Scammed in Malta: move first, think clearly, get your money back

From fake bank texts to courier links and “guaranteed” crypto, online scams have gone mainstream in Malta. If you’ve clicked, paid or shared details, don’t spiral. Act with intent. This is MONEY’s playbook for your first hour, who to call, and how to build a case banks and investigators take seriously.

You notice the first red flag only after the second. The link in the message wasn’t your bank’s domain. The tone—shrill, officious—was unlike anything you’ve had from a real branch. Yet the page looked convincing, and your thumbs were faster than your scepticism. If money has moved, you’ll feel an urge to tidy up—delete the text, close the tab, bury the mistake. Resist it. This is the moment to act like an investigator, not a victim.

Your first hour—do this, in order:

• Freeze the payment path: lock the card in-app; if it’s a transfer, call your bank and say “suspected fraud—payment recall.”

• Secure the front door: change your email password first (from a clean device), then your banking passwords and anything that reuses the same password; switch on 2FA (Two-Factor Authentication).

• Capture everything: screenshots (SMS, sender ID, fake page, URL), IBAN or wallet, receipts, caller notes—don’t delete.

• Start the paper trail: log times, names, and case/reference numbers for bank, police, and regulator.

Now shift from damage control to due process. Online fraud is a crime in Malta; report it to the Police Cyber Crime Unit. If what snared you was a “platform” or anything that claimed to offer financial services—investments, trading signals, “account verification”—notify the MFSA’s consumer channels as well. This does two things at once: it strengthens your bank’s internal case file and it helps regulators flag patterns that catch the next victim before the hook lands. Where a trader is involved—goods that never arrive, a marketplace seller who evaporates—the MCCAA’s conciliation route is worth the effort; it’s more effective than arguing in a chat thread. And if you shared identity documents or customer data—yours or, if you run a business, anyone else’s—review the IDPC guidance on what happens next. For organisations with compromised mailboxes or systems, loop in CSIRTMalta/MITA early; they’re built for precisely this.

Refunds aren’t binary. Card fraud (unauthorised) is handled differently from an “authorised push payment” where you were manipulated into sending money. The line can be thin; your timeline and evidence make it thicker. Banks triage fast; a crisp file saves days of back-and-forth.

Make your case hard to refuse:

• One-page timeline: what happened, when you acted, amounts, where funds went, who you called.

• Evidence pack: statements (PDF), transaction IDs, URLs, email headers (.eml), wallet/IBAN, chat transcripts.

• Clear ask: card → chargeback (misrepresentation/non-delivery); transfer → recall (immediately).

Some scams in Malta keep the same rhythm. The smishing text threatens account closure unless you “verify now.” The remote-access call from a “support agent” who needs you to install a screen-sharing tool to fix a payment block. The marketplace buyer who “overpays” and begs for a partial refund to a new IBAN, saying the balance will clear “any moment.” The copycat platform is promising effortless returns and sprinkling EU-sounding acronyms like confetti. In each case, the counter-move is prosaic: slow down; use a channel you control. Type your bank’s URL yourself; call the number printed on your card, not the one texted to you; keep marketplace payments on-platform; verify licences on official registers before a single euro moves. When your stomach tells you it’s urgent, treat that feeling as a siren—not a green light.

Counter-moves that work:

• Type your bank’s URL yourself; never tap links in messages.

• Call numbers on your card/app, not in texts or emails.

• Keep marketplace payments on-platform; wait for cleared funds.

• Verify firms on official registers before a euro moves.

If you run a business, treat a successful scam as an incident, not an embarrassment. Quarantine the device used to click the link or install the tool; don’t keep working from a tainted mailbox. Rotate passwords for email, banking, cloud and admin consoles. If client data might be at risk—such as invoice threads or ID scans—document your assessment and notify the IDPC if required. Tell affected clients early and plainly; transparency protects them and your brand. If your domain or systems were used to phish others, CSIRTMalta/MITA can help coordinate the response and harden the weak points you’ve just discovered.

Later—after the calls and the paperwork—you’ll want to future-proof. The unglamorous basics work.

Two-hour hardening (today, not someday):

• Password manager + Two-factor Authentication on email, banking, socials, and cloud.

• Transaction alerts for every card and transfer.

• SIM-swap PIN/porting lock with your mobile provider.

• A low-limit “online card” for subscriptions and riskier buys.

• Update devices; remove saved cards from browsers; review who has access to shared drives.

• Monthly “pause & verify” drill at home or work.

Keep this to hand

The emotional sting fades. The lesson stays. You clicked because you’re human; you recovered because you acted. In Malta, the system can work for you—banks, police, regulators, consumer champions—if you give it clean facts, prompt calls and a paper trail. That’s how you stop the damage, tilt the odds of a refund, and make sure the same script misses the next person.

Scammed in Malta? Who to contact—now

Emergency (immediate danger): 112 • Textphone (hearing/speech impairment): 7977 0112

Police – Cyber Crime Unit (online fraud/scams): +356 2294 2231 • computer.crime@gov.mt

Police – General (non-emergency): +356 2122 4001 • pulizija@gov.mt

MFSA – Consumer Helpline (financial-services scams): +356 2144 1155

MCCAA – Consumer Helpline (refunds/conciliation with traders): 8007 4400 • Office: +356 2395 2000

IDPC – Data Protection (personal-data/GDPR issues): +356 2328 7100 • idpc.info@idpc.org.mt

CSIRTMalta / MITA (24/7 cyber-incident support): +356 2599 2777 • callcentre.mita@gov.mt

Your bank’s fraud line: Use the number in your banking app or on your card (ignore numbers in texts/links).