How to avoid phishing scams
With banks offering more and more online services, fraud and scam attempts are also evolving and going digital. One kind that is becoming increasingly prevalent in Luxembourg is phishing. In this article, myLIFE shows you how to recognise phishing and protect yourself from these attacks.
What is phishing?
The term “phishing” is a neologism that was created by combining “fishing” and “phreaking” (telephone hacking). It’s a form of fraud that aims to collect personal and confidential data to use for personal gain. The fraudster poses as a trusted organisation or person, prompting you to respond in such a way as to allow them to steal your personal data. And, unfortunately, bank clients are all too often the victims of these attacks.
Phishing exploits human weaknesses such as empathy, fear, enthusiasm or simply a lack of attention. It often comes in the form of an email, but can also be conducted through SMS (“smishing”) or a phone call (“vishing”).
Messages may contain a link to a website that looks identical to that of the organisation the fraudster claims to represent. These are mostly banking websites, social networks or online payment platforms. By clicking on the link, the user is invited to enter their login details, fill in a form or sign up to a service. Meanwhile, the attacker retrieves the information entered to use for their own purposes.
In other cases, the message claims to be urgent and the attacker tries to get you to send confidential documents or information. Phishing attempts are often very convincing, and can consist of several messages sent over several weeks.
How to recognise phishing
One of the most common assumptions is that phishing is easy to recognise. In reality it can be extremely sophisticated and conducted through multiple different channels. However, if you pay attention, there are a few red flags you can watch out for.
- When you receive a message, whether an email or otherwise, it’s important to look at how the message is written and its layout, as well as identify any spelling mistakes. Beware: the advent of artificial intelligence means that fraudsters can write increasingly high-quality messages in any language. If you feel that something is off, trust your gut.
- They may also try to scam you by insisting on the urgency of the matter or offering a reward or prize. Don’t let your guard down!
- The email address or website they provide is often tweaked slightly, e.g. www.luxtrast.lu instead of www.luxtrust.lu.
- Always check the origin of incoming emails by looking at the domain. If in doubt, compare the address against old emails received from your bank – if you are a BIL client, make sure that the email address ends with “@bil.com”.
Lastly, note that no reputable bank or organisation will ever ask you for your personal information or credit card details. Be especially careful when asked to share sensitive information. If in doubt, contact your bank!
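The domain check described above can also be automated. The following Python sketch is an added example, not code from myLIFE or BIL: it flags senders and links whose domain is a near miss of a trusted one, or that contain a trusted name without ending in it. The allow-list, the distance thresholds and the sample inputs are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumption: the allow-list holds the two domains the article names.
TRUSTED = ("bil.com", "luxtrust.lu")

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(value):
    """Lowercased host from a URL, a From header or a bare address."""
    if "://" in value:
        host = value.split("://", 1)[1].split("/", 1)[0]
        host = host.rsplit("@", 1)[-1].split(":", 1)[0]
    else:
        addr = parseaddr(value)[1]
        host = addr.rsplit("@", 1)[1] if "@" in addr else value
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def classify(value):
    """Return 'trusted', 'lookalike' or 'unknown' for a sender or link."""
    host = host_of(value)
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return "trusted"
    # Simplification: treat the last two labels as the registered domain.
    base = ".".join(host.split(".")[-2:])
    for t in TRUSTED:
        limit = 1 if len(t) <= 8 else 2   # short names: stricter threshold
        if edit_distance(base, t) <= limit:
            return "lookalike"            # e.g. one letter swapped
        if "." + t + "." in "." + host + ".":
            return "lookalike"            # trusted name present but not at the end
    return "unknown"

# Constructed sample inputs, not real messages.
SAMPLES = ["BIL <service@bil.com>", "www.luxtrast.lu",
           "alerts@bil.com.secure-check.example", "news@shop.example"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):10} {s}")
```

A "lookalike" result is a reason to contact the bank through a known channel; "unknown" only means the domain is not on the list.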
Example
Luxembourg was targeted by a wave of SMS phishing attacks at the end of 2018.
- First, clients received an SMS that appeared to be from LuxTrust containing nothing but a link.
- After clicking on the link, they were redirected to a website that looked very much like the LuxTrust login page.
- Thinking they needed to update their details, they then entered their personal information.
- This information was then used for fraudulent purposes.
What to do and how to protect yourself
In an ideal world, you would obviously never be the victim of phishing or other attacks. While you can never be totally risk-free, a good first step is to make sure you update your software, browser, operating system and antivirus software regularly. However, this may not always be enough.
If you do ever receive a suspicious message, contact your bank or the organisation in question directly to make sure it came from them. Do not reply to suspicious emails – send them back to your bank by entering the email address manually. The same goes for your bank’s web address: type it out yourself rather than clicking any links. This way, you’ll avoid being redirected to a fraudulent website that may be posing as your online banking platform. In the end the safest thing to do is obviously to never click any links or download any documents attached to a questionable email.
If you have the slightest suspicion that your details have been compromised, immediately change your password and check your bank accounts. Then contact your bank to report the attempted fraud so they can take appropriate action.