In the wake of a sophisticated phishing scheme that led to major financial losses for dozens of BIL customers, the Luxembourg Bankers’ Association (ABBL) is defending the security of the country’s banking system and the LuxTrust certificate. According to ABBL, both remain technically secure, but user awareness remains a weak link.
At least 45 victims have now come forward, many of whom feel let down by their bank after falling for a convincing fake BIL website. The scam tricked users into unknowingly handing over login credentials, which criminals then used to access real accounts and carry out transactions.
The trick, according to ABBL director Jerry Grbic, was that fraudsters created a false error message during login to pressure users into trying again, this time handing over their LuxTrust credentials. The attackers then swiftly used those codes on the real BIL website to gain access to accounts and make transfers.
The association underlined that these scams are carried out by highly organised cybercriminals who carefully exploit users’ behaviour and trust in official-looking websites.
Both ABBL and BIL argue that the problem lies less in system vulnerabilities and more in human error. LuxTrust, which only responded to RTL’s questions by email, echoed the same point: when users are tricked into entering credentials on a fraudulent site, the backend systems remain uncompromised.
“At this stage, we’ve seen no breaches in the banks’ or LuxTrust’s systems,” Grbic confirmed, adding that all parties concerned are actively reviewing their platforms.
The association praised victims like Juliana Mondot and Claude Melchior, who recently spoke out on RTL, for helping raise awareness. Shame and silence, they warned, only make prevention harder.
ABBL is urging clients to remain cautious and double-check unusual requests. Banks will never ask for credentials by phone, or contact clients late at night, on weekends, or during public holidays. Instead of clicking on links, users should always enter their bank’s URL manually or use the official banking app.
In case of a suspected breach, clients are advised to immediately call 49 10 10 – the emergency line available 24/7 – to block their LuxTrust access and limit further damage. The next steps: alert your bank and file a formal complaint with the police.
According to Tim Pauly from the Police’s prevention unit, filing a complaint not only helps investigators trace fraud patterns, but may also be essential for insurance coverage in case of losses.
Cybercrime is on the rise, with Luxembourg reporting a 75% increase in attacks in the first quarter of 2025 alone. Authorities are preparing a new phase of the cyberfraud.lu awareness campaign for October, which will offer practical tips for protecting yourself online.