Phishing remains the most consistently reported attack vector in Poland according to annual summaries published by CERT Polska. In 2024, phishing incidents accounted for more than 60 percent of reported cybersecurity events involving private individuals. The word describes a broad category: any attempt to deceive someone into disclosing credentials, transferring money or installing malicious software by impersonating a trusted entity.

Understanding what phishing looks like in practice is more useful than memorising abstract definitions. This article describes the most common formats encountered by Polish users and explains what to look for before acting on any unexpected message.

The main formats in use

Email phishing

An attacker sends a message that appears to come from a bank, courier company, tax authority (Urząd Skarbowy), social insurance institution (ZUS) or a well-known e-commerce platform. The message typically contains a link directing the recipient to a fake site that looks identical to the real one. Once the user enters their credentials on the fake site, those credentials are recorded by the attacker.

The addresses used in these campaigns are constructed to look plausible at a glance. An address like no-reply@pko-bank-pl.com is not affiliated with PKO BP; the real domain is pkobp.pl. The hyphenated addition of "bank" and "pl" is intended to pass a casual reading.

SMS phishing (smishing)

The same technique, delivered by SMS. Common in Poland are messages claiming to be from InPost about a package held at a collection point, from a mobile carrier about an unpaid invoice, or from a bank about a suspicious transaction. Each message includes a short link. Clicking it leads to a fake site requesting login credentials or card details.

SMS provides less context than email — there is no sender address visible by default, just a number or a sender name that can be spoofed. This makes recipient verification harder, which is part of why smishing campaigns have grown relative to email phishing.

Voice phishing (vishing)

An attacker calls the target directly, impersonating bank fraud departments, police officers or government officials. In Poland, cases involving impersonation of bank security staff have been documented extensively since 2022. The caller claims a suspicious transaction has been detected and instructs the recipient to move funds to a "secure account" — which belongs to the attacker.

Banks in Poland do not ask customers to transfer money over the phone under any circumstances. Any call making this request is fraudulent regardless of how convincing the caller sounds.

Spear phishing

Standard phishing targets large populations with generic messages. Spear phishing targets specific individuals using information gathered from social media, professional directories or prior breaches. The message is personalised — it may reference the target's employer, a recent transaction or a colleague's name — making it significantly harder to dismiss on instinct.

Warning signs in messages

No single indicator is definitive, but the following patterns appear repeatedly in documented phishing campaigns targeting Polish users:

  • Urgency: "Your account will be suspended in 24 hours", "Act immediately to avoid a penalty". Legitimate organisations do not impose arbitrary short deadlines in email communications.
  • Mismatch between display name and actual sender address: The display name may say "PKO BP Security" while the actual address is from a domain unrelated to the bank.
  • Links that do not match the organisation's domain: Hover over any link before clicking. The URL shown in the status bar should match what you would expect from the organisation. Shortened URLs (bit.ly, tiny.cc) in official communications are unusual and warrant extra caution.
  • Generic greetings: "Dear Customer" rather than your actual name suggests a bulk campaign rather than communication from an organisation that knows who you are.
  • Language errors: Machine-translated Polish phishing messages often contain grammatical errors, unusual phrasing or inconsistent formal/informal register. Well-crafted campaigns targeting Polish speakers specifically may not have this weakness.
  • Requests for credentials or card numbers by email or SMS: No legitimate financial institution, courier or government body asks for passwords or card numbers through these channels.

Checking a suspicious link

Before clicking any link in an unexpected message, the following steps reduce risk substantially:

  1. On desktop, hover over the link and read the URL in the browser's status bar. On mobile, press and hold the link to see its destination.
  2. Check the domain name, not the full URL: the registered domain is the label immediately before the top-level domain, plus the top-level domain itself. In secure.pkobp-alert.com/login, that domain is pkobp-alert.com, not pkobp.pl. However similar they look, they are different domains, registered by whoever chose to register them.
  3. If there is any doubt, navigate to the organisation's site manually by typing the known address into the browser, or call the organisation using a phone number from their official website — not one provided in the message.
  4. Paste the URL into VirusTotal's URL scanner to check it against security databases before opening. A clean result does not prove the link is safe: phishing domains are often registered hours before a campaign and may not yet appear in any database, so treat the scan as one signal among the checks above.
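
The following script is an added example, not code from the original article or from CERT Polska. It applies two of the warning signs listed above (a display name that claims a bank while the address sits on an unrelated domain, and links whose domain does not match the organisation's) together with step 2 of the link check, comparing only the registered domain rather than the full URL. It also handles the userinfo trick, where a URL such as https://pkobp.pl@other.example/ actually leads to other.example. All addresses, URLs and the sample message are constructed for the demonstration; pkobp.pl appears only because the article names it. The suffix table and brand table are simplifications labelled as such in the code.

```python
"""Sender and link checks for a suspicious plain-text e-mail.

Added example, not code from the original article. Every domain, address
and URL below is constructed for the demonstration; pkobp.pl is used only
because the article names it as the bank's real domain.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Simplified stand-in for the Public Suffix List (assumption: enough for the
# demo; a real tool should use the full list, e.g. via the tldextract package).
# Under these suffixes the registered domain has three labels, not two.
MULTI_LABEL_SUFFIXES = {"com.pl", "net.pl", "org.pl", "co.uk", "com.au"}

# Keyword in a display name -> domain the organisation really uses.
# Constructed for the example; extend with the organisations you care about.
KNOWN_BRANDS = {"pko": "pkobp.pl", "inpost": "inpost.pl"}

URL_RE = re.compile(r'https?://[^\s<>"\']+')


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that somebody actually registered.

    secure.pkobp-alert.com -> pkobp-alert.com
    login.bank.com.pl      -> bank.com.pl  (two-label public suffix)
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(url: str) -> str:
    """Hostname of a URL, ignoring userinfo, port and path.

    For 'https://pkobp.pl@other.example/x' the text before '@' is userinfo,
    and urlsplit(...).hostname correctly returns other.example.
    """
    return (urlsplit(url).hostname or "").lower()


def sender_domain_mismatch(from_header: str):
    """Return (display_name, sender_domain, expected_domain) when the display
    name claims a known brand but the address is on another registered
    domain; otherwise None."""
    name, addr = parseaddr(from_header)
    sender = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    for keyword, real_domain in KNOWN_BRANDS.items():
        if keyword in name.lower() and sender != real_domain:
            return name, sender, real_domain
    return None


def suspicious_links(body: str, expected_domain: str):
    """Links in the body whose registered domain is not expected_domain."""
    return [u for u in URL_RE.findall(body)
            if registrable_domain(host_of(u)) != expected_domain]


def check_message(raw: str) -> dict:
    """Run both checks on a raw plain-text message and collect findings.
    Multipart (HTML) bodies are out of scope for this example."""
    msg = message_from_string(raw)
    from_header = msg.get("From", "")
    findings = {"sender_mismatch": sender_domain_mismatch(from_header),
                "bad_links": []}
    if findings["sender_mismatch"]:
        expected = findings["sender_mismatch"][2]
    else:
        expected = registrable_domain(parseaddr(from_header)[1].rsplit("@", 1)[-1])
    body = "" if msg.is_multipart() else msg.get_payload()
    findings["bad_links"] = suspicious_links(body, expected)
    return findings


# Constructed sample: every address and URL here is invented for the demo.
SAMPLE = """\
From: "PKO BP Security" <no-reply@pko-bank-pl.com>
To: customer@example.invalid
Subject: Your account will be suspended in 24 hours

Please confirm your identity at https://secure.pkobp-alert.com/login
Alternative link: https://pkobp.pl@bezpieczny-bank.example/auth
Help centre: https://www.pkobp.pl/kontakt
"""

if __name__ == "__main__":
    for key, value in check_message(SAMPLE).items():
        print(key, "->", value)
```

Run on the sample, the sender check reports that "PKO BP Security" writes from pko-bank-pl.com rather than pkobp.pl, and two of the three links are flagged: the lookalike subdomain and the userinfo trick. The link to www.pkobp.pl passes because its registered domain is the expected one, which is exactly the comparison step 2 asks the reader to make by eye.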

Report phishing in Poland: Suspicious messages can be forwarded to CERT Polska at incydent.cert.pl or by forwarding SMS to the number 8080. Reports contribute to national blocklists and public warnings.

After clicking a suspicious link

If credentials were entered on a page that turns out to be fraudulent, the steps below should be taken in order:

  1. Change the password on the affected account immediately, using a different device if possible.
  2. If the account is a bank account, call the bank's fraud line using the number on the back of your card or from the bank's official website. Report the incident and ask whether any transactions have occurred.
  3. If the same password was used on other accounts, change it on each of those accounts.
  4. Enable two-factor authentication on the affected account if it is available.
  5. Report the incident to CERT Polska and, if financial loss occurred, file a report with the Polish police (Policja.pl).

Technical measures that reduce exposure

Beyond behavioural awareness, several technical settings reduce phishing risk:

  • Email providers including Gmail and Outlook implement DMARC, DKIM and SPF checks that filter some spoofed-sender messages before they reach the inbox. These operate automatically but are not comprehensive.
  • Browser extensions such as HTTPS Everywhere (its behaviour is now built into major browsers as an HTTPS-only mode, so the extension itself is no longer needed) and uBlock Origin reduce exposure to malicious scripts on compromised pages.
  • DNS-based filtering services such as Quad9 block connections to known malicious domains before a page loads. Quad9 is a nonprofit operating under Swiss law and publishes its blocklist methodology publicly.
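
The SPF, DKIM and DMARC verdicts mentioned above are not hidden: a receiving provider that runs the checks records them in an Authentication-Results header (RFC 8601) on the delivered message, and reading that header is the quickest way to see whether a message that reached the inbox actually passed any of them. The parser below is an added example, not code from the original article or from any mail provider. The header lines are constructed samples, the authserv-id mx.example is invented, and the domains are the ones the article uses.

```python
"""Reading the SPF/DKIM/DMARC verdicts recorded in Authentication-Results.

Added example, not part of the original article. The header strings at the
bottom are constructed samples; 'mx.example' is an invented authserv-id.
"""
import re

METHODS = ("spf", "dkim", "dmarc")
# Matches "method=result" pairs; result tokens follow RFC 8601.
VERDICT_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|neutral|none|"
    r"temperror|permerror|policy)\b",
    re.IGNORECASE,
)


def parse_authentication_results(header: str) -> dict:
    """Return {method: result} for SPF, DKIM and DMARC.

    A method absent from the header is reported as 'missing'. That is not
    the same as 'none', which means the check ran and found no SPF record
    or no DKIM signature to evaluate.
    """
    results = {m: "missing" for m in METHODS}
    for method, result in VERDICT_RE.findall(header):
        results[method.lower()] = result.lower()
    return results


def authentication_verdict(header: str) -> str:
    """Collapse the three results into one triage label.

    'authenticated'   DMARC passed: the domain shown in From: is accountable.
    'failed'          at least one check returned fail, softfail or permerror.
    'unauthenticated' nothing passed, or no header was recorded at all.
    """
    r = parse_authentication_results(header)
    if r["dmarc"] == "pass":
        return "authenticated"
    if any(v in ("fail", "softfail", "permerror") for v in r.values()):
        return "failed"
    return "unauthenticated"


# Constructed sample headers (authserv-id and verdicts invented for the demo).
PASSING = ("Authentication-Results: mx.example; "
           "spf=pass smtp.mailfrom=pkobp.pl; "
           "dkim=pass header.d=pkobp.pl; "
           "dmarc=pass header.from=pkobp.pl")
FAILING = ("Authentication-Results: mx.example; "
           "spf=fail smtp.mailfrom=pko-bank-pl.com; "
           "dkim=none; "
           "dmarc=fail (p=NONE) header.from=pkobp.pl")
ABSENT = ""  # provider recorded nothing: treat as unauthenticated

if __name__ == "__main__":
    for label, header in (("passing", PASSING), ("failing", FAILING), ("absent", ABSENT)):
        print(label, parse_authentication_results(header), authentication_verdict(header))
```

Two points the page's "not comprehensive" caveat rests on are visible in the samples: the FAILING header shows a message that failed DMARC but was still delivered because the sending domain's policy was p=NONE (monitor only), and the ABSENT case shows that a provider which did not record a header gives the reader nothing to go on. A passing verdict only says the sender controls the domain it claims; a lookalike domain with its own valid SPF and DKIM records passes just as cleanly.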

External references