<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>phishing - KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</title>
	<atom:link href="https://www.kg-legal.eu/info/tag/phishing/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.kg-legal.eu/info/tag/phishing/</link>
	<description>KIELTYKA GLADKOWSKI LEGAL &#124; CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</description>
	<lastBuildDate>Tue, 18 Nov 2025 12:06:08 +0000</lastBuildDate>
	<language>en-GB</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	
	<item>
		<title>Acts of Abuse in Electronic Communications, procedures and cooperation with authorities in EU and Poland</title>
		<link>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/acts-of-abuse-in-electronic-communications-procedures-and-cooperation-with-authorities-in-eu-and-poland/</link>
					<comments>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/acts-of-abuse-in-electronic-communications-procedures-and-cooperation-with-authorities-in-eu-and-poland/#respond</comments>
		
		<dc:creator><![CDATA[jakub]]></dc:creator>
		<pubDate>Tue, 18 Nov 2025 12:06:08 +0000</pubDate>
				<category><![CDATA[IT, NEW TECHNOLOGIES, MEDIA AND COMMUNICATION TECHNOLOGY LAW]]></category>
		<category><![CDATA[Acts of Abuse]]></category>
		<category><![CDATA[CSIRT NASK]]></category>
		<category><![CDATA[Electronic Communications]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[President of the Office of Electronic Communications]]></category>
		<category><![CDATA[Smishing Distribution]]></category>
		<category><![CDATA[The Polish Act on Combating Abuse in Electronic Communications]]></category>
		<category><![CDATA[UKE]]></category>
		<guid isPermaLink="false">https://www.kg-legal.eu/?p=8488</guid>

					<description><![CDATA[<p>Publication date: November 18, 2025 With technological advancements, scams involving phishing, smishing, spoofing, and CLI spoofing are gaining popularity. While they are not a new phenomenon, AI technologies certainly allow for increasingly faster and more effective image and voice impersonation, making impersonation easier. Furthermore, the latest tools help perpetrators tailor their manipulation techniques to specific [&#8230;]</p>
<p>The article <a href="https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/acts-of-abuse-in-electronic-communications-procedures-and-cooperation-with-authorities-in-eu-and-poland/">Acts of Abuse in Electronic Communications, procedures and cooperation with authorities in EU and Poland</a> comes from <a href="https://www.kg-legal.eu">KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p><strong>Publication date: November 18, 2025</strong></p>



<p>With technological advancements, scams involving phishing, smishing, spoofing, and CLI spoofing are gaining popularity. While they are not a new phenomenon, AI technologies certainly allow increasingly fast and effective imitation of images and voices, making impersonation easier. Furthermore, the latest tools help perpetrators tailor their manipulation techniques to specific individuals. Such activities serve a variety of purposes, from extorting personal data or stealing logins and passwords to persuading or intimidating victims into unfavorable financial transactions. <strong>The Polish Act on Combating Abuse in Electronic Communications </strong>aims to create mechanisms to limit these harmful phenomena. It aims to increase user protection against harmful activities carried out via communication technologies, such as text message fraud, data theft, and unfavorable financial transactions.</p>



<span id="more-8488"></span>



<p><strong><u>Polish Act on Combating Abuse in Electronic Communications</u></strong></p>



<p>The Polish Act on Combating Abuse in Electronic Communications entered into force on September 25, 2023. Its material scope covers the rights and obligations of telecommunications companies, email providers, and public entities with respect to preventing and combating abuse in electronic communications (Article 1, point 1). CSIRT NASK is to play a special role in implementing the statutory tasks (Article 4). The concept of &#8220;abuse in electronic communications&#8221; has been defined as the provision or use of a telecommunications service or telecommunications equipment that is contrary to their intended purpose or legal provisions (Article 2, point 8), where the purpose or effect is to cause harm to a telecommunications undertaking or end user, or to obtain undue benefits for the entity committing the abuse of electronic communications, another natural person, legal person or organizational unit without legal personality. The Act prohibits, in particular, generating artificial traffic (sending or receiving messages or voice calls, the sole purpose of which is to be registered at the point of connection of telecommunications networks or by billing systems), smishing (a type of phishing carried out using SMS messages in which the sender impersonates another entity), CLI spoofing (impersonation by the caller using someone else&#8217;s address information in a voice call) and unauthorized change of address information (unlawful modification of address information in a way that prevents or makes it difficult to determine who the sender of the message is). Activities other than those mentioned may also constitute abuse of electronic communications.</p>



