Slovakia's government warns: phishing scams now use QR stickers on cars

A parking lot in Bratislava. Someone has been sticking QR codes on windshields. They look like parking fines. They are not.

Scan one with your phone and you land on a page that looks exactly like a Slovak government portal. A form asks for your name, national ID number, and identity card details. You think you have a fine. You want to deal with it quickly. And that is the moment the attacker gets what they need.

Slovakia's national CSIRT (Computer Security Incident Response Team), which operates under the Ministry of Investments, Regional Development and Informatization (known by its Slovak acronym MIRRI), caught this campaign in early April and issued a public warning. But the QR stickers are only one piece.

The fake government websites

CSIRT found platby-mvsr.sk, pretending to be a payment portal for the Interior Ministry. And sk-slovensko.web.app, a clone of slovensko.sk, Slovakia's official e-government portal, basically the equivalent of gov.uk or id.me, where citizens access tax filings, electronic mailboxes, and public services.

The clone was hosted on Firebase, Google's free hosting platform. Free to set up. Automatic HTTPS certificate. An attacker can have a convincing fake government website running in under an hour. The padlock icon in your browser? It only means the connection is encrypted. It says nothing about who is on the other end.

Both sites had the right logos, the right colors, the right forms. Some asked for direct payment, allegedly for processing an official document.

The campaign also uses SMS messages claiming your access to government services will be deactivated within 24 hours unless you verify through a link. For Slovaks, losing access to their slovensko.sk electronic mailbox is a genuine concern, because official government correspondence arrives there. So people click.

Why the QR sticker tactic matters globally

This is not just a Slovak problem. QR-based phishing (sometimes called "quishing") has been reported by CERT teams across Europe: Czechia, Poland, Austria, and beyond. But the physical sticker angle is what makes the Slovak campaign interesting.

Most people have at least a vague awareness that phishing comes through email. Physical stickers bypass that instinct entirely. Something printed. Placed on your car by a person. That feels official. Like an authority acted.

And when you scan a QR code with your phone, you are suddenly outside every security perimeter your company has built. No corporate firewall. No email filtering. No endpoint protection. Just a mobile browser and a fake page.

The business risk nobody talks about

If an employee scans one of these QR codes on a personal phone that also holds corporate email and access to internal systems, a compromised password becomes a path into company infrastructure. BYOD policies amplify this: personal and work life on the same device, same browser, same saved passwords.

And if attackers are cloning ministry websites, they can just as easily clone your client portal or invoicing system. A domain like invoicing-yourcompany.com costs a few euros. Within an hour, your login page has a twin that you do not control. When a customer gets phished through it, they will not blame the attacker. They will blame you.

Company phone numbers are not hard to find. Public business registries, LinkedIn profiles, corporate websites. SMS phishing campaigns can target your sales team as easily as they target private citizens.

For context: ENISA puts the average EU cybersecurity readiness score at 62.65 out of 100. Individual country scores are not public, but campaigns like this one show up across the bloc. The attack is the same everywhere. Only the language changes.

What to actually do about it

If you do not have DMARC set to reject on your domain, attackers can send emails that look like they come from you. Your customers receive them. You never find out. Setting up SPF + DKIM + DMARC takes hours, not weeks.

DNS-level blocking through services like Cloudflare Gateway or Cisco Umbrella can stop known phishing domains before the page even begins to load. For companies under 100 people, free tiers exist.

Your security policy probably does not mention QR codes yet. It should. A simple rule: do not scan unverified QR codes on company devices, and verify physical stickers before acting on them. That covers a gap most organizations have not thought about. QR codes embedded in emails are almost always suspicious.

Send your team the specific domains CSIRT flagged. Include screenshots of the fake pages. Generic "be careful" messages get ignored. A screenshot of a fake form asking for a national ID number sticks in memory.

How to spot a fake government website

Slovak government sites run on .gov.sk or slovensko.sk. Anything on .web.app, .site, .online, or with hyphens mimicking a ministry name is suspect. If a site asks for national ID numbers through a simple form without eID authentication, it is not legitimate. And if an SMS arrives with a 24-hour deadline, know that no real government service will revoke your access that fast without prior postal notice.

That pattern holds across Europe. Check the domain. Check the authentication method. If it feels urgent, slow down.
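The domain checks above, as an added example (not from the original article or from CSIRT): a small triage function for a URL decoded from a QR code or SMS. The official and suspect suffixes come from the text; the name tokens are an assumption taken from the two flagged domains, and the last two sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Suffixes named in the article.
OFFICIAL = ("gov.sk", "slovensko.sk")
SUSPECT = ("web.app", "site", "online")
# Assumption: name tokens taken from the two domains CSIRT flagged.
NAME_TOKENS = ("slovensko", "mvsr")


def under(host, suffix):
    # Compare on a label boundary, so "fakeslovensko.sk" is not "slovensko.sk".
    return host == suffix or host.endswith("." + suffix)


def triage(url):
    """Classify a URL decoded from a QR code or SMS: (verdict, reasons)."""
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "suspect", ["no hostname in URL"]
    if any(under(host, s) for s in OFFICIAL):
        return "official", []
    reasons = []
    if parts.username is not None:
        reasons.append("text before @ is not the host")
    if any(under(host, s) for s in SUSPECT):
        reasons.append("free hosting or cheap TLD")
    labels = host.split(".")
    if any("-" in l and any(t in l for t in NAME_TOKENS) for l in labels):
        reasons.append("hyphenated label imitating a government name")
    return ("suspect" if reasons else "unverified"), reasons


# Sample input; the first two hosts are named in the article, the rest are constructed.
SAMPLES = [
    "https://platby-mvsr.sk/",
    "https://sk-slovensko.web.app/login",
    "https://www.slovensko.sk/",
    "https://slovensko.sk@portal.example.online/",
    "https://fakeslovensko.sk/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(u, *triage(u))
```

"unverified" is not a pass: it only means none of the article's red flags matched, so the authentication-method check still applies.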


We run phishing recognition workshops for company teams. 90 minutes, hands-on, with real examples, including the Slovak ones CSIRT flagged this month. We do these because we have seen how people react when they see an actual local phishing page on screen: it clicks in a way that abstract warnings never do. If that sounds useful, reach out.
