The BLIK Scam in Poland (2026)

The short answer

The BLIK code scam works like this: a fraudster hijacks someone's Facebook/Messenger account (usually via a phishing fake-login page), then messages that person's friends in their name — "I'm stuck, I forgot my wallet, can you lend me money? I just need a BLIK code now." A BLIK code is a one-time authorisation from your banking app; share it and confirm the amount, and you've approved a withdrawal to the scammer. CERT Polska and BLIK's operator have warned about it repeatedly. The one rule that defeats it: never send a BLIK code to anyone who messages you, and verify any urgent money request by calling the person back on a number you already have. Below is a recreated example, then a beat-by-beat decode.

If you use BLIK — and in Poland that is very nearly everyone — read the message below before you ever read a code aloud or paste it into a chat. The scam doesn't crack your bank. It borrows a face you trust and a moment of hurry.

Recreated example of the BLIK code scam on a phone: a Facebook Messenger chat where a 'friend' whose account was hijacked says they are stuck and asks the recipient to send a BLIK code urgently, decoded beside it — the hijacked-but-familiar account, the small urgent favour, the request for a one-time BLIK code, and the rule that a code is cash and a real friend can be reached by phone. — What the scam looks like, recreated. The message comes from a real friend's hijacked account — but a BLIK code is a one-time key to your money. Verify by calling them back. Example only, not a real chat.

Why BLIK became the scammer's favourite tool

BLIK is woven into daily life in Poland — pay in a shop, send money to a friend, withdraw at an ATM, all with a six-digit code generated in your banking app. That speed is the point, and it is exactly what fraud exploits. The code feels casual — a few digits you can read out — but each one authorises real money leaving your account. CERT Polska, the national CERT operated by NASK, reported a record year for fraud in 2025, with computer fraud and phishing dominating the incidents it handled — and the account-takeover that powers the BLIK scam is precisely that kind of phishing. The criminals didn't beat the technology; they moved to the person holding it.

The BLIK code trick is the Polish cousin of the family-impersonation scams and the "friend in trouble" message everywhere — but sharpened by BLIK's speed. There's nothing fake to spot in the app: the code is real, the request uses a real account, and the money moves the instant you confirm. The deception is who is actually typing, and how fast they want you to act.

Anatomy of the scam — decoded

The BLIK scam is a short sequence built on a borrowed identity and speed. Naming each move is what makes it visible.

1A message from a friend's real account

“Hej, jesteś tam? Mam do Ciebie wielką prośbę 🙏” (“Hey, are you there? I have a big favour to ask.”)

The lever — Borrowed trust. The message genuinely comes from your friend's Facebook or Messenger account — same name, same photo, same history — because the scammer has taken it over. Your guard is down before a single złoty is mentioned, because you are talking to someone you know.

The counter — A hijacked account looks exactly like the real one. The opening favour is the setup; the identity is stolen, not proof of who's typing.

2The small, urgent, slightly awkward favour

“Utknęłam w sklepie i zapomniałam portfela. Możesz wysłać mi kod BLIK? Oddam, jak wrócę 😣” (“I'm stuck at a shop and forgot my wallet. Can you send me a BLIK code? I'll pay you back.”)

The lever — Sympathy + urgency. A lost wallet, a quick loan, an apology — calibrated to be small enough to say yes to and urgent enough to skip thinking. The BLIK pretexts the authorities list are exactly these: a small loan, a forgotten wallet, not enough money in the account right now.

The counter — A real friend in a real bind can take a 30-second phone call. The urgency exists to stop you making that call.

3You send the code — and confirm the amount

You generate a BLIK code, paste it in, then tap to confirm in your banking app. Done.

The lever — The casual code + the rushed confirmation. Reading out six digits feels harmless, like sharing a Wi-Fi password. But the scammer enters your code at an ATM or checkout, and the confirmation you tap — without reading, because you're hurrying — approves the cash leaving your account. Some victims approve several before the 'friend' goes quiet.

The counter — A BLIK code is a one-time key to your money. Sharing it is handing over cash. No legitimate request ever needs the code you generated.

