Beware of fraudulent messages imitating LuxTrust!

Be more vigilant than ever. In recent months, Luxembourg has suffered numerous phishing attacks by text message or email. The fraudsters’ goal is always the same: to obtain information about your bank accounts by impersonating an institution, organisation or business with a well-established reputation. After pretending to be Microsoft and streaming platforms like Amazon Prime and Netflix under various pretexts (a virus in your PC, urgent renewal of your subscription under penalty of termination, etc.), hackers are now targeting LuxTrust.

This is not the first time that the digital identity provider has been targeted by a phishing campaign, but this one is far more sophisticated than the previous ones.

How does it work in concrete terms? You receive by email, sometimes by text, a message supposedly from LuxTrust asking you to renew your certificate urgently. The reason generally given is that an update was necessary to make your online accounts more secure and easier to use, but that it could not be implemented owing to a security issue. To reactivate your certificate, you are asked to click on a link and, once redirected to a fake site, to share your login details (username, password, one-time code, bank details, etc.). You’ve got it: you absolutely must not click on the link, otherwise your accounts will be quickly emptied.

How can you avoid falling into the trap?

It’s relatively straightforward, provided you adhere to the following recommendations:

  1. Take some time to think when a message asks you to take immediate action. Start by checking the status of your certificate (activated, suspended or revoked) by going to the “Test my certificate” page of the LuxTrust site.
  2. If the “bank’s” message asks for sensitive information, it is probably a scam attempt. Neither LuxTrust nor the local banks will ask you for information related to your LuxTrust product (or other confidential information) via a link sent by email or text message.
  3. If you believe that the email actually comes from LuxTrust, take the usual precautions. Check that the sender’s email address ends with @luxtrust.lu and that the link displayed contains luxtrust.lu or luxtrust.com. Check for inconsistencies as well as spelling and grammar mistakes.
  4. Be extra careful if you are using a mobile device. It is more difficult to spot a phishing attempt from your phone or tablet. The lack of a mouse means you can’t hover over a suspicious link, and the smaller screen makes it difficult for you to spot obvious mistakes.
  5. If you don’t see your secret image on the site after entering your username and password, you are most likely dealing with a phishing attempt. Immediately stop the operation.
  6. If you have the slightest doubt or suspicion, contact LuxTrust customer services directly (see contact details below) or your bank.
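
Recommendation 3 as an automated check (an added example, not part of the original article and not LuxTrust tooling): it compares the parsed address domain and link host against the domains the article names, because a plain "contains" test also passes text that merely mentions the name. The function names and the sample headers and links on the reserved `.example` domain are constructed for illustration, and treating subdomains of the two domains as legitimate is an assumption.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains named in recommendation 3 of the article.
SENDER_DOMAIN = "luxtrust.lu"
LINK_DOMAINS = ("luxtrust.lu", "luxtrust.com")

# Constructed samples; the ".example" names are reserved and stand in
# for whatever unrelated site a fraudulent message points to.
SAMPLE_SENDERS = [
    "LuxTrust <questions@luxtrust.lu>",
    '"questions@luxtrust.lu" <info@mail.example>',
    "LuxTrust <support@luxtrust.lu.example>",
]
SAMPLE_LINKS = [
    "https://www.luxtrust.lu/",
    "https://luxtrust.lu.renew.example/login",
    "https://www.luxtrust.lu@renew.example/login",
    "https://renew.example/luxtrust.com/certificate",
]


def sender_ok(from_header):
    """Compare the real address domain, ignoring the display name."""
    _, addr = parseaddr(from_header)
    local, at, domain = addr.rpartition("@")
    return bool(local and at) and domain.lower() == SENDER_DOMAIN


def link_host(url):
    """Return the host a browser would connect to, or '' if none."""
    try:
        return (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:
        return ""


def link_ok(url):
    """Accept only a listed domain or a subdomain of one (assumption)."""
    host = link_host(url)
    return any(host == d or host.endswith("." + d) for d in LINK_DOMAINS)


def contains_check(url):
    """The literal 'link contains luxtrust.lu' test, for comparison."""
    return any(d in url.lower() for d in LINK_DOMAINS)


if __name__ == "__main__":
    for s in SAMPLE_SENDERS:
        print(f"sender_ok={sender_ok(s)!s:5}  {s}")
    for u in SAMPLE_LINKS:
        print(f"contains={contains_check(u)!s:5}  strict={link_ok(u)!s:5}  {u}")
```

Every sample link passes the substring test, but only the first resolves to a LuxTrust host, which is why the comparison has to be made on the parsed host name rather than on the visible text.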

If you have unfortunately clicked on the link and provided your credit card details as well as your LuxTrust login details, contact your bank and LuxTrust customer services immediately on +352 24 550 550 or by email to questions@luxtrust.lu.

And what if you use LuxTrust Mobile instead?

One last tip: if you haven't already done so, switch to the LuxTrust mobile application. This helps you obtain a One Time Password (OTP) required to confirm or finalise your transactions or operations. You no longer need to have your physical device such as a token or scanner at hand. You also benefit from greater security, as the application is fully integrated into your online banking. In other words, when the validity of your certificate is about to expire, your financial institution will ask you, via your online bank's secure messaging system, to renew it for free online. Security is also strengthened by the combination of your LuxTrust security data (username, password, OTP, secret image) with your smartphone’s fingerprint reader or facial recognition software.

01/2022

My Money