What is phishing?
Phishing is everywhere and anyone can become a victim. Phishing attacks come in all shapes and sizes: sometimes a blunt request for personal or login details, sometimes a highly targeted, well-researched and specific attack. The aim in every case is to get a foothold in your organisation. Phishing is often hard to spot, especially the targeted kind: such messages frequently appear to come from people you know, or mention names and details specific to you, the recipient. One example is so-called CEO fraud, where phishing emails appear to come from a manager in your own company.
Are you dealing with a phishing attempt? Report it to both the Fraud Helpdesk and the organisation named as the sender of the phishing emails. This way you help other people and organisations. Banks have dedicated email addresses (in Dutch) for reporting phishing. Report fake emails to the Fraud Helpdesk (in Dutch).
How do I recognise a phishing email?
How do you know whether an email is safe to open? It is often very difficult to spot fake emails, especially in targeted attacks. The advice below helps you identify possible fake emails.
- Check the sender's address. Even if the sender's display name is exactly that of your bank or online store, the email address behind it is often unrelated, or a lookalike derived from the real company or organisation name.
- Look closely at the domain name from which you received the email. The domain name is everything after the @ sign in the email address.
- Double-check that the domain exactly matches the organisation's real website address. A common trick is to replace certain letters in the domain name with numbers, or with letters that look alike.
- The difference between a legitimate and a fake email address can be hard to spot. In the following example the digit 1 has been replaced by the capital letter I, which looks almost identical in many fonts. Compare email@example.com and mail@3I008mailers.nl.
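The sender checks above can be done mechanically. The script below is an added example, not code from the original page: it takes a From: header, extracts the domain after the @, and compares it against a list of domains the recipient really deals with. The trusted domains and brand names (mybank.example, webshop.example) and the look-alike table are constructed for the example; a real filter would use the full Unicode confusables data. It catches three of the tricks described: digits or Cyrillic letters standing in for Latin letters, a genuine domain embedded inside a longer untrusted one, and a trusted display name sitting in front of an unrelated address.

```python
"""Added example: triage a From: header for the sender-address tricks listed above."""
import unicodedata
from email.utils import parseaddr

# Constructed data: the domains and brand names this recipient genuinely deals with.
TRUSTED_DOMAINS = {"mybank.example", "webshop.example"}
BRANDS = {"mybank", "webshop"}

# Deliberately small look-alike table: digits and letters that are confused at a glance,
# plus a few Cyrillic letters that render like Latin ones. A real filter would use the
# full Unicode confusables data (UTS #39).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "i": "l", "|": "l", "!": "l",
    "3": "e", "5": "s", "8": "b", "9": "g",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def skeleton(domain: str) -> str:
    """Collapse a domain into a form in which look-alike spellings become identical."""
    s = domain.lower().translate(CONFUSABLES)
    s = unicodedata.normalize("NFKD", s)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # drop accents
    return s.replace("rn", "m").replace("vv", "w")               # rn ~ m, vv ~ w


def sender_domain(address: str) -> str:
    """Everything after the @, with punycode (xn--) labels decoded to Unicode."""
    domain = address.rsplit("@", 1)[1].strip().rstrip(".").lower()
    try:
        return domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return domain  # already contains non-ASCII, or not valid IDNA


def classify_sender(from_header: str) -> str:
    """Return a one-line verdict on the address in a From: header."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "malformed address"
    domain = sender_domain(address)
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    sk = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:               # mybank.examp1e, rnybank.example, ...
        if skeleton(trusted) == sk:
            return f"lookalike of {trusted}"
    for brand in BRANDS:                          # mybank.example.attacker.test
        if brand in sk:
            return f"brand '{brand}' inside untrusted domain {domain}"
    for brand in BRANDS:                          # "MyBank Support" <x@random-mailer.test>
        if brand in display_name.lower():
            return f"display name claims '{brand}' but domain {domain} is untrusted"
    return "unknown sender"


if __name__ == "__main__":
    # Constructed headers exercising each branch.
    for header in [
        '"MyBank" <service@mybank.example>',
        '"MyBank" <service@mybank.examp1e>',
        'MyBank <alerts@rnybank.example>',
        '"MyBank" <info@myb\u0430nk.example>',
        '"Your bank" <no-reply@mybank.example.attacker.test>',
        '"MyBank Support" <alerts@random-mailer.test>',
        'Jan <jan@partner.test>',
    ]:
        print(f"{header!r:60} -> {classify_sender(header)}")
```

The skeleton comparison is what makes the 1/I and 0/O substitutions visible: both the real domain and the look-alike collapse to the same string, so equality is enough. The check runs on the decoded address, so a punycode domain is compared in the form a user would see.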
A company or organisation you do business with knows your name and will normally use it in an email, and knows whether to address you as Mr or Ms. Be alert when you are addressed in very general terms, such as 'Dear Sir/Madam' or 'Dear customer'.
Many fake emails ask you to 'check', 'update' or 'complete' your personal information, and to click a link to do so. Never do this unless you are certain it is safe. Your bank, insurance company and government authorities will never ask for personal data via email. If in doubt, call the company or organisation to confirm that they sent the email. Never use the contact details in the email for this; look them up yourself.
The current generation of fake emails is no longer full of language and spelling errors, and the logos and images used look increasingly professional and official. Read and check the email carefully for anything out of the ordinary. It also helps to compare it with a previous, genuine email from the same company or organisation.
Many fake emails try to pressure you by presenting the message as a final warning or an emergency notification, for example: "Your hosting package is about to expire; if you do not transfer amount x today, your website will be blocked". Do not respond to this by email. If in doubt, contact the hosting party by telephone, using a number you look up yourself.
Links in fake emails can install malicious software on your computer or lead you to a fake website. So never simply click links in an email you do not trust. Check where a link really goes by hovering your cursor over it without clicking: the actual address appears in the status bar or tooltip at the edge of the window, and it may differ from the text of the link. On a phone, press and hold the link to see its address.
Long links are often shortened with services such as T.co, bit.ly and Goo.gl. Useful as shortened links are, they hide the destination: you cannot tell from the link itself what you are clicking on or which website you will end up at, so remain vigilant.
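The hover check and the shortener warning above can also be applied to a whole message at once. The following is an added example, not code from the original page: it parses an HTML mail body, collects every link, and reports when the visible link text names a different host than the real target, when the link goes through a shortener, when the address hides the real host behind a user@ prefix, or when the host is a bare IP address. The sample body and its hosts (mybank.example, login-check.test, 198.51.100.23) are constructed for the example, and the shortener list is an assumption rather than a complete one.

```python
"""Added example: apply the hover-check to every link in an HTML mail body."""
import ipaddress
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

# Shortener hosts named on the page plus one more; an assumption, not a complete list.
SHORTENERS = {"t.co", "bit.ly", "goo.gl", "tinyurl.com"}

# Something that reads like an address to a human: optional scheme, dotted labels, optional path.
URL_LIKE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:[/?#].*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []          # list of (href, text)
        self._href = None        # href of the <a> currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_in_text(text: str) -> Optional[str]:
    """If the visible link text looks like an address, return the host it names."""
    text = text.strip()
    if not URL_LIKE.match(text):
        return None
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower() or None


def same_site(a: str, b: str) -> bool:
    """www.mybank.example and mybank.example count as the same site."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def check_link(href: str, text: str) -> list:
    """Return the warning codes that apply to one link (empty list = nothing odd)."""
    findings = []
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() not in {"http", "https", "mailto"}:
        findings.append("unusual-scheme")
    if parts.username:                     # http://mybank.example@evil.test/ -> host is evil.test
        findings.append("credentials-in-url")
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass                               # a normal host name, not an IP literal
    if host in SHORTENERS:
        findings.append("shortener")
    shown = host_in_text(text)
    if shown and not same_site(shown, host):
        findings.append("text-host-mismatch")
    return findings


def check_links(html_body: str) -> list:
    """Return [(href, findings), ...] for every link in the body."""
    parser = LinkCollector()
    parser.feed(html_body)
    return [(href, check_link(href, text)) for href, text in parser.links]


# Constructed sample body; the hosts are documentation/reserved names, not real sites.
SAMPLE_BODY = """
<p>Dear customer,</p>
<p>Log in at <a href="https://www.mybank.example/inbox">www.mybank.example/inbox</a>.</p>
<p>Confirm: <a href="https://mybank.example.login-check.test/verify">https://mybank.example/verify</a></p>
<p>Or <a href="http://bit.ly/3xAbCd">update your details</a> now.</p>
<p>Secure site: <a href="http://mybank.example@198.51.100.23/secure">mybank.example</a></p>
"""

if __name__ == "__main__":
    for href, findings in check_links(SAMPLE_BODY):
        print(f"{href}\n    -> {', '.join(findings) or 'nothing unusual'}")
```

Only the text of a link is compared, never the href alone, because a text like "update your details" carries no address to check; the shortener and user@ checks cover the cases where the text gives nothing away.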
An attachment in a fake email can install malicious software on your computer. Never simply open an attachment to an email you do not trust. A zip or rar file is a warning sign, because invoices and reminders, for example, are not normally sent that way. Are you expecting a file? Contact the sender to find out what they sent and how. Never use the contact details in the email for this; look them up yourself (for example on the website).
Another type of phishing is SMS phishing, or 'smishing': phishing via SMS (short message service) or messaging services such as WhatsApp or Telegram. This type of online fraud is on the rise. Criminal activity has moved into the digital domain, and now that smartphones play a central role in our (financial) activities, they are an attractive target for cybercriminals. Read more about smishing (in Dutch).