<p><strong>Phishing</strong></p>



<p>Phishing occurs when websites attempt to extort data. This is the most serious threat in Poland. The Act on Combating Abuse in Electronic Communications provides for the warning list, which has been in effect since March 2020 (Articles 20 and 39, paragraph 3). The list allows internet providers who enter into an agreement with the Ministry of Digital Affairs, NASK, to block traffic to phishing websites at the DNS server level. The warning list is public and covers internet domains used for data theft and the detrimental disposal of internet users&#8217; property. It also includes internet domains whose primary purpose is to mislead internet users and lead to the extortion of their data or the detrimental disposal of their property (Article 20, paragraph 3). Anyone can submit an internet domain, with the option of providing justification (Article 20, paragraph 4), but the NASK CSIRT can also, on its own initiative, add a domain to the warning list (Article 20, paragraph 5). A telecommunications company may prevent internet users from accessing websites using domain names included in the warning list by removing them from the telecommunications company&#8217;s IT systems used to convert domain names to IP addresses (Art. 20, Section 8). In such a case, the telecommunications company will redirect connections referring to domain names included in the warning list to a website maintained by CSIRT NASK containing information addressed to internet users, including, in particular, information about the location of the warning list, the inclusion of the searched domain name in the warning list, and possible attempts at data fraud or unfavorable disposal of property (Art. 20, Section 9). Pursuant to Art. 21, <strong>an objection to the inclusion of an internet domain in the warning list may be filed with the President of the Office of Electronic Communications.</strong></p>



<p>The objection should include:</p>



<p>• indication of the Internet domain to which the objection relates;</p>



<p>• a justification explaining why the inclusion of the Internet domain in the warning list is unjustified;</p>



<p>• data identifying the entity holding the legal title to the Internet domain:</p>



<p>• in the case of natural persons – name and surname, address of residence;</p>



<p>• in the case of legal persons and organizational units without legal personality – name of the entity, registered office address, number from the relevant register;</p>



<p>• name and surname of the person authorized to represent the entity holding the legal title to the Internet domain, together with authorization.</p>



<p>Article 22 states that the President of the Office of Electronic Communications (UKE) (or another authorized body) shall consider the objection within 14 days of its receipt and shall immediately inform the objecting entity of the outcome of its consideration. If the domain name is not used for data fraud or for the detrimental disposal of internet users&#8217; property, the objection is upheld (Article 22, paragraph 2, point 1). Within three days of upholding the objection, the NASK CSIRT removes the domain from the warning list (Article 22, paragraph 3). Otherwise, the President of the UKE does not uphold the objection (Article 22, paragraph 2, point 2), but such a decision can be appealed to an administrative court.</p>



<p>A domain may be removed from the list once the grounds for its inclusion cease to exist. In such a case, operators should immediately cease blocking it. Each operator may independently decide to unblock a domain early. The appeal can be justified by stating that the decision was based on an incorrect classification and that the website did not contain phishing content or content infringing on personal rights or copyrights, that any infection or content hijacking was immediately removed, or that the measure taken proved disproportionate to the actual threat.</p>



<p><strong>Smishing Distribution</strong></p>



<p>Smishing is the distribution of links to phishing websites via text messages (Article 3, point 2). Pursuant to the Act, CSIRT NASK monitors smishing and creates message templates with characteristics that allow them to be recognized as smishing (Article 4). This activity is based on reports of suspicious messages from recipients and information from telecommunications companies and other entities. The blocking measures fall into two parts. First, CSIRT NASK maintains a list of malicious message templates. Operators will be required to block an incoming message if it matches any template on the list. Each template must be made public within 14 to 21 days of its appearance on the list. Second, protection of the SMS sender names (overrides) used by public entities will be introduced. This process consists of two elements:</p>



<p>• creating a list of restricted SMS overrides and their malicious variants;</p>



<p>• list of SMS service integrators providing services to public entities, maintained by the Office of Electronic Communications.</p>



<p>Telecommunications companies may also block SMS messages other than those that conform to the template developed by CSIRT NASK, as well as MMS messages, using a system enabling automatic identification. Telecommunications companies may process and mutually share electronic messages to identify, prevent, and combat smishing (SMS and MMS) (Art. 26). Additionally, public entities may protect themselves against unauthorized use of their overrides by outsourcing the messaging service exclusively to a specific SMS integrator. Telecommunications companies are obligated to block SMS messages that:</p>



