision was issued in line with a previously published model for allocating liability in similar cases. In 2024 alone, 10 decisions were issued by the OAFS in very similar bank scam situations involving BOV. The Arbiter has identified common factors between these cases. The similarities include payments kept below €5,000 to avoid exceeding the daily limits, and the use of links for validation or authentication purposes to which customers fall victim despite warnings issued by banks and regulators. In most cases, a dispute arises between the bank and the customer concerning responsibility for the unauthorised fraudulent payments.
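The signals the Arbiter faults the bank for missing in Case ASF 050/2024 (a same-day transfer out of a savings account, a beneficiary with a local address but a foreign bank, no notification although smaller payments were notified) and the sub-€5,000 pattern common to the 2024 decisions can be expressed as transaction-monitoring rules. The following is an added illustration, not code from the decision or from any bank; the 7-day aggregation window, the field names and the sample payments are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

LIMIT_EUR = 5000.0  # assumed per-payment limit; the decisions note payments kept below EUR 5,000
AGGREGATION_WINDOW = timedelta(days=7)  # assumed look-back for repeated sub-limit payments

@dataclass
class Payment:
    day: date
    source_account: str            # "savings" or "current"
    amount: float                  # EUR
    same_day: bool                 # executed as a same-day transfer
    beneficiary_id: str
    beneficiary_address_country: str
    beneficiary_bank_country: str
    notified: bool                 # was the customer notified of this payment?

def review_payment(p: Payment, history: list[Payment]) -> list[str]:
    """Return the monitoring flags raised for payment p, given the account's
    earlier outbound payments. An empty list means no anomaly was detected."""
    flags = []
    if p.source_account == "savings" and p.same_day:
        flags.append("same-day outbound transfer from a savings account")
    if p.beneficiary_address_country != p.beneficiary_bank_country:
        flags.append("beneficiary address country differs from beneficiary bank country")
    if not p.notified and any(h.notified and h.amount < p.amount for h in history):
        flags.append("no customer notification although smaller payments were notified")
    recent = [h for h in history
              if h.beneficiary_id == p.beneficiary_id and p.day - h.day < AGGREGATION_WINDOW]
    if p.amount < LIMIT_EUR and p.amount + sum(h.amount for h in recent) >= LIMIT_EUR:
        flags.append("repeated sub-limit payments to one beneficiary exceed the limit in aggregate")
    return flags

# Constructed sample data (not taken from the decision): two small notified
# payments, then a large same-day transfer to a beneficiary whose stated
# address is in Malta but whose bank is in Portugal, with no notification.
HISTORY = [
    Payment(date(2024, 3, 1), "savings", 250.0, False, "B1", "MT", "MT", True),
    Payment(date(2024, 3, 5), "savings", 400.0, False, "B1", "MT", "MT", True),
]
SUSPECT = Payment(date(2024, 3, 10), "savings", 12345.0, True, "B2", "MT", "PT", False)

if __name__ == "__main__":
    for flag in review_payment(SUSPECT, HISTORY):
        print("FLAG:", flag)
```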
These decisions shed light on how responsibility for cybersecurity breaches is treated locally. The allocation of liability makes it evident that customers and users of online services bear most of the responsibility when carrying out transactions and providing sensitive information, including financial information. In the decisions issued in 2024, the percentage of liability allocated to banks ranges between 20% and 40%, reflecting the consistent approach taken by the Arbiter.
However, banks are not excluded from responsibility for such scams, and the importance of awareness campaigns by banks warning customers of scams and fraudulent emails is emphasised. Social media and website postings are not sufficient according to the Arbiter, and businesses must take a step further by reaching out to customers through direct communication.
Tips for Businesses
Enabling two-factor authentication, implementing encryption methods and ensuring systems and software are updated are just some practices that businesses can adopt to provide a secure service to their clients. On the other hand, daily practices include checking domain names, email addresses and recipient details before disclosing confidential information or carrying out financial transactions.
The Arbiter in this case, in fact, recommended to the Malta Financial Services Authority (MFSA) and the Central Bank of Malta, as regulators, the implementation of systems allowing customers to make payments from savings accounts to their own current accounts only. Ensuring such practices are in place may favour the business by tilting liability further away from the business and towards the user.
How we can help
Our firm has handled multiple instances of cybersecurity breaches, including assisting clients with complex cross-border cybersecurity incidents on a local and international level in recovering funds transferred during hacking cases.
Reach out to us to understand how you can protect your business and enhance your cybersecurity capabilities.