BIK Anti-Fraud Report 2025: Cyber Threats to Polish SMEs and Institutions Continue to Rise

25 November 2025

The latest Anti-Fraud Report published by BIK indicates a further rise in cyber attacks and fraud attempts targeting both Polish companies and public institutions. The findings show that organisations of all sizes remain vulnerable, with social engineering, internal errors and insufficient security practices contributing to an increasingly challenging risk landscape.

Recent cases have underscored the scale of the issue. A data breach at a Polish loan provider exposed personal information of at least 10,000 customers, including national identification numbers, bank details and income information. Earlier in the year, more than 5,000 records were copied from the Marshal’s Office in Lublin by an employee. These events reflect a wider trend in which both external attacks and internal lapses lead to significant data leakage.

According to the BIK report, almost 32% of SMEs experienced attempted fraud or extortion in 2025, regardless of their size or industry. More than a third of companies surveyed reported exposure to cyber attacks, and among those affected, over half faced repeated incidents—up to ten times per year. Public sentiment mirrors these concerns: 63% of Poles believe the risk of data leakage has increased over the past year.

The most common methods used against SMEs include fake payment-related emails (35%) and fraudulent invoices (33%), often accompanied by social engineering tactics designed to impersonate contractors or financial institutions. BIK notes that all major categories of cyber-enabled fraud have increased since 2024.

While external attacks pose a serious threat, internal vulnerabilities remain a parallel concern. One in five entrepreneurs considers the risk of internal fraud or accidental data leakage a real issue within their organisations. Mistakenly sending sensitive files to the wrong recipient, mishandling databases or unknowingly installing malware typically result from human error rather than intentional wrongdoing, highlighting the importance of regular staff training.

Despite rising threats, protective measures remain inconsistent. The report shows that 5.8% of SMEs use no preventive tools, leaving more than 162,000 companies exposed to cyber risk. Many rely on informal measures: 36% of SMEs base their protection primarily on “common sense”, rather than structured security policies or tools. By contrast, 34% of companies have implemented regular cybersecurity training, one-third of medium-sized firms have established anti-fraud units, and 28% routinely verify contractors in external databases.

Companies that have previously experienced attacks are more likely to introduce formal safeguards, but many still lack the resources or tools needed to address vulnerabilities. A quarter of SMEs report a need for enhanced staff training, while more than 22% indicate they lack effective mechanisms for identifying fraud attempts.

The BIK Anti-Fraud Report concludes that while awareness of cyber threats is rising, the overall level of preparedness across the SME sector remains uneven. The organisation emphasises that as both external attacks and internal errors continue to grow in frequency, a formalised approach to cybersecurity—supported by training, monitoring tools and standardised procedures—will be essential for reducing exposure to fraud and data loss.
