SIDN survey: More than half of Dutch businesses targeted in phishing scams
Despite recognising the dangers of phishing, organisations do little to protect themselves
More than half (58 per cent) of Dutch businesses were targeted in phishing scams in the last year. Yet most are doing little to protect themselves. For example, many businesses aren’t using e-mail security standards, which can greatly reduce the risk posed by phishing. The reason most often given is that phishing prevention isn’t seen as a priority by management. Those are the main findings of a survey of more than 400 Dutch businesses commissioned by SIDN for October’s Cybersecurity Month.
Exactly half of the business respondents had received between 1 and 50 phishing e-mails in the previous 12 months, while 19 per cent had received 50 to 200. Unsurprisingly, therefore, nearly half (45 per cent) of surveyed businesses now see phishing as a serious or very serious threat. Yet protective measures aren’t always regarded as a priority.
For example, only 61 per cent of the surveyed Dutch businesses have spam filters and security software installed. Fewer than half (45 per cent) provide security awareness training for their staff, and just 30 per cent run simulations or phishing tests. There is even a significant minority (17 per cent) with no protective measures at all in place.
A further concern is that many businesses remain unaware of e-mail security standards that can help to prevent phishing, such as SPF, DKIM, DMARC and BIMI. The best-known standard in that group is SPF, a protocol for establishing whether an e-mail’s sending host is actually authorised to send mail for the claimed sender. Of the surveyed organisations, 58 per cent were familiar with SPF. However, fewer than half knew about DKIM, DMARC or BIMI.
As SIDN Labs Research Engineer Marco Davids explains, “The e-mail protocol is one of the internet’s oldest protocols, dating from a time when security wasn’t at the front of people’s minds. So the original protocol doesn’t include anything to stop a hacker claiming to be sending from any address they like. The recipient then gets a message that seems to come from the spoofed address. Spam filters don’t offer much protection against address spoofing, but open e-mail security standards do. One reason why businesses often don’t make use of such standards is that they think they’re complicated or that they involve a lot of work. However, there’s no lack of expertise in the market nowadays, and you can draw on the experience of the countless organisations that have already adopted the standards.”
Abuse of legitimate businesses’ names
In a phishing scam, it isn’t only your own organisation that’s at risk. Your name may be used to scam others by sending e-mail that seems to come from you. Of the surveyed Dutch businesses, 37 per cent said that their names had been abused that way in the last 12 months. The names of financial service providers and health care providers were the most widely abused, with 58 per cent and 52 per cent, respectively, of organisations in those sectors reporting incidents.
With such high percentages affected, you might expect that organisations would have policies in place for responding to successful phishing scams. Yet 28 per cent of all surveyed businesses had nothing like that. And a further 18 per cent did have policies, but hadn’t updated them for more than a year. In the care sector, where phishing is a particularly common problem, the corresponding percentages are even higher: 39 per cent have no policy, and 29 per cent have policies that are overdue for review.
All too often, phishing is seen as an isolated risk, when in fact a targeted organisation’s customers and other business relations are also endangered. Strikingly, more than half (54 per cent) of the businesses in our survey did nothing to manage the danger of phishing to their external relations. That’s despite the fact that raising awareness of a problem – within a targeted organisation and amongst its outside contacts – is the first precaution that should be taken.
Want to know more? SIDN will be at the Chamber of Commerce Enterprise Days on 14 and 15 November to share advice on phishing prevention.
The survey was carried out for SIDN by Markteffect. From 15 to 27 July 2025, input was received from 412 respondents working in managerial or IT roles at Dutch SMEs.