
10 million suspicious messages sent to Safeonweb in 2023


Last year, alert citizens sent us almost 10 million messages to suspicious@safeonweb.be. By 2022, that figure had already risen to 6 million. On average, we received 27,000 messages a day. February 2, 2023 was a record day, with 65,645 messages!

Thanks to this information, we have been able to detect more than 1,200,000 suspicious links. Less attentive Internet users who click on such a link are redirected by us to a warning page and are therefore not victims of a scam (see box below for more information on the Belgian Anti-Phishing Shield).

A study we carried out (Safeonweb, 12/2023) revealed that 28% of Belgians have already sent a message to suspicious@safeonweb.be at least once. Thanks to all these e-mails, we can publish weekly alerts on Safeonweb.be, our Facebook page and our X account. We also distribute these messages via the Safeonweb application. In 2023, we published more than 75 alerts on the most common phishing messages.

We would like to thank all these dedicated citizens and encourage them to continue sending messages. The information sent by citizens helps us to detect suspicious messages quickly. From our point of view, people who forward messages are careful Internet users. They have not clicked thoughtlessly but have acted much more intelligently. We are convinced that people who forward messages are more critical than average and that it is highly unlikely that they will fall into the trap themselves. - Miguel De Bruycker, Director General of the Centre for Cybersecurity Belgium.

On average, we find that people start sending messages from 6am onwards, with a peak between 9am and 10am. 

The Belgian Anti-Phishing Shield (BAPS): how does it work?

  1. The Centre for Cybersecurity Belgium (CCB) receives information about potentially malicious websites when Internet users send suspicious messages to suspicious@safeonweb.be.
  2. Attachments and other links are then extracted from suspicious messages. URLs are also extracted from screenshots and QR codes. 
  3. The system analyses the URL/link/attachment. If it is found to be a malicious site, it is flagged and sent to our partners (ISP, Google Safe Browsing and Microsoft SmartScreen).
  4. When an Internet user clicks on a link leading to a malicious site, the ISP in question compares the DNS request with the list of malicious sites. 
  5. The user is then redirected to a warning page and can no longer visit the malicious site.
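
The steps above can be sketched in a few lines. This is an added illustration, not the CCB's own code: it extracts hostnames from a constructed forwarded message (step 2) and compares a DNS query name with a blocklist (steps 4 and 5). The regex-based extraction, the parent-domain matching rule, the `WARNING_PAGE` host and the blocklist contents are assumptions; the verdict of step 3 is simply passed in as a set.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Constructed sample of a message forwarded by a citizen (not real data).
SAMPLE = """\
From: "Parcel Service" <noreply@parcel-tracking.example>
Subject: You have (1) parcel awaiting delivery
Content-Type: text/html; charset=utf-8

<p>Track it: <a href="http://Track.Parcel-Pay.example./pay?id=1">here</a></p>
<p>Questions? See https://www.safeonweb.be/</p>
"""

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)
WARNING_PAGE = "warning.invalid"  # hypothetical host of the warning page


def normalise_host(host):
    """Lower-case, drop the trailing root dot, convert IDN labels to punycode."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def extract_hosts(raw_message):
    """Step 2: pull every URL out of the text parts and return the hostnames."""
    msg = message_from_string(raw_message)
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode("utf-8", errors="replace")
        for url in URL_RE.findall(body):
            host = urlsplit(url).hostname
            if host:
                hosts.add(normalise_host(host))
    return hosts


def resolve(qname, blocklist):
    """Steps 4-5: compare the query name and each parent domain with the list."""
    labels = normalise_host(qname).split(".")
    for i in range(len(labels) - 1):  # never match on the bare top-level domain
        if ".".join(labels[i:]) in blocklist:
            return WARNING_PAGE
    return None  # not listed: resolve normally
```

With a blocklist of `{"parcel-pay.example"}`, `resolve("TRACK.Parcel-Pay.example.", ...)` returns the warning host, while `www.safeonweb.be` resolves normally.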

New: beware of Quishing (QR-code phishing)

The year 2023 saw the breakthrough of phishing via QR codes. This phenomenon has been dubbed "Quishing". Quishing first appeared in 2022, but since last year it has no longer been an exception. The difference with phishing is that the link in the suspect message is replaced by a QR code. However, the result is the same: you are directed to a suspicious website where you are asked to enter your details. This is particularly dangerous for inattentive users. When you scan a QR code, you cannot immediately detect which website it will take you to. This makes it more difficult to check the URL.

Little originality and many 'returnees' in improved form

Last year, a striking new message surfaced with the subject line "Meet a Ukrainian girl today". This message was sent to us in massive numbers.

What's particularly striking is that the same messages keep coming back year after year. The messages that appear to come from government departments are the most common. Scammers pose as the Public Finance Service, the Federal Pensions Service, the National Office for Annual Holidays, etc. Banks, Internet service providers and the Itsme® authentication platform are constantly imitated by criminals, as are all well-known postal services and online shops. Messages appearing to come from the Federal Police or Europol, which intimidate victims by claiming that they appear in a vice investigation, also score highly. These messages have been circulating for years but continue to frighten people.

Scammers often look for a link with current events to attract attention. In the first few days following a disaster, phishing messages start to appear in the form of appeals for donations; during the sales period, fake bargains start to circulate. At the beginning of the year, it's more likely to be subscriptions up for renewal.

Phishing messages also spread viruses

A lesser-known but very dangerous phenomenon: phishing messages sometimes contain attachments containing viruses (malware). If you open these attachments, your device is infected with the virus in question. Agent Tesla was the most active malware in 2023. We were able to detect it in 545 messages. Agent Tesla is an advanced Trojan horse specialising in stealing sensitive information from infected devices (in the jargon, an "Infostealer").

What does 2024 hold in store?

It is to be feared that with the progress of the various applications linked to AI, phishing messages will become increasingly credible. Deepfakes can already be used to imitate voices and video sequences. It will become increasingly difficult to distinguish fake messages from genuine ones. The fight against phishing scams is certainly not over.

Top 20 messages sent to suspicious@safeonweb.be

Subject line

Meet a Ukrainian girl today
You have (1) parcel awaiting delivery. Use your code to track it and receive it
General Inspectorate of the Federal Police
Final reminder
Attention: You have a parcel that has not been received
We've tried to reach you; your parcel is waiting for you!
Order confirmation
[SPAM] Meet a Ukrainian girl today
General Inspectorate
STATUS: Your parcel is ready for dispatch!
Parcel delivery
STATUS: Your parcel is ready for dispatch!
Reminder: Tax form
A new eBox document
RE: Customs clearance for parcel no. FH45878ZX1
This is your last chance to check your account


How can I protect myself against phishing?

Last year, Safeonweb launched a browser extension to help Internet users detect fake websites. The Safeonweb extension indicates for each website, by means of a colour code in the browser, whether the owner of the site has been certified or not. 

For more information about the browser extension and how to install it, visit Safeonweb.be.

Want to find out more about phishing?

Find out more about phishing.

Learn how to spot suspicious messages in 10 minutes: visit surfwithoutworries.safeonweb.be