Phishing attempts under the name of LuxTrust

07.12.2023

Press releases

For several months now, Luxembourg has been facing increasingly sophisticated phishing attacks via email, SMS and/or phone. The fraudsters pretend to be LuxTrust agents, claiming that a fraudulent transaction has been carried out on the bank account of the person concerned, in order to obtain confidential information relating to LuxTrust authentication. LuxTrust's teams, with the security of its customers and users at heart, are warning of these fraudulent actions and advise on the best practices to follow.

Phishing: how it works

Generally speaking, the users receive an email/SMS and are invited to click on a link to perform an urgent operation (updating their data to continue to have access to a service…). They are then redirected to a fake site, asking them to enter their credit card details and/or validate their personal information by entering their LuxTrust User ID, password and one-time password (OTP) (in some cases several times).

How do you spot a phishing attempt?

These hackers also impersonate LuxTrust agents over the phone, displaying LuxTrust's phone number. They claim that fraudulent transactions are in progress on the victim's bank account. They ask for the victim's validation to avoid the fraud. The aim of these “hackers” is to put people in a stressful situation where they will have to react as quickly as possible without thinking about the necessary protective measures.

If in doubt, hang up!

If a user has gone all the way to the end of the scam and has given their secret information, s/he should immediately contact their bank and/or LuxTrust customer service on +352 24 550 550 or by email to questions@luxtrust.lu in order to take the necessary measures.

What are the best practices for protecting your digital identity and secret information?

Users should be reminded that it is essential to protect their secret information (password, one-time password - OTP). These elements guarantee them secure access to their web banking and administrative procedures, and under any circumstances, must not be communicated orally or otherwise to another person.

For this reason, it is important to know that LuxTrust, as a trusted digital partner, never asks its users to update their personal and secret information via an email or SMS link. This type of communication is only made upon the user’s initiative by contacting LuxTrust. To renew their LuxTrust certificates, users should go to the “My LuxTrust” space on www.luxtrust.com.

With this in mind, LuxTrust:

never asks its users for their secret codes or passwords,
never asks its users to intervene in banking transactions,
does not have access to its users' bank accounts/banking information,
never calls its users directly,
and never physically visits one of its users.

How do you detect a malicious email or SMS?

Check the sender's address and the consistency between the function or organisation of the sender and its content. The malicious person's email address may be very close to a legitimate one.
Read the message carefully. It may contain typographical errors, spelling mistakes or unusual turns of phrase (although this is increasingly rare).
Do not reply to an email requesting personal or confidential information, even if the email appears to come from a LuxTrust employee.
Do not open attachments if the sender of the email or the title is unknown. A virus can hide in a document (PDF, Office Suite or Google …), an image or else.
Hover your mouse over links (without clicking), make sure they are consistent and point to a legitimate site.
In all cases, ask yourself whether the request expressed in the email or SMS received is legitimate.