Publication date: November 18, 2025
As technology advances, scams based on phishing, smishing, spoofing and CLI spoofing are becoming more common. They are not new, but AI tools make image and voice impersonation faster and more convincing, and they let perpetrators tailor manipulation techniques to a specific target. The aims range from extracting personal data and stealing logins and passwords to persuading or intimidating victims into unfavorable financial transactions. The Polish Act on Combating Abuse in Electronic Communications creates mechanisms intended to limit these phenomena and to increase user protection against harm carried out through communication technologies, such as text-message fraud, data theft and unfavorable financial transactions.
Polish Act on Combating Abuse in Electronic Communications
The Polish Act on Combating Abuse in Electronic Communications entered into force on September 25, 2023. Its material scope covers the rights and obligations of telecommunications undertakings, email providers and public entities with respect to preventing and combating abuse in electronic communications (Article 1, point 1). CSIRT NASK has a special role in carrying out the statutory tasks (Article 4). “Abuse in electronic communications” is defined as the provision or use of a telecommunications service or telecommunications equipment contrary to its intended purpose or to legal provisions (Article 2, point 8), where the purpose or effect is to harm a telecommunications undertaking or an end user, or to obtain an undue benefit for the abuser or for another natural person, legal person or organizational unit without legal personality. The Act prohibits, in particular:
• generating artificial traffic: sending or receiving messages or voice calls whose sole purpose is to be registered at the interconnection point of telecommunications networks or by billing systems;
• smishing: phishing carried out via SMS, in which the sender impersonates another entity;
• CLI spoofing: impersonation by a caller who uses someone else’s addressing information (the calling line identification) in a voice call;
• unauthorized change of addressing information: unlawful modification of addressing information in a way that prevents or hinders determining who sent the message.
Activities other than those listed may also constitute abuse in electronic communications.
Phishing
Phishing is the use of fraudulent websites to extract data from their visitors, and it is the most serious such threat in Poland. The Act places on a statutory footing the warning list, which has existed since March 2020 (Articles 20 and 39, paragraph 3). The list lets internet access providers that enter into an agreement with the Ministry of Digital Affairs and NASK block traffic to phishing websites at the DNS resolver level. The warning list is public and covers internet domains used for data theft and for inducing internet users to dispose of their property to their detriment, as well as domains whose primary purpose is to mislead internet users and lead to the extortion of their data or the detrimental disposal of their property (Article 20, paragraph 3). Anyone can submit a domain, optionally with a justification (Article 20, paragraph 4), and CSIRT NASK can also add a domain on its own initiative (Article 20, paragraph 5). A telecommunications undertaking may prevent internet users from reaching websites under listed domain names by removing those names from the IT systems it uses to convert domain names to IP addresses, i.e. its DNS resolvers (Art. 20, Section 8). In that case it redirects connections to listed domain names to a website maintained by CSIRT NASK that tells the user, in particular, where the warning list can be found, that the requested domain name is on it, and that the site may attempt data fraud or induce detrimental disposal of property (Art. 20, Section 9). Note that a resolver-level block only protects users who actually use the provider’s resolvers; a client configured to use a third-party or encrypted DNS service bypasses it. Pursuant to Art. 21, an objection to the inclusion of a domain in the warning list may be filed with the President of the Office of Electronic Communications (UKE).
The objection should include:
• indication of the Internet domain to which the objection relates;
• a justification explaining why the inclusion of the Internet domain in the warning list is unjustified;
• data identifying the entity holding the legal title to the Internet domain:
• in the case of natural persons – name and surname, address of residence;
• in the case of legal persons and organizational units without legal personality – name of the entity, registered office address, number from the relevant register;
• name and surname of the person authorized to represent the entity holding the legal title to the Internet domain, together with authorization.
Under Article 22, the President of the Office of Electronic Communications (UKE) (or another authorized body) considers the objection within 14 days of its receipt and immediately informs the objecting entity of the outcome. If the domain name is not used for data fraud or for inducing internet users to dispose of their property to their detriment, the objection is upheld (Article 22, paragraph 2, point 1) and CSIRT NASK removes the domain from the warning list within three days (Article 22, paragraph 3). Otherwise the President of UKE does not uphold the objection (Article 22, paragraph 2, point 2); that decision can be appealed to an administrative court.
A domain may also be removed from the list once the grounds for its inclusion cease to exist, in which case operators should immediately stop blocking it; each operator may also decide on its own to unblock a domain earlier. An objection can be justified by arguing that the listing rested on an incorrect classification (the site did not contain phishing content or content infringing personal rights or copyrights), that any infection or content hijacking was removed immediately, or that the measure was disproportionate to the actual threat.
Smishing Distribution
Smishing is the distribution of links to phishing websites via text messages (Article 3, point 2). Under the Act, CSIRT NASK monitors smishing and creates message templates whose characteristics allow a message to be recognized as smishing (Article 4), based on reports of suspicious messages from recipients and on information from telecommunications undertakings and other entities. Blocking has two aspects. First, CSIRT NASK maintains a list of malicious message templates, and operators are required to block an incoming message that matches any template on the list. Each template must be made public between 14 and 21 days after it appears on the list. Second, the SMS sender names (alphanumeric sender IDs, “nadpis” in the Act) used by public entities are protected. This protection consists of two elements:
• a list, maintained by CSIRT NASK, of sender names reserved for public entities and of their misleading variants;
• a list, maintained by the President of the Office of Electronic Communications, of SMS service integrators providing services to public entities.
Telecommunications undertakings may also block, using a system that enables automatic identification, SMS messages that do not match a CSIRT NASK template, as well as MMS messages. To identify, prevent and combat smishing (by SMS and MMS) they may process electronic messages and share them with one another (Art. 26). Public entities can additionally protect themselves against unauthorized use of their sender names by outsourcing messaging exclusively to a specific SMS integrator. Telecommunications undertakings are obligated to block SMS messages that:
• carry a sender name reserved for a public entity but were not sent by an integrator serving that public entity;
• carry a misleading variant of a public entity’s sender name that is included in the CSIRT NASK list.
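To make the three blocking rules concrete (template match, reserved sender name outside its authorized integrator, and listed misleading variant), here is an added example of how an SMS gateway filter could apply them. It is not code from the Act, CSIRT NASK or any operator. The regex templates, the reserved sender name UrzadX, its misleading variants, the integrator names and the sample messages are all constructed for illustration; the real lists and template format are those published by CSIRT NASK and UKE. Case-insensitive comparison of sender names is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Sms:
    sender: str                 # alphanumeric sender name or number as received
    integrator: Optional[str]   # hypothetical: integrator that injected the message, None if unknown
    text: str


# Constructed sample data for this example; none of it comes from CSIRT NASK or UKE lists.
# Message templates from the CSIRT NASK list are modelled here as regexes over the body.
SMISHING_TEMPLATES = [
    re.compile(r"parcel\b.*?\b(held|stopped|returned)\b.*?\b(pay|fee)\b.*?https?://", re.I | re.S),
    re.compile(r"account\b.*?\b(blocked|suspended)\b.*?\b(verify|confirm)\b.*?https?://", re.I | re.S),
]

# Sender names reserved for public entities -> integrators authorized to send under them.
RESERVED_SENDERS = {"URZADX": {"IntegratorA"}}

# Misleading variants of reserved sender names (as CSIRT NASK would list them) -> the name imitated.
MISLEADING_VARIANTS = {"URZAD-X": "URZADX", "URZAD_X": "URZADX", "URZADX.": "URZADX"}


def _norm(sender: str) -> str:
    # Assumption of this example: sender names are compared case-insensitively.
    return sender.strip().upper()


def classify(sms: Sms) -> Tuple[str, str]:
    """Return ('block', reason) or ('allow', reason) for one message."""
    # Rule 1: body matches a published smishing template -> block regardless of sender.
    for tpl in SMISHING_TEMPLATES:
        if tpl.search(sms.text):
            return "block", f"body matches smishing template {tpl.pattern!r}"
    name = _norm(sms.sender)
    # Rule 2: reserved sender name used outside the integrator serving that public entity.
    if name in RESERVED_SENDERS:
        if sms.integrator in RESERVED_SENDERS[name]:
            return "allow", f"reserved sender name {sms.sender!r} sent via authorized integrator"
        return "block", f"reserved sender name {sms.sender!r} not sent via an authorized integrator"
    # Rule 3: sender name is a listed misleading variant of a reserved name.
    if name in MISLEADING_VARIANTS:
        return "block", f"sender name {sms.sender!r} is a listed misleading variant of {MISLEADING_VARIANTS[name]}"
    return "allow", "no rule matched"


# Constructed sample traffic.
SAMPLES: List[Sms] = [
    Sms("UrzadX", "IntegratorA", "Your case no. 4411 has a new decision. Check it in the official portal."),
    Sms("UrzadX", "IntegratorZ", "Your case no. 4411 has a new decision. Check it in the official portal."),
    Sms("Urzad-X", None, "Confirm your identity: https://login.example.invalid/"),
    Sms("Kurier24", None, "Your parcel was held at customs. Pay the fee of 1.99 PLN: https://pay.example.invalid/x"),
    Sms("Anna", None, "See you at 7pm"),
]


def run_samples() -> List[str]:
    """Verdict per sample, in order: allow, block, block, block, allow."""
    return [classify(s)[0] for s in SAMPLES]


if __name__ == "__main__":
    for s in SAMPLES:
        verdict, reason = classify(s)
        print(f"{verdict:5} {s.sender:10} {reason}")
```

The order of the rules matters: a message that matches a template is blocked even when it comes through an authorized integrator under a reserved name, which mirrors the Act making template matches mandatory blocks while the sender-name rules only add further blocks.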
The SMS sender whose message has been blocked in this way has the right to file an objection to the President of the Office of Electronic Communications (Article 7). The objection should include:
• full text of the SMS;
• justification explaining why the content of the SMS does not constitute smishing;
• indication of the number used to send the SMS;
• data identifying the sender:
Pursuant to Article 8, the objection is considered within 14 days of its receipt and the SMS sender is then informed of the outcome. If an SMS whose content matches a message template does not in fact constitute smishing, the President of UKE upholds the objection; otherwise it is not upheld, and a complaint may be filed with an administrative court. A telecommunications undertaking that itself engages in smishing is subject to a fine (Article 27 paragraph 1 item 2). If the act also constitutes a criminal offence, only the provisions on criminal liability apply to a telecommunications undertaking that is a natural person (Article 27 paragraph 2). Furthermore, under Article 30, whoever, in order to gain a financial or personal benefit or to cause harm to another person, sends an SMS, MMS or message via another interpersonal communication service in which he or she impersonates another entity in order to persuade the recipient to provide personal data, to dispose of property to their detriment, to open a website, to initiate a voice call, to install software, or to provide computer passwords, access codes or other data enabling unauthorized access to information stored in an IT system, ICT system or ICT network (smishing) is subject to imprisonment from 3 months to 5 years. In cases of lesser gravity, the perpetrator is subject to a fine, restriction of liberty or imprisonment for up to one year.
Spoofing
Spoofing is a form of fraud in which an attacker impersonates another person, company or device to obtain confidential information or money, or to spread malware. It is most often carried out by email or by phone, and it is frequently a component of phishing. Email providers serving at least 500,000 users, or serving public entities, are required to implement the mechanisms that prevent a domain from being used to impersonate its owner and that detect alteration of messages sent from it:
• SPF (Sender Policy Framework): a DNS record listing the hosts authorized to send mail for the domain;
• DKIM (DomainKeys Identified Mail): a cryptographic signature over message headers and body, verified against a public key published in DNS;
• DMARC (Domain-based Message Authentication, Reporting and Conformance): a DNS policy telling receivers what to do with mail that fails SPF or DKIM alignment, and where to send reports.
The Act obliges public entities to use only email services that incorporate these mechanisms. Email providers that fail to meet these obligations may be fined if the scope or nature of the violation warrants it (Article 27, Section 4). Independently of that fine, the President of the Office of Electronic Communications (UKE) may, by decision, impose on the manager of a telecommunications undertaking (in particular a person holding a managerial position or a member of the management body of a telecommunications undertaking or of an association of such undertakings) a fine of up to 300% of their monthly remuneration, calculated under the rules for determining the monetary equivalent for vacation leave (Article 27, Section 6). Under Articles 40 and 41, email providers serving public entities that did not offer multi-factor authentication were required to submit an offer providing it. A decision of the President of UKE imposing a fine may be appealed to the District Court in Warsaw, the Court of Competition and Consumer Protection (Article 27, paragraph 9). Fines are enforced under the provisions on administrative enforcement proceedings for pecuniary obligations (Article 27, paragraph 10).
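Merely publishing SPF, DKIM and DMARC records does not stop impersonation; the records have to enforce. The following added example (not from the Act, UKE or any provider) audits a domain's records for the settings that actually matter, with a weak configuration beside a corrected one. The TXT records for weak.example.invalid and strong.example.invalid are constructed inline rather than looked up in DNS, the DKIM public key is a placeholder, and the thresholds it applies (p=reject, -all, the 10-lookup limit of RFC 7208) reflect common hardening practice, not wording of the Act; the lookup-limit check goes beyond the passage above.

```python
import re
from typing import Dict, List, Optional

# Constructed TXT records for two hypothetical domains; nothing here was looked up in DNS.
TXT: Dict[str, str] = {
    # Weak: SPF ends in +all, DMARC only monitors, no DKIM key published.
    "weak.example.invalid": "v=spf1 include:_spf.mailer.example.invalid +all",
    "_dmarc.weak.example.invalid": "v=DMARC1; p=none",
    # Corrected: explicit senders with -all, p=reject, strict alignment, reporting, DKIM key present.
    "strong.example.invalid": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example.invalid -all",
    "_dmarc.strong.example.invalid": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example.invalid",
    "s1._domainkey.strong.example.invalid": "v=DKIM1; k=rsa; p=QUJDREVGR0hJSktMTU5PUA==",  # placeholder key
}

# SPF terms that cost a DNS lookup (RFC 7208 section 4.6.4 caps them at 10 per evaluation).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)", re.I)


def _tags(record: str) -> Dict[str, str]:
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    out: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def check_spf(record: Optional[str]) -> List[str]:
    if record is None or not record.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 TXT record at the domain apex"]
    findings: List[str] = []
    terms = record.split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism, unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorizes any host on the Internet to send as this domain")
        elif qualifier == "?":
            findings.append("SPF: '?all' gives unlisted senders a neutral result")
        elif qualifier == "~":
            findings.append("SPF: '~all' is softfail only; use '-all' once all senders are listed")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10, receivers return permerror")
    return findings


def check_dmarc(record: Optional[str]) -> List[str]:
    if record is None:
        return ["DMARC: no _dmarc TXT record"]
    tags = _tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC: record does not begin with v=DMARC1"]
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; mail failing authentication is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; p=reject is needed to keep spoofed mail out of inboxes")
    elif policy != "reject":
        findings.append("DMARC: missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only a sample of messages")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so the domain owner gets no aggregate reports")
    return findings


def check_dkim(domain: str, selectors: List[str], records: Dict[str, str]) -> List[str]:
    for sel in selectors:
        tags = _tags(records.get(f"{sel}._domainkey.{domain}", ""))
        if tags.get("p"):  # a non-empty p= tag means a public key is published at this selector
            return []
    return [f"DKIM: no public key published at selectors {selectors}"]


def audit(domain: str, selectors: List[str], records: Dict[str, str] = TXT) -> List[str]:
    """Return the findings for a domain; an empty list means all three mechanisms are enforcing."""
    return (check_spf(records.get(domain))
            + check_dmarc(records.get(f"_dmarc.{domain}"))
            + check_dkim(domain, selectors, records))


if __name__ == "__main__":
    for d in ("weak.example.invalid", "strong.example.invalid"):
        print(d, audit(d, ["s1"]) or ["OK"])
```

In a real audit the records would come from DNS queries for the apex, the `_dmarc` label and each known DKIM selector; the checks themselves do not change. The weak domain illustrates the typical gap: a record exists for each mechanism on paper, yet `+all` and `p=none` mean a forged message is neither rejected nor even quarantined.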
CLI Spoofing
This type of spoofing involves altering the calling number presented to the recipient of an incoming call (the calling line identification, CLI). Unlike email, voice calls have no widely deployed equivalent of SPF, DKIM and DMARC, so the Act relies on operator-side blocking. Telecommunications undertakings are required to block, or to hide the number identification of, voice calls in which the caller impersonates another person or institution. Numbers that an institution uses exclusively to receive calls, and which the public readily associates with it, may be reported to the President of the Office of Electronic Communications (UKE), who maintains a dedicated list of them; operators must block outgoing calls that present a number from this list as the caller’s number, since such a number can never legitimately originate a call (Article 16). The second obligation is to block the call, or hide the forged identifier, when CLI spoofing is detected (Article 19). An operator that properly performs an agreement concluded with the President of UKE specifying detailed organizational and technical measures against CLI spoofing (Article 19 paragraph 2) is not liable for non-performance or improper performance of a telecommunications service that results from applying those measures (Article 19 paragraph 4). These rules apply to providers of publicly available telecommunications services that serve at least 50,000 subscribers and are also operators (Article 19 paragraph 2). For other undertakings, the President of UKE may issue recommendations specifying such measures (Article 19 paragraph 6); an undertaking that properly follows them is likewise not liable for non-performance or improper performance resulting from them. An undertaking that itself engages in CLI spoofing is subject to a fine (Article 27 paragraph 1 item 3), and where the act constitutes a crime, only the provisions on criminal liability apply (Article 27 paragraph 2).
Under Article 31, whoever, in order to gain a material or personal benefit or to cause harm to another person, initiates a voice call using, without authorization, addressing information that indicates another natural person, legal person or organizational unit without legal personality, so as to impersonate that entity and persuade the recipient to provide personal data, to dispose of property to their detriment, to install software, or to provide computer passwords, access codes or other data enabling unauthorized access to information stored in an IT system, ICT system or ICT network, is subject to imprisonment from 3 months to 5 years. In less serious cases the perpetrator is subject to a fine, restriction of liberty or imprisonment for up to one year. Pursuant to Art. 17, since 26 March 2024 the President of the Office of Electronic Communications maintains a public list of numbers used exclusively for receiving voice calls; these are the numbers whose use as an outgoing caller ID operators must block under Article 16.