Scam Alert! Remote work and recruitment via WhatsApp? You know how it will end …

Published: 2025-09-23 06:00
This week, three dangerous scenarios come to the fore: fake recruiters making contact via WhatsApp with an offer of “easy work” allegedly for Allegro, emails allegedly from ZUS with an “important document” that lead to downloading a malicious file, and an alleged overpayment at PGE that ends with the victim handing over card data.


These campaigns are fresh and widely distributed, and they are confirmed by the latest alerts from the CERT Polska team as well as by signals from the market and from CSIRT KNF. In each of these cases the mechanism is similar: a well-known brand, time pressure, and a link or an attachment that is supposed to push us into quick action.
In the case of the alleged recruitment, the matter starts with an SMS inviting the recipient to make contact via WhatsApp. After a short conversation, “HR” assigns simple tasks with small payouts to build trust, and then steers the victim towards an “investment” or asks them to install an application or hand over data. CERT Polska warns about a new wave of this pattern, pointing to WhatsApp as the contact channel and describing the subsequent extortion of funds through alleged investments.
Impersonating ZUS and PGE
The second fresh thread that CERT reports on is emails impersonating ZUS. The message talks about a delivered document that should be updated. The attachment is not a real document. It is an image pretending to be a file which, when clicked, downloads malware. The effect can be serious, because the malware can take over passwords and access to our mailbox or browser.


The third theme concerns PGE eBOK. The victim receives information about an alleged overpayment and a link to a page that looks like the energy supplier's customer panel. It contains a form for entering card data. Such a scheme works well on people who actually pay their utility bills online and count on a quick refund.
Alongside these consumer campaigns, a technical warning for companies and public administration also appeared. CERT Polska announced that a vulnerability in the Omnissa Workspace ONE UEM mobile device management tool (formerly VMware AirWatch) is being actively exploited in Poland. The vulnerability allows files to be read from the server and could have been exploited before organizations managed to install patches. This is important, because the effects of such incidents often spill over onto end users when criminals use the stolen data for further fraud.
More and more phishing cases
These examples confirm what emerges from the latest police statistics described at Bankier.pl: phishing is cheap, simple and very effective, and the number of cases in recent years has been growing to record levels. This explains why fraudsters so willingly reach for known brands and public offices, and why we keep seeing new variants of old tricks.
What does this mean for an ordinary user? If someone invites you to a “recruitment” outside the official company system and immediately proposes contact through a messenger, this is a warning signal. If a message about a document from ZUS encourages you to click on an attachment or thumbnail, ignore it and report it. If you are directed to a card form allegedly from PGE, stop and go to eBOK only by typing the website's address by hand or through the official application. The rule is simple: we do not click on links and attachments in messages that rush us, we do not provide data or passwords in forms opened from an SMS or email, and we verify the matter through the official channel. In case of doubt, we report the messages to CERT Polska and remove them from the device.






