In 2025, Belgians forwarded nearly 10 million suspicious messages to Safeonweb. That is more than 27,000 per day. According to Febelfin, 49 million euros were stolen through phishing in Belgium in 2024 alone, and by its figures nowhere in the EU is the likelihood of actual financial damage as high as in Belgium.
Yet the biggest risk to your business is not the quantity of attacks. It’s their quality. AI tools now render phishing messages error-free, perfectly tailored to your industry and even individual employees. The misspellings and odd sentence structure that used to alert your team? Those are a thing of the past.
In this article, you will learn which 7 phishing types your employees should recognize in 2026, how these attacks work psychologically and what you can do specifically as a company.
1. AI-driven spear phishing: personal, error-free and dangerous
Classic phishing sends one generic message to thousands of recipients. Spear phishing does the opposite: one carefully crafted message specifically targeting one person within your organization.
In 2026, AI automates most of that process. Tooling gathers information in seconds from LinkedIn profiles, company websites and previous data breaches. A language model then generates an e-mail that looks exactly like a message from a known colleague, vendor or HR tool. The language is spot-on, the context is correct and the formatting is identical to what your employee receives every day.
When this type of attack targets senior management (CEO, CFO, executives), it is referred to as whaling. The attacker then poses as a lawyer, supervisor or business partner and creates a scenario that requires strict confidentiality and immediate action. Consider an urgent request to approve payment for a “confidential acquisition.”
How to recognize:
- Unexpected requests to transfer money or share sensitive data, even if the sender seems familiar
- Emphasis on confidentiality (“don’t discuss this with anyone”)
- Time pressure that prevents you from taking a moment to think or verify
2. Quishing: the QR code as a trap in disguise
QR codes are everywhere. From parking meters and menus to invoices and manuals. We are so used to scanning them that we barely even think when we open them. That reflex is exactly what cybercriminals are exploiting through quishing, a combination of QR code and phishing.
The principle is simple but effective. Instead of a clickable link in an e-mail, the attacker inserts a QR code. Many e-mail filters only scan the text and links of a message and do not decode the URL hidden in the pixels of an image, so the message slips through. Modern gateways increasingly do decode QR codes, but you should not assume yours does.
The risk increases because your employee scans the code with a smartphone. That smartphone is often outside the control of the IT department, especially under a Bring Your Own Device policy, so the corporate web filter and endpoint protection never see the link. The code then leads to a fake website that steals login credentials, or starts the download of malware.
Quishing is not limited to e-mail. Local police forces regularly warn about fraudulent QR codes pasted over real codes on parking meters, posters and paper invoices.
How to recognize:
- Unexpected QR codes in emails, especially with an urgent request
- QR codes in physical locations that look “over pasted”
- After scanning: look at the full URL your phone shows before you open it, and never enter login credentials on a page you reached through a QR code
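The last check above can be made systematic. The following Python example, added here and not code from the original article or from Cyberplan, takes a URL as decoded from a QR code and applies the checks a practitioner would run in their head before opening it: non-HTTPS scheme, a username before an "@" that hides the real host, a bare IP address, punycode labels, link shorteners, a trusted sign-in hostname or brand name buried inside an untrusted host, and open-redirect parameters. The allowlist of trusted sign-in hosts and the brand, shortener and parameter lists are constructed assumptions; adapt them to your own environment.

```python
from urllib.parse import urlsplit, parse_qs
import ipaddress

# Assumed allowlist: the sign-in hosts your organisation really uses (adapt it).
TRUSTED_LOGIN_HOSTS = {"login.microsoftonline.com", "accounts.google.com"}
# Brand strings that attackers embed in look-alike hostnames (constructed list).
BRAND_TOKENS = ("microsoft", "office365", "google", "itsme", "safeonweb")
# Link shorteners commonly used to hide a QR code's real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}
# Query parameters that often carry an open-redirect target.
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "next", "return", "goto"}


def is_trusted_host(host):
    """True when host is one of the allowlisted sign-in hosts or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_LOGIN_HOSTS)


def inspect_url(url):
    """Return warning strings for a URL decoded from a QR code.

    An empty list only means no heuristic fired; it never proves the link is safe.
    """
    findings = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if not host:
        return [f"no web host: '{parts.scheme}:' link, do not open it from a QR code"]
    if parts.scheme != "https":
        findings.append(f"scheme is '{parts.scheme}', not https")
    if parts.username is not None:
        findings.append("text before '@' is a username, the real host is " + host)
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address")
    except ValueError:
        pass  # a normal hostname
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label in host: possible homoglyph domain")
    if host in SHORTENERS:
        findings.append("link shortener: the real destination is hidden")
    if not is_trusted_host(host):
        # login.microsoftonline.com.secure-verify.example is NOT Microsoft:
        # only the right-most labels decide who owns the host.
        for trusted in TRUSTED_LOGIN_HOSTS:
            if trusted in host:
                findings.append(f"'{trusted}' appears inside the untrusted host {host}")
        for brand in BRAND_TOKENS:
            if brand in host:
                findings.append(f"brand '{brand}' in the untrusted host {host}")
    for key, values in parse_qs(parts.query).items():
        if key.lower() in REDIRECT_PARAMS and any(v.lower().startswith("http") for v in values):
            findings.append(f"parameter '{key}' redirects to another site: {values[0]}")
    return findings


if __name__ == "__main__":
    for sample in ("https://login.microsoftonline.com.secure-verify.example/",
                   "http://192.0.2.10/pay",
                   "https://example.com/r?url=https://evil.example/login"):
        print(sample, "->", inspect_url(sample) or "no findings")
```

The suffix test in is_trusted_host is the important part: a host is only trusted when an allowlisted name forms its right-most labels, which is exactly the property a human eye skips over when a long URL starts with a familiar name.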
3. Browser-in-the-Browser: the fake login window that looks perfect
For years we taught employees to check two things when logging in: is the URL in the address bar correct, and do you see the padlock (HTTPS)? The Browser-in-the-Browser (BitB) attack defeats both checks when they are applied to the login pop-up, because that pop-up is not a real browser window at all.
In a BitB attack, your employee lands on a website that asks to log in via Microsoft 365, Google Workspace or another trusted service. A pop-up window appears that looks identical to a real login screen. The address bar in that window neatly displays login.microsoftonline.com, complete with padlock.
But that pop-up window is fake. It is built with HTML and CSS as a layer inside the rogue web page, and the attacker decides what its fake address bar shows. The real address bar at the top of the browser still shows the attacker's domain, but the eye has moved to the pop-up. Your employee sees exactly what they expect to see, enters their password, and it goes directly to the attacker.
How to recognize:
- Try dragging the login window outside the main browser window. A real pop-up is a separate window and can be moved past the edge of the page; a fake one is part of the page and gets clipped. Also look at the real address bar at the top of the browser: it shows where you actually are
- Note: Did you come to this page through an unexpected link or advertisement?
- When in doubt, use a password manager. That will not automatically enter anything on a fake domain
4. MFA fatigue: the attack that depletes your security
Multi-factor authentication (MFA) is one of the best security measures available. Yet only 46% of Belgian organizations have fully implemented MFA on all their remote connections, according to research by the CCB. And even those who use MFA are not automatically secure.
In an MFA fatigue attack, the criminal already has an employee's password, for example from a previous data breach or phishing attack. They try to log in, and the system correctly sends a push notification to the employee's smartphone. The employee declines. But the attacker does not give up. Using automated scripts, they fire off dozens or hundreds of login attempts. The smartphone is bombarded with notifications, often late at night, at the weekend or in the middle of a meeting.
The strategy leans entirely on attrition. At some point, the employee clicks “Approve,” out of frustration, fatigue, or assuming IT is doing an update. That one moment of weakness gives the attacker full access.
How to recognize and prevent:
- Never approve an MFA request that you did not initiate yourself
- Are you receiving repeated MFA notifications? Report this to your IT department immediately
- Turn on number matching so a push cannot be approved blindly, and move to phishing-resistant MFA (FIDO2 hardware keys or passkeys) for the accounts that matter most. Number matching stops the fatigue attack; only FIDO2 also stops the attacker who phishes the code
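The bombardment described above is visible in sign-in logs long before anyone approves. The following Python example, added here and not code from the original article or from Cyberplan, runs a sliding-window detection over constructed sign-in events: five or more unapproved pushes (denied or timed out) for one user within ten minutes raise an alert, and an approval that follows the burst marks the alert as a likely compromise. The log format, user names and thresholds are constructed assumptions; real Entra ID or Okta exports carry their own field and result names, which you map onto these.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sign-in events: UTC timestamp, user, MFA result, source IP.
# Real Entra ID / Okta exports use their own field names; map them onto these.
SAMPLE_LOG = """\
2026-01-14T02:10:05,a.peeters@example.be,MFA_DENIED,203.0.113.7
2026-01-14T02:10:41,a.peeters@example.be,MFA_DENIED,203.0.113.7
2026-01-14T02:11:20,a.peeters@example.be,MFA_TIMEOUT,203.0.113.7
2026-01-14T02:12:02,a.peeters@example.be,MFA_DENIED,203.0.113.7
2026-01-14T02:12:55,a.peeters@example.be,MFA_DENIED,203.0.113.7
2026-01-14T02:14:10,a.peeters@example.be,MFA_TIMEOUT,203.0.113.7
2026-01-14T02:15:33,a.peeters@example.be,MFA_DENIED,203.0.113.7
2026-01-14T02:16:40,a.peeters@example.be,MFA_APPROVED,203.0.113.7
2026-01-14T09:30:00,k.dewit@example.be,MFA_DENIED,198.51.100.22
2026-01-14T09:30:20,k.dewit@example.be,MFA_APPROVED,198.51.100.22
2026-01-14T09:31:00,l.maes@example.be,SUCCESS,198.51.100.23
"""

UNANSWERED = {"MFA_DENIED", "MFA_TIMEOUT"}   # a push the user did not approve


def parse_event(line):
    ts, user, result, ip = line.strip().split(",")
    return datetime.fromisoformat(ts), user.lower(), result, ip


def detect_mfa_fatigue(log_text, threshold=5, window=timedelta(minutes=10)):
    """Alert on users who receive `threshold` unapproved pushes within `window`.

    Returns one alert dict per user; approved_after_burst is True when an
    approval follows the burst, which is the moment the attack succeeded.
    """
    pushes = defaultdict(deque)   # user -> timestamps of recent unapproved pushes
    alerts = {}                   # user -> alert (one per user, updated in place)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, result, ip = parse_event(line)
        if result in UNANSWERED:
            q = pushes[user]
            q.append(ts)
            while ts - q[0] > window:          # drop pushes older than the window
                q.popleft()
            if user in alerts:
                alerts[user]["pushes"] += 1
                alerts[user]["source_ips"].add(ip)
            elif len(q) >= threshold:
                alerts[user] = {
                    "user": user,
                    "first_push": q[0].isoformat(),
                    "pushes": len(q),
                    "source_ips": {ip},
                    "approved_after_burst": False,
                }
        elif result == "MFA_APPROVED" and user in alerts:
            alerts[user]["approved_after_burst"] = True   # treat as compromised
            alerts[user]["source_ips"].add(ip)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG):
        action = "revoke sessions, reset password" if alert["approved_after_burst"] else "contact user"
        print(alert["user"], alert["pushes"], "pushes since", alert["first_push"], "->", action)
```

A single declined push (k.dewit in the sample) is normal and stays silent; the detection keys on repetition. When approved_after_burst is set, the right response is to revoke the session and reset the password immediately, not to wait for the user to report it.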
5. Supply chain phishing: the attack through your supplier
Your own security may be airtight, but what if the attack comes in through a trusted supplier? In supply chain phishing, also known as Vendor Email Compromise (VEC), criminals first target the weakest link in your supply chain.
Once they have access to a vendor’s e-mail system, they behave remarkably patiently. They observe communication patterns, billing cycles and ongoing projects for weeks or months. They learn who is responsible for what and when large payments are made.
Then they strike. An e-mail arrives from your vendor's real, legitimate e-mail address. The message fits perfectly into an ongoing conversation. The request? Often something innocuous: "Our bank details have changed due to an internal restructuring, please pay the invoice to this new account number." Because the message really does leave the partner's own mail infrastructure, all the technical checks (SPF, DKIM, DMARC) pass without a problem. Those checks prove which domain sent the message, not who was sitting at the keyboard.
How to recognize:
- Always verify changes in payment information by phone, using a number you already know (not the number from the email)
- Be extra alert to unexpected changes in contracts, invoices or account numbers
- The fact that an e-mail comes from a known address is no guarantee that the sender can be trusted
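The verification rule in the first bullet can be enforced in the accounts payable workflow rather than left to memory. The following Python example, added here and not code from the original article or from Cyberplan, validates the IBAN on an incoming invoice with the ISO 13616 mod-97 check, compares it with the bank account recorded in the vendor master data, and holds any change for a call-back on the phone number that was stored at onboarding. E-mail authentication results are deliberately not an input, for the reason given above. The vendor record, vendor ID and phone number are constructed; the IBANs are the published example IBANs for Belgium and the UK.

```python
import re

# Constructed vendor master data: the bank account and phone number you recorded
# when onboarding the supplier, never values taken from an incoming e-mail.
VENDOR_MASTER = {
    "V-1042": {
        "name": "Drukkerij Janssens bv",
        "iban": "BE68539007547034",
        "phone_on_file": "+32 3 555 01 23",
    },
}


def normalise_iban(iban):
    """Strip spaces and upper-case, as IBANs are printed in groups of four."""
    return re.sub(r"\s+", "", iban).upper()


def iban_is_valid(iban):
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace letters with 10..35, and the resulting number must be 1 modulo 97."""
    iban = normalise_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", iban):
        return False
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1


def assess_payment_request(vendor_id, invoice_iban):
    """Decide what accounts payable may do with the bank details on an invoice.

    Returns (decision, reason). Any change relative to the master record is
    held for a call-back on the phone number already on file. SPF/DKIM/DMARC
    results are not consulted: a compromised vendor mailbox passes all three.
    """
    vendor = VENDOR_MASTER.get(vendor_id)
    if vendor is None:
        return "HOLD", f"unknown vendor id {vendor_id}: onboard and verify first"
    iban = normalise_iban(invoice_iban)
    if not iban_is_valid(iban):
        return "REJECT", f"IBAN {iban} fails the mod-97 checksum"
    if iban == vendor["iban"]:
        return "PAY", "IBAN matches the vendor master record"
    reason = f"IBAN changed from {vendor['iban']} to {iban}"
    if iban[:2] != vendor["iban"][:2]:
        reason += " (different country)"
    return "HOLD", reason + f"; confirm by calling {vendor['phone_on_file']} from the master record"


if __name__ == "__main__":
    for candidate in ("BE68 5390 0754 7034", "GB82 WEST 1234 5698 7654 32", "BE68 5390 0754 7035"):
        print(candidate, "->", assess_payment_request("V-1042", candidate))
```

The checksum alone catches typos, not fraud: a mule account has a perfectly valid IBAN. The control that matters is the HOLD branch, which refuses to accept a new account number from the same channel that delivered it.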
6. Smishing and CEO fraud via WhatsApp and text messaging
The lines between work and home have blurred. Instructions are given just as easily via WhatsApp as via e-mail. Cybercriminals are eagerly capitalizing on this with smishing (SMS phishing) and CEO fraud through alternative channels.
The scenario is recognizable. A finance department employee receives a WhatsApp message from an unknown number. The profile picture shows the CEO. “My company phone is broken, I’ll use another device for a while.” This is followed by a compelling request: approve an urgent payment, buy gift cards or share confidential data.
The power of this attack is in the channel. WhatsApp is informal, fast and direct. There are no spam filters, no warning banners for external senders. And the hierarchical pressure is great: who dares refuse the CEO?
The CCB specifically warns of the continuing rise in targeted fraud via WhatsApp, Telegram and text messaging. Recent CCB figures confirm that vishing (telephone scams) is also rising sharply, with increasingly convincing AI-generated voices.
How to recognize:
- Your CEO or board will never ask for urgent payments via WhatsApp (and if that is still the company culture: change that arrangement)
- Always verify through another channel: call the person back at the official number
- Be extra suspicious of requests requiring confidentiality
7. Authority spoofing: fake messages from governments and banks
In Belgium, authority spoofing is one of the most common types of phishing. Criminals send messages that appear to come from trusted organisations: the CM health insurance fund, the RIZIV, De Watergroep, the Federal Police, FPS Finance or your bank.
The messages play on two emotions: desire (an unexpected refund) or fear (an impending disconnection, fine or even summons). Recent campaigns include fake identity verifications via CSAM (the federal government's login service), fake messages from social secretariats such as Liantis and Acerta, and fraudulent refunds from health insurance funds.
These campaigns are not random. They are timed to coincide with the tax filing period, changes in the law or current events. The scale is enormous: Safeonweb published more than 36 alerts about specific phishing campaigns in the first half of 2025 alone.
The danger to your company? When an employee opens such a message at work, for example from a private mailbox on a company laptop, one click can start a malware infection that then spreads across the network.
How to recognize:
- Government agencies and banks never ask for bank details or passwords via email or text message
- Always check the sender’s real email address (not just the display name)
- When in doubt, go to the official website yourself, never click on links in the message
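The second bullet, checking the real address behind the display name, is the kind of thing a mail client can do for the employee. The following Python example, added here and not code from the original article or from Cyberplan, reads the headers of a raw message with the standard library and reports four things: a display name that claims an authority while the address is on an unknown domain, a Reply-To pointing elsewhere than the From domain, a Return-Path on another mail system, and a DMARC result that is not "pass". The two messages, the sender domains and the authority word list are constructed; the allowlist of known sender domains holds example values you must replace with domains you have verified yourself.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allowlist: sender domains you have verified for each organisation
# (example values, replace with your own verified list).
KNOWN_SENDER_DOMAINS = {"minfin.fgov.be", "example-bank.be"}
# Words in a display name that claim authority (constructed, extend as needed).
AUTHORITY_TOKENS = ("fps finance", "fod financiën", "spf finances", "federal police",
                    "federale politie", "csam", "itsme", "riziv", "inami", "bank")

# Constructed phishing message: the display name says FPS Finance, the domain does not.
PHISH = """\
Return-Path: <bounce@mailer-4419.example.net>
Authentication-Results: mx.example.be; spf=pass smtp.mailfrom=mailer-4419.example.net; dkim=none; dmarc=fail header.from=fod-financien-be.example
From: "FOD Financiën - Terugbetaling" <noreply@fod-financien-be.example>
Reply-To: refund-desk@webmail-lookalike.example
To: an.peeters@example.be
Subject: Uw terugbetaling van 238,40 EUR staat klaar

Klik op de link om uw bankgegevens te bevestigen.
"""

# Constructed internal message for comparison.
LEGIT = """\
Return-Path: <j.vermeulen@example.be>
Authentication-Results: mx.example.be; spf=pass; dkim=pass; dmarc=pass header.from=example.be
From: Jan Vermeulen <j.vermeulen@example.be>
To: an.peeters@example.be
Subject: Agenda teamvergadering

Zie bijlage.
"""


def _domain(address):
    return address.rpartition("@")[2].lower()


def header_findings(raw_message):
    """Return warnings derived from the headers of a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    claims_authority = any(token in from_name.lower() for token in AUTHORITY_TOKENS)
    if claims_authority and from_domain not in KNOWN_SENDER_DOMAINS:
        findings.append(f"display name '{from_name}' claims an authority but the address is @{from_domain}")
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"replies go to @{_domain(reply_addr)}, not to the From domain")
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    if return_path and _domain(return_path) != from_domain:
        findings.append(f"bounces go to @{_domain(return_path)}: sent through a different mail system")
    auth = str(msg.get("Authentication-Results", "")).lower()
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    if results.get("dmarc") != "pass":
        findings.append(f"dmarc={results.get('dmarc', 'missing')}: the From domain is not proven")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, "->", header_findings(raw) or "no findings")
```

Note what a DMARC pass does and does not tell you: it proves the message came from the domain in the From header, which is why the supply chain case above still passes. The display-name check is the one that catches a look-alike domain dressed up as FPS Finance.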
As a business, what can you do against these phishing types?
The common thread through all seven attacks is the same: They target humans, not technology. The best firewalls and e-mail filters stop much of it, but the attacks that slip through are becoming increasingly difficult to distinguish from real communications.
Three measures make the difference:
Ongoing phishing simulations. One-time training sessions are insufficient. Employees must be regularly confronted with realistic test campaigns that tie in with current threats. In this way, they develop a healthy reflex that also holds up to the latest techniques.
Technical reinforcement. Turn on number matching for push MFA and roll out phishing-resistant MFA (FIDO2 keys or passkeys) for privileged and finance accounts, tighten your e-mail security, and set clear procedures for anomalous payment requests. Combine this with network segmentation so that one compromised account does not expose your entire organization.
A safety culture. Make it normal and approachable to report suspicious messages. Don’t punish employees who click in a simulation; use it as a learning opportunity. Your employees are not the weakest link; they are your first line of defense.
Frequently asked questions about recognizing phishing types
What is the difference between phishing, spear phishing and whaling?
Phishing is the collective term for all forms of digital scams via fake messages. Spear phishing is the targeted variety, where the attacker specifically targets his message to one person or department. Whaling is spear phishing that targets senior management, such as the CEO or CFO.
Can my business be hacked via a QR code?
Yes. In quishing, a fraudulent QR code leads to a fake website that steals login credentials, or initiates the download of malware. Because many e-mail filters do not decode the URL hidden in the image and employees usually scan the code with an unmanaged smartphone that bypasses the corporate web filter, quishing poses a real risk to corporate networks.
Is multi-factor authentication (MFA) still secure?
MFA remains an important layer of security, but it is not foolproof. MFA fatigue attacks attempt to wear employees down with repeated push notifications until they inadvertently approve. Number matching stops blind approvals, and phishing-resistant variants such as FIDO2 hardware keys or passkeys also resist attacks that trick the user into handing over a code.
How do I protect my company from supply chain phishing?
The most important measure is a fixed verification protocol: always confirm changes in payment data through a second channel (by phone, on a number you already know). In addition, an ISO 27001 track helps to structurally manage supplier risks.
How often should I train my employees against phishing?
One-time training sessions have little long-term effect. Ongoing phishing simulations, at least every 4 to 6 weeks, ensure that employees develop active alertness. Ideally, the level of difficulty grows with your team’s knowledge level.
Where can I report suspicious messages in Belgium?
Forward suspicious e-mails and screenshots of suspicious text messages to verdacht@safeonweb.be. This helps the Belgian Anti-Phishing Shield (BAPS) block malicious links faster. In 2025, these reports led to users being redirected to a warning page 200 million times.
Train your employees with realistic phishing simulations?
The phishing types of 2026 are more sophisticated than ever. Spelling mistakes are gone, AI personalizes every attack and new techniques like quishing and Browser-in-the-Browser bypass traditional security tools.
Cyberplan helps Flemish companies with ongoing phishing simulations specifically tailored to your industry, company size and the knowledge level of your employees. Not a one-time PowerPoint, but an ongoing process that transforms your team step by step into an alert first line of defense.
As a recognized VLAIO service provider, your investment in security awareness is also eligible for the SME portfolio: up to 45% subsidy for small businesses and 35% for medium-sized businesses.
Wondering how your employees score on a realistic phishing test? Book a free consultation and find out where your company stands.