islegit.email

ING phishing email example: how to tell a fake bank email from the real thing

A message about your bank account makes your heart beat a little faster. Blocked? New device? Updated terms? That is precisely why scammers impersonate ING and other banks. The good news: a real bank operates in a consistent, predictable way — and phishing always deviates from that pattern.

Here is a realistic example, followed by the signals to look for.

ING phishing example

A made-up example (fictional — not a real email):

From: ING Bank service@ing-veilig.com Subject: Important: your bank card is expiring soon

Dear customer,

Your current bank card expires in 3 days. To ensure you can continue making payments, please activate your new card and confirm your details.

[Activate your new bank card]

If you do not do this within 72 hours, your account will be temporarily blocked.

That button leads to a fake login page designed to look like ING's. Whatever you type there — login credentials, codes, card number — goes directly to the scammer.

The warning signs

  1. The sender address is wrong. Real ING emails come from @ing.nl. Addresses like ing-veilig.com, ing-service.net, or mijn-ing.com are fake.
  2. You are asked to "confirm", "activate", or "verify" via a link. ING never asks this by email or text. Genuine notifications point you to the app or to ing.nl, which you open yourself.
  3. A request for your PIN, security codes, full card number, or scan codes. A bank will never ask for these.
  4. Threats of a block or urgency. "Within 72 hours", "or your account will be suspended".
  5. A generic greeting or a look-alike domain in the link.

What to do

  • Don't click anything. Want to check something? Open the ING app yourself or type ing.nl into your browser.
  • Call ING on the number printed on your bank card if you're unsure — never use a number from the email.
  • Remember the golden rule: "Hang up, click away, call your bank."
  • Still unsure? Forward the email to check@islegit.email for a free verdict within a minute.

What NOT to do

  • Do not log in through a link from an email or text.
  • Do not enter or share your PIN, security codes, or card number.
  • Do not call "the bank" on a number from the message, and do not install a screen-sharing app at the request of a "bank employee".

If you've already clicked or shared your details

Call ING immediately on the number on your card, block your card or account, and change your login credentials. Report it to your country's fraud service (in the Netherlands, the Fraudehelpdesk on 0800-2117) and file a police report. The sooner you call, the better the chance of limiting the damage.

Still not sure about an email? Forward it to check@islegit.email and get a clear verdict in under a minute.

Check an email

This is a safety aid, not a guarantee. We don't store your emails, and personal details are stripped before anything looks at them.

Read next:

Frequently asked

What does a genuine ING email address look like?

Real ING emails come from an address ending in @ing.nl. Always check the full address — not just the display name — and watch out for look-alike domains.

Would ING ever ask for my PIN or security codes by email?

Never. No bank will ever ask for your PIN, security codes, or full card number by email, text, or phone.

My card is actually expiring soon. Could the email be real?

Even so: open the ING app yourself or go to ing.nl rather than clicking any link. You never activate a new card through a link in an email.

How do I report a fake ING email?

Forward it to ING's phishing address (valse-email@ing.nl) and report it to the Fraudehelpdesk. You can also forward it to us for a quick check.