The government’s debt collection agency CJIB has been flooded with calls and inquiries from people asking about emails claiming the recipients must pay a traffic fine.
The number of inquiries rose to around 5,200 last week, compared with a few dozen in a normal week, a spokesman told broadcaster NOS.
The CJIB says the surge in phishing may be linked to the recent data breach at telecoms company Odido, in which the personal details of 6.2 million people were stolen, including names, addresses, email details and bank account numbers.
The CJIB is responsible for collecting traffic fines and penalty payments in the Netherlands. One of the fake emails currently circulating tells recipients they have an outstanding fine which must be paid within 24 hours using a link in the message, or the amount will be increased.
The CJIB said it never contacts people by email, text message or WhatsApp about fines or payment reminders and that official notices are always sent by post.
The agency advises people not to pay, not to click on links and not to open attachments in suspicious messages. Anyone who wants to check whether a payment is due should log in to the CJIB website using DigiD and verify the case number shown on an official letter.
Security researcher and ethical hacker Sijmen Ruwhof told NOS it is likely that stolen data from the Odido leak is being used to send convincing phishing emails.
He said he received the fake CJIB message at an email address used only for one account, indicating that the address was part of the leaked dataset.
The CJIB says it is investigating a possible connection between the Odido hack and the surge in phishing attempts.
