Phishing campaign targets Polish mayors using fake government emails
Farah Amod
November 15, 2025
Authorities warn that cybercriminals are impersonating Poland’s Ministry of Digital Affairs in an ongoing phishing campaign targeting local officials.
What happened
According to Cybernews, Polish officials have issued an alert about a phishing campaign directed at municipalities across the country. Emails are being sent to mayors and cybersecurity personnel, falsely appearing to come from Deputy Minister Paweł Olszewski. The attackers use official-looking imagery and branding, including the ministry’s logo and photos of the deputy minister, to gain recipients’ trust.
The emails fall into two categories. One asks officials to review and verify employee personal data under the guise of an “enhanced security standard,” while the other seeks confirmation of contact information for those responsible for cybersecurity, claiming it is required for the National Cybersecurity Program. Both email types contain links or attachments tied to malicious software.
Going deeper
CERT Polska, the country’s national cybersecurity response team, has confirmed that the attached files contain links to malware. Officials are being advised not to click on any links or open attachments and to check sender domains carefully. In this case, the fraudulent emails originate from domains ending in .govministry instead of the correct .gov.pl extension.
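The sender-domain check advised above can be automated at a mail gateway or in a triage script. The following Python sketch is an added example, not code from CERT Polska, the ministry, or Paubox; the sample messages and the `example.*` addresses are constructed, and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED_SUFFIX = "gov.pl"  # the official extension named in the article

def sender_domain(header_value):
    """Return the lowercased domain of an address header, or '' if unparsable."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def is_official(domain, suffix=TRUSTED_SUFFIX):
    """True only for the suffix itself or a subdomain of it. Matching on the
    label boundary rejects 'example-gov.pl' and 'gov.pl.example.govministry'."""
    return domain == suffix or domain.endswith("." + suffix)

def assess(raw_message):
    """Return the reasons a message should be treated as suspicious."""
    msg = message_from_string(raw_message)
    reasons = []
    from_dom = sender_domain(msg.get("From"))
    if not from_dom:
        reasons.append("From header has no parsable address")
    elif not is_official(from_dom):
        reasons.append(f"From domain '{from_dom}' is not under .{TRUSTED_SUFFIX}")
    # Replies can be redirected to the attacker even when From looks right.
    reply_dom = sender_domain(msg.get("Reply-To"))
    if reply_dom and not is_official(reply_dom):
        reasons.append(f"Reply-To domain '{reply_dom}' is not under .{TRUSTED_SUFFIX}")
    return reasons

# Constructed sample messages (not real campaign emails).
SAMPLES = {
    "official": "From: Ministry <kontakt@example.gov.pl>\nSubject: Notice\n\nBody",
    "lookalike": "From: Ministry <kontakt@example.govministry>\nSubject: Urgent\n\nBody",
    # The display name shows a .gov.pl address, the real address does not.
    "display_name_trick": 'From: "kontakt@example.gov.pl" '
                          "<kontakt@example.govministry>\nSubject: Urgent\n\nBody",
    "reply_to_redirect": "From: Ministry <kontakt@example.gov.pl>\n"
                         "Reply-To: kontakt@example.govministry\nSubject: Verify\n\nBody",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", assess(raw) or "no domain findings")
```

A clean result only means the visible addresses sit under .gov.pl; header fields can be forged, so this check complements SPF, DKIM and DMARC verdicts rather than replacing them.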
The Ministry of Digital Affairs stated that it does not request passwords or sensitive data via email and encouraged staff to independently verify any such requests using official contact details.
These events are unfolding in a broader context of heightened cyber threats in Poland. Just last month, the government increased its cybersecurity budget to €1 billion in response to continued targeting by suspected Russian actors, including a series of attacks on hospitals and energy infrastructure. Cybernews has reported that local government institutions and critical infrastructure are frequent targets, with over 170,000 cyber incidents recorded in Poland this year alone.
What was said
The Ministry of Digital Affairs has reiterated that it does not ask for confidential credentials or security data via email. CERT Polska has asked all officials to avoid interacting with questionable emails and to look closely at email addresses for subtle differences.
CyberDefence24 confirmed that both categories of phishing emails contain instructions that create urgency and pressure officials to act quickly, which is a common phishing tactic.
The big picture
The phishing campaign against Polish mayors shows how cybercriminals are exploiting public trust in government communication to spread malware. The attackers used realistic branding, official portraits, and formal language to make their emails appear legitimate, preying on urgency and hierarchy to increase response rates. Local governments, often with limited cybersecurity resources, are especially exposed to these kinds of targeted deception attempts.
Paubox recommends Inbound Email Security to detect and block impersonation-based phishing before it reaches users. Its generative AI analyzes sender behavior, tone, and message context to spot subtle inconsistencies that mimic official correspondence. That approach helps organizations prevent trust-based attacks that exploit familiarity rather than technical vulnerabilities.
FAQs
What is the significance of the fake “.govministry” domain?
Attackers often use lookalike domains that appear official at a glance. In this case, ".govministry" mimics Poland’s official ".gov.pl" domain to mislead recipients.
Why are municipal governments targeted instead of central agencies?
Local governments often lack the cybersecurity infrastructure and training found in national institutions, making them easier targets for phishing and malware campaigns.
What should officials do if they suspect a phishing attempt?
They should report the message to CERT Polska, avoid clicking links or downloading attachments, and verify the sender’s identity through official government contact channels.
Is there any link to previous cyberattacks in Poland?
Yes. This campaign follows months of cyber incidents attributed to Russian actors, including attacks on hospitals and infrastructure, suggesting a broader pattern of targeting.
How is Poland responding to the growing cyber threat?
In September, the Polish government allocated €1 billion to strengthen its national cybersecurity capabilities, focusing on both prevention and rapid response.
