Diia App Phishing in Ukraine: How Scammers Exploit Digital Government Services

Diia (Дія) has become one of the most important apps in Ukraine. Launched in 2020, it holds digital versions of passports, driver's licenses, tax IDs, vehicle registrations, and dozens of other government documents for over 20 million Ukrainians. During wartime, it has become essential for receiving aid payments, accessing government services, and proving identity at checkpoints. That critical role has made Diia a high-value target for phishing attacks and identity theft.

Here is how scammers exploit Diia and what you can do to protect yourself.

Why Diia Is a Prime Target

Diia is essentially a digital wallet for your entire identity. Access to someone's Diia account means access to their passport data, tax identification number (ІПН), driver's license, and other government-issued documents. This information can be used for identity theft, fraudulent bank account openings, and unauthorized benefit claims.

The app's deep integration with BankID authentication means that compromising Diia access can also provide a path to banking credentials. Scammers know this and have developed increasingly sophisticated methods to trick users.

Common Diia Phishing Scams

1. Fake Government Notifications

You receive an SMS or Viber message claiming to be from the Ministry of Digital Transformation or the Cabinet of Ministers. The message says you have an unclaimed government payment, your digital documents need re-verification, or there is a problem with your Diia account. The link leads to a fake Diia login page that captures your BankID credentials.

Why it works: Ukrainians regularly receive legitimate government notifications about aid programs, eVorog reports, and document updates. The fake messages blend in with real ones.

2. Fake ePidtrymka (єПідтримка) Payment Claims

Scammers send messages claiming you are eligible for a new round of government assistance payments through Diia. To "claim" the payment, you need to log in through a provided link and verify your bank card details. The phishing page collects both your Diia credentials and your banking information.

3. Fake Document Verification Requests

You receive a message saying your digital passport or driver's license in Diia has expired or needs re-verification. The link takes you to a cloned Diia interface where you are asked to re-enter personal information including your ІПН (tax ID), passport number, and date of birth. This data is then used for identity fraud.

4. Fake Diia App Downloads

Phishing messages include links to download a "new version" of Diia. The downloaded APK (on Android) looks identical to the real app but contains malware that captures everything you type, including bank login credentials and OTP codes.

5. Social Engineering via "Government Support" Calls

You receive a phone call from someone claiming to represent the Diia support center or the Ministry of Digital Transformation. They say there is a security issue with your account and walk you through steps that actually give them access to your digital documents and linked banking services.

Red Flags to Watch For

How to Protect Your Diia Account

1. Only download Diia from the official App Store or Google Play — never through links in messages
2. Always check the URL before entering any credentials — the only legitimate domain is diia.gov.ua
3. Enable biometric login (fingerprint or Face ID) in the Diia app
4. Never share your BankID credentials with anyone, including people claiming to represent the government
5. Remember that Diia never sends SMS links — legitimate notifications appear within the app
6. Set a unique password for your BankID that you do not use anywhere else
7. Regularly check which devices are connected to your Diia account and remove unrecognized ones
8. Enable two-factor authentication on the bank account linked to your BankID

What to Do If Your Diia Account Is Compromised

1. Contact your bank immediately to secure your BankID and block unauthorized access
2. Report the incident through the Diia app using the support chat
3. File a report with the Cyber Police at cyberpolice.gov.ua
4. Check your credit history for unauthorized applications using the Credit Bureau of Ukraine
5. Change your BankID password and enable additional security measures
6. Monitor your bank accounts for unauthorized transactions

The Risk of Digital Document Theft

When scammers access your Diia account, they get far more than just a username and password. They gain access to:

• Your digital passport — usable for identity fraud
• Your ІПН (tax ID) — enabling financial fraud and tax scams
• Your driver's license — sellable on the dark web
• Your vehicle registration — usable in insurance fraud
• Your vaccination certificate — valuable for document forgery

This makes Diia account security not just about protecting an app but about protecting your entire legal identity.

Share Sensitive Documents Safely

When you need to share scans of your passport, ІПН, or other Diia documents with an employer, landlord, or government agency, do not send them through Viber or Telegram where they sit in chat history permanently. Use LOCK.PUB to create a password-protected link that auto-expires. The recipient enters the password to view the document, and it disappears after the set time — no copies floating around in message threads.

The Bottom Line

Diia has transformed how Ukrainians interact with government services, but that convenience comes with risk. Scammers are constantly creating new phishing schemes that exploit the trust people place in digital government platforms. The key rule: Diia never asks you to click links in SMS messages, download updates outside official app stores, or share credentials over the phone.

Protect your digital identity the same way you would protect your physical passport. And when you do need to share sensitive identity documents, use encrypted, self-destructing tools like LOCK.PUB instead of leaving them exposed in messaging apps. Your digital identity is your real identity — guard it accordingly.