Scams: Don't stay silent!

Have you been a victim of a text message scam? Here’s what you need to know

A typical text message scam involves fraudsters sending an SMS to your phone, pretending to be from your bank or another trusted organisation. These messages often contain a link that, when clicked, takes you to a fake website designed to steal your personal and financial information. If you think you have fallen victim to such a scam, acting and complaining to your bank is essential.  Your bank is required to investigate your complaint. If you do not receive a response or you are not satisfied with the bank’s reply, you may then complain to the Office of the Arbiter for Financial Services.

The Office of the Arbiter for Financial Services has released a model for allocating responsibility between Payment Service Providers (PSPs, such as banks or payment institutions) and Payment Services Users (PSUs, or customers) in cases of text message scams, or smishing. The aim is to ensure fairness, consistency, transparency, and objectivity in the complaints process for all parties involved.


Understanding the model

The model outlines a number of considerations that help determine if a customer has been grossly negligent. This is important because if a bank can prove gross negligence on the part of the customer, they can refuse to fully reimburse the customer under the Payment Services Directive (PSD2). PSD2 is a law in the European Union that protects consumers when they make payments through their bank or online

The allocation of responsibility between the bank and the customer depends on various factors, such as the level of negligence, the involvement of the customer in the scam, and any direct warnings received from the bank.

It is important to note that the model does not guarantee full compensation for the customer, as each case is evaluated on its own merits.  The model is not rigid and allows for flexibility in specific cases that require particular appreciation.

For example, if the customer is found to be grossly negligent, it could be held 100% responsible. However, this could be reduced if the fraudster used normal channels of communication used by the bank, giving the impression of a genuine communication. Other factors that could affect the allocation of responsibility include whether the customer actively participated in the fraud beyond disclosure of credentials, whether the bank had notified the customer to beware of such scams, and whether there were special circumstances or unusual payment patterns.


Applying the model

The Arbiter has used the model to make decisions in several cases. You can find these decisions on our website under “Arbiter's Decisions”. To help you understand how the model is applied and how each complaint’s unique circumstances are taken into account, we have provided summaries of two decisions below. We will be adding more case summaries in the future.

Case summary 1 – Careful which links to click

The complaint (ASF 036/2023) involves a fraudulent payment made from the complainant’s account with a bank. The complainant alleged that a fraudulent party penetrated the bank’s communication channel, typically used for SMS or email communication, and sent a link for account validation or re-authentication. The complainant clicked the link leading to a fraudulent transfer of funds to a bank account in a Baltic country, making it nearly impossible to recall the funds.

The complainant argued that the bank failed to protect him when the communication channel was penetrated by the fraudster and that the bank should have been aware that the payment was fraudulent as the complainant had no history of such payments. The bank, on the other hand, maintained that the complainant is entirely at fault for negligently providing the fraudster with access to his account credentials, thereby facilitating the fraud.

In this particular case, the complainant received a fraudulent message on his mobile via SMS, where he usually receives notifications from the bank. Believing the message to be genuine, he clicked the link and entered a website that he thought was the bank’s as it appeared identical. The bank insists that the payment could only have been made using the app, which was only on the complainant’s mobile, and therefore, he must have followed all the fraudster’s instructions, entering the details for a payment of €3,259.

During the hearings, both parties maintained their positions as explained in the complaint and the bank’s response. The bank argued that it was fully compliant with the Payment Services Directive 2 (PSD 2) and the Banking Directive 1, issued by the Central Bank of Malta, and had a robust system fully compliant with the two-factor authentication provisions of the PSD 2

The Arbiter examined the details of the case, including the fraudulent message received by the complainant, the actions taken by the complainant upon receiving the message, and the bank’s response. The Arbiter then applied a model to determine the responsibility between the complainant and the bank. The model considered factors such as the complainant’s gross negligence, the bank’s communication channel, and the circumstances of the case.

