One click and it’s hot. A new wave of SMS is circulating in Poland

The beginning of the year is traditionally the time of tax settlements – returns can be submitted until the end of April, and those using automatic PIT filling will be able to check their data on the e-PIT website as early as February 15. It was this moment that cybercriminals decided to take advantage of.

In recent days, CERT Orange Polska has been reporting an increased inflow of SMS traffic impersonating government sources. They contain messages about refunds of amounts of PLN 600 – it is difficult to ignore such an amount.

Initially, the official GOV and MOF subtitles appeared as the sender of the message, but after they were blocked, the fraudsters switched to regular phone numbers. Experts predict that as further lockdowns are introduced, criminals will try to use names more or less similar to government ones.

The safe-tax-return(.)com domain, to which the links from the phishing SMS messages lead, was registered only on Tuesday, February 10 – just a day before the campaign began. After clicking on the link, the user lands on a website in the style of Polish government websites, part of which is an exact copy of the website of the Ministry of Finance.

CERT Orange Polska also pays attention to the content of the website. The fraudsters used the phrase “the Polish government owes you money” – too colloquial and informal to appear on the official website of the Ministry of Finance.

In the next step, the fake website presents a window asking you to choose a bank under the guise of confirming your identity necessary to return the alleged e-PIT surplus. After selecting a financial institution, the user is redirected to a fake page pretending to be an electronic banking login panel.

This social engineering trick can fool even cautious Internet users. Many users know that one of the official methods of accessing government websites is actually logging in via e-banking systems. That’s why it’s so important to check the address in the browser bar – in the case of fraudsters’ websites, the graphic overlay impersonates a specific bank (e.g. Bank Millennium), while the user remains in the safe-zwrot-tax(.)com domain.

After carelessly entering the login and password on a fake website, the victim will see a request for an SMS code, described in a way that does not arouse suspicion. Entering this code means giving criminals almost full control over your bank account.

CERT Orange Polska warns that this type of campaigns are usually operated by fraudsters in real time – the victim may have their account wiped just a few minutes after providing their credentials.

CERT Orange Polska experts appeal for distrust of text messages with tax-related content. From February 15, people who want to check their tax returns should only use the official website available at epit.podatki.gov.pl. Any interactions with government platforms should be undertaken only on websites whose address ends with gov.pl.

Basic safety rules:

• Approach links in text messages with very limited trust.
• The more emotions the content of the message evokes, the more closely you should look at it.
• Always make sure that the website address is correct when entering your login, password or payment card details.
• Read the content of SMS messages with authorization codes from the bank very carefully – they usually describe in detail what you will confirm with a given code.
• Remember: official government websites never ask you to provide your bank login details to verify your identity or process a tax refund.