Cybercriminals are always looking for ways to steal data and get access to organisations and valuable information such as personal and banking data, with the intention to misuse and possibly monetise them. One of the most common ways they do so is by phishing an organisation’s collaborators. In this article, you will find some tips and tricks to help assess the legitimacy of an email and make sure you do not give valuable information to the wrong person.

What is phishing?

Cybercriminals use fake emails or phone calls in order to collect company information, personal data, or login credentials to be used for gaining unauthorized access to computers or applications. Once they are in, they try to obtain confidential information, sell the login credentials and/or sensitive information, or gain profit – for example via ransomware.

To extract information or to convince the victim to do something in their favour, cybercriminals will play on something the victim believes into or impersonate a trusted person by playing on authority, a sense of urgency, or by leveraging on human instinct to help each other out.

Follow the policy

Always respect your organisation’s password policy, acceptable use policy and data classification policy to ensure a sufficient and consistent level of cybersecurity.

A set of reference documents templates is available to ensure a quick and smooth implementation of cybersecurity policies within your organisation.

Email phishing

The classic type of phishing is through email. Cybercriminals send an email which appears legitimate asking the victim to open an attached file or to click on a link. The attachment usually downloads a malware and installs it on the victim’s computer or mobile phone. The link redirects to a website, which at first time seems unharmful but in reality is trying to steal sensitive information, like credentials and password in order to gain access to an organisation’s accounts or its collaborators’, social, personal and/or banking accounts. Clicking on a link could also trigger an automatic download of a malicious software (a malware) into the device.

Phone phishing (and smishing)

Another type of phishing also used nowadays is the phishing through phone. Either by sending an SMS (which is called smishing) or through a phone call, the ultimate goal remains the same: cybercriminals will try to get access to an organisation’s information and/or to its collaborators’ personal accounts and misuse them. Through text, they can send a link and lure the victim into clicking on it to enter credentials and password. Through call, they can try to manipulate the victim in order to get personal information and use them later to access their professional, social media and bank accounts or other personal information.

How to recognize a phishing email?

Several techniques are used by cybercriminals to make sure their victim opens the wrong attachment or click on the wrong link. A few tips are gathered in this article to help avoid getting scammed by a phishing attempt. The main questions collaborators should ask themselves are the following:

  • Is it unexpected?

You received a message for no reason: you did not buy anything, have not had contact with them for a long time, etc. Investigate further.

  • Is it urgent?

Stay calm: did you really get a first reminder to pay? Do you know that 'friend in need'?

  • Do you know the person who sent the e-mail?

Check the e-mail address, and also check for spelling errors. However, beware: a legitimate e-mail address is no guarantee.

  • Do you find the request strange?

An official body will never ask you for your password, bank details or personal details via e-mail, SMS or over the telephone.

  • Where does the link you need to click on lead to?

Hover over the link with your mouse. Is the domain name, the word before “.be”, “.com”, “.eu”, “.org”, etc. and before the very first slash "/", really the organization’s name?

An example:

If a QR code is shown, check carefully which website it refers to. When you scan the code, you will see the url. Check the domain as described above.

  • Are you being personally addressed?

Be wary of messages using general and vague titles, or your e-mail address to address you.

  • Does the message contain many linguistic errors?

Although seasoned cybercriminals tend to use language correctly, language errors or a foreign language can indicate a suspicious message.

  • Is the message in your Spam / Junk folder?

If so, be extra careful. You can also mark suspicious messages as Spam or Junk to warn others.

  • Is someone trying to make you curious?

Everyone would be curious about messages with a link reading "Look what I read about you ..." or "Are you in this picture?", but do not be tricked.

  • Are you asked to make a payment?

If you are asked to make a payment that you are not expecting, always be careful. Is the account number the same number you usually use to pay that organisation or person? If not, do not make the payment. Often phishing emails use foreign account numbers or ask to make payments through a crypto wallet. This is suspicious.

If you are in doubt about a payment, check with your bank first, or with the organisation claiming the payment. Do not do this through the contact details in the mail, but go directly to the website of the organisation itself.

Identify the hidden URLs by hovering your mouse over the links

On a computer, hover with your mouse over the provided link without clicking on it: the full URL will appear. If it looks suspicious, do not click on it. And if you need to visit that website, go to the official website typing its address yourself or looking for it with a trusted search engine.

How to react to a phishing email?

  1. Do not reply to it, do not open any attachment and do not click on the links
    The most important thing to do when getting a phishing email or text is to not follow-up on it.
  2. Reach out directly to the sender
    If after all the tips given, you still cannot tell if it is a phishing email or not, check directly with the person involved via a different mean. If the email sender seems to be a colleague, a client or a provider, call that person to see if they really need your help on something. If it is from another organisation, check their official website entering their official address yourself in the address bar.
  3. Never share bank information requested via text or email
    Keep in mind that no banks will ever provide a direct link to log into a bank account via text or email, and they will never ask for pin or secret codes, whether in writing, or by phone.
  4. Report the phishing attempt and delete the email/text
    The phishing email or text should be reported to the IT responsible and to the relevant national authority ( (EN); (FR); (NL/DE)) and immediately deleted. When a message is already in the Spam folder, it should definitely not be trusted.

What to do if you get scammed?

  1. Report the incident immediately to your IT responsible
  2. Warn your collaborators, client and providers that they might be getting a message from someone impersonating you but that they should not trust it.  
  3. Change all the passwords that were given (if any) on all the accounts they are being used.  
  4. If the scam was about bank details and you notice that money was stolen from your account, file a complaint with the police.  
  5. Immediately call Card Stop on +32 78 170 170 and make sure to check your account statements. If you identify any suspicious activity, immediately call your bank so they can help you out.

Report every incident. Always.

Always report any incident that might have happened to you, that you witnessed, or that you are aware of to your IT responsible. The sooner the right people can act on it, the smaller the consequences of the incident.

The aim of this content is to share and raise awareness of good cyber security practice. 
Some of this advice may apply differently depending on the context of your organisation.
Always comply with the policy and instructions in force in your organisation.
If in doubt, always ask your IT manager for advice first.