Watch out for phishing

Cybercriminals try to steal your money, personal details, or passwords using false messages. That is called phishing. But what is it exactly and how do you recognise it? And what should you do once you have opened such a fake message?

What is phishing?

Phishing is a type of digital fraud. Criminals mislead you by using fake emails, QR codes, and text or WhatsApp messages. The messages appear to come from a well-known, and often reliable, organisation, such as a government organisation or a bank. Criminals use these messages to steal your login details, credit card information, pin code, or other private information. There are also criminals who send emails on behalf of KVK. So always check if a message really is from KVK.

How can you recognise phishing emails?

It can be difficult to spot the difference between a fake email and a real one. You can recognise a phishing email by focusing on these features:

Sender

Take a close look at the sender's email address. Criminals tend to use an unknown email domain or a made-up version of the existing email domain of an organisation. So be sure to check the domain name: that is everything after the @. Check that the domain name matches that of the real website. Another way of sending fake emails is by replacing domain name letters with digits. For example, criminals use info@ub0.kvk.nl. Or a very subtle one: replacing a lowercase 'l' with an uppercase 'I'.

Note: sometimes nothing about the sender looks strange. In that case, criminals have used the real email address of a company as the sender. That technique is called spoofing. So, an email address that looks exactly like the email address of a company you know does not always mean that the message is reliable.
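The sender checks described above can also be automated in a mail filter. The sketch below is an added example, not KVK's own code. It assumes a constructed list of trusted domains (`examplebank.nl` and the mail server name `mx.example.net` are made up) and assumes that your own mail server adds an `Authentication-Results` header to incoming mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the sender domains you expect real mail from (constructed list).
TRUSTED = {"kvk.nl", "examplebank.nl"}
# Look-alike swaps: digits for letters, uppercase 'I' for lowercase 'l'.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "I": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Fold look-alike characters, then lowercase: 'kvk.nI' -> 'kvk.nl'."""
    return domain.translate(CONFUSABLE).lower()

def classify_sender(raw_message):
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2]          # everything after the @
    if domain.lower() not in TRUSTED:
        if skeleton(domain) in {skeleton(t) for t in TRUSTED}:
            return "lookalike-domain"            # imitates a trusted domain
        return "unknown-domain"
    # Exact match can still be spoofed. Only rely on an Authentication-Results
    # header that your own mail server added when it received the message.
    results = msg.get("Authentication-Results", "")
    if re.search(r"\bdmarc=pass\b", results, re.IGNORECASE):
        return "trusted-and-authenticated"
    return "possible-spoofing"

def sample(from_header, auth_results=None):
    """Build a constructed test message."""
    lines = [f"From: {from_header}", "Subject: Last warning"]
    if auth_results:
        lines.append(f"Authentication-Results: {auth_results}")
    return "\n".join(lines) + "\n\nPlease update your details.\n"

if __name__ == "__main__":
    ok = "mx.example.net; spf=pass; dkim=pass; dmarc=pass header.from=kvk.nl"
    fail = "mx.example.net; spf=fail; dkim=none; dmarc=fail header.from=kvk.nl"
    for msg in (sample("KVK <info@kvk.nl>", ok),
                sample("KVK <info@kvk.nl>", fail),
                sample("KVK <info@kvk.nI>"),
                sample("Bank <service@examp1ebank.nl>"),
                sample("KVK <info@ub0.kvk.nl>")):
        print(classify_sender(msg))
```

A message that is not an exact match for a trusted domain is flagged either way; the look-alike label only tells you which organisation is being imitated.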

Impersonal

Fake emails are usually not addressed to you in person. Pay close attention when an email uses a general greeting, such as 'dear customer' or 'dear Sir, Madam'. Your bank or insurance company will always use your name.

Language errors

You can often recognise phishing messages by the bad spelling. The criminal knows this too. So, they are increasingly sending messages without errors. Still, keep an eye out for sloppy messages with style and language errors. Also know that criminals copy websites and logos well.

Urgent

Con artists who send phishing emails try to put pressure on you. For example, by making the message seem urgent by using words like 'last warning' or 'last chance'. The fraudster will claim that your account is about to expire, or that you risk missing a special discount unless you react straightaway. 

Personal details

Fake emails often ask for your private details. Often, you need to click a link to 'update' or 'check' your private details. Think twice before doing so. Banks, credit card companies, and government organisations never ask for personal details in a message. Contact the organisation that supposedly sent the email by phone. Do not use the contact details provided in the email. Look them up yourself.

Harmful link or attachment

Never click on links or open attachments in an email unless you are absolutely sure they are safe. Clicking on a link or opening an attachment may install harmful software on your computer. Or it takes you to a fake website, where you have to provide personal information. Do you want to see where a link leads? Hover the mouse cursor over the link. The website address will appear, either just above the cursor or in the bottom left of your screen.

Does this message come from KVK?

There is a good chance that you have recently received a fake email from 'KVK'. Criminals use the KVK name to scam entrepreneurs. There are now more than 50 different phishing emails in circulation, pretending to be sent by KVK.

What you need to know:

  • KVK never issues fines and does not threaten to do so.
  • KVK never threatens to terminate your registration in the Business Register.
  • KVK never asks you to provide information in e-mails or text messages.

Read more in 'Did KVK really send this email?'.

Other forms of phishing

Fraudsters use other channels besides email. Any social media platform on which entrepreneurs are active is used to send fake messages: for example, text messages, WhatsApp, LinkedIn and QR codes.

SMS phishing

Criminals also send text messages to try and get your personal details. Never reply to a text message sent by your 'bank' or 'credit card company'. It is probably a fake message. Log into your bank account on the website to see what real messages have been sent to you. And when in doubt, call your bank.

WhatsApp phishing

WhatsApp fraud has become very popular. It often takes the form of a personal message. This is also called 'friend-in-need fraud'. Never react to a WhatsApp message from your 'daughter' asking for a code or password, or a money transfer. Always call the person who supposedly sent you the message, and ask them if they really sent it.

Do you use WhatsApp for your business, and have you received a strange message? Check a different channel, like phone or email, to see if the sender really did send it.

LinkedIn phishing

Not everyone uses LinkedIn with good intentions: criminals misuse it as a source of information and to send phishing messages. Be aware of what you share on LinkedIn, and with whom. Of course, that applies to all the social media channels you use.

QR code phishing

Another phishing method is QR code phishing. Criminals try to use it to rob your bank account. This is how it works: you receive a fake letter or email, claiming to be from your bank. In the fake message, you are asked to apply for a new bank card or to accept a new bank app. To do this, you have to scan the QR code in the message. This QR code leads you to a phishing website, where the fraudsters steal your login details. These give them access to your bank account.

A QR code is a square with black and white blocks. Those blocks contain information, such as a website address, phone number, or payment request. The risk lies in the fact that you do not know which information a QR code contains before you scan it. So be careful and run all the checks on the letter or message before you scan the QR code. Make sure you know who you are dealing with. 

Tip: some barcode scanning apps show you what information the QR code contains, and ask if you want to follow the link or discard it.

New scams on social media platforms

Criminals are forever looking for new ways to get their victims' money or information. That is why they keep coming up with new ways to scam entrepreneurs. The messages they fool you with keep changing. So, stay alert if you receive an unexpected message. Never respond if the sender pressures you to do something right away, asks for personal information, or asks you to click on something.

Are you a victim of phishing?

If you are a victim of phishing, two things are important: find out what kind of phishing it is and always report it.

After a phishing incident

Are you dealing with a phishing incident? Find out what kind of phishing it is. Have passwords or personal details been stolen? Have unwanted payments been made? Did you unintentionally install malware? This is what you can do:

  • Passwords: change your passwords or other login details immediately if they are stolen. If you use the same password in several places, change it everywhere to a new unique password.
  • Payments: sometimes you can reverse unwanted payments. As soon as you detect that an unwanted payment has been made, contact your bank or credit card company.
  • Malware: this is an umbrella term for all software that damages computers or other devices. Did you open an attachment you did not trust? Check your computer system for harmful files or programs using protection software.
  • Personal details: if the personal details of, for example, customers, suppliers, or personnel have been stolen, this constitutes a data breach. You must report such a breach to the Dutch Data Protection Authority ('Autoriteit Persoonsgegevens') within 72 hours.
  • Have you already sent personal details, for example in response to a phishing email? Then also be alert to helpdesk fraud. A scammer will call you and pretend to be a friendly helpdesk employee of, for example, a bank or software company. The scammer supposedly wants to help you with problems with your bank account or computer. Do not respond. End the call.

  • Have you been hacked or do you think you have been hacked? At Hackhelpdesk.nl (in Dutch) you will find a step-by-step plan and practical solutions to prevent further damage.

Reporting phishing

Are you a phishing victim? Report it to the following organisations:

  • Report it to the Fraud Helpdesk.
  • Report it to the police. You will need to visit a police station. Call 0900 - 8844 to make an appointment.
  • Contact the organisation in whose name you received the phishing messages. Many organisations have dedicated email addresses for reporting fake messages. Did you receive a phishing mail pretending to come from KVK? Let us know by emailing valse-email@kvk.nl.

Has your business fallen victim to phishing? Please get in touch with us. Share your experience via kvk.cyber@kvk.nl.