<p>• contain an override reserved for a public entity and were not sent by an integrator serving that public entity;</p>



<p>• contain a misleading variant of the public entity&#8217;s override, included in the CSIRT NASK list.</p>



<p>The SMS sender whose message has been blocked in this way has the right to file an objection with the President of the Office of Electronic Communications (Article 7). The objection should include:</p>



<p>• full text of the SMS;</p>



<p>• justification explaining why the content of the SMS does not constitute smishing;</p>



<p>• indication of the number used to send the SMS;</p>



<p>• data identifying the sender:</p>



<p>Pursuant to Article 8, there is a 14-day period from the date of receipt of the objection to consider it, and then the SMS sender is informed of the outcome of the objection. If the SMS containing content consistent with the message template does not constitute smishing, the President of the UKE will uphold the objection. Otherwise, the objection will not be upheld. A complaint may be filed with an administrative court. A telecommunications undertaking engaging in smishing is subject to a fine (Article 37 paragraph 1 item 2). If the act also constitutes a criminal offence, only the provisions on criminal liability apply to a telecommunications undertaking that is a natural person (Article 27 paragraph 2). Furthermore, pursuant to Article 30, whoever, in order to gain financial or personal benefit or to cause harm to another person, sends an SMS, MMS or a message via other interpersonal communication services in which he or she impersonates another entity in order to persuade the recipient of the message to provide personal data, to dispose of property to an unfavorable extent, to open a website, to initiate a voice call, to install software, to provide computer passwords, access codes or other data enabling unauthorized access to information stored in an IT system, ICT system or ICT network &#8211; smishing &#8211; shall be subject to a penalty of imprisonment from 3 months to 5 years. In cases of lesser gravity, the perpetrator shall be subject to a fine, restriction of liberty or imprisonment for up to one year.</p>



<p><strong>Spoofing</strong></p>



<p>Spoofing is a form of fraud in which an attacker impersonates another person, company, or device to gain access to confidential information, money, or spread malware. This is most often done via email or phone calls. Spoofing can be used for phishing. Email providers serving at least 500,000 users or public entities are required to implement mechanisms designed to prevent a domain from being used to impersonate its owner or to alter messages sent from it:</p>



<p>• SPF;</p>



<p>• DMARC;</p>



<p>• DKIM.</p>



<p>The Act imposes an obligation on public entities to use only email services that incorporate such mechanisms. Email providers that fail to meet these obligations may be subject to a fine if the scope or nature of the violation warrants it (Article 27, Section 4). Regardless of the fine, the President of the Office of Electronic Communications (UKE) may, by decision, impose on the manager of a telecommunications undertaking, in particular a person holding a managerial position or a member of the management body of a telecommunications undertaking or an association of such undertakings, a fine of up to 300% of their monthly remuneration, calculated according to the rules applicable to determining the monetary equivalent for vacation leave (Article 27, Section 6). Pursuant to Articles 40 and 41, <strong>email providers providing services to public entities that do not offer multi-factor authentication should have submitted an offer that would provide this functionality. </strong>The decision of the President of the Office of Electronic Communications (UKE) imposing a fine may be appealed to the District Court in Warsaw – the Court of Competition and Consumer Protection (Article 27, paragraph 9). Fines are subject to enforcement under the provisions on administrative enforcement proceedings for the enforcement of pecuniary obligations (Article 27, paragraph 10).</p>



