The silent threat: Understanding the increasing cybersecurity concerns and fraud impact for businesses

In an increasingly digital world, cybercriminals are constantly evolving their tactics and developing sophisticated methods to deceive individuals and businesses. They target everyone, including small and medium-sized businesses (SMEs), professionals, and suppliers. No one is safe from their attacks.

Cybersecurity is one of Bank of Valletta’s top priorities and as part of its efforts to strengthen cybersecurity awareness among businesses, the Bank recently hosted its first-ever event for the business community, focusing on cyber threats and related security measures. The event aimed to inform business leaders of prevalent cyber risks, providing insight into the latest trends in cybercrime and offering practical strategies to safeguard sensitive information.

One major concern for modern businesses is Business Email Compromise (BEC) fraud – a silent threat which is affecting many firms and resulting in significant financial losses. According to BOV’s data, BEC fraud, also known as a man-in-the-middle attack, led to €1.5 million being defrauded from victims in 2024 alone, with 23 incidents reported to the Bank. Fraudsters in these cases are becoming increasingly sophisticated, making it harder for banks to intercept and return money to clients. Moreover, going by the first quarter of the year, these attacks are becoming even more frequent, and the value being defrauded is also increasing.

Businesses must remain vigilant when communicating by email, as BEC is a growing threat. It occurs when cybercriminals intercept communication between two parties and manipulate payment information. These attackers monitor email traffic for weeks and often strike just before significant payments are due, sometimes hiding their activities by forwarding emails to themselves. In many cases, banks have observed that cybercriminals intercept emails containing invoices in order to be able to change the payment instructions and IBANs and redirect the payments to their own accounts. This is especially concerning for businesses that might be tricked by scams that mimic their usual practices.

Tips to prevent businesses from falling victim to BEC fraud:

  1. Confirm and Verify Requests: Always confirm email requests for fund transfers by contacting the requestor directly via phone prior to making the payment. Pay special attention to transfers requested to IBANs that are new or different from those previously used with the same supplier and/or business partner.
  2. Verify IBAN Numbers: When dealing with a local business, always verify the legitimacy of any foreign IBAN provided and/or whether the IBAN makes sense for the business partner you are working with.
  3. Protect Sensitive Information: Never provide sensitive information such as login credentials, card numbers, two-factor authentication codes, and PINs.
  4. Verify Email Addresses: Check that email addresses are the same ones that you usually communicate with, and look for any minor changes, such as added symbols in the same email address.
  5. Communicate Quickly: Act swiftly when fraud or security incidents occur. Notify the bank and the police immediately if BEC fraud is suspected.
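
The checks in tips 1, 2 and 4 can be run as a pre-payment gate before an invoice is approved. The following is an added example, not Bank of Valletta's own code: the supplier record, the addresses, the function names and the 0.85 similarity threshold are assumptions made for illustration, and the IBANs are sample values rather than real accounts.

```python
import difflib

# Constructed supplier record (hypothetical): details confirmed by phone and kept on file.
ON_FILE = {"iban": "MT84MALT011000012345MTLCAST001S",   # sample IBAN, not a real account
           "email": "accounts@supplier.example", "country": "MT"}

def iban_valid(iban):
    """ISO 13616 check: move the first 4 chars to the end, map A-Z to 10-35, mod 97 == 1."""
    s = iban.replace(" ", "").upper()
    if len(s) < 15 or not (s.isascii() and s.isalnum()):
        return False
    return int("".join(str(int(c, 36)) for c in s[4:] + s[:4])) % 97 == 1

def skeleton(domain):
    """Fold digit-for-letter swaps and drop added symbols so lookalikes collapse together."""
    folded = domain.lower().translate(str.maketrans("0135", "oles"))
    return "".join(c for c in folded if c.isalnum())

def sender_flag(sender, expected):
    """Compare the sender address with the one on file; None means an exact match."""
    got, want = sender.strip().lower(), expected.lower()
    if got == want:
        return None
    got_dom, want_dom = got.rpartition("@")[2], want.rpartition("@")[2]
    if got_dom == want_dom:
        return "sender mailbox differs from the one on file"
    close = difflib.SequenceMatcher(None, got_dom, want_dom).ratio() >= 0.85
    if skeleton(got_dom) == skeleton(want_dom) or close:
        return "sender domain is a lookalike of the one on file"
    return "sender domain differs from the one on file"

def review_payment_request(sender, iban):
    """Return the reasons to phone the supplier on a known number before paying."""
    flags = []
    iban = iban.replace(" ", "").upper()
    if not iban_valid(iban):
        flags.append("IBAN fails the mod-97 check")
    elif iban != ON_FILE["iban"]:
        flags.append("IBAN differs from the one previously used")
        if iban[:2] != ON_FILE["country"]:
            flags.append("foreign IBAN for a local supplier")
    reason = sender_flag(sender, ON_FILE["email"])
    if reason:
        flags.append(reason)
    return flags

if __name__ == "__main__":
    # Constructed request: lookalike sender domain and a changed, foreign sample IBAN.
    for flag in review_payment_request("accounts@supp1ier.example", "GB82WEST12345698765432"):
        print("HOLD:", flag)
```

An empty result only means nothing differs from the record on file; a request sent from the supplier's genuine but compromised mailbox passes the sender check, so the phone confirmation in tip 1 still applies.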

Cyber fraud threats: A growing concern for businesses

Despite the rigorous security measures implemented by banks and financial institutions, fraudsters still find ways to deceive customers. Often, these criminals impersonate legitimate bank representatives and employ various methods to make their impersonation attempts seem credible, communicating through emails, phone calls, or social media. Their objective is to obtain sensitive information to gain access to personal or business accounts.

Common techniques used in bank impersonation scams

In cybersecurity, there are three core principles that serve as the foundation for data protection: confidentiality, integrity, and availability. For cybercriminals, businesses’ digital assets resemble a digital vault filled with valuable treasures, including customer security credentials, technical data, and financial information, among others. Their objective is to breach this vault, which can lead to financial losses, reputational damage, business disruptions, and regulatory fines. Cybercriminals may apply several techniques, such as phishing emails, phoney bank phone calls, and fake accounts. Among many evolving tactics, these are some common bank impersonation scams.

Cybercriminals may also employ malware or phishing techniques to obtain unauthorised access to online banking credentials. Sometimes they also design fake internet banking sites that mimic legitimate ones in appearance but differ in minor details, such as incorrect URLs (b0v.com instead of bov.com).

How to avoid falling into the digital trap

To identify fraudulent communications, businesses should watch out for the following red flags: urgency of messages, threats, unusual tone or wording, unexpected requests for sensitive information, suspicious links or attachments and phone calls from unrecognised numbers.

There are several strategies that can be implemented to mitigate risks. These include strengthening password security by avoiding the reuse of passwords across multiple accounts and using passphrases instead of short passwords. A longer, memorable phrase is harder to crack. Additionally, enabling two-factor authentication adds an extra layer of security by requiring two forms of verification.

Always verify communications with the bank before responding. For businesses, conducting fraud awareness training for their employees is essential.

Every online interaction leaves a digital footprint that cybercriminals can use to target businesses. To minimise risks, it is advisable to limit the amount of personal information shared online by employees.

It is important for individuals to always verify URLs and confirm the legitimacy of website links before clicking on them. Fraudulent messages often contain subtle misspellings or mimic familiar domain names. Customers should never disclose their account number, card number, user IDs, passwords, CVV number, PIN number, or one-time login passwords. Banks will never ask for personal details over the phone. Businesses are also encouraged to use spam filters, set up transaction alerts, and utilise biometric authentication for further protection.

Cybersecurity is a shared responsibility between financial institutions and their customers. While banks will continue investing in strong security infrastructures, customers must remain cautious, informed and proactive in protecting their digital financial assets. One rule remains unchanged: Prevention is always better than cure.

Bank of Valletta urges anyone who suspects that they may have fallen for a scam to report it by calling +356 2131 2020.

Issued by Bank of Valletta p.l.c., 58, Triq San Żakkarija, Il-Belt Valletta VLT 1130. Bank of Valletta p.l.c. is a public limited company regulated by the MFSA and is licensed to carry out the business of banking in terms of the Banking Act (Cap. 371 of the Laws of Malta).
