Why phishing is a shared responsibility problem: insights from Cybernova
By Admin on Apr 20, 2026
Phishing operations are run like businesses. Norwegian security researchers who infiltrated one such network found it processing around 100,000 stolen card details every month. At Cybernova in March 2026, Olaf Jonkers, Head of Risk & Compliance at itsme®, joined a panel with Johannes Vermeire (Co-Founder of POM) and Gert-Jan Ceyssens (Information Security Officer at Bancontact). Together, they discussed three statements on fraud, shared responsibility, and how to stay ahead of organised scammers. (Picture above by Jules Juten, taken at Supernova 2026)
Statement 1: "The victim is to blame"
The panel immediately disagreed with the first statement on the table. And not just on moral grounds.
“On one side of a phishing call, you have a professional whose entire working day is dedicated to scamming people”, Gert-Jan explains. “On the other you have someone who may only rarely interact with government apps, financial services, or digital identity infrastructure. They don’t know what normal looks like. So when a convincing voice on the phone tells them their account is at risk and they need to act now, it’s no surprise that so many people comply.”
“When you build an ecosystem like itsme®, you take on a responsibility to society”, Olaf adds. “That means designing against fraud, not just for convenience. It also means recognising that a phishing attack doesn’t always require a click.” The conclusion: It’s a shared responsibility. Every link in the transaction chain has to own its part.
Statement 2: "The banks and payment providers are to blame"
According to the panel, the problem with this statement is that banks are often the last party in a sequence of actions. Gert-Jan: “By the time a payment reaches the bank for approval, it has passed through four or five intermediaries. Each one holds a piece of information: the retailer knows what was bought, itsme® knows who the user is, the payment processor knows the method. But that knowledge doesn’t travel with the transaction. So the bank needs to make a decision with incomplete information.”
What’s missing is end-to-end data sharing. Not personal data for its own sake, but the context needed to identify anomalies: does this transaction fit this user’s pattern? Was it initiated through a verified identity? Has this device been flagged before?
“itsme® collects indicators of compromise and can see fraud signals within the part of the ecosystem it manages”, adds Olaf. “But without the ability to share that signal across the chain, to banks, payment institutions, and beyond, the ecosystem can’t properly defend itself. The infrastructure for that kind of sharing isn’t standard yet, and the legal frameworks are still insufficient.”
Statement 3: "This is a societal problem that requires regulation"
Finally, a statement our three panelists agreed on – with some nuance. Belgium has moved fast on mobile payments and digital identity, with itsme® being one of the few European examples of mobile identity working at scale. And while that’s something to be proud of, it also made Belgium a more attractive target for fraud operations. Especially because digital payment rails are so well established here.
Regulation is starting to catch up, however. The Centre for Cybersecurity Belgium (CCB) launched a new protocol to scan websites and flagged fraud reports. Political pressure is increasing as well.
Olaf points to a gap in the eIDAS 2.0 framework for digital wallets: it regulates portability and assurance levels, but it doesn’t specify how wallet-based identity solutions should handle fraud context sharing. The kind of collaboration that currently exists between itsme®, Bancontact, and partners like POM isn’t guaranteed to carry over as wallets become the standard.
“When you build an ecosystem like ours, you take on a responsibility to society.”
Olaf Jonkers
Head of Risk & Compliance
AI phishing agents
As a natural endpoint to the conversation, the panel closed on AI. Because if phishing operations are running like professional businesses, they’re also experimenting with AI. At DEF CON, a new competition category appeared this year: AI bots, developed by participants, competing to social-engineer companies live on stage. And while it didn’t always work, the direction of travel is clear to all.
Scale a bank of phones to a bank of AI agents and you have a completely different problem. In this context, the data sharing, cross-chain visibility and regulatory infrastructure the panel called for become the preconditions for staying ahead.
Key takeaways
- Phishing is an asymmetric fight. The people running these operations get up every morning with a single objective. Most victims encounter the threat only once, in a moment of unfamiliarity. In this context, blaming users misses the point.
- Fraud context needs to travel with the transaction. Every party in a payment chain holds a piece of the picture. Until that information can be shared across the chain (within the bounds of privacy regulation), decisions will always be made with incomplete data.
- Belgium's digital maturity is an asset and an exposure. The same infrastructure that makes mobile identity and digital payments normal in Belgium also makes it a high-value target. That’s a clear argument for stronger cross-sector collaboration.
- eIDAS 2.0 needs to close this gap before wallets scale. The incoming EUDI Wallet framework addresses identity portability and assurance. It doesn’t yet address fraud signal sharing. That gap should be number one on the agenda.
What to expect at EIC in Berlin
At EIC 2026 in Berlin, from 19 to 22 May, Olaf will deliver a keynote on fraud mitigation at scale. He will draw directly from itsme®’s operational experience with 8 million users and years of innovative fraudster countermeasures.
Join us at EIC to get a first-hand account of what happens when identity infrastructure becomes critical societal infrastructure, and how to keep it standing.