Dutch government sites easy to spoof because they don't end in .gov or .overheid

The fact that the Dutch government's websites don’t end in .gov or .overheid makes it easy for cybercriminals to spoof. It also makes it very challenging for Netherlands residents to be sure they are indeed on a government site or whether it is a trap. The government needs to change its domain names to stem the further advance of cybercrime, experts told AD.

Unlike most countries, the Netherlands does not have its important websites like DigiD or the central government site on a special domain name. Cybercriminals take advantage of that to defraud people, tech experts told the newspaper. Making these types of websites instantly recognizable as .gov or .overheid [Dutch for government] would be “a big step” in tackling spoofing and phishing, they said.

“The whole world already uses .gov as an extension. In the Netherlands, you have to guess whether a website really belongs to the government. That is really scandalous,” Dave Maasland, CEO of security company Eset, told AD.

“There is now a jumble of names. Dutch and English and combinations thereof, which make it very opaque,” agreed tech lawyer Jan Gerrit Kroon.

A study by Interpolis published on Monday showed that only 41 percent of Dutch children and 57 percent of parents think they can recognize cybercrime when they come across it. And only 47 percent of children said they know what to do if they become a victim of cybercrime. “Both groups are groping in the dark. While millions of Dutch people fall victim to cybercrime every year, and that number threatens to increase with increasing digitalization,” Mireille van den Boom of Interpolis said. According to Interpolis, half of Netherlands residents are insufficiently protected against cybercrime, including technically skilled people.

Other countries do much more to protect their citizens against cybercrime, VVD MEP and cybersecurity rapporteur Bart Groothuis told AD. For example, Internet providers in Belgium and the United Kingdom warn users when they’re about to click on a false or malicious domain. “I am tried and tested in cybersecurity, but even I sometimes click on a fake email or website,” Groothuis said. “Providing active protection when citizens or the market cannot solve the problem is a classic security task.”