
The tactics of phishing have evolved into various forms like smishing, vishing, and QRishing, each with the same underlying goal: to illicitly obtain sensitive data such as passwords, bank account numbers, or other valuable information.
Criminals continuously innovate new and creative methods to entice unsuspecting victims. Perhaps you too have received a text message claiming your National Health Fund (CNS) card has expired or notifying you of a parcel awaiting collection at the post office, often prompting you to click on a link.
Marie-Paule Wegener's unfortunate experience illustrates the consequences of falling prey to such schemes. By entering her bank details on a fake website, she lost €2,000 within minutes, transferred to an account in Bordeaux. Despite promptly blocking her credit card and Luxtrust certificate, she was unable to reach her bank until the following morning, since it was already after 6pm, rendering the transfer irretrievable.
Wegener is unable to understand why she cannot get her money back: "Because I entered all my details, the bank won't give me anything back. I just don't understand this system, that there's really nothing that can be done. That people are simply left to their fate."
This sentiment is echoed by the Luxembourg Consumer Protection Association (ULC), which underscores the need for banks to assume greater responsibility in safeguarding clients, particularly in light of the growing reliance on online banking. Nico Hoffmann, President of the ULC, emphasises the increasing complexity of phishing attacks, making it challenging for ordinary consumers to discern genuine communications from fraudulent ones.
Does a phishing victim get their money back?
The prospect of compensation for phishing victims hinges largely on the discretion of individual banks. According to the Luxembourg Bankers' Association (ABBL), banks are not obligated to reimburse clients who have been negligent with their data.
But why is it so difficult to trace stolen funds, especially when, as in the case of Marie-Paule Wegener, you can see where the money went? Ananda Kautz from the ABBL sheds light on this challenge, explaining that criminals typically avoid using their own accounts for illicit activities. Instead, they enlist "money mules" to facilitate transactions. Funds are first transferred from the victim's account to the account of a mule, who then transfers them onward through various channels until they ultimately reach the hacker.
Enhancing security in online banking
Alongside Luxtrust Mobile, which is much more secure than the traditional token, the introduction of "IBAN Name Check" is imminent. The implementation of this tool is seen as significant, particularly in the realm of "instant payments," where transfers occur within a mere 10 seconds. With such rapid transactions, clients no longer have the option to stop transfers.
Ananda Kautz explains the underlying principle of the IBAN Name Check: "Currently, money can be transferred based solely on the IBAN account number, disregarding the name of the beneficiary. However, in the future, across Europe, there will be checks aligning the name of the beneficiary with the IBAN. This measure aims to instil greater confidence."
This system has already proven effective in the Netherlands, where it resulted in an 80% reduction in phishing incidents at the largest Dutch bank.
What should you watch out for?
In 2023, approximately 1,300 phishing attacks were officially reported in Luxembourg, although the true number of unreported cases remains unknown. The sophistication of fake emails and text messages continues to evolve, posing challenges in detection. To navigate this landscape, Jimmy Diallo, a cybersecurity expert, offers valuable advice:
1. Time pressure: Be wary of messages that exert time pressure. Hackers often exploit urgency and anxiety to prompt hasty actions. If you feel rushed, it's a red flag.

2. Check links: Before clicking on any provided links, hover your cursor over them. Genuine links typically reveal their destination in the bottom left-hand corner of the screen. Any discrepancies, such as misspelled names or unfamiliar URLs, should raise suspicions.


3. Verify the URL: Even if you have already clicked on a link, all hope is not lost, provided you have not divulged any personal information. Take a closer look at the website address (URL). Fake websites often contain subtle errors that may not be immediately apparent but warrant scrutiny.

In essence, exercise vigilance. Even seemingly authentic email addresses can be spoofed, so keep an eye out for irregularities.
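The link and URL checks in points 2 and 3 can also be done mechanically. The following is an added example, not part of the original article: the `check_link` function, its warning names and the `.example` domains are constructed for illustration, and the lookalike test is a simple heuristic rather than a complete phishing detector.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the domains you genuinely expect messages from.
EXPECTED = ("mybank.example", "post.example")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url: str, expected=EXPECTED) -> list[str]:
    """Return warnings for a link; an empty list means no red flag was found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if parts.scheme != "https":
        warnings.append("not-https")
    if "@" in parts.netloc:
        warnings.append("userinfo-before-host")  # text before '@' is not the site
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")  # can render as lookalike letters
    # The real site is the END of the host name, on a label boundary.
    if any(host == d or host.endswith("." + d) for d in expected):
        return warnings
    domain_flag = False
    for d in expected:
        # Simplification: compare as many trailing labels as the expected domain has.
        tail = ".".join(host.split(".")[-d.count(".") - 1:])
        if d in host:
            warnings.append(f"expected-name-embedded:{d}")
            domain_flag = True
        elif edit_distance(tail, d) <= 2:
            warnings.append(f"lookalike-of:{d}")
            domain_flag = True
    if not domain_flag:
        warnings.append("unknown-domain")
    return warnings
```

The key point the code encodes is that only the end of the host name identifies the site: a familiar name at the start of the address, or before an `@`, proves nothing.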
"I've completely lost trust, it's shattered beyond repair"
Following her ordeal, Marie-Paule Wegener now deletes all text messages and emails upon receipt, and, depending on the situation, calls the people concerned to check whether it is a genuine message.
Reflecting on her experience, Wegener admits to grappling with the aftermath, particularly the loss of €2,000, a significant sum by any measure. She recounts the emotional toll, acknowledging feelings of frustration and self-reproach for failing to recognise the deception sooner: "I don't know why I did it, I can't tell."
After Wegener diligently adhered to prescribed protocols with her bank and the police, she never heard anything about the case ever again. Her €2,000 are likely lost forever.
Below, you will find a compilation of useful resources that will help you better defend yourself against phishing attacks:
A list of current phishing attacks and how you can recognise them
Has your e-mail address already been leaked? Find out here.