Let's see how we can help you!
Leave a message and our dedicated advisor will contact you.
Send us a message
0/10000
KSeF 2.0: A New Era of Taxation or a Golden Age for Cybercriminals?
Published: 18:29 02/10/2026
Cyberbezpieczeństwo
It is February 2026. The National e-Invoicing System (KSeF) has become our daily reality, and "structured invoice" is a term declined in all cases in every accounting department in Poland. The Ministry of Finance has built a digital fortress aimed at tightening the tax system and eliminating the grey economy. And it must be admitted – the server infrastructure is solid, resistant to DoS attacks, and fully based on domestic technological facilities.
Paradoxically, however, when the walls are impenetrable, criminals look for a way for you to open the gate for them. The digital revolution in taxes has brought with it an unexpected side effect: a system that was supposed to eliminate errors has become a new playground for social engineers and scammers who perfectly understand the psychology of fear regarding new, unknown regulations.
Let's take a closer look at the new reality and the threats that flow from the mandatory use of KSeF 2.0.
1. The "Ghost Invoice" Paradox: A Document You Didn't Order
In the old world of paper and PDFs, the matter was simple: you received a suspicious email with an invoice, you deleted it, and forgot about the matter. If a document came by post and did not concern any order, it landed in the trash. In the world of KSeF 2.0, the rules of the game have changed drastically.
The system is based on the assumption that an invoice is considered issued and received at the moment of validation by the MF system and assignment of a unique KSeF number. This means that a scammer can issue an invoice with your data (your NIP is public information after all), and it will automatically appear in your accounting system as a valid document.
Worse, the system does not provide for the possibility of "rejecting" an invoice. Once accepted, the document becomes part of the buyer's tax history. If your accounting department, in the flood of thousands of operations, overlooks such a fake and books it, you risk being accused of complicity in VAT fraud or documenting fictitious economic events.
How do scammers work?
They use the "small amount" method. They issue hundreds of invoices for small sums (e.g., 150-200 PLN) for difficult-to-verify intangible services: "IT consultations", "knowledge base access", "processing fee". They count on automatic accounting processes in companies letting such amounts through without additional authorization.
Red flags you must watch out for:
- Unknown counterparty not in your supplier database.
- Suspicious links in the comments field on the invoice (XML allows entering text comments – never click on them!).
- Lack of contact with the issuer at the given phone number.
- Service completely unrelated to your industry.
Remember: if such an invoice reaches you, your only weapon is reporting the abuse to KAS authorities. It does not remove the invoice, but it is proof of your "due diligence".
2. Deadly Social Engineering: Email Spoofing and "Fake KAS"
The biggest hit of early 2026 involves attacks leveraging the authority of the office. Criminals know that entrepreneurs are afraid of sanctions (even if these are suspended during the transitional period), so they massively send messages that deceptively resemble correspondence from the mf.gov.pl domain.
Attack scenarios:
- "Summons for explanations": You receive an email allegedly from the head of your tax office with information about errors in KSeF integration.
- "Synchronization error": Information about a KSeF gateway failure and the need to manually log in via a provided link to "unlock" the possibility of issuing invoices.
- "Overpayment refund": A classic motif, this time under the pretext of VAT settlements in the new system.
All these messages have one goal: to get you to click on a link that will infect your computer with malware (e.g., a keylogger) or redirect you to a fake login page (e.g., podatki-gov-pl.web.app), where you unknowingly hand over your authentication credentials to criminals.
[!IMPORTANT] Before you open an attachment or click on a link, check these 4 points:
1. DOMAIN: Is it definitely the government?
Real emails come only with the .gov.pl ending.
- ✅ Safe:
kancelaria@mf.gov.pl,powiadomienia@podatki.gov.pl- ❌ SCAM:
ministerstwo-finansow@poczta.onet.pl,ksef-admin@mf-gov.pl(watch out for a hyphen instead of a dot!),biuro@ksef24.eu.2. EMOTIONS: Is someone scaring you?
Scammers play on fear. If the email contains threats:
- "Your account will be blocked in 2 hours"
- "You have an unpaid invoice – fine 5000 PLN"
- "Final notice for verification" ...then it is 99% an attack. The Tax Office never sends such threats by email. Any official summons can be found after logging into the e-Tax Office.
3. ATTACHMENTS: Do not download "ZIPs"
The Ministry of Finance does not send free programs, instructions in
.zipformat, nor payment demands in.doc.
- If the email encourages you to download a "certificate update" or "new KSeF application" from an attachment – DO NOT CLICK. It is malicious software.
4. LINKS: Check the destination
Hover your mouse cursor over the link (do not click!).
- If you see a strange string of characters (e.g.,
bit.ly/ksef-loginorministerstwo.hosting123.pl), under no circumstances enter it.- Log under KSeF only by typing the address manually in the browser.
