Unsolicited SMSs, emails or WhatsApp messages requesting sensitive information such as logins and passwords for online banking platforms should never be answered, even if they seem 100% genuine. The warning follows figures showing that, over the last two years in Malta, more than 1,000 people fell victim to such scams, losing a combined €20.8 million. Some of the victims, however, managed to recoup their funds after seeking redress through the Office of the Arbiter for Financial Services.

Details on the proliferation of fraudulent practices targeting online platforms were published in the Arbiter's 2023 annual report. The sharp increase in this criminal activity prompted the Office to devise a model for allocating responsibility between the victims (Payment Service Users) and financial institutions such as banks (Payment Service Providers).

Under this model, victims who were defrauded through "unquestionable gross negligence on their part" had their request for a refund turned down. Where the case was not clear-cut, the request was partially upheld or the victim was even refunded the full amount.

In his report the arbiter cited a case in which the complainant was defrauded of €19,150 through two fraudulent transactions. The provider offered a refund of 66% of the amount, but the complainant was not satisfied. The service provider insisted that the victim was partly to blame, as the login and password should never have been disclosed.

In this case the fraudster managed to move the money out by installing the banking application on another device. The provider only contacted the victim after five transactions had been carried out, three of which were reversed. It subsequently introduced tighter controls on the procedure for installing the application on additional devices and reduced the daily transfer limit from €25,000 to €5,000. The arbiter remarked that the service provider "remained indifferent" even when it was aware that several clients had suffered fraud attacks, and did little to protect them. Moreover, the action taken afterwards indicated that it had acknowledged that its systems had failed.

Though the arbiter acknowledged that the victim's decision to disclose the login and password constituted gross negligence, other factors were also considered. Because the fraudster used the same SMS channel that the provider itself used to contact customers, the blame was initially split 50% on each side. Furthermore, the victim was abroad at the time of the fraud but in regular contact with the provider about a home loan application, which made the fraudulent SMS look even more genuine. This shifted the responsibility to 70% on the bank.

Another consideration that played in the victim's favour was that no such transactions had been made from the account in the previous 12 months. According to the arbiter, this should have set off alarm bells immediately after the first payment, since a transaction of that kind looked suspicious against the account's history. On this basis, and because he also considered the bank's systems to be deficient, the arbiter found sufficient grounds for a full 100% refund. The decision has been appealed.

In his recommendations the arbiter called on banks to restrict the apps that generate authentication codes to a single device and to adopt stricter verification procedures when registering new devices.
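The controls the arbiter's reasoning points to (a hold on the first outgoing transfer after a long dormant period, scrutiny of recently enrolled devices, a €5,000 daily cap and a velocity check) can be expressed as a small transaction-risk rule set. The code below is an added illustration written for this article; it is not the report's text, nor any bank's actual system. The device and transfer records, the 24-hour cooling-off period for new devices, the one-hour velocity window and the limit of three transfers in that window are assumptions chosen for the example; the €5,000 daily limit and the 12-month dormancy window come from the report. The sample account history is constructed to mirror the case described above: a dormant account, a second device enrolled shortly before the fraud, and two large transfers in quick succession.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple

DAILY_LIMIT_EUR = 5_000                        # reduced limit cited in the report
DORMANCY_WINDOW = timedelta(days=365)          # "no such transactions in 12 months"
NEW_DEVICE_COOLING_OFF = timedelta(hours=24)   # assumption for this example
VELOCITY_WINDOW = timedelta(hours=1)           # assumption for this example
VELOCITY_MAX = 3                               # assumption for this example


@dataclass
class Device:
    device_id: str
    enrolled_at: datetime
    verified_out_of_band: bool   # enrolment confirmed by a channel other than SMS/app


@dataclass
class Transfer:
    amount_eur: float
    at: datetime
    device_id: str
    payee: str


@dataclass
class Account:
    devices: List[Device] = field(default_factory=list)
    history: List[Transfer] = field(default_factory=list)   # executed transfers only


def evaluate(account: Account, tx: Transfer) -> Tuple[str, List[str]]:
    """Return ("allow" | "hold" | "deny", reasons) for a proposed transfer.

    "hold" means the transfer waits for out-of-band confirmation with the
    customer; "deny" is a hard stop.
    """
    reasons: List[str] = []
    device = next((d for d in account.devices if d.device_id == tx.device_id), None)
    if device is None:
        return "deny", ["unknown device"]          # must go through enrolment first
    if not device.verified_out_of_band:
        reasons.append("device enrolment not verified out of band")
    if tx.at - device.enrolled_at < NEW_DEVICE_COOLING_OFF:
        reasons.append("device enrolled less than 24h ago")

    # Dormancy rule: any outgoing transfer in the last 12 months?
    recent = [t for t in account.history if tx.at - DORMANCY_WINDOW <= t.at < tx.at]
    if not recent:
        reasons.append("first outgoing transfer in 12 months")

    # Daily cap is a hard limit regardless of other signals.
    today = [t for t in account.history if t.at.date() == tx.at.date()]
    if sum(t.amount_eur for t in today) + tx.amount_eur > DAILY_LIMIT_EUR:
        return "deny", reasons + ["daily limit exceeded"]

    # Velocity rule: too many transfers inside the window.
    burst = [t for t in account.history if tx.at - VELOCITY_WINDOW <= t.at < tx.at]
    if len(burst) + 1 > VELOCITY_MAX:
        reasons.append("transfer velocity")

    return ("hold", reasons) if reasons else ("allow", [])


def run(account: Account, attempts: List[Transfer]) -> List[str]:
    """Evaluate attempts in order; only allowed transfers enter the history."""
    decisions = []
    for tx in attempts:
        decision, _ = evaluate(account, tx)
        decisions.append(decision)
        if decision == "allow":
            account.history.append(tx)
    return decisions


NOW = datetime(2023, 6, 1, 10, 0)   # constructed reference time


def build_fraud_case() -> Tuple[Account, List[Transfer]]:
    """Constructed scenario modelled on the case in the report."""
    old_phone = Device("phone-old", NOW - timedelta(days=900), True)
    new_phone = Device("phone-new", NOW - timedelta(hours=1), False)   # fraudster's device
    acct = Account(devices=[old_phone, new_phone],
                   history=[Transfer(300.0, NOW - timedelta(days=420), "phone-old", "utility")])
    attempts = [Transfer(4_800.0, NOW, "phone-new", "mule-1"),
                Transfer(4_800.0, NOW + timedelta(minutes=5), "phone-new", "mule-2")]
    return acct, attempts


def build_legit_case() -> Tuple[Account, List[Transfer]]:
    """Constructed scenario: active account, long-enrolled verified device."""
    phone = Device("phone-old", NOW - timedelta(days=900), True)
    acct = Account(devices=[phone],
                   history=[Transfer(900.0, NOW - timedelta(days=60), "phone-old", "rent"),
                            Transfer(900.0, NOW - timedelta(days=30), "phone-old", "rent")])
    attempts = [Transfer(4_500.0, NOW, "phone-old", "rent"),
                Transfer(1_000.0, NOW + timedelta(minutes=10), "phone-old", "shop")]
    return acct, attempts


if __name__ == "__main__":
    print("fraud case:", run(*build_fraud_case()))    # ['hold', 'hold']
    print("legit case:", run(*build_legit_case()))    # ['allow', 'deny']
```

In the constructed fraud scenario the very first transfer is held on three independent signals (unverified device, device enrolled an hour earlier, no outgoing transfer in the past year), which is the point the arbiter made about the first payment. In the legitimate scenario the first transfer passes and the second is stopped only by the daily cap; a real deployment would tune the window sizes and add payee history, but the structure of the decision is the same.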