8 ways to recognize phishing


What exactly is phishing? Phishing is a type of online scam where fraudsters try to obtain sensitive information by pretending to be from a trustworthy organisation, such as a bank or a government department. For example, a professional-looking e-mail, text or WhatsApp message is sent, saying that the recipient's bank card has been blocked and explaining how to get it unblocked. The idea is to trick the recipient into visiting an insecure site and entering their login details. Similar tactics are used to get businesses to transfer money.

How can you spot a phishing scam?

Recognising and preventing phishing

1. Pressure to act quickly

A message that uses words such as 'essential', 'urgent', 'important', 'immediate' and 'payment' should always ring alarm bells. Scammers often try to create a sense of urgency, so that victims act quickly without taking the usual precautions or following the correct procedures.

2. Unknown sender

If you're unsure about an incoming e-mail, check the sender's full e-mail address, e.g. by going to the 'From' name and hovering your mouse over it. It's especially important to do that if the 'From' name is the name of a colleague, manager or well-known organisation, but something doesn't feel quite right.

3. Sensitive information request

Reputable brands and professionals won't ever e-mail you asking for sensitive information. If you do get asked, contact the company or person in question some other way to make sure the request is genuine.

4. Unexpected attachments

Never open an e-mail attachment you haven't asked for, or one that comes with a message you're unsure about. Attachments sometimes include harmful software.

5. Misleading links

Always be careful with links in e-mails and text messages. The linked words are often misleading, so hover over an e-mail link to see what the linked URL is, and whether it matches the words. Never click a link you're unsure about.

6. Insecure websites

A reliable URL will always start 'https://', and a padlock symbol will appear in the address bar when you navigate there. Click the padlock to see whether the security certificate is valid. Even if it is, stay alert, because phishing websites do sometimes have valid certificates.

7. Odd URLs

Scammers are very good at creating fake websites that look genuine. So always check a site's URL. And check out our advice on recognising scam sites from their URLs.

8. No business registration details

A reliable website or webshop will always provide the owner's business registration details, e.g. their Trade Register number or VAT number. Dutch Trade Register numbers can be looked up on the Chamber of Commerce website and VAT numbers on the European Commission's site.
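Three of the checks above (urgency wording, the sender's real address behind the 'From' name, and link text that doesn't match the linked URL) can be automated for incoming mail. The script below is an added example, not code from SIDN or the original article; the message, addresses and hosts in it are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; sender address and hosts are fictitious placeholders.
RAW_EMAIL = b"""From: "Example Bank" <support@mail-example-bank.invalid>
Subject: URGENT: your card has been blocked
Content-Type: text/html; charset=utf-8

<p>Your card is blocked. Unblock it now:</p>
<a href="http://login.example-bank-secure.invalid/unblock">https://www.example-bank.invalid/unblock</a>
<a href="https://www.example-bank.invalid/help">help centre</a>
"""

URGENCY_WORDS = ("essential", "urgent", "important", "immediate", "payment")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw):
    """Return the real sender, an urgency flag, and links whose visible text
    names a different host than the actual target (indicators 1, 2 and 5)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["from"]))        # 'From' name vs. real address
    subject = str(msg["subject"] or "").lower()
    urgent = any(w in subject for w in URGENCY_WORDS)
    parser = LinkCollector()
    body = msg.get_body(preferencelist=("html",))
    parser.feed(body.get_content() if body else "")
    mismatched = []
    for href, text in parser.links:
        shown = urlparse(text).hostname if text.startswith("http") else None
        if shown and shown != urlparse(href).hostname:   # words say one host, link goes to another
            mismatched.append((text, href))
    return {"sender": (display, addr), "urgent": urgent, "mismatched_links": mismatched}
```

Run `analyse(RAW_EMAIL)` to see all three indicators reported for the sample; feed it the raw bytes of a real message to check your own mail.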

See also: What is invoice fraud, and how can you avoid it?

Train your staff

Most cyber-attackers (96 per cent) use e-mail, while a few (3 per cent) use phishing websites, and a handful approach their targets by phone. So it's important that your staff are on the lookout for phishing mail. Regular awareness training for staff can therefore improve your organisation's resilience.

It's best to have your readiness tested by external service providers, so that no one, not even the management, knows when the tests are coming. A security audit will often involve sending simulated phishing e-mails that ask for payment of fictitious invoices or say that the recipient needs to reset their password. The way your staff respond tells you how ready they are for real electronic security threats, and discussing the findings together raises awareness of the dangers.

See also: How can you prevent BEC fraud?

SIDN BrandGuard

You can reduce the phishing threat by monitoring use of your domain name and brand on the internet. SIDN BrandGuard promptly alerts you whenever a domain name is registered that's like your brand name, including mis-spelled versions of your name. Then you're able to respond quickly to prevent your domain name being abused for phishing or other scams, such as cybersquatting, CEO fraud or domain name fraud.