<p><strong>CLI Spoofing</strong></p>



<p>This type of spoofing involves modifying the displayed number field of an incoming call. Unlike email security, there are no fully proven mechanisms in this case. Telecommunications companies are required to conceal number identification or block voice calls intended to impersonate another person or institution. Numbers that are used only to receive calls and are easily linked to an institution should be reported to the President of the Office of Electronic Communications (UKE), who has created a dedicated list for them. Telecommunications operators are obligated to block outgoing calls from numbers on this list (Article 16). The second obligation imposed on operators is to block or conceal the forged identifier if CLI spoofing is detected (Article 19). An operator that properly executes an agreement concluded with the President of the UKE specifying detailed organizational and technical measures to combat CLI spoofing (Article 19 paragraph 2) shall not be liable for non-performance or improper performance of a telecommunications service resulting from the organizational and technical measures applied (Article 19 paragraph 4). These rules apply to providers of publicly available telecommunications services providing services to at least 50,000 subscribers who are also operators (Article 19 paragraph 2). For other entrepreneurs, the President of the UKE may issue recommendations specifying detailed organizational and technical measures (Article 19 paragraph 6). If the obligations are properly fulfilled, such an entrepreneur shall not be liable for non-performance or improper performance of a telecommunications service resulting from the introduction of these measures. However, an entrepreneur who engages in CLI spoofing is subject to a fine (Article 27 paragraph 1 item 3). Of course, if the elements of a crime are met, only the provisions on criminal liability apply (Article 27 paragraph 2). 
According to Article 31, whoever, for the purpose of gaining material or personal benefit or causing harm to another person, when initiating a voice call, uses, without being authorized to do so, address information indicating another natural person, legal person, or organizational unit without legal personality, in order to impersonate another entity in order to persuade the recipient of the call to provide personal data, unfavorable disposal of property, or install software, provide computer passwords, access codes, or other data enabling unauthorized access to information stored in an IT system, ICT system, or ICT network &#8211; shall be subject to a penalty of imprisonment from 3 months to 5 years. In less serious cases, the perpetrator shall be subject to a fine, restriction of liberty, or imprisonment for up to one year. Pursuant to Art. 17, from 26 March 2024, the President of the Office of Electronic Communications shall maintain a public list of numbers used exclusively for receiving voice calls.</p>
<p>The article <a href="https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/acts-of-abuse-in-electronic-communications-procedures-and-cooperation-with-authorities-in-eu-and-poland/">Acts of Abuse in Electronic Communications, procedures and cooperation with authorities in EU and Poland</a> comes from <a href="https://www.kg-legal.eu">KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/acts-of-abuse-in-electronic-communications-procedures-and-cooperation-with-authorities-in-eu-and-poland/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Spoofing and phishing in Polish law &#8211; current regulations and proposed changes</title>
		<link>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/spoofing-and-phishing-in-polish-law-current-regulations-and-proposed-changes/</link>
					<comments>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/spoofing-and-phishing-in-polish-law-current-regulations-and-proposed-changes/#respond</comments>
		
		<dc:creator><![CDATA[jakub]]></dc:creator>
		<pubDate>Wed, 23 Feb 2022 11:40:40 +0000</pubDate>
				<category><![CDATA[IT, NEW TECHNOLOGIES, MEDIA AND COMMUNICATION TECHNOLOGY LAW]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[spoofing and phishing]]></category>
		<category><![CDATA[What is spoofing and phishing]]></category>
		<guid isPermaLink="false">https://www.kg-legal.eu/?p=4417</guid>

					<description><![CDATA[<p>Spoofing and phishing in Polish law - current regulations and proposed changes</p>
<p>The article <a href="https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/spoofing-and-phishing-in-polish-law-current-regulations-and-proposed-changes/">Spoofing and phishing in Polish law &#8211; current regulations and proposed changes</a> comes from <a href="https://www.kg-legal.eu">KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<h2 class="wp-block-heading"><strong>What is spoofing and phishing?</strong></h2>




<p>Both spoofing and phishing are methods of fraud using telecommunications and the Internet, but they differ in how they are used. Spoofing, broadly, involves impersonating the IP address of another device, a telephone number, an email address or a DNS server. Everything is camouflaged in such a way that the identification of the real user or caller is impossible. The easiest to recognise is email spoofing. The content of the message sent by someone impersonating a chosen e-mail address reveals the intention to obtain confidential information from the addressee of the message. Phone number spoofing is carried out using easily accessible websites that, for a fee, allow you to make a call from any phone number and change the voice or convert the text into a voice that the person answering the phone will hear. Detection of such spoofing is only possible after the fact, when checking the billing of the number called and impersonated. IP address and DNS server spoofing is the most difficult to detect, as it may differ only slightly from the real one. The essence of phishing is reflected in its pronunciation, which is similar to the word &#8220;fishing&#8221;. It consists in preparing a &#8220;lure&#8221; for the user, e.g. by means of a link sent in an e-mail message, SMS or via instant messenger, and then either installing malicious software on the device or phishing for login data. The fraudster may impersonate e.g. a bank, government agency, courier company or a friend of the victim. Phishing emails are usually designed to look as authentic as possible. One form of phishing is spear-phishing, which involves a targeted attack on, for example, a specific company and impersonation of a business partner.</p>



<h2 class="wp-block-heading"><strong>Polish legal regulations on spoofing and phishing</strong></h2>