3. QR Code: Your Beacon in the Dark
Many suppliers still send invoices by email in PDF format (the so-called visualization of a structured invoice). Remember: in the eyes of the law, this is not a document, only its "picture". Every such PDF must have a printed QR code.
This is your simplest verification tool. Have doubts about a document? Scan the code with the official taxpayer application.
- If the code takes you to the official MF gateway and you see the same data as on the printout – the document is safe.
- If the code does not work, leads to a suspicious page, or the data differs – you likely have a forged document in hand that never reached the KSeF system and was created only to extort a transfer from you.
4. MCU Module and the Outsourcing Trap
If you thought your bank password was important, look at the Certificates and Permissions Module (MCU). This is where tokens and permissions to issue invoices on your behalf are managed.
Risk of Accounting Offices
It is convenient to give the accountant "all permissions" to "have peace of mind". This is a mistake. If your accounting office falls victim to an attack (supply chain attack), and you gave them unlimited access, hackers gain access to your finances.
Remember: You, as the taxpayer, are responsible for what happens on your KSeF account, not the accounting office.
- Do not share your administrative token with anyone.
- Grant permissions precisely (e.g., only to issue invoices, without viewing, or vice versa).
- Require your accounting office to use two-factor authentication (2FA).
5. "The Guide" and "The Auditor": Creativity Knows No Bounds
Criminals quickly adapt to the situation. In February 2026, the Ministry of Interior and Administration warned against the "Security Guide" scam. The mechanism is simple: scammers call or write to companies, offering "mandatory" training materials or "necessary certification" of compliance with KSeF 2.0.
They demand fees for "express shipping" of free government brochures or try to arrange a visit from a "certified auditor" who is supposedly meant to check your systems. In reality, the goal of such a visit may be to gain physical access to accounting computers or to phish passwords "face to face".
Remember: Official knowledge and government materials are always free. Anyone who demands money for "access to KSeF instructions" or wants to "verify passwords for synchronization" is a scammer.
6. Are you ready for the maturity test?
The year 2026 is a great test for Polish business, not so much in accounting as in digital hygiene and security procedures. KSeF is a powerful tool that will speed up the circulation of money and tighten the system, but only if we learn to look at our financial systems as a front line in the fight for data security.
The weakest link in the KSeF chain is not the Ministry's servers, but us – our inattention when receiving mail, lack of counterparty verification, and too easy granting of permissions in IT systems.
Aleksander
FAQ
Can I reject an invoice in KSeF that I do not recognize?
No, the system does not have a "Reject" button. An invoice after being assigned a KSeF number is considered delivered. However, you do not have to book or pay it. Your duty is to report abuse in the system to inform tax authorities about the attempted fraud.
I clicked on a link in a suspicious email, but I did not enter anything. Am I safe?
Not necessarily. Just entering the page could have triggered the download of malicious software (so-called drive-by download). Immediately disconnect the computer from the network, scan it with a good antivirus, and change passwords to banking systems and KSeF (using another, safe device).
Does my accounting office bear responsibility if someone breaks into their account and issues fake invoices in my name?
Legally, responsibility for tax settlements always rests with the taxpayer. You can seek compensation from the office in civil proceedings, but before the Tax Office, you will have to provide explanations and corrections. That is why it is so important to cooperate only with offices that care about high cybersecurity standards.
I received a PDF invoice by email from a regular counterparty, but without a QR code. Is this an error?
From the moment mandatory KSeF entered into force, every visualization of a structured invoice transmitted outside the system (e.g., by email) must have a QR code. The lack of a code is an alarm signal – contact the counterparty by phone to clarify the matter.
About the Author
Aleksander Zębrowski
Chief Technology Officer at SecurHub.pl
PhD candidate in neuroscience. Psychologist and IT expert specializing in cybersecurity.
Related Articles
Cyberbezpieczeństwo
mObywatel and Facade Transparency
The release of the mObywatel source code was supposed to be a celebration of transparency. Instead, we got a lesson in "malicious compliance," right-click blockers, and proof that the Polish administration still confuses security with secrecy.
17:43 31.12.2025
9 min
Cyberbezpieczeństwo
WormGPT and KawaiiGPT: 5 Facts About the Dark Side of AI You Need to Know
Artificial intelligence is not just about medicine and productivity. It also involves specialized, malicious LLMs that democratize cybercrime and create perfect scams.
20:21 22.12.2025
9 min
Cyberbezpieczeństwo
6 Surprising Truths About Industrial Cybersecurity You Need to Know
The reality of Industry 4.0 marks the end of factory isolation. Discover how the IEC 62443 standard turns traditional thinking about critical infrastructure protection upside down.
18:21 22.12.2025
10 min
Comments
Loading comments...