Phishing is an online scam that uses fake emails, text messages or websites to trick you into clicking a link or handing over confidential information. It is now the main entry point for cyberattacks: according to ENISA, the EU cybersecurity agency, phishing accounts for around 60% of initial intrusions. At the office, a single click can compromise an entire organisation.
Spotting a suspicious message
Before you click, ask yourself:
- Is it unexpected or urgent? A false sense of urgency (act now) is a classic trick.
- Do you know the sender? Check the email address and look for spelling mistakes or a mismatched domain — like micros0ft.com with a zero. A legitimate-looking address is still no guarantee.
- Is the request strange? An official body will never ask for your password or bank details by email, text or phone.
- Where does the link lead? Hover over it without clicking and check the domain name, just before the first slash. Be wary of QR codes ('quishing') too.
- Are you asked to pay? An unusual or foreign account number, or a crypto wallet, should raise a red flag.
Phishing comes in many forms: besides email, there is SMS phishing ('smishing'), voice phishing ('vishing') and QR-code phishing ('quishing'). Criminals increasingly use artificial intelligence to write very convincing messages, so vigilance remains your best defence.
How to react
Don't click any link or open any attachment in a doubtful message. If you receive an unexpected attachment, confirm with the sender through another channel before opening it. In Belgium, forward suspicious messages to suspicious@safeonweb.be, where links are analysed and then blocked in browsers; in Outlook you can also use Report and then Report phishing. If you already clicked, enter no data, never share a personal code, and change any reused password immediately. Confirm that multi-factor authentication is on, notify your IT team, and don't forward the suspicious link to anyone else.
Reduce the risk up front
Keep browser protection such as Microsoft Edge SmartScreen switched on to block known phishing sites, and install the Safeonweb browser extension, which warns you when a website is unsafe. When in doubt, don't click — think before you click.