Breachroad

BLIK SMS spoofing: how one link hijacks your banking

An intensive campaign impersonates BLIK using SMS spoofing and fake login panels. We show how criminals take over online banking and how to break the chain.

Karol Rapacz
5 June 2026 · 6 min read

BLIK has become an everyday payment method in Poland — and that’s exactly why it’s a target. In 2026 we’re seeing intensive campaigns in which criminals impersonate BLIK and banks, combining SMS spoofing with fake login panels. The end result isn’t a single fraudulent payment, but a full takeover of the victim’s online banking.

What the attack looks like

The vector is almost always the same. The victim gets an SMS displayed as “BLIK” or the name of their bank — thanks to sender spoofing it lands in the same thread as genuine messages from that sender. The wording is designed to frighten: “unusual transaction detected”, “confirm your identity”, “your account will be blocked”. The link leads to a page that faithfully mimics the bank’s login panel.

When the victim enters their login and password, the attacker uses them to log into the real banking session in real time. The trap page then asks for the code from an SMS (authorisation) — a code the victim genuinely receives from the real bank, because on the other side the criminal is initiating an operation that requires it. The code the victim retypes finalises that operation: adding a trusted device, changing limits or making a transfer.

Why the authorisation code is the critical point

The most important rule we drill into clients: an authorisation code describes an operation, not a “login”. Banks put the exact details in the SMS text — the amount, the account number, the type of action. If the SMS says “adding a trusted device” while you think you are “just logging in”, someone else is carrying out that operation through you.

Criminals count on nobody reading the code’s text — we retype the digits reflexively. This one habit — reading what you’re actually authorising — defuses most such attacks.

Warning signs

  • An SMS with a link “to log in” — banks do not ask you to log in via a link in a message.
  • A login page at an address that isn’t the bank’s official domain (check the certificate and the full address, not just the padlock).
  • Time pressure and threats to block the account.
  • A request for an authorisation code “for verification” right after you enter your password.
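The second warning sign above, checking the full address rather than the padlock, is the one people get wrong most often. The following is an added illustration (not code from Breachroad or any bank) of how a checker, for example one built into an awareness tool or a mail/SMS gateway, would decide whether a link in a message actually points at the bank; `examplebank.pl` and the message texts are constructed placeholders.

```python
import re
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# Constructed placeholder. In practice use the domains printed on the bank's
# card or contract, or shown in the official app, never one taken from a message.
OFFICIAL_BANK_DOMAINS = {"examplebank.pl"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def hostname_of(url: str) -> Optional[str]:
    """Return the host the browser would really connect to (lowercased).

    urlsplit().hostname drops any 'user:pass@' prefix and the port, so
    'https://examplebank.pl@evil.example/' correctly yields 'evil.example'.
    A bare 'examplebank.pl/login' without a scheme parses as a path and
    yields None, which the caller treats as 'not verifiable'.
    """
    try:
        return urlsplit(url.strip()).hostname
    except ValueError:
        return None


def is_official_bank_url(url: str, official: Iterable[str] = OFFICIAL_BANK_DOMAINS) -> bool:
    """True only if the host IS an official domain or a subdomain of one.

    'examplebank.pl.verify-now.example' does not match: the bank's name is
    merely a prefix, and the registrable domain belongs to someone else.
    The scheme (https) and the padlock play no part in the decision.
    """
    host = hostname_of(url)
    if not host:
        return False
    if host.startswith("xn--") or ".xn--" in host:
        # Internationalised (punycode) label: visually similar characters
        # from another alphabet can stand in for Latin ones. Treat as unknown.
        return False
    return any(host == d or host.endswith("." + d) for d in official)


def suspicious_links(sms_text: str, official: Iterable[str] = OFFICIAL_BANK_DOMAINS) -> List[str]:
    """Return every link in a message that does not point at an official domain."""
    official = set(official)
    return [u for u in URL_RE.findall(sms_text) if not is_official_bank_url(u, official)]
```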

How to defend yourself

Only ever access your bank through a browser bookmark or the official app — never via a link from an SMS or email. Turn on push notifications for every operation, set sensible daily limits, and use the bank’s mobile app rather than SMS authorisation where possible (in-app authorisation shows the full context of the operation).

If you’ve entered your details on a fake page: call the bank’s hotline immediately, change your password from a trusted device and block access. The faster you act, the smaller the damage. That’s exactly the “first minutes” logic we describe in our piece on breach response.

We help financial sector companies test the resilience of their processes and people to spoofing and social engineering — check our services or book a consultation.

Sources and further reading: Sekurak (analyses of BLIK spoofing campaigns) and CERT Polska. Report suspicious SMS messages to 8080.
