The Gaza surgeon, a teddy bear and the millions lost to online fraud

After meeting a man on Facebook who told her he was a surgeon in Gaza, 70-year-old Maria* thought she was having a mature conversation about life’s troubles.

The exchange soon shifted to email and quickly to Messenger, where the discussion became more intimate. Winning Maria’s confidence, the man asked for financial support to exit Gaza.

Given his story of resilience and suffering, Maria did not think twice. Over a six-month period, she made 39 bank transfers to accounts in Italy and Belgium. She withdrew cash from ATMs to send it over as instructed to addresses outside of Malta.

On one occasion, she was told by the man to stuff €8,000 in cash inside a teddy bear and post the parcel to Germany. It was stopped by German customs officials, who discovered the cash.

Maria ended up transferring in various forms a whopping €568,000 to the ‘Gaza surgeon’ in a typical case of romance fraud.

But the more than half a million-euro Maria was deceived into handing over is just a fraction of the €5.3 million lost to fraud this year, reported by clients of Bank of Valletta alone.

The figure, correct up to end of September, is almost double the total amount of money lost to fraud by BOV clients in 2024.

A fraction of reality

Ryan Caruana, BOV chief anti-financial crime officer and money laundering reporting officer, says that reported fraud is probably just a fraction of reality.

“Apart from the €5.3 million lost to fraud, BOV managed to stop an additional €2.2 million from being lost to fraudsters, but a lot of these crimes remain unreported because victims are either ashamed or fearful of what their partners or relatives would say,” Caruana says.

He sits down across a boardroom table at BOV’s head office in Santa Venera, for a briefing with journalists.

Next to Caruana is Mark Falzon, head of the bank’s Anti-Financial Crime Investigations, and Inspector Clive Brimmer who heads the police’s Online Fraud Financial Crime Investigations Department. The briefing is part of BOV’s continuous efforts to raise awareness about online investment scams, romance fraud, compromised business emails and other fraudulent activity that preys on human vulnerability.

“Fraudsters play on human psychology and there is no particular profile for victims; anyone is vulnerable to fraud—we have seen victims of all ages, with differing educational and social backgrounds,” Caruana says. He adds: “Fraudsters exploit human emotions, such as loneliness, a yearning to be loved, or a moment of vulnerability or a state of anxiety, to coax victims into unwittingly opening their wallets.”

Caruana says that €200 million a day are lost in online fraud alone across the EU and UK. The Nasdaq Global Financial Crime Report puts the overall yearly defrauded amount at an eyewatering €85 billion.

Fraud victims in denial

Inspector Brimmer says that defrauded amounts in cases filed with the police force between January and June totalled €8.3 million (150 cases).

“We’ve seen it all,” Brimmer says, emphasising that some victims of fraud remain in denial. In some cases, he adds, they even fall victim for a second time.

“We investigated a case where the victim had cut off communication with the fraudster on police instructions, only to be contacted three months later by the same person using a false email and this time mimicking an Interpol officer willing to help in the recovery of lost funds against a payment,” Brimmer says. The victim complied with the fake request despite having reported their case to the Maltese police.

The picture is bleak as more of our lives go online, giving fraudsters the pretext to exploit vulnerabilities, situations and lifestyles. Fraudsters also exploit seasonality—fake SMSs purporting to be from Maltapost requesting fees for parcels are normally popular around Christmastime when it is very likely recipients are anxiously waiting for a parcel to arrive. They also exploit current affairs—prepare to start seeing deep fake videos of Finance Minister Clyde Caruana in the coming weeks as the budget looms, in which he encourages people to invest money in a bogus scheme that promises lucrative returns.

‘A war we cannot win’

Brimmer says online fraud investigations are complex because they deal with cross-border crime, often perpetrated by organised criminal groups. Money is siphoned off into foreign bank accounts or crypto wallets, moving fast from one jurisdiction to another and not all jurisdictions are cooperative.

“This is a war we cannot win but by raising awareness, people can take simple steps to mitigate the risks and avoid falling victim by not sending money to people whom they have never met; by ignoring messages purporting to be from banks with links to bogus websites that ask for personal details and request money transfers; by not rushing to adhere to instructions received through SMS suggesting that their card has been blocked; by not giving personal details, pin numbers and passwords over the phone,” Ryan Caruana says.

Mark Falzon recounts one case of a woman who received an SMS informing her that her bank card was blocked and requested her to click on a link.

“Her solution to determine whether her card was truly blocked or not was to head down to a convenience outlet and buy a packet of water and pay with her card. The transaction went through seamlessly, giving the lie to the fraudulent SMS,” Falzon recounts.

It was a simple way of verifying whether the message was real without running the risk of being defrauded.

But Falzon is concerned about the instant payments system that kicked in across the EU on 6 October, which mandates that any transaction needs to be processed within 10 seconds.

“It is convenient for customers but it is an additional headache because it allows fraudsters to quickly transfer funds, making it even harder to track them down,” he says.

As for Maria, she rues the day she was taken in by the kind words of a surgeon from Gaza as she struggles to understand the betrayal. Like her, many more victims of online fraud will follow.

The appeal from bank officials and law enforcement officers is to constantly remain vigilant. Denying faceless predators, the keys to our online lives, they insist, will always remain the first line of defence.

Fraud reported by BOV clients 2025

• Business email compromise (BEC): €1,128,460
• Bank scams: €951,110
• Cards: €760,524
• Other: €380,046
• Investment: €1,675,890
• Romance: €441,590
• TOTAL: €5,337,620

Figures valid until end September

BOV also stopped €2.2 million in client funds from being lost to fraud

Online fraud reported to police

• 150 cases
• TOTAL: €8.3 million

Figure valid until end June