CERT Polska’s 2025 annual report reveals a surge in cyber fraud, with 658,320 reports resulting in 260,783 unique registered security incidents.
Reported Incidents and Fraud Prevalence
In 2025, CERT Polska received 658,320 reports, leading to the registration of 260,783 unique security incidents, according to their annual “Polish Internet Security Landscape” report.
Marcin Dudek, head of CERT Polska, stated at the Secure 2026 conference that 97% of incidents were cyber fraud, involving websites designed to steal data or induce investment in false schemes.
Types of Cyber Fraud
The report details 253,238 instances of cyber fraud, representing 97% of all handled events. This marks a 158% increase compared to the previous year.
The most common type of incident involved attempts to extract confidential data, such as logins and passwords for email, banking, social media, and other online services (phishing). There were 78,391 such incidents, accounting for 30% of all registered events.
Other forms of fraud included fake online stores and investment scams, where criminals impersonated energy companies, firms, institutions, and celebrities.
Phishing Campaign Examples
Frequently observed phishing campaigns involved unauthorized use of the branding of the OLX marketplace (28,462 events) and Allegro (22,513 events), as well as attempts to obtain credentials for email accounts (2,519 events).
Shift Towards Social Engineering and Deepfakes
Dudek noted a trend away from technically complex attacks towards social engineering, where fraudsters persuade individuals to transfer money. He also highlighted the increasing use of deepfakes and images of well-known figures.
NASK Warning List
Since March 2020, NASK has maintained a Warning List of dangerous websites designed to mislead users and steal their data. The current, second version keeps a harmful domain on the list for six months from the date of analysis and re-lists it if malicious activity continues.
Warning List Effectiveness
On average, 67 domains were added to the Warning List each day, and the list blocked 140 million visits to these sites. All mobile operators in Poland use the Warning List.
Once a domain is added, it becomes inaccessible on all phones in Poland within five minutes.
CERT NASK SMS Patterns
Under the law on combating electronic communications abuse, NASK creates patterns of phishing messages. These patterns are published in a special register accessible to SMS operators, who are obligated to block messages matching the pattern.
In 2025, 790 patterns led to the blocking of 1,883,610 malicious SMS messages.
However, Dudek noted that after the first year of the new law, criminals are shifting away from SMS attacks, with only 80,000 malicious messages reported among all submissions.
Ransomware and Malware Attacks
The report identified malware as the second most frequent threat in 2025, with 3,438 incidents, including system infections and unauthorized access attempts using malicious code.
This included 179 ransomware cases, potentially leading to data loss, system unavailability, and significant disruption.
Common Attack Vectors
Dudek emphasized that attack vectors remain consistent, and organizations can mitigate risks with minimal effort by securing edge devices, preventing password leaks, and protecting remote desktop protocol (RDP) access with strong passwords.
Vulnerable Services
The report also highlighted vulnerable services as a significant threat, with 1,732 incidents in 2025 related to security flaws in publicly accessible services and telecommunications systems. Regular software updates, proper system configuration, and continuous security monitoring are crucial.
APT Group Activity
CERT Polska observed increased activity from Advanced Persistent Threat (APT) groups linked to foreign states, targeting Polish public entities, private companies, and individuals with current or past public roles, political involvement, or scientific research.
There was also a rise in politically motivated attacks, including attempts to extract information and polarize society. For the first time, CERT Polska observed coordinated attacks on Poland’s energy sector with destructive intent.
Dudek noted attackers are increasingly targeting individuals connected to prominent figures, Russian language translators, Orthodox priests, and small logistics firms transporting goods to Ukraine.
UNC1151/Ghostwriter Group
The report specifically mentioned the activity of the UNC1151/Ghostwriter group, linked to Belarus, which is highly active, launching multiple campaigns weekly.
These activities include phishing campaigns targeting email services, malware distribution, exploitation of vulnerabilities in Roundcube software to steal credentials, and electoral disinformation.



