The short answer

What is phishing?

Phishing is a type of social engineering attack, where attackers attempt to get sensitive information - such as a username or password - by disguising themselves as Luno in electronic communications such as SMS or email.

The attacker’s goal is to trick you into believing that the message is something that you want or need, and for you to click a link or download an attachment.

Phishing examples

How to protect yourself against phishing

Reading this guide and familiarising yourself with what phishing is - and how to protect yourself against it - is the first very important step.

The second step is to protect your Luno account. You can do that by setting up two-factor authentication (2FA) in a few easy steps. It’s a very powerful security measure, and it shouldn’t be seen as optional. With enough time, and computer resources, any password can eventually be guessed by attackers.


Not sure how to set up 2FA? No problem. Find out how to here.

Thirdly, if you do get a suspicious message, email or call claiming to be Luno, report it to us immediately.

The more detailed answer

What is phishing?

Receiving an email with the instruction “Click here to confirm your account” is a common way that phishers try to unlawfully gain access to your accounts. The message may seem entirely legit, branded with a company’s identity that you recognise, but if you look a little closer, you are very likely to spot irregularities.

  • Is the website that you’ve been directed to secure? You can verify this by the padlock icon displaying in your browser’s address bar. Clicking on the padlock icon, you’ll also be able to view any website’s SSL/TLS Certificate. Dodgy websites most likely won’t have an SSL/TLS Certificate.

  • While we suggest that you don’t click on any suspicious link, just in case you do, the website URL might be www(dot)luna(dot)com or something like www(dot)lunoserver(dot)com.

  • Check what the sender is asking – are they requesting sensitive information such as your bank account details or your password?


    Luno will never ask you for these, nor will we ever threaten to deactivate your account if you do not comply.

The other types of phishing

  • Vishing (Voice phishing) is a phone scam used by phishers who may impersonate an employee of a business, bank or another financial institution. Victims are fooled into providing valuable account information over the phone.

  • Smishing (SMS phishing) takes place through SMS communication, whereby phishers trick victims into revealing information or transferring money to them.

  • Twishing (phishing through Twitter) is when a phisher tweets or sends a direct message to a Twitter user with a link to a fraudulent website. If the user clicks on the link and signs into that website, the phisher gains access to their private information - such as a name and password, which may be used elsewhere on the internet to access email inboxes, or even cryptocurrency wallets.


You can protect your sensitive information by checking if your email account has previously been compromised at – this website lets you know if there’s ever been a breach of security involving your email address. If it does come up in a search, we strongly recommend that you change your email account password.

Protecting yourself against phishing

It’s extremely important to familiarise yourself with how phishing works and the measures phishers take to attempt to gain access to your Luno wallet. We’ve written a guide on how to keep your account secure, but here we’ll cover it here as well.

From time to time, Luno may get in touch with you via email or by giving you a phone call. Before you respond, make sure that it’s coming from us. When we do, we may ask you:

Security-related questions in order to verify your identity

We may call you with security questions to verify your identity. Some of these questions may include the information you used to sign up for Luno, such as your date of birth and your mobile number.

When you receive an email, be sure to look for the sender address from the sender to verify that it’s legit. Email correspondence from us will always come from the domain.

Here’s what Luno will never do:

  • We will never ask for your password
    Account privacy is yours and yours only. Luno will never ask you for your password or attempt to gain access to your account through social engineering.

  • We will never ask for your banking details
    Banking details should never be shared! There may be a time where we ask you who you bank with, but we’ll never ask you to share all your banking details with us. If you receive any form of correspondence asking you for your banking details, you are being phished.

  • We will never ask you to share your One Time Pin (OTP) pin with us
    Requesting your OTP is one way how phishers gain access to your account. Never reveal this information to anybody because it should strictly be used by you only.

  • We will never ask for your two-factor authentication (2FA) code
    Similar to the OTP code above, your two-factor authentication code exists as an additional layer of security on your account. Be sure to never divulge this code to anybody.

  • We will never ask for your authorisation links or to authorise your transactions
    Authorisation links are generated for customers to authorise transactions. There’s no reason why we will ever need to ask you for these links or to authorise transactions on your behalf.

  • We will never threaten to deactivate your account if you don’t perform an action
    Phishers and fraudsters may threaten to deactivate your account as a way to fake urgency. We will never ask you to click on a link and then threaten to deactivate your account if you don’t. The only time Luno will deactivate your account is when you have been acting in contravention of our Terms of Use or where you submit a request to close your account. In these scenarios, we'll guide you through a defined exit process.

  • We will never require you to upgrade and close your account if you don’t upgrade
    We’ve set different account levels, with deposit and withdrawal limits that apply to each level - the basis for this is that the more you want to transact, the more we need to know about you. When you’re approaching the threshold on one level, we may ask you to upgrade to the next level. If you don’t upgrade, you’ll remain on the same level with the same limits. We won’t deactivate your account if you don’t upgrade.

If you have an existing support query with us, we may contact you to directly communicate about your submitted query.


At any time, if you’re unsure about any suspicious activity, report it to us immediately.