Luxembourg physiotherapist victim of €30,000 scam: fraudsters staged a call from a bank

Hassan OUAJBIR, Unsplash
In early March, a Luxembourg physiotherapist, identified in the media as Jérôme (name changed), received a call purporting to be from his bank's fraud department. Clear speech, no accent, confidence in his voice - the man on the other end of the line reported "suspicious transfers" of between €4,000 and €5,000 and gave the name of the alleged perpetrator, his phone model and location in Spain. It all looked too realistic not to believe.
When he claimed that he had not made the transfers, the "employee" offered to help him get his money back. The scammer even returned some funds to Jerome's account - temporarily, to inspire trust - and then convinced him to create a "safe" account and send him the current login and password via SMS, ostensibly to gain temporary access.
The attacker later demanded verification via Secur'Pass - the French equivalent of LuxTrust - to "confirm the transfer". As Jerome followed the instructions, his real bank accounts were emptied.
In fact, the hackers initially only had access to the internal movement of funds between accounts, but could not transfer money outside the bank. Once Jerome provided the login and password, he removed the protection himself, allowing the scammers to withdraw the money.
Three days later, without waiting for the refund, he called the bank - and heard: no security service had called him. Jérôme then filed a complaint with the police, but has yet to receive a response. In the meantime, he managed to recover €17,000 after lengthy negotiations with the bank, but was refused the remaining €10,000, claiming that he had "contributed to the fraud".
Such schemes involve entire criminal networks: so-called "allotiers" (from the French allô) - fraudsters imitating bank employees - work in conjunction with hackers who collect the victim's personal data in advance.
According to the French Payment Security Observatory, such schemes brought fraudsters €1.3 billion in 2023. Such offences in France carry up to 5 years in prison and fines of up to €375,000.
Jerome believes that banks have a responsibility to educate customers - at least through seminars or online courses - on how to deal with such situations and recognise the signs of social engineering.