PAYMENT SCAMS

Tikkie AI-voice payment request scam: the Netherlands trick that fools even careful people

A WhatsApp voice note that sounds exactly like your friend asks you to "complete a Tikkie." The voice is cloned, the link is fake, and the page is built to empty your bank account.

SafeBrowz Threat Research Security ResearchJune 18, 20269 min read

Is the Tikkie voice-note request a scam?

Verdict: scam. If a WhatsApp voice note from a "friend" or "family member" asks you to complete a Tikkie by tapping a link, it is fraud. A real Tikkie lives only at tikkie.me in the form https://tikkie.me/pay/<code>, and a Tikkie is always a request to pay money, never a way to receive it. The voice can be AI-cloned from a few seconds of audio. The link leads to a fake Tikkie page that funnels you into a fake bank login and drains the account. Never trust a voice or a chat message about money. Call the person back on their known number first.

What Tikkie and iDEAL are, for readers outside the Netherlands

If you do not live in the Netherlands, two names in this story need a quick translation. Tikkie is the most popular payment-request app in the Dutch market, built by the bank ABN AMRO. It works like a Venmo or Zelle "request money" link: you create a Tikkie, send the link to a friend over WhatsApp, and they tap it to pay you back for the dinner or the concert ticket. It is woven into daily Dutch life. Splitting a bill is literally called "sending a Tikkie."

iDEAL is the Dutch online-banking payment standard. When you pay a Tikkie, you are handed to iDEAL, which redirects you to your own bank's app or login to approve the transfer. That redirect is the exact moment the scam targets, because a fake page can imitate it and capture your real banking credentials.

The crucial fact, the one this whole article turns on: a Tikkie is a request to pay. You never "complete a Tikkie" to receive money. Anyone telling you otherwise has the direction backwards, and that reversal is the tell.

Why this scam is spreading now

On May 16, 2026, the Dutch outlet Welingelichte Kringen published a warning describing this exact attack as "the new trick that even digitally-savvy people fall for." That framing matters. This is not a scam that only catches the careless. It catches people who know about phishing, because it does not feel like phishing. It feels like a friend in trouble.

The reason it lands is a new ingredient: AI voice cloning. A scammer only needs a few seconds of someone's voice, scraped from a public Instagram story, a TikTok, a voicemail greeting, or a leaked recording, to generate a convincing clone that says anything they type. They send it as a WhatsApp voice note from a number that resembles your contact, and your brain hears a familiar voice and stops checking. The Dutch Fraudehelpdesk (the national fraud reporting desk) and victim-support organisation Slachtofferhulp Nederland have run active alerts through 2026 about WhatsApp impersonation and payment-request fraud as among the most reported categories in the country.

How the attack actually unfolds

The sequence is short and engineered for speed. Walk through it once and you will recognise it instantly.

The hook is a voice note, not text. "Hey, it's me, I'm a bit stuck right now. Can you quickly complete this Tikkie for me? I'll explain later." The voice sounds like your friend, your sibling, your son. It is cloned.
The number looks close, not exact. It may be a new number with a story attached ("I lost my phone, this is my temporary number"), or a spoofed display name. The familiarity comes from the voice, not the number.
A link follows the voice note. It is styled to look like a Tikkie payment page, with the Tikkie green, the logo, and a friendly amount. It is not on tikkie.me.
The fake Tikkie page funnels to a fake bank login. You tap "pay," and instead of the real iDEAL handoff to your bank, you land on a counterfeit bank login that captures your username, password, and any one-time code you type. ABN AMRO, ING, Rabobank, and the others are all imitated.
The account is drained. With your credentials and a code, the attacker authorises transfers in real time, or registers your account on a device they control. The "I'll explain later" was the whole plan.

What the fake links look like (illustrative)

The link is built to pass a one-second glance on a phone. It puts "tikkie" or "tikkie-pay" into the address and hosts it on a free platform that anyone can sign up for in minutes, so the page looks polished but the domain is not the real one. The real Tikkie is only ever at tikkie.me. The examples below are illustrative lookalikes. Tap any of them to run a live scan in the checker below.

tikkie-betaal.vercel.app
tikkiepay-nl.pages.dev
tikkie-incasso.netlify.app

Notice what they share: the word "tikkie" appears, but the real registrable domain is vercel.app, pages.dev, or netlify.app, all free hosting platforms that host arbitrary user content. The true domain is the part immediately before the first single slash after https://. A genuine Tikkie is tikkie.me and nothing else, and a genuine bank login is your own bank's official address, such as abnamro.nl. Anything with "tikkie" glued to a free-hosting suffix is a different site that merely contains the word.

