What is phishing and how do I protect myself against it?


It’s extremely important to familiarise yourself with how phishing works and the measures phishers take to attempt to gain access to your Luno wallet. We’ve written a guide on how to keep your account secure, but we’ll cover it here as well.

What is phishing?

Phishing is a type of social engineering attack, where phishers attempt to get sensitive information such as your username or password. They do this by disguising themselves as Luno in electronic communications such as SMS or email.

The attacker’s goal is to trick you into clicking on a phishing link or downloading an attachment. Once you’ve clicked on the link or attachment, spyware will be downloaded onto your device, which will enable an attacker to see all your activities.

What a phishing attempt looks like

Messages with instructions such as “Click here to confirm your account” or “Your account is outdated, click here to update your details and avoid deactivation” are common ways that phishers try to unlawfully gain access to your account. The message may seem entirely legitimate, branded with a company’s identity that you recognise, but if you look a little closer, you are very likely to spot irregularities.

Phishing examples

examples of phishing SMSs where customers are directed to click on links to update their accounts or avoid their account being blocked

Other types of phishing

Vishing (voice phishing) is a phone scam used by phishers who may impersonate an employee of a business, bank or another financial institution. Victims are fooled into providing valuable account information over the phone.

Smishing (SMS phishing) takes place through SMS communication, whereby phishers trick victims into revealing information or transferring money to them.

Twishing (phishing through Twitter) is when a phisher tweets or sends a direct message to a Twitter user with a link to a fraudulent website. If the user clicks on the link and signs into that website, the phisher gains access to their private information, such as a name and password, which may be used elsewhere on the internet to access email inboxes, or even cryptocurrency wallets.

Spearphishing (phishing through impersonation) is when a spearphisher attempts to get financial information about you via phone or email. If they know you have cryptocurrency, they might try to impersonate cryptocurrency company employees to gain your trust.

How to determine whether an email is legitimate or not

  1. Identify the sender

    • Always check the “from:” address in emails

    • Ask yourself if you’re expecting an email from the sender

  2. Check the website links

    • Hover over any links to see the real website address they go to before you click on them

    • Images or buttons can also contain links to potentially malicious websites

  3. Don’t trust attachments

    • If the email seems suspicious, do not open any attachments

    • Attachments with malicious software can be disguised as documents, PDFs or zip files

How to protect yourself against phishing

  1. Familiarise yourself with what phishing is. Understanding the scam tactic and how to protect yourself against it is a very important first step.

  2. Protect your Luno account. You can do this by setting up a security measure called two-factor authentication (2FA) to make it harder for phishers to attack your account.

  3. If you get a suspicious message, email or call claiming to be Luno, report it to us immediately.

Note

Luno will never ask you for sensitive details, nor will we ever threaten to deactivate, delete or lock your account if you do not comply.

Questions to ask yourself before clicking on a link

We generally won’t send you an SMS or an email with a link for you to follow, unless you were going through a specific process in your Luno app already. For example, we may send you an authorisation SMS if you’re attempting to send cryptocurrency, or a verification email if you’re signing up for an account. In all these cases, Luno will prompt you directly in-app to check your SMS or your email. Be suspicious of any unexpected, random messages you receive.


Luno’s website will always have a padlock icon displayed in your browser’s address bar. If it does not have the padlock, you are not on Luno’s website. If it does have the padlock, still make sure that you are on www.luno.com

Luno doesn’t hide or shorten the links we send you using third-party URL shorteners like Bitly or TinyURL. You should be able to tell exactly where the link will take you before you open it.

We strongly advise that you never click on any suspicious links, but in the event that you do, check that the website URL is www(dot)luno(dot)com and not something like www(dot)luna(dot)com, www(dot)lunoserver(dot)com or www(dot)lunotrader(dot)com. If you have clicked on a phishing link, immediately disconnect your device from the internet, back up your files, scan your device for malware, delete the attachments and change your usernames and passwords across all your accounts.

Phishing messages will often scare you into thinking that you’ll lose all your funds, your account will be deactivated, or your account will be compromised if you don’t follow the link. These messages are designed to make you stressed, which may lead you to think less critically about what you’re doing. We love our customers and we’d never threaten you like this.

This could include your bank account details, one-time PIN, 2FA code, or password. Luno will never request these details from you. Don’t ever sign in to your account without first checking you’re really on www.luno.com.

How do I know if it really is Luno contacting me?

From time to time, Luno may contact you via email or by giving you a call. To be sure that it’s coming from us, here is a list of the types of information we may ask for:

We may call you with security questions to verify your identity. Some of these questions may include the information you used to sign up for Luno, such as your date of birth and your mobile number, but we will never request your password, 2FA code, or any one-time PINs.

If you receive an email, be sure to look for the sender's address to verify that it’s legitimate. All email correspondence from us will always come from a @luno.com domain, and never from @gmail.com or any other domains.

Here are some of the email addresses Luno uses:

  • noreply@mailer.luno.com

  • no-reply@luno.com

  • support@luno.com

  • @engage.luno.com

  • @announcement.luno.com
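
The link and sender checks described above (the www.luno.com lookalikes, third-party shorteners and the sender-address list), as an added Python example that is not part of the original article or Luno's own code. The function names and warning labels are hypothetical, the sample inputs are constructed, and treating luno.com plus any subdomain as the official site is an assumption.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: luno.com and its subdomains count as the official site.
OFFICIAL_SITE = "luno.com"
# Sender domains taken from the address list in this article.
SENDER_DOMAINS = {"luno.com", "mailer.luno.com", "engage.luno.com",
                  "announcement.luno.com"}
# Domains used by the shorteners the article names (Bitly, TinyURL).
SHORTENERS = {"bit.ly", "tinyurl.com"}


def check_link(url):
    """Return warning labels for a link; an empty list means it passed."""
    warnings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        warnings.append("not-https")  # no padlock in the address bar
    if parts.username is not None:
        # "https://www.luno.com@other.site/" really goes to other.site
        warnings.append("userinfo-in-url")
    if host in SHORTENERS:
        warnings.append("url-shortener")
    # Compare whole labels: a plain endswith("luno.com") would accept
    # "notluno.com", and a substring test for "luno" would accept
    # "lunoserver.com".
    if not (host == OFFICIAL_SITE or host.endswith("." + OFFICIAL_SITE)):
        warnings.append("not-luno-host")
    return warnings


def check_sender(from_header):
    """True only if the address, not the display name, is on a listed domain."""
    _, addr = parseaddr(from_header)
    local, sep, domain = addr.rpartition("@")
    return bool(local and sep) and domain.lower() in SENDER_DOMAINS


if __name__ == "__main__":
    # Constructed samples, including the lookalikes named in the article.
    for url in ["https://www.luno.com/wallet", "https://www.luna.com/",
                "https://www.lunoserver.com/login", "https://bit.ly/abc123",
                "https://www.luno.com@login.example/"]:
        print(url, check_link(url) or "ok")
    for sender in ["Luno <noreply@mailer.luno.com>",
                   "Luno Support <luno.support@gmail.com>"]:
        print(sender, check_sender(sender))
```

A passing sender check only rules out an obvious mismatch: the visible From address can be forged, so the other checks in this article still apply.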

Tip

You can protect your sensitive information by checking if your email account has previously been compromised at haveibeenpwned.com – this website lets you know if there’s ever been a breach of security involving your email address. If it does come up in a search, we strongly recommend that you change your email account password.


Luno will never...

Account privacy is yours and yours only. Luno will never ask you for your password or attempt to gain access to your account through social engineering.

Banking details should never be shared! There may be a time when we ask you who you bank with, but we’ll never ask you to share all your banking details with us. If you receive any form of correspondence asking you for your banking details, you are being phished.

Fake websites may request your OTP to gain access to your account. Never reveal this information because it should strictly be used by you only.

Similar to the OTP code above, your two-factor authentication code exists as an additional layer of security on your account. Be sure to never divulge this code to anybody.

Authorisation links are generated for customers to authorise transactions. There’s no reason why we will ever need to ask you for these links or to authorise transactions on your behalf.

Phishers and fraudsters may threaten to deactivate your account as a way to fake urgency. We will never ask you to click on a link and then threaten to deactivate your account if you don’t. The only time Luno will deactivate your account is when you have been acting in contravention of our Terms of Use or when you submit a request to close your account. In these scenarios, we'll guide you through a defined exit process.

We’ve set different account levels, with deposit and withdrawal limits that apply to each level. The basis for this is that the more you want to transact, the more we need to know about you. When you’re approaching the threshold on one level, we may ask you to upgrade to the next level. If you don’t upgrade, you’ll remain on the same level with the same limits. We won’t deactivate your account if you don’t upgrade.

If you have an existing support query with us, we may contact you to directly communicate about your submitted query.

Tip

At any time, if you’re unsure about any suspicious activity, report it to us immediately.
