Thousands of Dutch People Are Receiving Fake Traffic Fine Emails
Scammers are impersonating the government's fine collection agency at large scale, likely using personal data stolen in the Odido data breach. The agency stresses it never contacts people by email about fines.
The Centraal Justitieel Incassobureau (CJIB), the Dutch government body responsible for collecting traffic fines and other financial penalties, is being inundated with calls and messages from people who have received suspicious emails purportedly sent by the agency.
Rentals in the Netherlands
Signaal tracks the Dutch rental market and notifies you the moment something matches your search. Be first to apply.
What the CJIB is
The CJIB is the government agency that sends out and collects fines for minor traffic violations and criminal orders in the Netherlands. It is a well-known name to most Dutch people, which makes it a useful cover for scammers.
What the fake emails look like
In one version of the phishing email circulating, recipients are told that an unpaid traffic fine remains outstanding and must be paid within 24 hours via a link in the message. The email threatens that if payment is not made in time, the original amount will be increased. Some versions threaten the deduction of three points from the recipient's driving licence.
The emails address recipients using their email address rather than their name, which is an unusual feature. The tone is threatening and designed to create urgency, a common tactic used by online scammers to pressure people into paying quickly without thinking. The emails contain a button labelled "raadpleeg dossier" (consult file) that leads to a fraudulent website.
Clicking the link takes the recipient to a page asking for their full name and address, credit card details, online banking password and mobile number.
The scale of the problem
Last week the CJIB received around 5,200 phone calls about the phishing emails, compared to a few dozen in a normal week. The Fraudehelpdesk, a national reporting centre for fraud, described the situation as "extreme overload" and received between 400 and 500 calls on the subject in a single week.
A possible link to the Odido data breach
The CJIB is investigating whether the phishing campaign is connected to the Odido data breach that occurred roughly six weeks ago. In that breach, personal data from 6.5 million people and 600,000 businesses was stolen, including names, dates of birth, email addresses, IBANs and home addresses. Security researcher and ethical hacker Sijmen Ruwhof said it is plausible that the stolen Odido data is being actively misused to send these phishing emails. He noted that one person who uses a unique email address for each company they sign up with received the fake CJIB email on the address they used for Odido, confirming the link.
The inclusion of personal details such as name, address and potentially IBAN numbers gives the emails added credibility, Ruwhof warned, but this does not mean the message is genuine.
What the CJIB says to do
A CJIB spokesperson stressed that the agency never communicates by email, text or WhatsApp about fines, reminders or payment arrears. Traffic fines and reminders are always sent by post in an official letter. The email address is never used as a salutation, which it is in the phishing emails.
Anyone who wants to check whether they have a genuine outstanding fine with the CJIB can do so by logging in with their DigiD on the official CJIB website. People who have already paid money to the scammers are advised to file a report with the police.
