A Luxembourg resident recently lost €30,000 in a sophisticated phone scam where criminals spoofed local numbers to impersonate banking and security officials, highlighting the growing threat of such frauds.
It sounds almost unbelievable, but it is likely not an isolated case: A victim of "spoofing" recounted his ordeal to our colleagues from RTL Télé.
In this scam, criminals use Luxembourgish phone numbers to impersonate banks or Luxtrust. In this particular case, the victim lost €30,000 and has little hope of recovering his money. Pit*, a middle-aged man who describes himself as generally cautious, never thought he would fall victim to such a scam.
A month ago, he received a fraudulent message from Payconiq, claiming his certificate had expired and he needed to re-enter his bank details. Initially, he complied but soon remembered that many fake messages are circulating and blocked his Visa card. Later that evening, he received a call from someone posing as a Luxtrust employee.
The 'employee' immediately pressured Pit, claiming that two payments had already been made abroad on a Spanish site using his Visa card. The scammer then instructed Pit to check his private emails and click on a link, purportedly leading to a Luxtrust page where he needed to enter his codes to order two new cards.
No way to prevent spoofing
Pit fell victim to a scam known as spoofing, where perpetrators, likely based abroad, generate Luxembourgish phone numbers through software and use special phones to display these numbers on victims' screens. Steve Muller from Bee Secure explains that within Luxembourg, operators can detect and block fake numbers because they do not match the SIM card. However, this protection does not necessarily exist in other countries.
Sometimes, the spoofed numbers randomly belong to actual people in Luxembourg, who are then naturally surprised to receive return calls.
Simply answering the phone is not enough to be scammed, but vigilance is essential. Some providers are developing filters to detect such calls, but currently, only common sense offers protection.
Slim chance of catching the perpetrators, say police
The police have issued a warning that no Luxembourgish company, police, or bank will contact individuals to request data over the phone. Marc Ragnacci from the Prevention Service noted that the chances of catching the perpetrators are "very, very slim." Specialised investigators from the criminal police, cybercrime, and anti-money laundering departments work on these cases, but since the criminals usually operate from abroad, it is challenging for the Luxembourg police to take effective action through the public prosecutor's office.
The police expect such scams to increase, noting a 30% rise in fraud offences in 2023, though there are no specific figures for spoofing.
I allowed myself to be 'distracted, like an amateur': victim
The scammers talked to Pit for almost two hours, maintaining a friendly demeanour throughout. He did not realise that Luxtrust and Payconiq are unrelated entities and that Luxtrust does not block or issue new bank cards. Additionally, Payconiq does not have a certificate that could expire.
The fake employee persuaded Pit to hand over his second bank card and token to an alleged second employee later that evening. To reassure him, the criminals sent an additional code via text message, instructing Pit to only hand over the card when the other person mentioned the correct code.
"Then I just handed it over to him, and from that evening, my bank app stopped working. They also told me that they would block it so that the criminals no longer had access. But he himself was the criminal," Pit recalls.
That same evening, €10,000 were withdrawn from an ATM, and €20,000 were transferred to accounts in Belgium and France. The bank managed to stop another transfer of almost €10,000 to Spain. Unfortunately, there is no insurance for this type of fraud, and Pit is personally responsible. Although he filed a complaint, there is little hope as the accounts abroad are likely under false names, making the recovery of the money unlikely.
Pit cannot fully explain why he fell for the scam. Despite having doubts, the fake employee had a plausible answer to every question in the moment: "I allowed myself to be distracted, like an amateur!"
*Name changed by the editorial team.
