
Fake mObywatel fine: how one SMS can drain your account

A campaign impersonating mObywatel uses sender spoofing and a fake 200 PLN fine. We explain why it looks so convincing and how not to fall for it.

Karol Rapacz
15 June 2026 · 6 min read

In the spring of 2026, a wave of SMS messages impersonating mObywatel (Poland’s official government ID app) swept across the country. The message reports an alleged traffic offence and an unpaid fine. It is one of the most cleverly crafted smishing campaigns of recent months — and it’s worth taking apart, because it shows where the real problem lies. For scale: in 2025 CERT Polska registered 260,783 incidents (+152% year on year), and 97% of them were computer fraud.

Why this SMS looks so convincing

Classic phishing gives itself away by the sender: a strange number, a random string of digits. Here it’s different. The criminals use sender-field spoofing (the so-called Alpha Tag), so the message shows up as “mObywatel”. Because both iOS and Android group SMS messages by sender name, the fake message lands in the same thread as genuine government notifications. The phone “thinks” it’s a continuation of a trusted conversation — and that builds trust before the victim even reads the content.

The attack step by step

The link in the SMS leads to a page strikingly similar to the government one. The scenario is psychologically polished:

  1. The victim “checks their penalty points” — which always ends with a message about an unpaid 200 PLN fine.
  2. The “pay” button opens a form asking for card details.
  3. After entering the details and confirming in the banking app, the card is… added to the attacker’s Google Wallet.

That last element is the most dangerous. The victim doesn’t authorise a single payment — they unknowingly agree to add their card to someone else’s phone. From that point on, the criminal pays contactlessly, without confirmations, until the funds or the limit run out.

How to spot the fake

  • Check the domain, not the looks. Genuine government services end in gov.pl (e.g. mobywatel.gov.pl). Fakes contain the words “gov” and “pl” but end in a different domain: mobywatel-gov.pl-mandat.xyz is not gov.pl.
  • mObywatel does not send fines by SMS with a link to pay by card. Fines are handled through other channels.
  • Pressure and a specific amount are warning signs. “Pay within 24 h or the case goes to court” is social engineering, not procedure.
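
The domain check from the first point, written out as code for a mail/SMS gateway or a training exercise. This is an added example, not part of the original article; the function name is_gov_pl and the sample links other than the one quoted above are constructed for illustration.

```python
from urllib.parse import urlsplit

TRUSTED_SUFFIX = "gov.pl"  # per the article: genuine services end in gov.pl


def is_gov_pl(url: str) -> bool:
    """Return True only if the link's host is gov.pl or a subdomain of it."""
    # Backslashes and whitespace are read differently by different URL
    # parsers, so a link containing them is treated as untrusted.
    if "\\" in url or any(c.isspace() for c in url):
        return False
    # Links in SMS often come without a scheme; add one so the host is parsed.
    if "://" not in url:
        url = "https://" + url
    try:
        host = urlsplit(url).hostname  # excludes any "user@" part and the port
    except ValueError:
        return False
    if not host:
        return False
    host = host.rstrip(".").lower()
    labels = host.split(".")
    # Non-ASCII or punycode labels can render as lookalike characters.
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        return False
    # Match on a label boundary from the right; never use a substring test.
    return host == TRUSTED_SUFFIX or host.endswith("." + TRUSTED_SUFFIX)


# Constructed sample links (the second is the fake quoted in the article).
SAMPLES = [
    "https://mobywatel.gov.pl/",
    "mobywatel-gov.pl-mandat.xyz",
    "https://mobywatel.gov.pl.mandat.example/pay",
    "https://notgov.pl/",
    "HTTPS://WWW.GOV.PL./",
]


def triage(links):
    """Map each link to True (host under gov.pl) or False (anything else)."""
    return {link: is_gov_pl(link) for link in links}


if __name__ == "__main__":
    for link, ok in triage(SAMPLES).items():
        print("gov.pl   " if ok else "NOT gov.pl", link)
```

A passing check only says the host sits under gov.pl; it says nothing about the sender name shown for the SMS.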

How to protect yourself

On the user side: don’t click links in SMS messages, open the mObywatel app manually, and if in any doubt, call the official hotline. If you’ve already entered your card details — block the card immediately and check, in your banking app, the list of devices and wallets it’s linked to.

For organisations, remember that content filtering isn’t enough — sender spoofing happens at the telecom-network level. The real defence is employee education combined with limiting the impact: transaction limits, push notifications for every payment and a fast path to blocking cards.

It’s the same pattern we cover in our piece on phishing: the most effective attacks don’t break technology, they break trust. And here trust hinges on a single detail — the sender name, which must never be treated as proof of identity.

We help companies limit the impact of similar smishing campaigns targeting employees — from training to social engineering tests and security audits. In case of an incident, contact us.

Sources and further reading: Niebezpiecznik, Sekurak and CERT Polska advisories. If you receive a suspicious SMS in Poland, report it to 8080 (CERT Polska).
