Digital hygiene guide

Everyday protection against phishing, booby-trapped messages and phone scams. Belgium / European Union edition.

Download the PDF Updated: June 2026 · PDF · A4 · French

01 —The 3 universal warning signs

Almost every scam — by phone, e-mail, SMS or messaging app — combines at least one of these three psychological levers.

Urgency

“You have 10 minutes!”

“Account blocked”, “final reminder”, “parcel returned today”: urgency is designed to short-circuit your thinking.

Authority

“Police, bank, Card Stop…”

The caller claims to be your bank, the police or technical support. The number displayed can be spoofed.

The secret code

“Give us the code you received by SMS”

You are asked for a code, a password, your card details or to install an app. No legitimate party asks for that.

Two levers at once = hang up or delete immediately. A confirmation code is never shared: giving it is signing.

02 —The 7 golden rules

  1. 01

    A confirmation code is never shared. Not by phone, not by SMS, not “with support”. A code authorises an operation: giving it is signing.

  2. 02

    Hang up and call back yourself. Using the official number: the back of your bank card or the official website typed by hand.

  3. 03

    Never click a link in an unsolicited message. Open the app or the official website yourself.

  4. 04

    Fear + pressure = scam. A Belgian authority or bank never threatens over the phone and always leaves time to verify.

  5. 05

    Neither the bank, nor Card Stop, nor the police. Nobody asks for codes, passwords or transfers to a “safe account” — it does not exist.

  6. 06

    Unique password + two-factor authentication. On every important account: e-mail first, then bank, itsme, messaging apps.

  7. 07

    Verify through another channel. A relative’s “new number”? Call the old one. Agree on a secret family password.

03 —Daily digital hygiene

Passwords & access

  • At least 12 characters, unique per account — use a password manager.
  • Two-factor authentication everywhere: e-mail, bank, itsme, CSAM, messaging apps, social networks.
  • Review active sessions regularly and sign out unknown devices.
  • Your main e-mail account is the key to everything else: protect it first.

Devices & software

  • Install system, browser and app updates immediately.
  • Apps only from official stores — an .apk file received in a chat is not a photo.
  • Regular backups: your insurance against ransomware.
  • Screen lock and encryption enabled; separate PIN codes for phone and SIM card.

Personal data

  • Minimise your footprint: no documents, home address or real-time location on social networks.
  • Create a secondary e-mail address for shops and sign-ups.
  • The GDPR gives you the right to request deletion of your data from any European site.

Networks & browsing

  • Public Wi-Fi: never for banking.
  • Reach your bank through your bookmarks or its official app — never through a received link.
  • Check the spelling of the domain: one character changes everything.
  • Install the Safeonweb app: official Belgian alerts about ongoing campaigns.

04 —E-mails: spotting phishing

Anatomy of a booby-trapped e-mail

  1. 01
    Exotic domain

    .top, .xyz… The “bpost” display name proves nothing: only the real domain counts.

  2. 02
    Urgency + threat

    “Final notice”, “within 24 hours”: a panic lever.

  3. 03
    Small credible amount

    €2.99: the target is your card, not the amount.

  4. 04
    Real link ≠ displayed link

    Hover or long-press: the real domain appears.

  5. 05
    Booby-trapped attachment

    .html, .zip, .iso, Office macros: do not open.

AI has changed the game: no more crude spelling mistakes. Perfect English, a correct logo and your own name no longer prove anything — only the real domain, the real link and the nature of the request matter.

The right reflexes

  • Do not click: open the official site or app yourself to check whether the request really exists.
  • A legitimate organisation never asks for a password, PIN or one-time code by e-mail or phone.
  • Doubts about a “colleague” or “supplier” changing bank account? Verify by phone on the known number.
  • Forward the message to suspect@safeonweb.be then delete it: your report helps block fraudulent sites.
  • On a smartphone links are hidden: when in doubt, check again on a computer.

If you clicked or replied

  • Card details given → Card Stop 078 170 170 immediately, then notify your bank.
  • Password entered → change it everywhere it is reused, e-mail first; close all sessions; enable two-factor authentication.
  • Attachment opened → full antivirus scan; when in doubt, stop using the device for banking.
  • Money debited → bank + complaint to the local police: unauthorised payments must in principle be refunded (excess capped at €50).

05 —Messaging apps & phone scams

Essential settings (5 minutes)

  • Two-step verification on WhatsApp and Telegram: THE protection against account theft.
  • Hide your number, profile photo and “last seen” from strangers.
  • Block automatic addition to groups by strangers.
  • Review the list of linked devices and close unknown sessions.

Classic traps

  • “My SMS code ended up on your phone by mistake, send it back” → instant account theft. A code is never forwarded.
  • “Mum/Dad, this is my new number” + an urgent request for money: call the old number.
  • QR codes (“quishing”): scan only with the messenger’s built-in feature and read the warning displayed.
  • A “Photo” or “Invitation” file ending in .apk: a takeover program, not an image.
  • Voice deepfakes: a few seconds of audio are enough to imitate a voice. Agree on a secret family code word.

Common phone scam scripts

N°1

The fake bank / Card Stop call

“Suspicious transaction, confirm your codes”, then a transfer to a “safe account”… which belongs to the thief.

N°2

The fake police officer

“Cooperate with the investigation, tell no one.” The police never conduct financial investigations by phone.

N°3

The parcel / delivery

Customs fees, a code for the “courier”: the code requested actually opens your account.

N°4

The fake technical support

“A virus was detected”, then installation of a remote-access tool. Never install software at a caller’s request.

N°5

The relative in distress

“I had an accident” — sometimes with a genuinely cloned voice. Hang up and call the usual number.

N°6

The fake investment

Guaranteed returns, a dedicated “adviser”; endless taxes to “withdraw”. Check any platform against the FSMA warning lists.

N°7

The staged scenario

Several successive calls that “confirm” one another. Real authorities do not work that way.

N°8

SIM swap and others

Sudden loss of mobile network for no reason? Contact your operator: your SIM card may have been duplicated.

An unexpected call comes in

01

Money, codes, urgency?

Or an app to install? Every minute of conversation provides information and a sample of your voice.

02

Hang up

No excuse, no debate. Hanging up is not rude: it is the response recommended by the Federal Police and Safeonweb.

03

Verify yourself

Using the official number: the back of your card, the site typed by hand. Never call back the number given by the caller.

With vulnerable relatives, set the rule: “any call about money → hang up and call me first”. That single rule defeats most scripts.

06 —Victim or attempt? Action plan

  1. 01

    Block. Cards → Card Stop 078 170 170 (24/7); online banking via your bank; identity document lost or misused → Doc Stop 00800 2123 2123.

  2. 02

    Document. Screenshots, numbers, e-mails, account statements, times of the calls.

  3. 03

    Dispute. Every unauthorised operation with your bank, in writing and without delay; unresolved dispute → the Ombudsfin mediator.

  4. 04

    File a complaint. With the local police — essential for reimbursement and investigation. Some offences can be reported online via Police-on-web.

  5. 05

    Report. Fraudulent message → suspect@safeonweb.be; misleading commercial practice → FPS Economy; investment fraud → FSMA.

  6. 06

    Clean up. Passwords changed (e-mail first), sessions closed, two-factor authentication enabled, device scanned, operator notified if the SIM is compromised.

Sources: Safeonweb / Centre for Cybersecurity Belgium, FPS Economy, Federal Police, FSMA — 2026.