Fake InPost SMS Scams: How to Spot Phishing Paczkomat Notifications in Poland
Fake InPost and Paczkomat SMS messages are the most common phishing attack in Poland. Learn how to identify fake delivery notifications and protect your money.
If you live in Poland, you use InPost. With over 20,000 Paczkomat parcel lockers across the country and millions of packages delivered daily, InPost is deeply woven into Polish daily life. And that is exactly why fake InPost SMS messages have become the single most common phishing attack in Poland.
CERT Polska consistently ranks InPost impersonation as the number one reported phishing campaign in the country. Here is how to protect yourself.
How the Fake InPost SMS Scam Works
The Basic Pattern
- You receive an SMS that appears to come from InPost
- The message says something like:
  - "Twoja paczka czeka w Paczkomacie. Dopłać 1,49 zł za przedłużenie" (Your package is waiting. Pay 1.49 PLN for extension)
  - "Paczka nie mogła zostać dostarczona. Zaktualizuj adres" (Package could not be delivered. Update your address)
  - "Opłata celna do uregulowania. Kliknij tutaj" (Customs fee to be paid. Click here)
- The SMS contains a link to a fake payment page
- The page mimics InPost or a Polish bank and asks for your card details or banking credentials
- You enter your details, and the scammer empties your account
Why It Is So Effective
- Timing: Scammers send these during peak shopping periods when most people are expecting packages
- Small amounts: The requested "fee" is tiny (1-5 PLN), making it seem harmless
- Urgency: The message implies your package will be returned if you do not act quickly
- Familiarity: Everyone in Poland uses InPost, so the message feels relevant
Real vs. Fake InPost Communications
| Feature | Real InPost | Fake SMS Scam |
|---|---|---|
| Sender name | InPost (from official system) | Random phone number or spoofed "InPost" |
| Content | Pickup code, locker location | Request for payment, fee, address update |
| Links | app.inpost.pl or inpost.pl only | inpost-delivery.com, paczkomat-pay.pl, etc. |
| Payment requests | Never asks for payment via SMS link | Always asks for small payment |
| Pickup code | Contains 6-digit code for Paczkomat | No pickup code |
| App notification | Always matched by notification in InPost app | No corresponding app notification |
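The link, payment-request and pickup-code rows of this table can be expressed as a triage check of the kind an SMS filter runs. This is an added example, not code from InPost or CERT Polska; the function names, the lure list and the sample messages are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_DOMAINS = ("inpost.pl",)   # per the table: inpost.pl / app.inpost.pl only
# Lure phrases lifted from the sample scam texts on this page (lower-case).
LURE_TERMS = ("dopłać", "dopłata", "opłata celna", "zaktualizuj adres",
              "zmień adres", "kliknij tutaj")
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
CODE_RE = re.compile(r"(?<!\d)\d{6}(?!\d)")   # 6-digit Paczkomat pickup code

# Constructed sample messages (not real captures).
SAMPLES = {
    "fee": "Twoja paczka czeka. Dopłać 1,49 zł: https://inpost-delivery.com/pay",
    "lookalike": "Paczka 123456 czeka: http://inpost.pl.track-parcel.example/x",
    "genuine": "Paczka czeka w Paczkomacie. Kod odbioru: 482913 https://app.inpost.pl",
    "no_link": "Opłata celna do uregulowania.",
}


def host_of(url):
    """Lower-cased hostname of a link, with or without a scheme."""
    if "://" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def is_official(host):
    """Exact domain or a true subdomain; a substring test would be fooled."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def triage_sms(text):
    """Return (verdict, reasons) for one SMS body."""
    hosts = [host_of(u) for u in URL_RE.findall(text)]
    bad = [h for h in hosts if not is_official(h)]
    hits = [t for t in LURE_TERMS if t in text.lower()]
    reasons = []
    if bad:
        reasons.append("link outside inpost.pl: " + ", ".join(bad))
    if hits:
        reasons.append("payment or address lure: " + ", ".join(hits))
    if not CODE_RE.search(text):
        reasons.append("no 6-digit pickup code")
    verdict = "phishing" if bad else "suspicious" if hits else "ok"
    return verdict, reasons
```

The "lookalike" sample carries a pickup-style code and the string inpost.pl in its link, yet is still flagged, because the hostname is compared against the official domain rather than searched for it.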
How to Verify Legitimate InPost Messages
- Open the InPost Mobile app — All real deliveries appear in your app
- Check the tracking number — Enter it at inpost.pl, not through SMS links
- Look for the pickup code — Real InPost SMS includes a Paczkomat pickup code
- Verify the sender — Real InPost messages come through their official system
- Never click links in SMS — Go directly to the InPost app or website
Common Fake InPost SMS Variations
- "Dopłata za paczkę" — Additional payment for your package (InPost never charges extra after purchase)
- "Paczka zwrócona do nadawcy" — Package returned (check in the app, not via link)
- "Zmień adres dostawy" — Change delivery address (always do this in the app)
- "Opłata celna" — Customs fee (legitimate customs fees are handled by the courier at delivery or through the official customs portal)
- "Twoja paczka jest za duża" — Your package is too large (this is not how InPost communicates)
What to Do If You Clicked a Fake Link
- Do not enter any information — Close the page immediately
- If you entered card details, call your bank NOW to block the card
- If you entered banking credentials, change your password immediately
- Check your bank account for unauthorized transactions
- Report the SMS to CERT Polska by forwarding it to 8080
- File a report at incydent.cert.pl
- Install or update antivirus on your phone
Protecting Yourself Long-Term
- Use the InPost Mobile app as your primary tracking tool — Not SMS
- Enable push notifications in the InPost app for real delivery updates
- Report fake SMS to 8080 — CERT Polska's dedicated phishing number
- Keep your phone OS updated — Security patches help prevent malware
- Consider using a spam filter app to catch suspicious SMS messages
- Educate family members — Elderly relatives are especially vulnerable
Share Delivery and Address Information Safely
When you need to share your delivery address, Paczkomat pickup code, or other logistics details with someone, use LOCK.PUB to create a password-protected link that auto-expires. It is a safer alternative to sending personal details through SMS or Messenger, where they can be intercepted or exposed in a data breach.
The Bottom Line
InPost will never ask you to pay an additional fee via SMS link. If you receive a suspicious SMS claiming to be from InPost, do not click the link. Open the InPost app directly to check your deliveries. Forward the suspicious message to 8080 to help CERT Polska fight phishing in Poland.
For sharing sensitive personal details like addresses or account information, use LOCK.PUB — free, encrypted, and auto-expiring. Stay alert and keep your money safe.