A client of Post Luxembourg recently contacted RTL after having fallen victim to a phishing attempt, while still waiting for their funds to be reimbursed.
Although Post Luxembourg confirmed that a number of their clients recently fell victim to phishing attacks, they did not convey how many people were affected, citing reasons of security and confidentiality.
The attacks in question were fraudsters trying to gain access to clients' data by impersonating either Post or LuxTrust. Links redirecting people to websites designed to reflect the look of the sites in question spurred users to provide personal information and carry out fraudulent transactions via Payconiq.
Post Luxembourg has now issued a renewed reminder that they would never send email requests to their clients to log into their accounts. Recipients of these fraudulent messages should always delete them and only use the 'eboo' app or the eboo.lu website to access their personal pages.
Trojan remotely installed
If a client fails to identify one of these links as fraudulent and clicks on it, they should alert the 'Post Finance' contact centre (8002 8004), which can be reached from 7am to 8pm. Operators will help look for unauthorised activities and block the account in question if they find one. Clients will then be advised to file a complaint with the police, change their LuxTrust password, and provide a copy of the complaint to Post Finance.
Unfortunately, not everyone fooled by the scam has been left unscathed. RTL was contacted by one person who clicked on a false LuxTrust link, but they then refrained from providing their security code out of precaution. Although their account remained unchanged for a few days, fraudsters had in fact installed a Trojan and eventually removed €6,000.
Still no money returned
After contacting LuxTrust and their local Post office, the victim was advised to block their bank cards. The client later realised this did not make any sense, as the cards had not been stolen. Post then referred the victim to the police, who in return said they could not process the complaint due to lack of documentation for the fraudulent transactions. During another visit to the local Post branch, accompanied by a police officer, the client was told that they themselves would not have to cover the losses.
In the days that followed, the client wanted to fully block their account, but this did not happen. They also complained that they had never received an email warning about the phishing attempts. Furthermore, they were surprised to find that Payconiq had been used for the scam despite the victim never having activated the necessary access.
While another Post client recently told RTL that their stolen funds had been returned, something even the bank itself was unable to explain, this latest victim is still waiting for their money.
