
    How to Solve Phishing Structurally: Identity, Telecom and Payments

Sectricity Security Team, March 11, 2026

    Phishing keeps working because the underlying systems still allow impersonation. This article looks at identity, telecom and payment-side controls in the EU and shows which interventions actually reduce damage structurally.

Tags: Phishing, Vishing, EUDI Wallet, eIDAS 2, STIR/SHAKEN, Verification of Payee, Instant Payments, NIS2, Burden of Proof, Security First

    Why awareness alone will not stop phishing, and which structural changes actually move the needle

    Phishing keeps working because the underlying systems still leave room for impersonation. A spoofed phone number, a credible email, a payment to a tweaked IBAN. The victim then has to prove they were not negligent. That is upside down. As long as the burden of proof and the cost of fraud sit with the citizen and the customer, every awareness campaign is mopping up while the tap stays open.

    This article looks at phishing as a structural problem. Where does the EU stand on identity, telecom and payment-side controls? Which interventions actually reduce volume? And what can your company already do today, ahead of the rollout of EUDI Wallet, mandatory IBAN-name verification and stricter caller ID rules?

    TL;DR

    Phishing and vishing thrive on weak identity, weak caller ID and weak payment verification. The EU is closing those gaps with eIDAS 2 and the EUDI Wallet, the Instant Payments Regulation with IBAN-name verification, and national caller ID authentication regimes inspired by STIR/SHAKEN. Three measures alone would remove most of the consumer damage: mandatory Verification of Payee with a cooling-off for new beneficiaries, caller ID authentication with a do-not-originate list for banks and government numbers, and a reversed burden of proof in fraud cases. Companies that build their defence on this layered model are ahead of both regulators and attackers.

    Why generic awareness alone is not enough

    AI-generated phishing reads like a colleague's email. Deepfake voice cloning makes vishing convincing in seconds. The classic advice (watch for spelling errors, check the logo) is essentially obsolete. Defence has to shift to controls that work even when the lure is technically perfect.

    That is why the most interesting developments are not in awareness training alone, but also in the underlying systems: who can prove who they are, which numbers can call you, and which payments require which verification. Three EU files matter most:

    • Identity: eIDAS 2 and the EU Digital Identity Wallet.
    • Telecom: national caller ID authentication and CLI spoofing rules.
    • Payments: the Instant Payments Regulation with mandatory IBAN-name verification.

    Identity layer: eIDAS 2 and the EUDI Wallet

    The eIDAS 2 regulation requires every EU member state to make at least one EU Digital Identity Wallet available to citizens and businesses by 21 November 2026. From 21 November 2027, regulated relying parties such as banks, telecom operators and large platforms must accept the wallet for authentication.

    What this means for phishing:

    • Wallet authentication is phishing-resistant. The presentation is signed with a key held in the wallet's secure hardware and is bound to the relying party the wallet has authenticated, much as a passkey is bound to its origin, so a fake login page cannot capture it and replay it to the real bank. Cross-device flows, where the user scans a QR code shown on a desktop, still need their own protection against relay.
    • Selective disclosure replaces document uploads. Citizens share verified attributes (over 18, employed at company X) without sharing full ID documents, which reduces the value of phished personal data.
    • QWACs prove who is on the other end. Qualified Website Authentication Certificates bind a company's verified legal identity to its site, making invisible mimicry harder, provided the browser actually shows that identity to the visitor, which eIDAS 2 now requires browsers to do.
    • Direction of trust can flip. Today the citizen has to prove who they are to the bank. With wallet credentials, the bank can also prove to the citizen that they are really the bank, not a fake call centre.

    What the wallet does not solve: it does not stop phishing emails from arriving, and it does not protect users who voluntarily share data with a fake relying party. The biggest gain is in high-impact transactions where wallet authentication can replace passwords and SMS codes: banking, government, contracts, healthcare.

    Telecom layer: caller ID authentication and a do-not-originate list

    Vishing scaled because spoofing a phone number costs almost nothing. Several EU countries are now closing that gap, partly inspired by the US STIR/SHAKEN framework: the originating carrier attaches a signed PASSporT token to the call, stating how confident it is that the caller is entitled to the number (attestation A, B or C), and the receiving carrier verifies the signature against the signer's certificate before deciding whether to trust the caller ID.

    • France implemented STIR/SHAKEN for fixed national numbers in October 2024.
    • Spain introduced rules in February 2025 requiring operators to block calls and messages with a Spanish caller ID coming from abroad with unauthorised CLI.
    • Italy (AGCOM) approved a regulation in May 2025 requiring foreign-origin calls with an Italian caller ID to be blocked.
    • Poland obliged operators in October 2024 to add traffic monitoring and block foreign-origin calls showing a Polish CLI.
    • Romania, Finland, the Netherlands and others have similar measures in force or in preparation, with ECC Recommendation (23)03 as a common reference.

    What is missing in many countries, including Belgium, is a national do-not-originate list. Numbers of banks, the tax authority, the police and digital identity providers should never be allowed to appear as outgoing caller IDs from foreign or unauthorised routes. That single measure makes most bank vishing from spoofed national numbers technically impossible. It does not stop an attacker who calls from an unlisted or foreign number and simply claims to be the bank, which is why the list and caller ID authentication belong together. The technology exists. The political will is starting to follow.
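The terminating-side logic described above, as an added example for this article rather than code from Sectricity or from any operator: it decodes the claims of a SHAKEN PASSporT, checks that they fit the call actually being presented, and then applies a do-not-originate list, a list of protected bank and government numbers, and the "national caller ID arriving from abroad" rule that France, Spain, Italy and Poland enforce. The country code, the peer names, both number lists and the roaming treatment are assumptions; the ES256 signature on the token is assumed to have been verified by the carrier's verification service before these checks run, and the placeholder signature in the test token is not a real one.

```python
"""Terminating-side call screening: SHAKEN PASSporT claims plus a
do-not-originate (DNO) list and the 'national CLI from abroad' rule.

Added example for this article; not code from Sectricity or from any
operator. Assumptions: the PASSporT signature (ES256 against the cert at
x5u) has already been verified by the STI verification service before
these checks run; the country code, the peer IDs and both number lists
are constructed; the placeholder signature below is not a real one.
"""
import base64
import json
from typing import Optional, Tuple

HOME_CC = "32"          # assumption: Belgium, the article's home market
MAX_AGE_S = 60          # PASSporT freshness window (RFC 8224 uses 60 s)

# Constructed lists. DNO: inbound-only numbers (the one printed on the bank
# card) that must never appear as a calling number. PROTECTED: outbound
# numbers of banks and government, accepted only from the operator that
# serves them and only with full ('A') attestation.
DNO = {"3222000000"}
PROTECTED = {"3222000100": "sp-home", "3225550100": "sp-home"}


def normalise_tn(tn: str) -> str:
    """'+32 2 200 01 00' or '0032...' -> '3222000100' (E.164 digits, no '+')."""
    digits = "".join(ch for ch in tn if ch.isdigit())
    return digits[2:] if digits.startswith("00") else digits


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(part: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


def make_passport(orig_tn: str, dest_tn: str, attest: str, iat: int) -> str:
    """Build a SHAKEN PASSporT (RFC 8225/8588) as constructed test data.
    The third segment is a placeholder, not an ES256 signature."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://sti-ca.example/sp-home.pem"}
    claims = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
              "orig": {"tn": orig_tn},
              "origid": "4fd0f3e2-7a1c-4b9d-9a6e-0c2d5b7e1f00"}
    return ".".join([_b64url(header), _b64url(claims), "placeholder-signature"])


def decode_passport(token: str) -> Tuple[dict, dict]:
    """Split header.claims.signature and decode the two JSON parts."""
    header, claims, _signature = token.split(".")
    return _unb64url(header), _unb64url(claims)


def attestation(call: dict, now: int) -> Optional[str]:
    """'A', 'B' or 'C' if the PASSporT claims fit this call, else None.
    A token whose claims do not match the presented From/To, or that is
    stale, gives no attestation even though its signature verified."""
    token = call.get("passport")
    if not token:
        return None
    header, claims = decode_passport(token)
    if header.get("ppt") != "shaken" or header.get("alg") != "ES256":
        return None
    if normalise_tn(claims["orig"]["tn"]) != normalise_tn(call["from_tn"]):
        return None                       # signed number != presented CLI
    dests = [normalise_tn(t) for t in claims["dest"]["tn"]]
    if normalise_tn(call["to_tn"]) not in dests:
        return None                       # token signed for another callee
    if not (now - MAX_AGE_S <= claims["iat"] <= now + 5):
        return None                       # replayed or stale token
    return claims.get("attest")


def screen_call(call: dict, now: int) -> Tuple[str, str]:
    """Decide what the terminating network does with one inbound call.
    call: from_tn, to_tn, ingress ('domestic'|'international'),
          ingress_sp (peer the call arrived from), passport (token or None)."""
    tn = normalise_tn(call["from_tn"])
    attest = attestation(call, now)
    if tn in DNO:
        return "block", "calling number is inbound-only (do-not-originate)"
    if tn in PROTECTED:
        if call["ingress_sp"] == PROTECTED[tn] and attest == "A":
            return "allow-verified", "protected number from its serving operator, full attestation"
        return "block", "protected number from an unauthorised route"
    if tn.startswith(HOME_CC) and call["ingress"] == "international":
        if attest == "A":   # assumption: the home operator attests its roaming subscribers
            return "allow-verified", "national CLI from abroad with full attestation (roaming subscriber)"
        return "block", "national CLI arriving from abroad without attestation"
    if attest == "A":
        return "allow-verified", "full attestation"
    return "allow-unverified", "no usable attestation; deliver without a verified badge"
```

The order of the checks is the point: the DNO and protected lists are consulted before any attestation is considered, so a vishing call that presents the bank's number over a transit route is blocked even if the attacker's upstream carrier signed it with a low attestation, while the roaming exception only opens for full attestation from the serving operator. A token whose orig or dest claims do not match the call, or whose iat is older than the freshness window, is treated as if no token were present.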

    Payment layer: IBAN-name verification and a cooling-off window

    The EU Instant Payments Regulation requires payment service providers in the euro area to offer euro credit transfers that arrive within ten seconds, 24/7, at no higher cost than a regular SEPA transfer. The same regulation makes Verification of Payee mandatory on all euro credit transfers, not only instant ones: before the payer confirms, their bank asks the payee's bank whether the name entered matches the holder of that IBAN. A mismatch, or a close match that shows the name actually on file, produces a clear warning before the money moves.

    This intervention works against the most painful form of phishing fraud: a citizen who, after a vishing call or fake email, transfers money to a manipulated IBAN. The mismatch warning forces a moment of reflection at the most critical step in the chain.

    What still needs to be added in practice:

    • A real cooling-off for new beneficiaries. Twenty-four hours between the first transfer to a new IBAN and the actual execution removes the urgency that fraud thrives on, without affecting day-to-day payments.
    • A recall window for instant transfers. A short window during which a transfer can be reversed, comparable to credit card chargeback flows.
    • Push-only payment models. Schemes like Payconiq, Bancontact and the upcoming wero never share an account number with the merchant; the customer pushes a payment from their app, with no IBAN to manipulate.
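The payment-side checks from this section worked through for a single outgoing transfer, as an added example for this article and not code from Sectricity or from any bank: the IBAN checksum, a Verification of Payee that answers match, close match or no match, and the 24-hour cooling-off for a beneficiary that has never been paid before. The IBAN check is the ISO 7064 mod-97 rule; the name normalisation, the legal-form stop words, the 0.85 close-match threshold and the 24-hour hold are assumptions of this example, not the EPC VoP rulebook, and every IBAN, name and account in it is constructed.

```python
"""Verification of Payee plus a 24-hour cooling-off for new beneficiaries,
worked through for one outgoing transfer.

Added example for this article; not code from Sectricity or from any bank.
The IBAN check is the ISO 7064 mod-97 rule. The name normalisation, the
legal-form stop words, the 0.85 close-match threshold and the 24-hour hold
are assumptions of this example, not the EPC VoP rulebook; every IBAN,
name and account below is constructed.
"""
import re
import unicodedata
from datetime import datetime, timedelta
from difflib import SequenceMatcher
from typing import Dict, Tuple

COOLING_OFF = timedelta(hours=24)
CLOSE_MATCH_THRESHOLD = 0.85
LEGAL_FORMS = {"bv", "nv", "bvba", "sa", "srl", "sprl", "gmbh", "ltd", "plc", "cv"}

# Constructed directory on the payee side: IBAN -> registered account holder.
ACCOUNTS = {
    "BE68539007547034": "Acme Supplies BV",      # the real supplier
    "GB82WEST12345698765432": "J. Doe",          # mule account on a fake invoice
}


def clean_iban(iban: str) -> str:
    return re.sub(r"\s+", "", iban).upper()


def iban_valid(iban: str) -> bool:
    """ISO 7064 mod-97: move the first four characters to the end, map
    A..Z to 10..35, and the resulting number must be congruent to 1 mod 97."""
    s = clean_iban(iban)
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    numeric = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(numeric) % 97 == 1


def normalise_name(name: str) -> str:
    """Casefold, strip accents and punctuation, drop legal-form suffixes, so
    'ACME Supplies B.V.' and 'acme supplies bv' compare equal."""
    s = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    s = re.sub(r"[^a-z0-9 ]+", " ", s.casefold().replace(".", ""))
    return " ".join(t for t in s.split() if t not in LEGAL_FORMS)


def verify_payee(entered: str, holder: str) -> Tuple[str, str]:
    """MATCH / CLOSE_MATCH / NO_MATCH, plus the holder name the payer may be
    shown: on a close match the real name is returned so the payer can check
    it; on no match nothing is revealed (no oracle for probing account names)."""
    a, b = normalise_name(entered), normalise_name(holder)
    if a == b:
        return "MATCH", holder
    if SequenceMatcher(None, a, b).ratio() >= CLOSE_MATCH_THRESHOLD:
        return "CLOSE_MATCH", holder
    return "NO_MATCH", ""


def release_transfer(transfer: dict, known: Dict[str, datetime], now: datetime) -> dict:
    """Decide what happens to one transfer.
    transfer: {'iban', 'name', 'amount'}; known: IBAN -> time it was first paid."""
    iban = clean_iban(transfer["iban"])
    if not iban_valid(iban):
        return {"action": "REJECT", "reason": "IBAN fails its checksum"}
    holder = ACCOUNTS.get(iban)
    if holder is None:
        return {"action": "WARN", "reason": "payee bank could not verify the name",
                "vop": "CANNOT_VERIFY"}
    vop, shown = verify_payee(transfer["name"], holder)
    if vop == "NO_MATCH":
        return {"action": "WARN", "vop": vop,
                "reason": "name does not match the account holder; explicit override required"}
    first_paid = known.setdefault(iban, now)      # a new beneficiary starts its clock now
    if now - first_paid < COOLING_OFF:
        return {"action": "HOLD", "execute_at": first_paid + COOLING_OFF,
                "vop": vop, "holder": shown}
    return {"action": "RELEASE", "execute_at": now, "vop": vop, "holder": shown}
```

The two fraud paths from the text map onto two different outcomes: an IBAN that was altered by hand on an invoice usually fails the checksum and is rejected outright, while an attacker's own valid account produces a no-match warning because the name on the invoice is the supplier's and the holder is not. A typo in a long-standing supplier's name yields a close match with the real name shown, and the cooling-off only bites on the first transfer to an IBAN, so day-to-day payments to known beneficiaries are untouched.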

    The legal layer: the burden of proof

    PSD2 already obliges banks to refund unauthorised transactions, except where the customer acted fraudulently or with gross negligence, and on paper it puts the burden of proving that a transaction was authenticated and correctly recorded on the bank. In practice the bank decides whether negligence applies, and the customer then has to argue the opposite, often without access to the technical logs. Worse, a transfer the victim made themselves after a vishing call counts as authorised, so the refund obligation does not apply to it at all; the Commission's proposed PSD3/PSR package would add a refund right for fraud in which the criminal impersonates the bank. That dynamic explains why so many phishing victims do not get reimbursed, even when the attack chain runs partly through telecom and hosting infrastructure they have no control over.

    A more honest model would shift the system in three ways:

    • Reverse the burden of proof. Statutory presumption of non-negligence on the customer's side, unless the bank can demonstrate negligence with technical evidence (logs, device fingerprint, behavioural analysis).
    • Independent dispute board with a fixed turnaround, binding for the bank, with a decision within thirty days.
    • Joint liability across the chain. When a telecom operator passes a spoofed call, or a hosting provider keeps a phishing domain online for 48 hours after a notice, they share part of the damage. That is the only way to align incentives across the whole ecosystem, not only with the bank.

    If we had to pick three measures

    If we could decide tomorrow which interventions to enforce first, we would pick the ones that together remove most of the consumer damage:

    1. Mandatory Verification of Payee with a 24-hour cooling-off for new beneficiaries. Stops manipulated IBAN fraud at the last and most critical step.
    2. Caller ID authentication with a do-not-originate list for banks and government. Makes vishing from spoofed national numbers technically impossible.
    3. Reversed burden of proof in fraud cases. Gives the financial sector a clear interest in actually rolling out the previous two measures.

    The rest (passkeys, EUDI Wallet, fraud graphs) follows naturally, because the cost of inaction shifts from the citizen to the institutions that can actually intervene.

    What companies can do today

    Waiting for European regulation to land is not a strategy. The good news is that companies can already build the layered defence today, in line with the direction of travel.

    Technical baseline

    • Email authentication: SPF, DKIM and DMARC, with a DMARC policy of quarantine or reject applied to all mail (pct=100) and aligned identifiers; p=none only reports and still lets spoofed mail through.
    • Phishing-resistant MFA: passkeys or FIDO2 hardware tokens, no SMS codes for sensitive accounts.
    • External-sender banners and time-of-click URL scanning in the mail filter.
    • Verification of Payee in your finance flows for new beneficiaries, even where it is not yet legally mandatory.
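An added example, not code from Sectricity or from any mail provider, of what "DMARC with a quarantine or reject policy" means in practice: it audits a DMARC record for the settings that leave a domain spoofable, then evaluates sample messages the way a receiving mail server does, including the case where a spoofed message passes SPF and DKIM for the attacker's own domain and still fails DMARC because the identifiers are not aligned. The records, the message identifiers and the tiny public-suffix table are constructed; a real implementation uses the full Public Suffix List and applies pct as a random sample rather than deterministically.

```python
"""DMARC policy audit and per-message evaluation for the email baseline.

Added example for this article; not code from Sectricity or from any
mail provider. The records, message identifiers and the tiny public-suffix
table are constructed; a real implementation uses the full Public Suffix
List and applies pct as a random sample.
"""
from typing import Dict, List, Tuple

# Assumption: minimal stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "be", "co.uk"}

# Constructed records: the same domain with a monitoring-only policy, an
# enforcing policy, and an enforcing policy with strict alignment.
WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.be"
HARDENED = "v=DMARC1; p=reject; sp=reject; adkim=r; aspf=r; pct=100; rua=mailto:dmarc@example.be"
STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.be"


def org_domain(domain: str) -> str:
    """Organisational domain (public suffix plus one label): hr.example.be -> example.be."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> Dict[str, str]:
    """Tags of a DMARC TXT record (RFC 7489) with the defaults filled in."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: " + record)
    tags.setdefault("sp", tags["p"])
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def audit_record(record: str) -> List[str]:
    """Settings that leave the domain spoofable even though 'DMARC is deployed'."""
    t = parse_dmarc(record)
    findings = []
    if t["p"] == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif t["sp"] == "none":
        findings.append("sp=none: subdomains such as hr.example.be can still be spoofed")
    if int(t["pct"]) < 100:
        findings.append("pct=%s: policy applied to only part of the failing mail" % t["pct"])
    if "rua" not in t:
        findings.append("no rua: no aggregate reports, so abuse goes unseen")
    return findings


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs the same domain; relaxed ('r') the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain: str, spf: Tuple[str, str], dkim: List[Tuple[str, str]],
                   records: Dict[str, str]) -> Tuple[str, str]:
    """(result, requested disposition) for one message.
    spf: (domain SPF was evaluated for, result); dkim: [(d= domain, result), ...];
    records: constructed DNS, domain -> DMARC TXT record."""
    if from_domain in records:
        tags = parse_dmarc(records[from_domain])
        policy = tags["p"]
    elif org_domain(from_domain) in records:
        tags = parse_dmarc(records[org_domain(from_domain)])
        policy = tags["sp"]                      # subdomain without its own record
    else:
        return "none", "none"                    # no DMARC record: nothing to enforce
    spf_ok = spf[1] == "pass" and aligned(spf[0], from_domain, tags["aspf"])
    dkim_ok = any(r == "pass" and aligned(d, from_domain, tags["adkim"]) for d, r in dkim)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy
```

Two things this makes visible that the one-line bullet does not: under p=none the spoofed message fails DMARC and is delivered anyway, and switching to strict alignment (adkim=s, aspf=s) starts rejecting your own subdomain mail relayed through a central mail host unless those subdomains sign with their own d= domain. Roll out p=reject only after the aggregate reports show that every legitimate sender is aligned.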

    Organisational baseline

    • Mandatory call-back via a known number for any payment instruction or change of beneficiary details received by email, using the number from your own records, never one given in the message itself.
    • A reporting culture without friction. Employees should be able to report a suspicious call or email in seconds, with positive feedback even when the report is a false alarm.
    • Realistic phishing and vishing simulations on relevant scenarios, with direct feedback and short retrains.
    • One simple rule for every employee and customer-facing process: never share a code, never click a link and never change an IBAN on the strength of a phone call or email alone. Period.

    Where Sectricity fits

    We position the human and procedural side within this ecosystem. Our phishing simulations, vishing simulations and smishing simulations test exactly the moments where technology cannot decide for the user. The Swishing phishing game makes the same training principles consumer-friendly through a bank or HR app, the model that scales the moment a national pause-button or simulation programme arrives.

    Frequently asked questions

    Will the EUDI Wallet eliminate phishing?

    No, but it removes a large part of the attack surface for high-impact actions. Wallet authentication is phishing-resistant, selective disclosure reduces the value of phished personal data, and QWACs make it harder for fake websites to mimic legitimate parties invisibly. Phishing emails will still arrive; they just lose their effectiveness against properly secured services.

    When does mandatory IBAN-name verification take effect?

    Verification of Payee is part of the EU Instant Payments Regulation, which entered into force in April 2024 and is being phased in. Payment service providers in the euro area have had to offer the check since 9 October 2025, on every euro credit transfer, instant or not; providers in non-euro member states follow by 9 July 2027. Exact dates therefore depend on the type of provider and the type of payment.

    Why does Belgium not have STIR/SHAKEN yet?

    There is no European obligation to implement STIR/SHAKEN; the framework comes from the US. Several EU member states (France, Spain, Italy, Poland) have introduced their own variants over the past two years, mostly aimed at blocking spoofing on national numbers from foreign routes. Belgium is following this debate, partly through ECC and BEREC, but does not yet have a binding national framework. A do-not-originate list for bank and government numbers can be deployed without full STIR/SHAKEN and would already remove a large part of bank vishing.

    Why are so few phishing victims reimbursed?

    PSD2 obliges banks to reimburse unauthorised transactions, except in cases of fraud or gross negligence. The bank decides whether negligence applies, and the victim then has to prove the opposite, often without access to the technical logs. A transfer the victim made themselves after a vishing call is treated as authorised and falls outside the refund rule entirely. As long as the burden of proof works in this direction, the financial cost stays with the customer rather than with the actors who can fix the system. A reversed burden of proof would create the right incentives across the whole chain.

    Can phishing simulations replace technical controls?

    No. Simulations train reflexes for the cases that get past technical controls. Without DMARC, MFA and IBAN-name verification underneath, every simulation is a band-aid on a bigger problem. The combination of technology, processes and exercise is what works. Sectricity's approach pairs simulation with concrete recommendations on which technical and procedural controls are missing.

    What does NIS2 say about phishing and supply chain risk?

    Under NIS2 Article 21, essential and important entities have to apply cybersecurity risk management measures, including supply chain security, cyber hygiene and awareness training, access control and multi-factor authentication. Phishing falls squarely within that scope. Companies that document their layered defence, supplemented with reporting and exercise, demonstrate compliance and reduce the chance of an incident becoming a notifiable event.

    Related services and resources

    Strengthen your defence against phishing and vishing through Sectricity's phishing simulation and testing, vishing simulations and security awareness training. Learn the basics in our background articles What is Phishing? and What is Smishing?, or scale awareness consumer-side via the Swishing phishing game. Start with a free security scan.