In May 2025, a victim named Rita was targeted by a highly coordinated attack that combined ‘smishing’ (fraudulent SMS) with ‘spoofing’ (impersonating a trusted phone number). The scam began when Rita received a text message on her mobile phone that appeared in the exact same message thread as her previous, legitimate bank notifications. This gave her the immediate impression that the alert, which claimed there was ‘unusual and suspicious activity’ on her account, was an official warning from her bank.
Minutes after receiving the text, Rita’s phone rang. The caller ID displayed the bank’s official customer service number, and the person on the other end spoke fluent Maltese. This individual, posing as a bank representative, demonstrated a deep knowledge of banking procedures and even referenced specific account types to gain Rita’s confidence. He informed her that the bank’s system was flagging several large scheduled payments that were about to be processed. To ‘save’ her money, he insisted that Rita had to take urgent action to cancel these unauthorised transactions immediately.
While keeping Rita on the phone, the scammer sent another SMS containing a link to a website. He instructed her to click the link, enter her User ID, and follow the prompts for a ‘new authentication process.’ To keep her from questioning the process, the caller provided a fake incident reference number and kept her on hold for several minutes, pretending to be working on her behalf to stop the fraudulent payments. Despite general public warnings never to click links in SMS messages, the combination of the spoofed caller ID and the professional tone of the caller convinced Rita to comply.
Once Rita entered her credentials, the fraudsters gained full access to her account. Throughout the day, they moved nearly €4,000 out of her balance by making a series of consecutive payments, each kept just under €1,000 to avoid triggering certain automatic security thresholds. The theft was only halted when Rita contacted her actual bank to follow up. The bank’s security team managed to intercept and block one of the final payments, but the majority of the funds had already been transferred into accounts controlled by the scammers.
Warning signs and red flags:
- Official bank notifications will never include a clickable link that directs you to a login or authentication page.
- Scammers have the technical ability to make their text messages appear in the same thread as your real bank's messages, and their phone calls appear to come from your bank's real number.
- A request for immediate and urgent action to stop a payment is a psychological tactic used to prevent you from thinking clearly.
- Authentic bank representatives will never ask you to divulge your password or User ID during an unsolicited phone call.
- Fraudsters often use technical terminology to create a false sense of legitimacy and professional authority.
- Any request to re-authenticate or re-validate your account via a link received in a message is a sign of a phishing attempt.
Disclaimer: This account is based on a real-life case investigated by the authorities. While the events and figures described are factual, names have been changed to protect the privacy of the individuals involved.