September 23, 2019

How to avoid phishing scams

With banks offering more and more online services, fraud and scam attempts are also evolving and going digital. One kind that is becoming increasingly prevalent in Luxembourg is phishing. In this article, myLIFE shows you how to recognise phishing and protect yourself from these attacks.

What is phishing?

The term “phishing” is a neologism that was created by combining “fishing” and “phreaking” (telephone hacking). It’s a form of fraud that aims to collect personal and confidential data to use for personal gain. The fraudster poses as a trusted organisation or person, prompting you to respond in such a way as to allow them to steal your personal data. And, unfortunately, bank clients are all too often the victims of these attacks.

Phishing exploits human weaknesses such as empathy, fear, enthusiasm or simply a lack of attention. It often comes in the form of an email, but can also be conducted through SMS (“smishing”) or a phone call (“vishing”).

Messages may contain a link to a website that looks identical to that of the organisation the fraudster claims to represent. These are mostly banking websites, social networks or online payment platforms. By clicking on the link, the user is invited to enter their login details, fill in a form or sign up to a service. Meanwhile, the attacker retrieves the information entered to use for their own purposes.

In other cases, the message claims to be urgent and the attacker tries to get you to send confidential documents or information. Phishing attempts are often very convincing, and can consist of several messages sent over several weeks.

How to recognise phishing

One of the most common assumptions is that phishing is easy to recognise. In reality it can be extremely sophisticated and conducted through multiple different channels. However, if you pay attention, there are a few red flags you can watch out for.

When you receive a message, whether an email or otherwise, it’s important to look at how the message is written and laid out, and to check it for spelling mistakes. If you feel that something is off, trust your gut.

  • Fraudsters may also try to pressure you by insisting on the urgency of the matter or by offering a reward or prize. Don’t let your guard down!
  • The email address or website they provide is often tweaked slightly, e.g. www.luxtrast.lu instead of www.luxtrust.lu.
  • Always check the origin of incoming emails by looking at the domain. If in doubt, compare the address against old emails received from your bank – if you are a BIL client, make sure that the email address ends with “@bil.com”.

Lastly, note that no reputable bank or organisation will ever ask you for your personal information or credit card details. Be especially careful when asked to share sensitive information. If in doubt, contact your bank!

Example

Luxembourg was targeted by a wave of SMS phishing attacks at the end of 2018.

  1. First, clients received an SMS that appeared to be from LuxTrust containing nothing but a link.
  2. After clicking on the link, they were redirected to a website that looked very much like the LuxTrust login page.
  3. Thinking they needed to update their details, they then entered their personal information.
  4. This information was then used for fraudulent purposes.

What to do and how to protect yourself

In an ideal world, you would obviously never be the victim of phishing or other attacks. While you can never be totally risk-free, a good first step is to make sure you update your software, browser, operating system and antivirus software regularly. However, this may not always be enough.

If you do ever receive a suspicious message, contact your bank or the organisation in question directly to make sure it came from them. Do not reply to suspicious emails – send them back to your bank by entering the email address manually. The same goes for your bank’s web address: type it out yourself rather than clicking any links. This way, you’ll avoid being redirected to a fraudulent website that may be posing as your online banking platform. In the end the safest thing to do is obviously to never click any links or download any documents attached to a questionable email.

If you have the slightest suspicion that your details have been compromised, immediately change your password and check your bank accounts. Then contact your bank to report the attempted fraud so they can take appropriate action.

New LuxTrust feature

To further protect your personal data, LuxTrust – Luxembourg’s specialist electronic identity manager – has recently implemented extra measures to help you avoid getting caught out by phishing attempts.

LuxTrust users were asked to choose and remember a secret image as an additional security step for online operations.

Your chosen image will appear each time you enter your OTP or your PIN to log in to your online banking space or sign a transaction.

However, you will not be asked for your secret image in the following situations:

  • You are using LuxTrust Mobile, which does not require this additional security step.
  • The website used does not require a secret image. If in doubt, contact the organisation in question, bearing in mind that MyGuichet.lu and most major banks will ask for your secret image.
  • You are using your Token to pay on a website that uses 3D Secure.

Outside of these situations, if your secret image is not displayed, or if it’s not the one you chose, you are most likely facing a phishing attempt. So there you have it! Now that you know how to avoid getting sucked in by phishing attempts, you can rest easy when doing your daily banking.