Maltese Smishing Ring Busted: What New Bank Security Means for You

The Malta Police Cyber Crime Unit has cracked open a €1 million smishing ring, a development that could reshape how every Maltese resident authenticates online payments.

Why This Matters

• 200 local victims identified – police believe the real figure is higher and are urging fresh reports.

• Stronger bank verification incoming – BOV and APS are accelerating multi-factor roll-outs after the breach.

• Europol now involved – international warrants mean recovery of funds might finally be possible.

• Fraud losses can be shared – under recent Arbiter decisions, customers may still bear up to 70 % of the hit if they clicked the link.

How the Scam Worked

Investigators say the fraudsters combined caller-ID spoofing with polished customer-care patter in fluent Maltese. A victim would receive a text that looked as if it came from Bank of Valletta. Seconds later, a woman using aliases such as Rachel or Sarah rang from a number differing by one digit from the bank’s helpline. She claimed an “urgent” outgoing transfer had been blocked and sent an SMS link to a fake BOV or APS login page. Once the target typed in the first-time and second-time signatures, the criminals drained up to €4,999 per hit—small enough to duck automatic alarms but large enough to hurt.

The Investigation: From Anonymous Email to Europol Raid

An encrypted ProtonMail message landed in police inboxes on 25 August 2025. It listed the suspected caller’s real name—Tammy Caruana, then 24—her love of cryptocurrency, and screenshots of a spoofing app that generated hexcodes mimicking bank security tokens. Digital forensics linked those codes to 213 fraudulent transfers.

Fast-forward six months: armed with Europol intelligence, Maltese officers arrested Caruana in Valletta on 2 February 2026 and seized €8,000 in cash, two BMWs, and nine electronic devices. A simultaneous Garda raid in Ireland collected matching laptops that pointed to a wider UK-Irish syndicate funneling proceeds into Ethereum and Bitcoin wallets.

Banks Under the Microscope

The episode has reignited debate over how far local banks must go to block social-engineering fraud. BOV insists its mobile app already requires biometric confirmation and never embeds links in texts, yet cybersecurity consultants say sender-ID spoofing still lets crooks hijack legitimate SMS threads. APS Bank has begun migrating critical alerts from SMS to its secure in-app mailbox, while Revolut Malta now forces a selfie check before any device change.

According to the Crime Malta Observatory, overall fraud cases jumped 1,396 % between 2004 and 2024, with digital scams now outpacing pick-pocketing on the islands.

What This Means for Residents

Expect new authentication hurdles. Over the coming quarter, BOV and APS customers will see mandatory biometric or device-binding prompts for all transfers above €1,000.

Partial refunds only. The Office of the Arbiter for Financial Services usually splits losses; customers judged “grossly negligent” still lose up to 70 % of stolen funds.

Possible tax angles. Any recovered money counts as restitution, not income, so it is non-taxable under Maltese law—useful for victims filing their 2025 returns.

Community vigilance. Police are circulating the spoof numbers on local councils’ Facebook pages; adding them as blocked contacts can pre-empt fresh calls.

Expert Advice to Stay Safe

Cyber-security lecturer Dr Isabel Fenech at the University of Malta summarizes the defensive playbook:

• Ignore urgency – legitimate banks never give 30-second deadlines.

• Use only the official app – type the URL manually; never tap links.

• Activate push notifications – an unexpected debit alert is often the first red flag.

• Report instantly – early notice lets banks invoke chargeback rules within minutes.Malta’s National Cybersecurity Strategy 2023-2026 also promises a public awareness blitz, including Viber stickers that warn, “Taf min qed jċempel?”.

Next Steps in Court

Magistrate Lara Lanfranco is weighing bail for Caruana, who pleads not guilty to money-laundering, fraud, and membership in an organised crime group. A separate arrest warrant for an 82-year-old associate remains under seal.

If convicted, Caruana faces up to 18 years in prison and confiscation of all crypto gains—funds that authorities hope can be traced on-chain and returned to Maltese victims.