Polish Bank Phishing: How Scammers Target mBank, PKO BP, ING, and Santander Customers

Poland has one of the most advanced digital banking ecosystems in Europe. Over 80% of adult Poles use online banking, and mobile banking apps from mBank, PKO BP, ING, and Santander are among the most downloaded in the country. Scammers know this, and they have built increasingly sophisticated phishing campaigns targeting every major Polish bank.

Here is how these attacks work and how to protect your money.

The Most Common Banking Phishing Attacks in Poland

1. Fake Bank Login Pages (Strony Phishingowe)

You receive an SMS or email that appears to come from your bank:

• "Twoje konto zostało zablokowane. Zaloguj się, aby odblokować" (Your account has been blocked. Log in to unblock)
• "Wykryto podejrzaną transakcję. Zweryfikuj" (Suspicious transaction detected. Verify)
• "Nowa aktualizacja systemu — wymagane logowanie" (New system update — login required)

The link leads to a page that is a pixel-perfect copy of your bank's login screen. When you enter your login credentials and authorization codes, the scammer gains full access to your account.

2. SMS Phishing (Smishing)

Short, urgent SMS messages designed to trigger panic:

• "PKO BP: Nieautoryzowana transakcja 2 499 PLN. Anuluj: [link]"
• "mBank: Twoja karta została zablokowana. Aktywuj: [link]"
• "ING: Zmiana limitu przelewów wymaga potwierdzenia: [link]"

3. Fake Banking Apps

Scammers distribute modified banking apps through unofficial channels (APK files shared via SMS or social media). These apps look identical to the real ones but send all entered credentials to the attacker.

4. Phone Vishing (Voice Phishing)

You receive a call from someone claiming to be a bank employee. They know your name and sometimes partial account details (from data breaches). They ask you to "verify" transactions by providing authorization codes or installing "security software" on your phone.

5. Fake Bank Customer Support

You Google "mBank kontakt" or "PKO BP pomoc" and call a number from a sponsored ad. It is not your bank — it is a scammer who will ask for your login details.

Bank-Specific Phishing Patterns

Bank	Common Scam	Fake Domain Examples
mBank	Account suspension alerts	mbank-logowanie.pl, mbank24-verify.com
PKO BP (iPKO)	Unauthorized transaction warnings	ipko-bp.com, pko-weryfikacja.pl
ING	Card blocking notifications	ing-online.com, ing-autoryzacja.pl
Santander PL	System update login prompts	santander-bank.com, santander-pl-login.com
Millennium	Security upgrade alerts	bankmillennium-login.pl
BNP Paribas	Transaction verification	bnpparibas-go.pl

How to Verify Legitimate Bank Communications

Real Bank Communication

• Comes through the bank's official app (push notification)
• Uses your full name and references specific account details
• Never includes clickable links in SMS messages
• Never asks for your full password or authorization codes
• Contact numbers match those on the back of your bank card

Fake Bank Communication

• Arrives via SMS with a link or unsolicited email
• Creates urgency and panic ("blocked," "unauthorized," "immediately")
• Asks you to click a link to log in
• Requests authorization codes, PESEL, or full passwords
• Phone number does not match official bank contacts

10 Rules to Protect Your Bank Account

1. Never click links in SMS or email claiming to be from your bank
2. Always access your bank through the official app or by typing the URL directly
3. Verify the website URL — Check for the exact bank domain (mbank.pl, pkobp.pl, ing.pl)
4. Never share authorization codes with anyone, including "bank employees"
5. Set up transaction notifications in your banking app
6. Set low daily transfer limits and increase them only when needed
7. Use biometric login (fingerprint, face) instead of typing passwords
8. Download banking apps only from Google Play or App Store
9. If you receive a suspicious call, hang up and call your bank using the number on your card
10. Report phishing SMS by forwarding to 8080 (CERT Polska)

What to Do If You Enter Credentials on a Fake Page

1. Call your bank immediately — Use the number on your bank card, not from the fake message
2. Block your account and cards through the bank's emergency line
3. Change your banking password from a different, trusted device
4. Check recent transactions for unauthorized transfers
5. File a police report at your local Komisariat
6. Report to CERT Polska at incydent.cert.pl
7. Scan your phone for malware if you installed anything

Share Banking Details Securely

When you need to share your bank account number, IBAN, or other financial details with someone you trust — such as a landlord, employer, or family member — never send them through SMS or Messenger. Use LOCK.PUB to create a password-protected memo that auto-expires after being viewed. The recipient enters the password, sees the information, and it disappears.

The Bottom Line

Polish banks have strong security systems, but they cannot protect you if you hand your credentials to a scammer. The most important rule: your bank will never send you a link via SMS to log in or verify transactions. If you receive such a message, it is a phishing attempt — guaranteed.

For secure sharing of financial information, visit LOCK.PUB to create free, encrypted, auto-expiring links. Protect your banking credentials like the keys to your safe — because that is exactly what they are.