🛡 LIVE CHECK

Paste the link from a suspicious Tikkie request here

Got a WhatsApp link asking you to "complete a Tikkie"? Paste it below. Our 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. Free, no signup.

Full scan with deep AI analysis → · No URL is logged to your identity.

Red flags that give it away every time

You do not need to identify the cloned voice to catch this. The structure betrays it.

You are asked to "complete" a Tikkie to help someone. This is the single biggest tell. A Tikkie is a request to pay. There is no version where completing one sends money to you or rescues a friend. If the direction of money makes no sense, it is fraud.
The request arrives by voice note with urgency. "I'm stuck," "do it quickly," "I'll explain later." Urgency plus a money ask plus no chance to think is the classic pressure pattern.
The link is not on tikkie.me. A real Tikkie is always https://tikkie.me/pay/<code>. Any other domain claiming to be Tikkie, including one hosted on a free platform, is fake no matter how it looks.
It is a new or slightly-off number. "I lost my phone, this is my new number" is a standard opener for WhatsApp impersonation fraud. The familiarity is manufactured by the cloned voice, not proven by the number.
The page asks for full bank login or a one-time code. Paying a real Tikkie hands you to iDEAL, which opens your own bank's app. A page that itself collects your banking username, password, and code is a credential harvester.
The voice resists a callback. If you say "let me call you back," a scammer makes an excuse ("my phone is broken, just do the Tikkie"). A real friend is fine with you calling their known number.

The one rule that defeats it: call back on the known number

Every layer of this scam, the cloned voice, the urgency, the polished page, exists to stop you doing one simple thing: verifying through a separate, trusted channel. So do exactly that. If anyone, by voice note, text, or chat, asks you for money or to complete a payment, call them back on the number you already have saved, not the number that messaged you. Speak to the real person. Ten seconds of "hey, did you just ask me to pay a Tikkie?" collapses the entire attack.

This is the same defence that beats AI voice cloning across the board, which we cover in depth in our guide to AI voice-cloning and vishing scams. A cloned voice cannot survive a callback to the genuine person.

What SafeBrowz sees on the network

When the SafeBrowz engine inspects a fake Tikkie page, the attack reads consistently across all three detection layers. A few patterns stand out.

First, the hosting is free and disposable. The destination is almost always a subdomain on vercel.app, pages.dev, netlify.app, web.app, or a similar free platform, or a brand-new cheap domain registered days earlier. The real Tikkie runs on its own established domain. A "tikkie" brand keyword living on free hosting is itself the signal.

Second, the structure is a brand keyword on the wrong domain. The page carries "tikkie," the Tikkie green, and the logo, but resolves anywhere except tikkie.me. Brand impersonation on a non-official registrable domain is a textbook detection profile, independent of how good the visual copy is.

Third, the page chains to a fake bank login. A counterfeit Tikkie that immediately requests a full ABN AMRO, ING, or Rabobank login plus a one-time code, served from a non-bank host, is a credential-harvesting profile. Content-level analysis catches the impersonation even when the domain is brand new and absent from every blocklist.

Why browser-side detection beats message filtering alone

WhatsApp and your phone do real work flagging suspicious links, but they are fighting the message, and the message is the cheap part. Attackers rotate numbers and burner accounts daily, keep the voice note short, and spin up a fresh free-hosting subdomain for each wave. A filter that misses one in a thousand still lets plenty through across a large campaign.

The thing that does not change is the destination. To steal anything, the scam has to land you on a page that impersonates Tikkie and then your bank. That page is where the theft is committed, and that page is what a browser-layer scanner inspects directly. When you tap the link, a browser extension can recognise the page is impersonating Tikkie on a non-tikkie.me domain and block it before the form loads, regardless of which number or voice note delivered it.

How SafeBrowz blocks this threat

SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.

