Phishing Scams in Bulgaria 2026 — Complete Guide to Recognition and Protection
In 2026, 91% of all cyber attacks start with a phishing email. In Bulgaria the situation is particularly acute: the transition to the euro has created a new wave of scams, and AI tools have made fake messages almost indistinguishable from real ones.
What is phishing?
Phishing is a fraud attempt where the attacker impersonates a trusted organization — bank, government institution, service provider — to make you share personal data, passwords or banking information.
Types of phishing attacks in Bulgaria 2026
1. Email phishing
The most common type. You receive an email that looks like an official message from the NRA (tax authority), a bank or a courier company. Typical lures:
- NRA: "You have an unpaid obligation. Pay within 48 hours or face fines."
- Bank: "Your card is blocked. Verify your identity." The most frequently impersonated banks are DSK, Postbank and UniCredit.
- Euro conversion: "Confirm your bank account for euro conversion." This is the newest wave, exploiting the EUR transition.
How to check: use our free SPF Check to verify whether the sender domain authorizes the server that delivered the message.
2. Deepfake phishing — AI attacks
The newest and most dangerous form. Attackers use AI to imitate the voice of your colleague, boss or family member. According to Gartner, by 2026, 30% of organizations will consider their current identification tools inadequate against deepfakes.
Tip: Create a "safe word" with your family and colleagues. When receiving a suspicious call, ask for the safe word.
3. Business Email Compromise (BEC)
The attacker takes over or impersonates a manager's mailbox and orders a fraudulent bank transfer. The average BEC loss is over $130,000.
How to recognize phishing — 7 red flags
- Urgency: "Act within 24 hours!" — legitimate organizations do not use such pressure.
- Sender address: nra-bg@secure-mail.com is NOT nra.bg. Look at the domain after the @, not the display name in front of it.
- Links: hover over the link WITHOUT clicking. If the URL does not match the official site, it is phishing.
- Language: although AI phishing now has excellent grammar, many attacks still have strange wording or machine-translation artifacts.
- Attachments: .exe, .zip, .js, .scr — never open such files from unknown senders. Even .pdf and .docx can contain malware.
- Requests for credentials: banks NEVER ask for passwords, PINs or CVC codes via email or phone.
- Certificate: fake sites often lack SSL certificates. Check with our SSL Check. A padlock alone is not proof of legitimacy, since a certificate only shows that the connection is encrypted; check the domain name as well.
How to protect yourself — Practical steps
For individuals
- Enable MFA (two-factor authentication) everywhere — bank, email, social networks.
- Never click on links from emails or SMS. Instead, open your browser and type the bank address manually.
- Verify the domain — dsk.bg is legitimate, dsk-bg.com or dsk-secure.net are NOT.
- Never give CVC codes, PINs or SMS codes over the phone to anyone.
- Use a password manager — it will not autofill a password on a fake site.
For business
- Configure SPF, DKIM and DMARC for your domain.
- Train your employees — conduct regular phishing simulations.
- Enable MFA for everyone — use Conditional Access in Microsoft 365.
- Implement email filtering — Microsoft Defender for Office 365. See our Email Defence service.
- Prepare an Incident Response plan.
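As an added example (not part of this guide or its tools), a small Python checker that flags the weak SPF and DMARC settings a spoofer relies on, with the weak configuration beside the corrected one. The records and domain names are constructed samples, and the checker parses record strings rather than querying DNS.

```python
# Added example, not part of the guide: flag weak SPF/DMARC settings that let spoofed mail through.
# Records and domains are constructed samples; strings are parsed, no DNS lookups are made.
import re


def assess_spf(record: str) -> list[str]:
    """Return findings for an SPF TXT record (empty string = no record)."""
    if not record.startswith("v=spf1"):
        return ["no SPF record: anyone can send mail as this domain"]
    terms = record.split()
    all_term = next((t for t in terms if re.fullmatch(r"[+\-~?]?all", t)), None)
    if all_term is None:
        return ["no 'all' mechanism: unlisted senders are not rejected"]
    if all_term in ("+all", "all"):
        return ["+all: every sender on the internet passes SPF"]
    if all_term in ("?all", "~all"):
        return [f"{all_term}: unlisted senders are not hard-failed; use -all"]
    return []  # -all: only listed servers may send


def assess_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC TXT record (empty string = no record)."""
    if not record.startswith("v=DMARC1"):
        return ["no DMARC record: receivers will not enforce SPF/DKIM alignment"]
    findings = []
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, never rejected")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam; p=reject is stronger")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports not collected, spoofing goes unnoticed")
    if policy != "none" and tags.get("sp") == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    return findings


def assess_domain(records: dict) -> list[str]:
    return assess_spf(records.get("spf", "")) + assess_dmarc(records.get("dmarc", ""))


# Constructed samples: the weak configuration beside the corrected one.
WEAK = {"spf": "v=spf1 include:_spf.mailer.example +all",
        "dmarc": "v=DMARC1; p=none; pct=50"}
HARDENED = {"spf": "v=spf1 include:_spf.mailer.example -all",
            "dmarc": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@bank.example"}

if __name__ == "__main__":
    for name, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, assess_domain(recs) or ["no findings"])
```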
What to do if you are a phishing victim?
- Change your passwords immediately, starting with email and banking. Use a unique password for each site.
- If you shared banking data, call your bank and block the card. Do not wait.
- If you do not have two-factor authentication yet, now is the time to enable it.
- File a report with GDBOP (cybercrime unit) at +359 885 525 252 or cybercrime@mvr.bg.
- Run a full antivirus scan. If you opened an attachment, you may have malware.