<span id="more-4417"></span>



<p>There are no provisions in Polish law that would directly prohibit spoofing and phishing, although this does not mean that such behaviour is not punishable on the basis of the Polish Penal Code. Spoofing, which by its very nature involves impersonating someone else, meets the requirements of the prohibited act under Article 190a § 2 of the Polish Penal Code: <em>whoever, by impersonating another person, uses that person&#8217;s image, other personal data or other data by means of which that person is publicly identified, in order to cause material or personal damage to that person</em>. Phishing is punishable under Article 267 §1 of the Polish Penal Code: <em>Whoever without authority gains access to information not intended for them by opening a closed letter, by connecting to a telecommunications network or by breaking or bypassing electronic, magnetic, IT or other specific security thereof</em>. Both phishing and spoofing may also constitute an offence under Article 287 §1 of the Polish Penal Code: <em>Whoever, in order to gain a material benefit or to cause damage to another person, without authorisation, affects the automatic processing, collection or transmission of IT data or changes, deletes or introduces a new record of IT data</em>. Naturally, these are only the basic provisions whose elements phishing and spoofing fulfil; they may apply in conjunction with other provisions of the Polish Penal Code, such as unlawful threat (Article 190 §1), forcing to behave, refrain from or cease in a specific manner (Article 191 §1), defamation (Article 212 §1 and 2), insult (Article 216 §1 and 2), false report of a danger (Article 224a §1 and 2), appropriation of the function of a public official (Article 227), destroying, damaging, deleting, altering or obstructing access to computer data (Article 268a), destroying, damaging, deleting, altering or obstructing access to sensitive computer data (Art. 269), interference with the operation of an IT system, data communications system or a data communications network (Art. 269a), theft of a computer programme (Art. 278 §2) and many other crimes that may be committed in relation to spoofing and phishing. The legal grounds for punishing spoofing and phishing are numerous in Polish law, depending on the specific action of the perpetrator and its purpose. However, a problem arises at the stage of detecting such offences and holding their perpetrators criminally liable. Spoofing and phishing are often cross-border in nature &#8211; the perpetrator of the crime using them is often located abroad. Moreover, the perpetrators are difficult to detect due to the masking methods used: creating intermediary middlemen, often unaware of the procedure, masking their identity or using another person&#8217;s identity and high dynamism in creating e.g. new websites.</p>



<p><strong>Bank liability for inadequate protection against spoofing and phishing</strong></p>



<p>The Act of 19 August 2011 on payment services (Journal of Laws 2011, No. 199, item 1175, with subsequent amendments) is relevant under Polish law from the perspective of the bank&#8217;s liability for inadequately protecting clients against such practices. The first obligation, arising from Article 40 of this act, is related to securing the executed transaction by means of various established methods of verification. Consent given by the payer before execution of the transaction is a prerequisite for the transaction to be deemed authorised. The payer can also hold the transaction until the payer&#8217;s provider receives an order to execute it. If there is an unauthorised transaction from the payer&#8217;s account, the bank is obliged under Article 46 to refund the amount that was debited from the payer&#8217;s account. There is an exception if the bank has a reasonable suspicion of fraud, in which case it will report this to the law enforcement authorities. In addition, the aforementioned act in article 45 point 1 requires the bank to prove that the transaction was authorised. Thus, if the customer exercised due diligence and nevertheless became a victim of fraud, the safeguards are deemed insufficient and the bank is held liable.</p>



<h2 class="wp-block-heading"><strong>Regulations under European Union law</strong></h2>



<p>European law also refers to spoofing and phishing. The law currently in force in this area is Directive (EU) 2019/713 of the European Parliament and of the Council of 17 April 2019 on combating fraud and counterfeiting of non-cash means of payment, replacing Council Framework Decision 2001/413/JHA. This Directive sets out requirements for Member States to prevent and combat crimes related to non-cash means of payment. Under Article 6 of this Directive, Member States are required to penalise conduct which consists in <em>performing or causing a transfer of</em> <em>money, monetary value or virtual currency and thereby causing an unlawful loss of property for another person in order to make an unlawful gain for the perpetrator or a third party, punishable as a criminal offence when committed intentionally without right, hindering or interfering with the functioning of an information system or without right, introducing, altering, deleting, transmitting or suppressing computer data</em>. The regulation in this article therefore refers to spoofing and phishing, although it does not name them explicitly. In Article 9, the Directive sets out the minimum criminal penalties to be applied in the criminal laws of Member States for the offences committed by natural persons set out in the Directive. The Directive obliges Member States to introduce provisions that punish not only natural but also legal persons. Article 10 of the Directive establishes the requirement that Member States&#8217; legislation create the conditions for a legal person to be liable for an offence committed for its benefit <em>by any person, acting either individually or as part of a body of the legal person, and having a leading position within the legal person, based on one of the following: a power of representation of the legal person, an authority to take decisions on behalf of the legal person or an authority to exercise control within the legal person. 
</em>A legal person is also liable where the lack of supervision or control, by one of those persons employed by the legal person, has made it possible for a person under its authority to commit one of the offences listed in the Directive. Liability of a legal person shall not exclude liability of a natural person who has committed such an offence.</p>