The reverse version: a transfer you didn't expect. You receive an unexpected BLIK transfer or payment, then a message claiming it was a mistake and asking you to send it back — to a different account. The Rzecznik Finansowy (Financial Ombudsman) warns against this: returning it yourself can make your account a money-laundering link, or simply hand a scammer your own money. If a transfer truly arrived in error, the sender's bank reclaims it through official channels — you do nothing. And if you've already lost money, ignore anyone who then offers to "recover" it for a fee — that is the second scam.

What to do

1Never send a BLIK code to anyone who messages you — friend, family, or stranger. A code authorises money leaving your account; no genuine request needs it.

2Verify any urgent money request by another channel. Call the person on their known number, or ask something only they would know. A hijacked account can't pass a real phone call.

3Treat urgency as the warning sign, not the reason to hurry. 'I'm stuck', 'it's urgent', 'just this once' is the pressure the scam is built on.

4If you approved a code, move fast: call your bank to try to block it, report to CERT Polska (incydent.cert.pl), and file with the police. See where to report a scam in Poland for the full directory.

5Unsure about a message or a "friend's" request? Run it through our Scam Checker or send it to our free case review before you act.

From the field. What makes the BLIK scam so good is that nothing about it is fake except the hands on the keyboard. The account is real, the friendship is real, the code is real, the app is real. The victim isn't fooled by a clumsy forgery — they're rushed past the one check that would end it: a phone call to the person they think they're talking to. That's why it catches careful, kind people; saying yes to a friend in a hurry is a virtue, not a failure. The defence costs nothing and takes thirty seconds: before any code, any transfer, any "it's urgent" — call them back on the number you already have. The scam cannot survive the sound of the real person's voice.

A "friend" asked you for a BLIK code? Send it to us first.

Paste the chat. A real expert reviews every case and replies within 24 hours. Free, confidential, no pressure — before you send anything.

Submit a free case review →Where to report a scam in Poland

Common questions about the BLIK scam

What is the BLIK code scam in Poland?

It's a social-engineering scam, not a hack of BLIK itself. A fraudster takes over someone's Facebook or Messenger account (usually after a phishing fake-login page), then messages that person's friends pretending to be them — saying they're stuck, forgot their wallet, or have a payment to make — and asks the friend to generate a one-time BLIK code in their banking app and send it over. If you share the code and confirm the operation in your app, you have approved a withdrawal or payment to the scammer. CERT Polska, the national CERT run by NASK, and BLIK's operator have both warned about the 'friend on Messenger' version repeatedly.

If I give someone a BLIK code, can they take my money?

Yes — that is the whole danger. A BLIK code is a one-time authorisation. Once you generate it and the recipient enters it, you still have to confirm the amount in your own banking app — but scammers rely on urgency so you confirm without reading. The moment you approve, the cash withdrawal or transfer goes through. Treat a BLIK code like cash you are handing to whoever asked: never give it to anyone who contacts you, no matter who they appear to be.

Will my Polish bank refund a BLIK scam?

Usually not, and it's important to be honest about why. Under the Polish Payment Services Act (which implements the EU's PSD2), banks must refund unauthorised transactions — ones made without your consent. But if you generated a BLIK code and confirmed the payment in your app, the bank treats it as an authorised transaction, and authorised payments you were tricked into making are generally not refunded. Some victims argue the consent was procured by deception and pursue it through the Financial Ombudsman (Rzecznik Finansowy) or the courts, but there is no guarantee. Chargeback does not apply to BLIK or bank transfers.

Someone sent me a BLIK transfer 'by mistake' and wants it back — what do I do?

Don't send it back yourself, and don't send it to any account they name. The Rzecznik Finansowy (Financial Ombudsman) has warned about this 'reverse' variant: returning an unexpected transfer directly can make you a link in a money-laundering chain, or hand a scammer your money. If a transfer truly arrived in error, the sender's own bank can reclaim it through official channels — tell them to do that. If anyone pressures you to act quickly or to use a specific account, treat it as a scam and check it with us first.

Sources & further reading

Claims here follow CERT Polska (NASK), the Rzecznik Finansowy, and BLIK's operator; the 2025 figures are as reported by CERT Polska's annual report.

A friend messages: "I'm stuck — can you send me a BLIK code?" It isn't your friend, and the code is cash.