Fake KSeF and gov.pl notifications target businesses
Criminals impersonate KSeF, e-government and gov.pl domains to target company finance teams. What this phishing looks like and how to defend against it.
Whenever the regulatory landscape shifts, criminals exploit it immediately. The rollout of Poland’s National e-Invoicing System (KSeF) and the digitalisation of dealings with public administration created a perfect pretext for phishing aimed at businesses — because finance departments expect messages about invoices and official obligations.
What the attack looks like
CERT Polska has warned about campaigns with fake KSeF notifications and phishing that uses domains strikingly similar to gov.pl. A typical message reports a “new invoice in the system”, an “error in your settlement” or a “need to confirm your data”, and leads to:
- a fake login panel (for KSeF, e-government, corporate banking), where the victim gives up their credentials, or
- an attachment or link with malware — a macro in an “invoice”, a file that runs a downloader.
The goal is often to take over the finance team’s mailbox — and from there it’s a short step to CEO fraud (BEC) and swapping the bank account number on invoices.
Why companies are an easy target
- Routine — the finance team opens dozens of invoices a day; one forgery doesn’t stand out.
- The authority of officialdom — “it’s from the Ministry / KSeF” discourages questioning.
- Diffuse responsibility — it’s not always clear who verifies the authenticity of a notification.
What to watch for
- The full domain in the sender’s address and the link. Official services end in gov.pl; in ksef.gov.pl.rozliczenia.info the actual domain is rozliczenia.info.
- Unusual attachments (files with macros, archives, “invoice.pdf.exe”).
- Pressure and threats — penalties, deadlines, blocks.
- A request to log in via a link instead of accessing the system directly.
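The domain check above, as an added example that is not part of the original article: it pulls the hostname out of a sender address or link, shows which part a phisher actually controls, and accepts only hosts that end in gov.pl on a label boundary. The sample values are constructed lures modelled on the ones described here, and the trusted-suffix list is an assumption for the example.

```python
from urllib.parse import urlsplit

# Domain suffixes the organisation treats as genuine (assumption for this example;
# the article only states that official services end in gov.pl).
TRUSTED_SUFFIXES = ("gov.pl",)

def host_of(value: str) -> str:
    """Return the lowercase hostname from a URL or a sender address."""
    if "://" not in value and "@" in value:          # e-mail address
        return value.rsplit("@", 1)[1].strip(">").lower()
    if "://" not in value:                            # bare host or host/path
        value = "http://" + value
    return (urlsplit(value).hostname or "").lower().rstrip(".")

def registrable_domain(host: str) -> str:
    """Last two labels of the host: the part the sender actually controls.
    Simplification: production code should consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def is_official(value: str) -> bool:
    """True only if the host IS a trusted suffix or a subdomain of one.
    Matching on a label boundary rejects 'gov.pl.x.info' and 'gov-pl.info'."""
    host = host_of(value)
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

# Constructed samples modelled on the lures described in the article.
SAMPLES = [
    "https://ksef.gov.pl/web/login",                   # genuine subdomain
    "powiadomienia@ksef.gov.pl.rozliczenia.info",      # gov.pl buried in a label
    "https://ksef.gov.pl.rozliczenia.info/faktura",    # same trick in a link
    "https://ksef.gov.pl@rozliczenia.info/faktura",    # userinfo before the real host
    "https://e-urzad.gov-pl.info/potwierdz-dane",      # hyphen lookalike
]

def triage(values=SAMPLES):
    """Return (value, registrable domain, official?) for each sample."""
    return [(v, registrable_domain(host_of(v)), is_official(v)) for v in values]

if __name__ == "__main__":
    for value, reg, ok in triage():
        print(f"{'OK  ' if ok else 'WARN'} {reg:20} {value}")
```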
How to secure your organisation
Technical minimum: properly configured SPF, DKIM and DMARC (which make it harder to impersonate your domain), attachment filtering, blocking macros from the internet, and 2FA on mailboxes and systems. Log into KSeF, e-government and banking only via a manually typed address or a bookmark, never from a link in a message.
Procedurally: introduce second-channel verification of any bank-account change (a call to a known contact) and a clear path for reporting suspicious emails to IT. These are exactly the “limit the impact” principles we write about in our piece on breach response — because a compromised finance mailbox can cost a company far more than a single invoice.
Preparing your company for KSeF? Make sure your accounting team can tell genuine notifications from phishing — we offer training and social engineering tests plus consultations for finance teams.
Sources and further reading: CERT Polska warning list, Sekurak, Niebezpiecznik.