<h4 class="wp-block-heading"><strong>Direction and potential for change to reduce spoofing and phishing</strong></h4>



<p>One of the key methods of combating phishing and spoofing is to make bank customers in particular aware of the methods of fraudsters who use spoofing and phishing to defraud them. Widespread information campaigns and ongoing alerts on identified attacks are designed to warn potential victims and encourage people who have already been victims of spoofing or phishing to report the crime to law enforcement authorities. The Polish authorities are also taking steps to combat these harmful phenomena. One of them is the establishment, under the Act of 17 December 2021 on amending certain acts in connection with the establishment of the Central Bureau for Combating Cybercrime (Journal of Laws 2021, item 2447), of a special body to combat cybercrime &#8211; the Central Bureau for Combating Cybercrime as an organisational unit of the Polish Police. In January 2022, it was announced that changes would be presented in the Polish ICT sector to counteract crimes using spoofing and phishing, but these have not yet been presented.</p>



<p><strong>Sources:</strong></p>



<ol class="wp-block-list">
<li><a href="https://www.avast.com/pl-pl/c-spoofing" target="_blank" rel="noreferrer noopener">https://www.avast.com/pl-pl/c-spoofing</a></li>



<li><a href="https://niebezpiecznik.pl/post/spoofing-rozmow-telefonicznych/" target="_blank" rel="noreferrer noopener">https://niebezpiecznik.pl/post/spoofing-rozmow-telefonicznych/</a></li>



<li><a href="https://www.gov.pl/web/baza-wiedzy/czym-jest-phishing-i-jak-nie-dac-sie-nabrac-na-podejrzane-widomosci-e-mail-oraz-sms-y" target="_blank" rel="noreferrer noopener">https://www.gov.pl/web/baza-wiedzy/czym-jest-phishing-i-jak-nie-dac-sie-nabrac-na-podejrzane-widomosci-e-mail-oraz-sms-y</a></li>



<li><a href="https://www.avast.com/pl-pl/c-phishing">https://www.avast.com/pl-pl/c-phishing</a></li>



<li><a href="https://rpms.pl/phishing-na-czym-polega-i-jak-mu-przeciwdzialac/" target="_blank" rel="noreferrer noopener">https://rpms.pl/phishing-na-czym-polega-i-jak-mu-przeciwdzialac/</a></li>



<li><a href="https://www.komputerswiat.pl/aktualnosci/bezpieczenstwo/rzad-zapowiada-nowe-przepisy-do-walki-z-oszustami-w-sieci-chodzi-o-spoofing-i/demsmk0" target="_blank" rel="noreferrer noopener">https://www.komputerswiat.pl/aktualnosci/bezpieczenstwo/rzad-zapowiada-nowe-przepisy-do-walki-z-oszustami-w-sieci-chodzi-o-spoofing-i/demsmk0</a></li>



<li>Act of 19 August 2011 on payment services (Journal of Laws 2011, No. 199, item 1175, with subsequent amendments)</li>



<li>Act of 6 June 1997 &#8211; Penal Code (Journal of Laws of 2021, item 2345)</li>



<li>Directive (EU) 2019/713 of the European Parliament and of the Council of 17 April 2019 on combating fraud and counterfeiting of non-cash means of payment, replacing Council Framework Decision 2001/413/JHA</li>



<li>Act of 17 December 2021 on amending certain acts in connection with the establishment of the Central Bureau for Combating Cybercrime (Journal of Laws 2021, item 2447)</li>
</ol>





<p>The article <a href="https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/spoofing-and-phishing-in-polish-law-current-regulations-and-proposed-changes/">Spoofing and phishing in Polish law &#8211; current regulations and proposed changes</a> comes from <a href="https://www.kg-legal.eu">KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://www.kg-legal.eu/info/it-new-technologies-media-and-communication-technology-law/spoofing-and-phishing-in-polish-law-current-regulations-and-proposed-changes/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
