Police and financial institutions are warning about a new wave of sophisticated phishing attacks that exploit topics related to the National e-Invoicing System (KSeF) and mobile banking. Criminals are mass-sending SMS and email messages impersonating banks such as Revolut and Pekao, as well as entities related to road tolls and electronic invoices. The goal is to steal login credentials or infect devices with malware, which can lead to the loss of funds from accounts. Experts point out that scammers are exploiting fear of legal consequences and potential loss of access to financial services to pressure users into hasty actions.
Two main attack vectors
The first vector is fake notifications about the need to settle a road toll, allegedly from motorway operators. The second is messages impersonating banks, particularly Revolut and Pekao, concerning account verification, unusual activity, or alleged errors in the KSeF system. In both cases, clicking a link redirects to fake websites or triggers a malicious attachment.
Scammers' method of operation
Criminals send SMS and emails with links leading to pages deceptively similar to official payment or banking portals. On these pages, victims are asked to provide logins, passwords, SMS codes, or payment card data. In some attack variants, clicking the link leads to the automatic download of malware that can capture data entered on the device.
Appeal from police and institutions
The police and the Polish Financial Supervision Authority (KNF) remind users in special communications that no bank or state institution ever asks for confidential data via email or SMS. They recommend that, in case of doubt, users contact the institution directly using the phone numbers and email addresses listed on its official website. If an attack is suspected, it should be reported immediately to the police.
Technological context
The attacks have intensified during a period when awareness of the obligation for electronic invoicing via the National e-Invoicing System (KSeF) is growing among Poles. Scammers are exploiting this social anxiety. Furthermore, the prevalence of mobile banking and apps like Revolut means many people react swiftly to notifications about account problems, which facilitates the criminals' actions.
In the final days of February 2026, Poland became the target of an organized phishing campaign in which scammers are exploiting two current and anxiety-inducing topics: the mandatory KSeF and widespread mobile banking. Criminals are mass-distributing SMS and email messages that mimic official communication from banks, motorway operators, or tax authorities. Their aim is to steal confidential data or infect victims' devices with malicious software.
The main attack vector has become fake notifications about the need to settle an alleged road toll or a surcharge for a journey. These messages contain links leading to pages deceptively similar to the payment portals of motorway operators. Clicking on them can result in the loss of funds from bank accounts.
The second, equally dangerous trend directly affects users of popular financial institutions. Scammers are impersonating Pekao S.A. bank and, as the media particularly emphasize, Revolut, one of the most popular neobank financial platforms in Poland. Messages supposedly from Revolut contain attachments in PDF format or links, with their pretext being "account verification," "data update," or warnings about "unusual activity" or problems with KSeF integration. Cybersecurity experts warn that clicking such an attachment can lead to the installation of malicious software such as a keylogger, or to redirection to a fake login page.
Phishing, i.e., the fraudulent acquisition of information by impersonating a trustworthy person or institution, is one of the oldest and most common forms of cybercrime. Its first documented cases date back to the mid-1990s, and the technique has evolved from primitive emails to today's sophisticated campaigns using social engineering and personalization.
"Customers should remember that no bank, including Revolut, sends attachments with a request to click in order to confirm data. This is always an attempted scam. Official communication is most often limited to information in the app." — Rafał Gębura, cybersecurity expert
Similar appeals are made by the police and the KNF. These institutions remind users of a basic security principle: banks and state institutions never ask customers to provide full login credentials, one-time passwords (SMS), authorization codes, or card PINs via email or SMS messages.
The period of intensification of these attacks coincides with growing tension surrounding the National e-Invoicing System, which, according to specialists, is being consciously exploited by criminals. Fear of legal consequences related to incorrect invoice settlement or system errors makes users more susceptible to manipulation.
To avoid losses, vigilance is recommended. Do not click on links or open attachments from unknown or suspicious sources. All information should be verified by logging in directly through the official banking application or contacting the institution using the phone number known from its website. In case of loss of money or data, the incident should be reported immediately to the police and the bank to block unauthorized transactions.
Mentioned People
- Rafał Gębura — Cybersecurity expert, quoted in the context of phishing warnings.