NIS2: Sind Sie im Anwendungsbereich?
Das neue belgische Cybersicherheitsgesetz tritt in Kraft. Konsultieren Sie es jetzt.
What is it, how to protect from it and how to react to it.
What is a spam?
A spam is an unsolicited message received for advertisement, marketing or malicious purposes. It can be of two types:
- Electronic: sent via email, instant messaging or social media, usually for marketing purposes that didn’t ask for customers’ consent. It can also take malicious forms such as a request for a wire transfer or sending a phishing attempt or a malware.
- Phone: sent via SMS, MMS or through a phone call, usually for marketing purposes. It can also take malicious forms such as sending messages to a chargeable number or a phishing attempt.
How to protect from phone and electronic spam?
1. Watch out for unexpected messages.
Scams can happen through SMS, email or social media. As it is impossible to predict the time of a potential cyber-attack, all unexpected messages should be paid enough attention to. The most known cyber-attack using unexpected messages is phishing. To help assess the legitimacy of a message, the following questions can serve as a first indication of a scam:
To help assess the legitimacy of a message, the following questions can serve as a first indication of a scam:
- Is the sender someone I know?
- Was I expecting a message on the topic mentioned?
- Is the message asking for information such as a username, a password or bank account information?
- Is it urgent?
- Where does the link lead to? (only hover on it with your mouse, do not click)
- Is there a QR code in the message?
- Am I being addressed personally?
- Does the message contain linguistic errors?
- Is the message in the Spam / Junk folder?
- Is someone trying to make me curious?
- Is a payment requested?
2. Use a filtering or anti-spam software
Filtering or anti-spam software can help limit the number of spam received. Some antivirus allow you to configure that option.
Use filtering rules in your mailbox
Most email service providers offer the possibility to create filtering rules to filter and/or delete junk messages.
Use the filtering options from your phone operator
Some operators offer the possibility to filter phone numbers and identify those that can potentially be a spam.
3. Pay attention when filling in an enrolment form, making orders or participating in contests
Email addresses can figure in the wrong database, used for spamming purposes, without the user’s consent. Before accepting any kind of communication or subscription, check the legitimacy of the website by:
- Checking the address of the website and watch out for the ones that look legitimate but aren’t (for example myorganisation [.]be instead of my[.]organisation [.]be);
- Check the reputation of the website;
- Check how unbelievable and amazing offers and promotions are; and
- Check how the payment is requested (e.g., through a parcel or transport organisation).
Look for https in a website address
The beginning of a web address should be displaying https, not only http. This indicates that the information the visitors are providing can only be read by the website itself. The ‘S’ should always be there when surfing online, however, despite https the website might still be malicious.
4. Unsubscribe from or delete unused accounts
As soon as an account is not used anymore, it is better to delete it completely to make sure the information it contains cannot be accessed without the owner’s knowledge.
5. Create different email addresses based on your needs
A good practice to adopt is to use separate accounts for different purposes, e.g., social media, personal, professional, commercial sites, etc.
The difference between professional and personal life is becoming more and more difficult to make. You can find best practices for separating professional and personal usage on our dedicated article, such as:
- Differentiating professional and personal chat services;
- Differentiating professional and personal backup services; or
- Using different passwords for professional and personal accounts.
6. Adopt the best practices to secure your social media accounts
Social media have become an important asset for organisations to use for communication and information. Despite the benefits those publicly available platforms might bring, they can also become a huge attack surface and be used for spam. Every organisation needs to make sure that all its social media are secured correctly by applying for example, the following best practices:
- Securing the access to the accounts with strong passwords;
- Reviewing the confidentiality parameters and restricting the visibility on personal information;
- Paying attention to what the organisation and others post;
- Controlling third-party applications; or
- Avoiding using a public Wi-Fi and a public computer.
All information on how to secure social media can be found on our dedicated article.
How to react to a spam?
1. Do not reply to it, do not open any attachment and do not click on the links
The most important thing to do when getting a spam message is to not follow-up on it.
2. Never share bank information requested via text or email
Keep in mind that no banks will ever provide a direct link to log into a bank account via text or email, and they will never ask for pin or secret codes, whether in writing, or by phone.
3. Report the spam message and delete it
The spam message should be reported to the IT responsible and to the relevant national authority (suspicious@safeonweb.be (EN); suspect@safeonweb.be (FR); verdacht@safeonweb.be (NL/DE)) and immediately deleted. When a message is already in the Spam folder, it should definitely not be trusted.
What to do if you get scammed?
- Report the incident immediately to your IT responsible
- Warn your collaborators that they might be getting the same spam message and that they should not trust it.
- Change all the passwords that were given (if any) on all the accounts they are being used.
- If the scam was about bank details and you notice that money was stolen from your account, file a complaint with the police.
- Immediately call Card Stop on +32 78 170 170 and make sure to check your account statements. If you identify any suspicious activity, immediately call your bank so they can help you out.
Report every incident. Always.
Always report any incident that might have happened to you, that you witnessed, or that you are aware of to your IT responsible. The sooner the right people can act on it, the smaller the consequences of the incident.
The aim of this content is to share and raise awareness of good cyber security practice.
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.