
Profil Zaufany Phishing: How Scammers Fake Polish Government Portals

Learn how phishing attacks target Profil Zaufany, gov.pl, e-PIT, and ZUS logins in Poland. Protect yourself from fake government portal scams during tax season and beyond.

LOCK.PUB
2026-03-18


Profil Zaufany (Trusted Profile) is Poland's digital identity system, used by millions to access government services online — from filing taxes on e-PIT to checking ZUS pension records, applying for benefits, and managing mObywatel. Because it is the gateway to your most sensitive government data, it has become a high-value target for phishing attacks.

During tax season (January through April), these attacks surge dramatically. Here is how to recognize them and protect your digital identity.

What Is Profil Zaufany and Why Scammers Target It

Profil Zaufany is your verified digital identity on gov.pl and other government platforms. With access to someone's Profil Zaufany, an attacker can:

  • Access tax returns (PIT) containing income, employer details, and PESEL
  • View ZUS records with employment history and pension data
  • Access CEIDG business registration records
  • View medical records through e-Zdrowie
  • Change registered address and contact information
  • Access mObywatel functions including digital ID
  • Sign documents electronically with legal validity

In short, Profil Zaufany is the master key to your entire digital life in Poland.

The Most Common Government Portal Phishing Scams

1. Fake e-PIT Tax Refund Notifications

When: January through April (tax season)

You receive an email or SMS: "Twój zwrot podatku PIT w wysokości 1 847 PLN jest gotowy. Zaloguj się, aby odebrać: [link]" (in English: "Your PIT tax refund of 1 847 PLN is ready. Log in to collect it: [link]")

The link leads to a fake gov.pl login page. When you enter your Profil Zaufany credentials (bank login or dedicated password), the scammer captures them.

Why it works: Tax refunds are real, expected, and people are eager to receive their money. The amounts in the fake messages are often realistic.

2. Fake ZUS Notifications

"ZUS: Masz nową wiadomość w PUE ZUS. Zaloguj się: [link]" (in English: "ZUS: You have a new message in PUE ZUS. Log in: [link]")

Since ZUS regularly communicates through PUE (Platforma Usług Elektronicznych), these messages seem legitimate. The fake login page captures your credentials.

3. Fake ePUAP/gov.pl Service Notifications

"Nowy dokument do podpisu w ePUAP. Zaloguj się tutaj: [link]" (in English: "New document to sign in ePUAP. Log in here: [link]")

These target people who regularly use government digital services for business or administrative purposes.

4. Fake mObywatel Update Alerts

"Wymagana aktualizacja aplikacji mObywatel. Pobierz najnowszą wersję: [link]" (in English: "mObywatel app update required. Download the latest version: [link]")

The link downloads a malicious app instead of the real mObywatel update.

5. Fake Fine/Penalty Notifications

"Urząd Skarbowy: Zaległy podatek 450 PLN. Zapłać, aby uniknąć kary: [link]" (in English: "Tax Office: Overdue tax of 450 PLN. Pay to avoid a penalty: [link]")

These create panic by threatening penalties, pushing you to act without thinking.

How to Spot Fake Government Communications

| Feature | Real Government Communication | Phishing Scam |
|---|---|---|
| URL | gov.pl, epuap.gov.pl, podatki.gov.pl | gov-pl.com, epuap-login.pl, e-pit-zwrot.pl |
| Login method | Bank login, dedicated Profil Zaufany password, or e-dowód | Asks for credentials on external page |
| SMS links | Government rarely sends SMS with links | Almost always includes a clickable link |
| Payment requests | Directs to official podatki.gov.pl | Links to external payment pages |
| Tone | Formal, no urgency language | Creates panic, threatens penalties |
| Email sender | @gov.pl, @mf.gov.pl, @zus.pl | @gov-pl.com, @e-pit-refund.pl, etc. |

Tax Season (e-PIT) Phishing: Special Alert

Tax season is the peak period for government phishing in Poland. Here is what to know:

Real e-PIT Process

  1. Your PIT is pre-filled automatically on podatki.gov.pl
  2. You log in through Profil Zaufany (via bank login or dedicated credentials)
  3. You review, modify if needed, and submit
  4. Refunds go to the bank account registered with your Urząd Skarbowy
  5. The tax office never sends links to log in

Red Flags During Tax Season

  • SMS or email with links to "check your tax refund"
  • Messages claiming your refund will expire if not claimed
  • Requests to enter bank details for refund processing
  • Links to download "tax filing apps"
  • Calls from "Urząd Skarbowy" asking for personal data

How to Protect Your Profil Zaufany

  1. Always access gov.pl by typing the URL directly — Never through links in messages
  2. Bookmark government portals — Use bookmarks for gov.pl, podatki.gov.pl, pue.zus.pl
  3. Use bank login for Profil Zaufany — It adds your bank's security layer
  4. Enable notifications in your banking app for Profil Zaufany login attempts
  5. Never download mObywatel from links — Only from Google Play or App Store
  6. Be extra vigilant during tax season (January-April)
  7. Report phishing attempts to CERT Polska at incydent.cert.pl or forward SMS to 8080
  8. Check the URL carefully — gov.pl has no hyphens, extra words, or different domain extensions
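
The URL check in step 8, written out as a host comparison a mail or SMS filter could apply. This is an added example, not part of the original article or any government tool; the allowlist is an assumption built only from the hosts this article names, and the sample links are constructed from the article's own lookalike domains.

```python
from urllib.parse import urlsplit

# Assumption: suffixes taken from hosts named in this article (gov.pl,
# podatki.gov.pl, epuap.gov.pl, pue.zus.pl). Not an official or complete list.
TRUSTED_SUFFIXES = ("gov.pl", "zus.pl")


def classify_link(url: str) -> tuple[bool, str]:
    """Return (trusted, reason) for a link found in an SMS or email."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not https"
    if "@" in parts.netloc:
        # In https://gov.pl@other.example/ the real host is other.example.
        return False, "userinfo in URL hides the real host"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "no host"
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return False, "internationalised host (possible lookalike characters)"
    for suffix in TRUSTED_SUFFIXES:
        # Exact match, or a subdomain: the leading dot stops "fakegov.pl".
        if host == suffix or host.endswith("." + suffix):
            return True, f"host is under {suffix}"
    return False, "host is not under a trusted domain"


# Constructed sample links (lookalike hosts are the ones from the table above).
SAMPLES = [
    "https://podatki.gov.pl/pit/",
    "https://pue.zus.pl/",
    "https://gov-pl.com/login",
    "https://e-pit-zwrot.pl/",
    "https://gov.pl.e-pit-zwrot.pl/",   # trusted name used as a subdomain label
    "https://gov.pl@gov-pl.com/",       # trusted name used as userinfo
    "http://gov.pl/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        trusted, reason = classify_link(link)
        print(f"{'OK  ' if trusted else 'FLAG'} {link}  ({reason})")
```

A trusted host only means the link points at the named domain; typing the address or using a bookmark, as steps 1 and 2 advise, remains the safer habit.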

What to Do If You Entered Credentials on a Fake Page

  1. Change your Profil Zaufany password immediately through the real gov.pl
  2. If you used bank login, contact your bank to change credentials and monitor for fraud
  3. Check your tax records on podatki.gov.pl for unauthorized changes
  4. Check ZUS records for unauthorized access
  5. Reserve your PESEL through mObywatel if not already done
  6. File a police report
  7. Report to CERT Polska at incydent.cert.pl

Share Government Documents Safely

When you need to share tax documents, ZUS statements, or other government correspondence with an accountant, lawyer, or family member, do not send them as email attachments. Use LOCK.PUB to create an encrypted, password-protected memo that auto-expires. The recipient views it once with the password, and the data disappears — no copies left in email inboxes or chat histories.

The Bottom Line

Your Profil Zaufany is as important as your physical dowód osobisty. A compromised Trusted Profile gives attackers access to your taxes, pension records, health data, and digital identity. The Polish government will never send you an SMS with a login link. Always access government services by typing the URL directly or using the official app.

When sharing sensitive government documents, use LOCK.PUB for encrypted, self-destructing memos. Your digital identity deserves the same protection as your physical one.