Layer 1 - Local detection: 60+ URL patterns + 550+ brand-specific signatures (including Cyrillic and Punycode homograph variants) + community whitelist/blacklist, all running directly in the extension before the page renders. It catches Tikkie and bank brand keywords on non-official hosts, free-hosting abuse, and payment-page redirect families instantly.
Layer 2 - API checks: aggregates Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, plus domain-age lookup (most fake-Tikkie destinations are days old) and 30+ scam TLDs and free-hosting suffixes.
Layer 3 - AI deep scan: content-aware brand-impersonation analysis in 100+ languages catches a brand-new lookalike that no blocklist has seen yet, including the fake-Tikkie-into-fake-bank-login chain in Dutch.

Detection signatures are derived from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.

For people who do not want to install anything, the same engine powers the free public URL checker. Paste any link from a suspicious Tikkie request and get a verdict in seconds. Our broader guide on how to tell if a website is a scam walks through the manual checks too.

What to do right now

If a Tikkie voice note or link just landed, here is the whole correct response.

Do not tap the link. The link is the entire attack surface.
Call the person back on their saved number. Not the number that messaged you. Confirm with the real human whether they actually asked for anything.
Remember a Tikkie only requests payment. If you are being asked to "complete" one to help someone, the request is fraudulent by definition.
Verify any genuine Tikkie yourself. A real Tikkie link is https://tikkie.me/pay/<code> on tikkie.me. For banking, open your bank's own app directly, never a link.
Report it. File with the Fraudehelpdesk at fraudehelpdesk.nl, contact your bank, and report to the police at politie.nl. Keep the number, the link, and a screenshot.

If you already tapped the link but entered nothing, close the tab and clear cookies for that site. If you typed in your banking login or a one-time code, call your bank immediately using the number on your card or in the official app, have the account blocked, and watch for unauthorised transfers. Then report to the Fraudehelpdesk and the police, and reach out to Slachtofferhulp Nederland for support. Our full "I got scammed, what do I do now" walkthrough covers the first-hour playbook in detail.

How this connects to WhatsApp account takeover

The Tikkie scam often travels alongside a second attack: hijacking the friend's WhatsApp account in the first place, so the message genuinely comes from their real number. That is done with the WhatsApp 6-digit code takeover scam, where an attacker tricks someone into reading out a verification code and steals the whole account. Once they own a victim's WhatsApp, every contact in it can receive a "stuck, complete this Tikkie" message from a name they trust. Protect your own account, never share a 6-digit verification code, and the chain breaks one link earlier.

Frequently asked questions

Is the Tikkie voice-note payment request a scam?

Yes. If a WhatsApp voice note from a friend or family member asks you to complete a Tikkie by tapping a link, it is fraud. The voice is often AI-cloned from a few seconds of public audio, and the link leads to a fake Tikkie page that funnels into a fake bank login. The Fraudehelpdesk and Welingelichte Kringen (May 16, 2026) have warned that even digitally-savvy people are falling for it.

What does a real Tikkie link look like?

A genuine Tikkie is always on tikkie.me, in the form https://tikkie.me/pay/<code>. Any other domain that claims to be Tikkie, including a page hosted on a free platform like vercel.app, pages.dev, or netlify.app, is fake, even if the word "tikkie" appears in the link and the page looks polished.

Can I receive money by completing a Tikkie?

No. A Tikkie is always a request to pay money, never a way to receive it. If anyone asks you to complete a Tikkie so that you or they can get money, the direction is backwards and the request is a scam.

The voice note really sounds like my friend. How can it be fake?

AI voice cloning needs only a few seconds of someone's voice, scraped from a public video, a voicemail, or a leaked recording, to generate a clone that says anything the scammer types. A familiar voice is no longer proof of identity. Always verify by calling the person back on the number you already have saved.

How do I check whether a money request is really from my friend?

Call them back on their known, saved number, not the number that messaged you. Ask directly whether they sent the request. A cloned voice and a hijacked chat cannot survive a callback to the genuine person. If the caller resists you calling back, that is itself a red flag.

How do I report a Tikkie scam in the Netherlands?

Report it to the Fraudehelpdesk at fraudehelpdesk.nl, contact your bank to block the account if you shared any details, and file with the police at politie.nl. For emotional and practical support, Slachtofferhulp Nederland can help. Keep the sender number, the link, and a screenshot.

Install SafeBrowz free

Add the browser extension that runs every check in this article automatically, on every page, before it renders. Free forever.

Add to Chrome Add to Firefox Add to Edge