Warning of a New Wave of Smishing Attacks in Bosnia and Herzegovina: Fake Messages Exploit Institutional Identities

IDDEEA BiH has once again warned the public about an intensified, organized campaign of fraudulent SMS messages targeting citizens of Bosnia and Herzegovina. These messages misuse the names of state institutions, including authorities responsible for traffic and security. Despite earlier alerts, the attacks have not subsided—in fact, new versions of the messages are emerging, featuring modified content and fake web addresses designed to imitate official domains.

According to available information, this is a classic form of digital fraud known as smishing, where attackers rely on pressure—such as alleged fines, deadlines, and legal consequences—to trick citizens into opening suspicious links and entering personal or financial data. Particularly concerning is the increasing misuse of the name of the Ministry of Interior of Bosnia and Herzegovina, with claims of alleged violations recorded through fictitious or manipulated systems such as “E-Policija.”

Officials from IDDEEA BiH emphasize that the agency neither issues nor collects traffic fines, nor does it send SMS messages containing payment links. They also remind citizens that the only official website of the Agency is www.iddeea.gov.ba, while any similar domain variations should be considered fraudulent.

Analysis of specific messages further confirms their lack of authenticity. In some cases, the sender uses foreign phone numbers—such as those registered in the Philippines—which is a clear indicator that the message does not originate from domestic institutions. In addition, the links included in these messages rely on so-called “lookalike” domains, which may appear legitimate at first glance but redirect users to malicious websites designed to steal data. A common tactic is also to instruct users to manually copy and paste the link into a browser, thereby bypassing security filters in messaging applications.

The Agency warns that this issue goes beyond a single institution and requires a coordinated response from relevant authorities. It highlights the urgent need for more proactive engagement by law enforcement and security agencies, as well as close cooperation with telecom operators to identify the sources of these messages, block fraudulent domains, and protect citizens.

Citizens are advised to exercise maximum caution: do not open suspicious links, do not enter personal information, and do not make any payments based on such messages. In case of doubt, it is recommended to verify the information through official channels or consult trusted sources who can confirm the legitimacy of the message.

Experts further warn that these campaigns are increasingly using advanced social engineering techniques, targeting users’ sense of urgency and fear. For this reason, they stress that awareness and caution remain the most effective defense—because attackers rely on quick and impulsive reactions.