In this case, the Arbiter decided that the complainant showed gross negligence, initially allocating 100% of the claim to him. However, the Arbiter reduced this by 50% because the fraudulent message was received on a channel usually used by the bank. The Arbiter increased the complainant’s allocation by 30% because he fully cooperated with the fraudsters in making the payment.

In conclusion, the Arbiter decided that the responsibility for the fraudulent payment was shared between the complainant and the bank, with the bank bearing 20% of the responsibility and the complainant bearing 80% of the responsibility.

As a result, the arbiter ordered the Bank to pay the complainant €651.80, which is 20% of the total amount lost.

Case summary 2 – SMS spoofing fraud

In another case (ASF 040/2023) the complainant received a fraudulent message via SMS, which he believed was from the bank. He clicked on a link in the message, which led him to a website that appeared identical to the bank’s. Following the instructions given, he made a payment of €4,250 to a bank account in Lithuania. The payment was made on a ‘same day’ basis, and the beneficiary was falsely indicated to have an address in Malta. The complainant reported the fraud to the bank more than 24 hours later, and a recall was attempted but was unsuccessful. The complainant sought a refund of the amount lost, €4,250, and an additional €28 in expenses.

During the hearings, the complainant blamed the bank for allowing the fraudster to penetrate the SMS channel and for not noticing that the payment was fraudulent. On the other hand, the bank maintained that it was fully compliant with the law and that the complainant was entirely to blame for the fraud due to gross negligence.

The Arbiter consulted with a security expert from the Malta Communications Authority to understand the technological intricacies of the fraud. It was revealed that this type of fraud, known as spoofing and smishing, does not allow the bank to take any precautions except for issuing adequate warnings to customers.

In the final decision, the Arbiter decided that the responsibility for the fraud should be shared between the bank and the defrauded client.

In this case, the Arbiter found that the client was 60% at fault for the fraud, while the bank was 40% at fault. The complainant’s fault percentage was increased due to his full cooperation in making the fraudulent payment. Still, it was reduced because he had not received a direct warning from the bank about such fraudulent schemes in the months before the case and because he had not made similar online payments in the past.

Therefore, the bank was ordered to pay the complainant 40% of the fraudulent payment, amounting to €1,700, within five working days from the date of the decision.


Click here for detailed technical notes describing the model (opens in another window).


Complaining with your bank

If you believe you have been a victim of a smishing scam, it’s important that you submit a complaint with your bank in writing by following their respective complaints procedure, which can be found on their website. You may also call your bank for further information about their complaint procedure.

When submitting a complaint, you should provide the following information and documents:

  1.  A detailed description of the scam, including the date and time it occurred.
  2. Any text messages, emails, or other communications you received from the fraudsters.
  3. Evidence of any financial losses you have suffered as a result of the scam.
  4. Details of any previous similar incidents or warnings you have received from your bank.

Keep a copy of your complaint and documents, as you may need them if you decide to submit a complaint with the Arbiter for Financial Services at a later stage.


Submitting a complaint with the Arbiter

Before you submit a complaint to the Arbiter, you must allow the bank to look into your complaint. If the bank does not reply within 15 working days of receiving your complaint, or you disagree with its finding, you may then submit a complaint with the Arbiter.  

Please remember that the Office of the Arbiter can only accept complaints against banks and other financial institutions that are authorised by the Malta Financial Services Authority (MFSA), the financial regulator in Malta. We can only provide limited assistance if your bank or financial institution is authorised in another EU country.

Explore our website for further information. We’re also a phonecall or a WhatsApp message away.


Taking action is essential

Doing nothing is not a solution. If you have fallen victim to a smishing scam, it’s important to take action by reporting the incident to your bank and following their advice on how to protect yourself from further fraud. By complaining, you can help improve the security measures in place and contribute to a safer financial environment for all consumers.

Remember, it’s essential to stay vigilant and be cautious when receiving unsolicited messages or requests for personal information. Always verify the authenticity of any communication you receive, and never click on suspicious links or provide sensitive information before confirming that the requests are genuine.