Phishing

Published by:
Digital Trust Center
5 min read

Phishing is a form of internet fraud in which cybercriminals try to get hold of personal data or passwords, or to get you to do something for them, such as make a payment or install software. They use a variety of techniques to achieve this. Below we describe the most common forms of phishing, so that you do not fall for them.

Types of phishing

Everyone can fall victim to phishing. Phishing attacks come in all shapes and sizes. Sometimes it is a request for personal and login details sent in bulk; sometimes it is a carefully prepared message aimed at one person. Some examples:

  • Spearphishing is a variant aimed at one specific person or organisation, prepared in advance to get a foothold in your organisation. Phishing is often difficult to recognise, and targeted attacks are the hardest of all: they appear to come from people or organisations you know, or mention names and details tailored to the recipient.
  • An example of ‘whalephishing’ (also called whaling) is CEO fraud (in Dutch). Here, phishing emails that appear to come from, for example, an executive are sent to people in specific key positions within a business, usually with a request to transfer money or share information.
  • In consent phishing (in Dutch), cybercriminals try to gain access to your account through a permission request (consent prompt) that appears to come from an application, often a well-known one. If you approve it, the criminals' application is granted access to your account. That access is a separate permission, so changing your password afterwards does not revoke it; the permission itself has to be withdrawn.
  • Phishing also occurs via text messages (‘smishing’) or social applications such as WhatsApp. Phony phone calls (‘vishing’) can also be used to fish for your data. Through social engineering, the callers extract information that helps them scam you or your business.
  • Sometimes cybercriminals pose as bank or helpdesk employees and trick you into revealing login details, or try to convince you to install remote desktop software so they can take over your computer. This is also called help desk fraud (in Dutch). A genuine bank or helpdesk does not call you to ask for your password or to have you install remote access software.

How do I recognise a phishing email?

How do you know whether you can safely open an email? It is often very difficult to spot fake emails, especially when it comes to targeted attacks. Below you find advice to help you identify possible fake emails.

  • Check the sender's address, not just the name. The display name is chosen freely by whoever sends the message, so it can be made identical to that of your bank or online store while the actual address is unrelated, or a variation on the real company or organisation name.
  • Look closely at the domain name from which you received the email. The domain name is everything after the @ sign in the email address.
  • Check that the domain matches the organisation's real website address exactly. A common trick is to replace letters in the domain name with look-alike digits or other letters, or to put the real name in front of a different domain.
  • The difference between a legitimate and a fake address can be hard to spot. In the following example the digit 1 has been replaced by a capital letter I. Compare mail@31008mailers.nl and mail@3I008mailers.nl. Note that even a correct sender address is not proof: the address can be spoofed unless the receiving mail server checks it (with SPF, DKIM and DMARC), so treat it as one signal among several.
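
As an added example (not part of the Digital Trust Center page), here is a small Python check that applies the comparison above to a sender address: it folds look-alike characters (1/I/l, 0/O, rn/m) to a canonical form and compares the domain with an allowlist of domains you actually deal with. The allowlist, the confusable table and the sample addresses are constructed for the example, and `classify_sender` and `fold_confusables` are hypothetical names, not a library API. It goes one step beyond the text by also catching a real name placed in front of a different domain (31008mailers.nl.account-check.com) or with a prefix glued on (secure-31008mailers.nl).

```python
import re

# Constructed allowlist for the example: the domains you genuinely receive mail
# from. The first entry is the address the text above compares.
TRUSTED_DOMAINS = {"31008mailers.nl", "digitaltrustcenter.nl"}

# Characters (and character pairs) that look alike in common fonts. Every member
# of a group is folded to one representative so "3I008" and "31008" compare equal.
CONFUSABLES = {
    "rn": "m",   # "rn" is easily read as "m"
    "vv": "w",
    "1": "l", "i": "l", "|": "l",
    "0": "o",
    "5": "s",
}


def fold_confusables(domain: str) -> str:
    """Lower-case a domain and replace look-alike characters by a canonical form."""
    folded = domain.lower()
    # multi-character pairs first, so "rn" is handled before its letters are touched
    for src, dst in sorted(CONFUSABLES.items(), key=lambda item: -len(item[0])):
        folded = folded.replace(src, dst)
    return folded


def sender_domain(address: str) -> str:
    """Return the domain part of an address: everything after the @, lower-cased."""
    match = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if match is None:
        raise ValueError(f"not an email address: {address!r}")
    return match.group(1).lower()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """
    Classify the domain of a sender address against the allowlist:
      'trusted'   exactly a known domain, or a subdomain of one (mail.known.nl)
      'lookalike' not known, but equal to a known domain after confusable folding,
                  or a known domain glued to another one (known.nl.example.com,
                  secure-known.nl)
      'unknown'   none of the above; not necessarily malicious, but not verified
    """
    domain = sender_domain(address)
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    folded = fold_confusables(domain)
    for t in trusted:
        # match only at a label boundary, so "a.nl" does not fire on "data.nl"
        pattern = r"(^|[.-])" + re.escape(fold_confusables(t)) + r"($|[.-])"
        if re.search(pattern, folded):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # constructed sample addresses
    for addr in ("mail@31008mailers.nl", "mail@3I008mailers.nl",
                 "helpdesk@31008mailers.nl.account-check.com", "noreply@example.org"):
        print(f"{addr:45} {classify_sender(addr)}")
```

The check deliberately errs on the side of flagging: an 'unknown' result only means the domain is not on your list, and a 'lookalike' result is a reason to look up the organisation's contact details yourself rather than to reply.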

If you do business with a company or organisation, it will usually address you by your last name and know whether you are a man or a woman. Be alert if you are addressed with very general terms such as 'Dear Sir/Madam' or 'Dear customer'.

Many fake emails ask you to 'check', 'update' or 'complete' your personal information. To do so, you must click a link. Never do this, unless you are certain it is safe. Your bank, insurance company and government authorities will never ask for personal data via email. Call the company or organisation to make sure they sent the email themselves. Never use the contact details in the email for this, but look them up yourself.

The current generation of fake emails is no longer full of language and spelling errors, and the logos and photos used are increasingly professional and official-looking. Read the email carefully for anything that is out of place, and compare it with a previous (real) email from the company or organisation.

Many fake emails try to put you under pressure by claiming this is a final warning or an emergency notification, for example: "Your hosting package is about to expire; if you do not transfer an x amount today, your website will be blocked". Do not respond to this by email. If in doubt, contact the hosting party by telephone, using a number you look up yourself.

Links in fake emails can cause malicious software to be installed on your computer or lead you to a fake website. So never just click on a link in an email you do not trust. Check where the link really goes by hovering your cursor over it without clicking: the real address appears in the status bar or in a small tooltip. On a phone, a long press on the link usually shows the address. Pay particular attention when the text of the link itself looks like a web address, because the address shown in the text can be completely different from the one the link actually opens.

Long links are often shortened using services such as T.co, bit.ly and Goo.gl. Useful as shortened links are, they hide the real destination, so you as the recipient must remain vigilant: it is difficult to find out exactly what you are clicking on and which website you will be taken to.

An attachment in a fake email can also install malicious software on your computer. Never just open an attachment to an email you do not trust. Treat a zip or rar file as suspicious: invoices and reminders are not sent that way, and criminals use archives because they can hide executable files and get past mail filters that would block them. Are you expecting a file? Contact the sender to find out what they have sent and how. Never use the contact details in the email, but look them up yourself (for example via the website).

How do I respond to phishing?

Each form of phishing has different risks. Sometimes it is about stealing money, by capturing bank details, for example. Or it is about obtaining sensitive information, personal data, or trade secrets. A phishing attack can also be a first step in a more complex hacking attempt in which malicious people want to gain access to your network. Here is what you need to do when dealing with phishing:

Actions after phishing

First determine what kind of phishing incident has taken place. Were passwords captured? Has malware been installed? Were unwanted payments authorised? Once you know that, you can take follow-up steps. Maybe you already have an incident response plan that describes how to deal with such an incident. If you do not have one, a good next step is to remove the phishing email from mailboxes so nobody can accidentally cause the same incident again; keep one copy (or forward it, including its headers, to whoever investigates) so that the sender, links and attachments can still be examined.

  • Passwords: If passwords or other login details have been captured, change them immediately. If you have used the same password elsewhere, change it there too. Also sign out all active sessions for the account and check that two-factor settings and recovery addresses have not been changed, because the attacker may already be logged in. After consent phishing, withdraw the permission granted to the application; a new password does not do that.
  • Malware: Disconnect the system from the network first. Malware can sometimes be removed, but it is safer not to take the risk and to reinstall the system. Also take stock of whether the malware has spread further.
  • Payments: Payments can be reversed or stopped in some cases. Above all, report such incidents quickly to your bank so they can keep watch for suspicious payments.
  • Data breach: If personal data has been captured, changed or deleted, then you have a data breach and may need to report it to the Data Protection Authority.

Questions relating to this article?

Please contact Digital Trust Center