How to recognize a fake email, SMS, and website — and why a password manager is your first line of defense.
Alarming numbers
32% of all cyber attacks in Croatia are phishing
1,513 reported cyber incidents in 2025
91% of cyber attacks start with a phishing email
Phishing is not just a problem for large corporations. Every internet user in Croatia is a potential target — from fake Croatian Post messages to phishing emails impersonating banks, telecom providers, and government institutions.
Types of phishing attacks in Croatia
Email phishing
The most common form. Fake emails from your "bank", "post office", "tax authority", or "telecom provider" asking you to click a link and enter your information.
SMS phishing (smishing)
"Your package is awaiting delivery — click here." Fake SMS messages from postal services, couriers, or banks with links to phishing pages.
Fake websites
Identical copies of online banking, webmail, or web shop pages. The URL is similar but not identical to the original.
Vishing (voice phishing)
Phone calls posing as "technical support" from your bank or Microsoft. They request access to your computer or banking details.
Real-world examples from Croatia
Fake Croatian Post
"Your package #HR38291 is waiting at the sorting center. Pay 12.50 HRK delivery fee here: hp-dostava-hr.com"
The real Croatian Post never requests payment via an SMS link. The domain hp-dostava-hr.com is not the official Croatian Post website (posta.hr).
Fake bank
"Dear customer, suspicious activity has been detected on your account. Verify your identity at: pbz-sigurnost.com/verify"
Banks never send login links via email or SMS. Always log in directly through the bank's official website.
Fake e-Citizens portal
"You have an uncollected document on the e-Citizens portal. Log in here: e-gradjani-hr.net/login"
The official address is gov.hr — everything else is fake. The e-Citizens portal never sends login links via email.
7 red flags for recognizing phishing
Urgency and threats — "Your account will be blocked in 24 hours!" Legitimate institutions do not threaten or impose short deadlines via email.
Suspicious sender address — Check the full address, not just the name. "Croatian Post <info@hp-delivery-notice.com>" is not the same as @posta.hr.
Generic greeting — "Dear user" instead of your name. Your bank knows your name.
Spelling errors — Fake emails often contain strange translations, missing diacritical marks, or unusual phrasing.
Suspicious link — Before clicking, hover over the link and check the actual URL. The difference between pbz.hr and pbz-sigurnost.com is enormous.
Request for personal data — No legitimate institution will ask for your password, personal ID number, or card number via email.
Unexpected attachment — "Invoice.pdf.exe" or "Bill_2026.docm" — never open unexpected attachments, especially with .exe, .scr, or macro-enabled extensions.
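The sender, link, greeting, urgency, and attachment checks from this list can be automated. The JavaScript below is an added example, not code from the original page or from Geslar. The OFFICIAL allowlist, the message object fields (claimedBrand, from, body, attachments), and the third sample message are assumptions made for illustration.

```javascript
// Added example: automated checks for several of the red flags listed above.
// OFFICIAL is an assumed allowlist built from the domains named on this page.
const OFFICIAL = { "croatian post": "posta.hr", "pbz": "pbz.hr", "e-citizens": "gov.hr" };
const RISKY_EXT = new Set(["exe", "scr", "docm"]);

// True when host is the official domain itself or a subdomain of it.
function onDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Hostnames of every link in the text, with or without an http(s):// prefix.
function linkHosts(text) {
  const re = /\b(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:\/\S*)?/gi;
  return [...text.matchAll(re)].map((m) => m[1].toLowerCase());
}

function redFlags(msg) {
  const flags = [];
  const official = OFFICIAL[msg.claimedBrand.toLowerCase()];
  if (msg.from) {
    // Compare the address inside <...>, not the display name.
    const host = msg.from.replace(/>\s*$/, "").split("@").pop().toLowerCase();
    if (!onDomain(host, official)) flags.push("sender-domain:" + host);
  }
  for (const host of linkHosts(msg.body)) {
    if (!onDomain(host, official)) flags.push("link-domain:" + host);
  }
  if (/\b(immediately|within the next 24 hours|will be blocked)\b/i.test(msg.body)) flags.push("urgency");
  if (/^dear (user|customer)\b/i.test(msg.body)) flags.push("generic-greeting");
  for (const name of msg.attachments || []) {
    // Only the last extension decides how the file opens ("Invoice.pdf.exe" is an .exe).
    const ext = name.toLowerCase().split(".").pop();
    if (RISKY_EXT.has(ext)) flags.push("risky-attachment:" + name);
  }
  return flags;
}

// Constructed samples: the first two reuse text quoted on this page; the third is a clean control.
const SAMPLES = [
  { claimedBrand: "Croatian Post", from: "Croatian Post <info@hp-delivery-notice.com>",
    body: "Your package #HR38291 is waiting at the sorting center. Pay 12.50 HRK delivery fee here: hp-dostava-hr.com" },
  { claimedBrand: "PBZ", attachments: ["Invoice.pdf.exe"],
    body: "Dear customer, suspicious activity has been detected on your account. Verify your identity at: pbz-sigurnost.com/verify" },
  { claimedBrand: "Croatian Post", from: "Croatian Post <info@posta.hr>",
    body: "Your parcel was delivered. Details: https://www.posta.hr/" },
];
for (const s of SAMPLES) console.log(s.claimedBrand, redFlags(s));
```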
How to protect yourself
Use a password manager
A password manager will not auto-fill your password on a fake website because it checks the domain. If autofill doesn't activate — that's a warning sign.
Enable 2FA
Even if an attacker obtains your password, without a second factor (TOTP code) they cannot log in. Geslar has a built-in TOTP authenticator.
Never rush
Phishing relies on urgency. If an email says "immediately" or "within the next 24 hours" — stop, think, and verify before you click.
Check the URL
Always manually type the bank or service address in your browser. Do not click links from emails — even if they look legitimate.
Why a password manager is an anti-phishing tool
Many people don't realize that a password manager is one of the most effective defenses against phishing. Here's why:
1. It checks the domain for you
The Geslar browser extension automatically fills in your password only on the domain it was saved for. If you're on pbz-sigurnost.com instead of pbz.hr — autofill won't activate. That's an automatic warning that something is wrong.
2. A unique password for every service
If you use the same password everywhere and an attacker steals it on one phishing site — they've compromised all your accounts. With a password manager, every service has a unique password. The damage is limited to one account.
3. TOTP as a second layer
Even if you enter your password on a phishing page, the attacker cannot complete the login without a TOTP code. Geslar generates TOTP codes natively — you don't need a separate app.
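Points 1 and 2 above come down to a host comparison made on the parsed URL, with each vault entry bound to one host. The sketch below is an added example, not Geslar's code. The VAULT contents, the entryFor function, the HTTPS requirement, and the choice to accept subdomains of the saved host are assumptions made for illustration.

```javascript
// Added example, not Geslar's code: the domain check applied before autofill.
// VAULT is a constructed store; each entry is bound to the host it was saved on
// and holds its own password, so a hit on one host never exposes another entry.
const VAULT = [
  { host: "pbz.hr", username: "ana", password: "constructed-unique-1" },
  { host: "posta.hr", username: "ana", password: "constructed-unique-2" },
  { host: "gov.hr", username: "ana", password: "constructed-unique-3" },
];

// Returns the entry to fill on pageUrl, or null when nothing may be filled.
function entryFor(pageUrl, vault = VAULT) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch (e) {
    return null; // not a URL the browser would load
  }
  if (url.protocol !== "https:") return null; // assumption: never fill over plain HTTP
  const host = url.hostname; // parser output, lowercased; path and query cannot affect it
  // Assumption: subdomains of the saved host are accepted ("www.pbz.hr" for "pbz.hr").
  // The "." boundary rejects hosts where the saved name is only a label of another domain.
  return vault.find((e) => host === e.host || host.endsWith("." + e.host)) || null;
}

// Constructed page URLs built from the domains quoted in this article.
const PAGES = [
  "https://pbz.hr/login",
  "https://www.pbz.hr/",
  "https://pbz-sigurnost.com/verify",
  "https://pbz.hr.pbz-sigurnost.com/",
  "https://e-gradjani-hr.net/login",
  "http://pbz.hr/",
];
for (const p of PAGES) {
  const hit = entryFor(p);
  console.log(p, "->", hit ? "autofill " + hit.host : "no autofill (warning sign)");
}
```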
What to do if you clicked a phishing link
Don't panic — but act fast:
1. Immediately change the password for that service (and everywhere else you used the same password)
2. Enable 2FA on all compromised accounts
3. Check your email and bank transactions for suspicious activity
5. Report the incident to incident@cert.hr (national CERT)
Conclusion
Phishing attacks in Croatia are becoming increasingly sophisticated. Fake emails are more convincing than ever, and fake websites are nearly identical to the originals.
Your best defense is not just caution — but tools that work on your behalf. A password manager that checks domains, generates unique passwords, and stores TOTP codes is a triple layer of phishing protection.
Protect yourself with Geslar — free, local, private.