VP Law Firm • July 18, 2025
Phishing as a Legal and Security Challenge: The Legal Framework and User Protection in Digital Spaces
Phishing is a frequent threat in digital business: users are tricked into revealing private data via fake e-mails, SMS messages, or websites. Legal persons can bear serious consequences – from compromised business e-mail accounts and financial transactions to the loss of client trust and reputational damage. Under the Criminal Code of the Republic of Serbia (“Official Gazette of the Republic of Serbia” no. 85/2005 and further amendments), phishing encompasses the following offences:
- computer fraud (Article 301),
- unauthorized collection of personal data (Article 301a),
- unauthorized access to computer systems (Article 302),
- as well as interference with computer systems and destruction of computer databases (Article 298).
In addition, the Law on Personal Data Protection (“Official Gazette of the Republic of Serbia” no. 87/2018) sets out the obligations of data controllers regarding the protection of personal data, including the duty to report data breaches to the competent supervisory authority – the Commissioner for Information of Public Importance and Personal Data Protection. In practice, phishing often begins with Business Email Compromise (BEC), which can lead to unauthorized access to confidential information, the sending of fake payment requests, disruption of client relationships, and potential legal consequences for the company. It is therefore essential that businesses implement both preventive and reactive security measures in order to reduce material damage and legal risk.
Effective protection includes:
- establishing internal information security policies,
- regular employee training on recognizing suspicious messages,
- implementation of multi-factor authentication,
- regular updates of software solutions and antivirus protection,
- and legal review of the procedures for responding to security incidents.
Additionally, in accordance with the Law on Personal Data Protection, data processing risk assessments are a further measure that enhances data security and limits the consequences of potential breaches. A swift response in the event of an attack – including incident documentation, notification of the competent authorities, and consultation with legal professionals – is essential for minimizing damage and preserving business integrity.
Phishing presents a serious challenge for all participants in the digital space. However, by ensuring timely compliance with relevant regulations and consistently applying preventive and protective measures, it is possible to significantly reduce risks, protect data, and maintain the trust of partners and clients.