More and more Poles recognise phishing, but only half of them know what to do if they click on a link

86 % of Poles say they can recognise a fake e-mail, text message or phone call in which criminals pretend to be a well-known company or institution. But only one in five respondents is absolutely sure of this. We fare much worse when it comes to responding to the theft of personal data. Less than 56 % of respondents know what action to take in such a situation. In the event of a data leakage from a website or application where one has an account, only 45 % of account holders would know how to act. These are the conclusions of a survey commissioned by and the National Debt Register under the patronage of the Personal Data Protection Office and the Personal Data Protection Law Institute.

Although as many as 86 % of Poles declare that they are able to recognise a fake message or phone call claiming to be from a well-known institution or company, only 18.5 % of respondents are absolutely sure of this. Taking into account only "definitely yes" answers, men are better at recognising fake messages (at least in their declarations) - almost 23 %, while the figure for women is 14.5 %. Confidence in this regard is also high among young people aged 18-24. In this group, nearly 31 % have no doubts that they will be able to distinguish a genuine message from one sent by criminals. By comparison, in the two oldest age groups (over 55), this percentage ranges from 10 to 12 %.

It is worrying that there has been a slight increase in the group of people who admit that they cannot distinguish between fake and genuine messages. While 11 % of respondents made such a declaration in 2022, 14.4 % did so in the current edition of the survey.

Do nothing if you are not sure!

When asked how they verify whether messages or calls received are genuine, respondents most often point to carefully checking the email address (58.4 %), the link in the message (50.7 %) and visiting the company’s or institution's website to confirm the number from which the call was received (51.2 %). Nearly 49 % pay attention to the graphic and stylistic form of the e-mail. Unfortunately, only one in three respondents calls the company's or institution's helpline to check whether its representatives actually contacted them.

- “A large number of people say that they know how to recognise a fake message. This is encouraging but we still have a large percentage of people vulnerable to cybercriminals. Above all, let us not be fooled by appearances. Check the sender of the message! Pay attention to the messages addressed to you! You should be alert, for example, to language errors you notice in the content. Do check the domain address from which the message comes! Often the contact is aimed at taking quick action, so if we are not sure of the authenticity of the information received, it is better not to take any action. Unfortunately, more than 14 % of the respondents confirm that despite the application of basic security rules, any of us can become a victim of criminals. That is why the Personal Data Protection Office warns to always be cautious and follow the principle of limited trust” – comments Adam Sanocki, Director of the Communications Department, the spokesperson for the Personal Data Protection Office.

My data have been phished, now what?

Only 55% of respondents know what action to take when their personal data is phished or stolen. 31% of respondents are unable to give a clear answer to this question and 14% have no idea what to do in such a situation. This is a similar result to last year's edition, but worse than the first survey in 2021. Back then, more than 61 % of Poles declared that they were able to react appropriately if their personal data fell into the wrong hands, while 11.5 % showed a lack of knowledge in this regard at the time.

In the case of phishing or theft of personal data, the most popular action is to report the incident to the Police or prosecutor's office - 85% of respondents chose this answer. The second most common step is to report the incident to the bank where they have an account - 78% of respondents. Changing login details is less popular, with only 72% of respondents saying that they perform this action. However, the fewest people choose to check information about themselves with the Economic Information Bureau. Only 26 % of respondents declared such an action. Significantly more respondents replace their documents, including, for example, an ID card - 39 %. As many as 52 % of respondents report such an incident to the Personal Data Protection Office. Here we can observe the biggest increase, as a year ago it was only 45 %.

- “Unfortunately, there is no increase in Poles' awareness of the action to be taken when their data is taken over by criminals. In part, this may be due to the fact that many people are completely unaware of how to detect such a breach, and only become aware of it when a bailiff seizes their account because someone has incurred liabilities in their name. Therefore, we invariably appeal to people that they not only keep an eye on their personal identification number (PESEL number) but also monitor what happens to it and whether someone uses it against their will” – says Bartłomiej Drozd, an expert of the service.

Service hacked and data leaked

In the event of a data leakage from a service or application in which Poles have accounts, only 45% of respondents know what to do. On the list of actions that need to be taken as soon as possible in the event of a data leakage, respondents most often indicated changing the password to the service from which information about them has leaked (78.6%), reporting the incident to the Police (53.5%) and verifying exactly what data could have fallen into the wrong hands (48.2%).

- “Many people underestimate the leakage from services or applications. Mainly due to the fact that most often we do not provide our PESEL number there. The most common data are: name and surname, address, telephone number and e-mail address. However, it is worth bearing in mind that it is thanks to these data that thieves can contact us impersonating representatives of a well-known institution or company. And because they have mastered manipulation techniques, they are able to phish other data from us. We should treat leaks from services and applications in the same way as theft of these data because it is only one small step to it” – warns Bartłomiej Drozd, an expert of the service.

The survey “Knowledge of personal data protection security in Poland” was conducted in May 2023 by IMAS International on a representative sample of 1007 Poles, commissioned by and the National Debt Register – Economic Information Bureau under the patronage of the Personal Data Protection Office and the Personal Data Protection Law Institute.