“A free domain of a public entity is like an open door for fraudsters and enemies of the state,” says Monika Kamińska, legal adviser and founder of Truesta, one of the ten most promising startups in Poland, which deals with combating hate and disinformation on the web, in an interview for Bankier.pl. We talk, among other things, about the knf.pl website, which, despite associations, has nothing to do with the Polish Financial Supervision Authority.
Michał Kubicki: Do you think that domains with the .pl extension are to some extent a part of the national identity in Poland?
Monika Kamińska: Definitely yes. A domain is more than a technical identifier – it is a digital identification mark of Poland on the Internet. Formally, .pl is a national top-level domain assigned to Poland by IANA (Internet Assigned Numbers Authority). In practice, however, it plays a much bigger role. Subconsciously, it is associated with our market, language, culture and regulations. Search engine algorithms also understand this preference. Google automatically displays results with .pl domains higher in the ranking for Polish Internet users. This phenomenon can be noticed by anyone who has been abroad – search results are different there.
The .pl domain has become an element of Poland's digital recognition. This trust is our strength, but it can also become a vulnerability.
The knf.pl website leads to a cryptocurrency exchange. In addition, it is on the KNF warning list
Government institutions use the gov.pl domain, which allows their websites to be distinguished from those such as knf.pl, which uses an abbreviation in the address associated with the Polish Financial Supervision Authority and leads to a cryptocurrency exchange.
Read also…
Are Polish companies more likely to choose Internet domains with .pl in the address or others such as .com, .biz.net, .eu, etc.?
Choosing a domain is a very important marketing and communication decision today. The .pl domain remains the default address for companies operating on the Polish market. Companies with global ambitions choose .com, but those who are aware of it also secure the .pl variant. At the same time, industry domains such as .ai, .app, .io are becoming popular. These endings signal innovation and attract specific groups of recipients.
Some companies modify the product name to an available domain. If the key address is taken, this is a rational approach that limits potential disputes.
What does a domain address say about its owner from an image perspective? How do companies and institutions care or should care about this image on the Internet? Is it a practice for large corporations to buy associated “www” addresses in order to protect the image and security of their customers and stakeholders?
A domain is a digital business card that often determines the first impression. A short, intuitive domain effectively builds a professional image.
A spectacular example is the purchase of the friend.com domain for $1.8 million by a young technology startup. According to press reports, the transaction absorbed a large part of the startup's funding, but it was assumed that it would save more in marketing costs – a prestigious, trust-building, simple and memorable name is worth more than advertising campaigns.
Companies buy typos and similar domains to prevent typosquatting (registering similar domains in bad faith) and unfair competition that would like to exploit their reputation, mislead customers or direct customers to their own sites. In the case of abuse, injured companies are not defenseless – they can use a wide range of legal instruments. The basis for protection may be, among others, the provisions of the Civil Code on the infringement of personal rights, intellectual property law protecting trademarks and the act on combating unfair competition.
It is important to remember that the registrar does not verify whether the name violates someone else's rights. The registrant is responsible for the legality of the name. In practice, this means that if someone registers a domain that violates someone else's trademark, then in the event of a lack of agreement, the injured party can use domain arbitration.
Domain arbitration is a faster alternative to court proceedings. A final judgment allows for a change of subscriber in the NASK register.
However, the most important thing is prevention. Image protection requires continuous actions, not one-time actions. It is not only a matter of domain registration and appropriate technical security, but also systematic monitoring, proactive legal actions and awareness of the entire team.
Can we equate the image potential and the perception of the knf.pl and knf.net addresses by Internet users?
Absolutely not. In the minds of users, these addresses carry completely different messages. The .pl domain automatically signals a connection with Poland and suggests that the entity wants to reach Polish users. It contains an implied message: “I am from here and I am subject to Polish regulations”. The .net domain is a global extension without any national connotation. Originally, it was intended for entities related to computer networks, today it is not limited thematically and anyone can register it.
Is the example of the existence of the website knf.pl, which does not belong to the Polish Financial Supervision Authority, a real risk of using the institution's image for disinformation and financial fraud?
It's not just a risk – it's a reality we're facing right now.
A “free” domain of a public entity is like an open door for fraudsters and enemies of the state. The Russian “Doppelganger” campaign has shown that impersonating media and government agencies in local domains is standard in information warfare.
Let's imagine an extreme scenario: the website at knf.pl has the graphic design of the Polish Financial Supervision Authority and a false message is published there about the bank's bankruptcy, the entry of competitors on a warning list or the serving of malware. The fact that a rumor can cause panic on the market was learned by Silicon Valley Bank in 2023, when negative posts on social media caused a “bank run 2.0”. Within 24 hours, customers withdrew $42 billion, leading to the loss of liquidity of one of the largest banks in the United States.
Defense mechanisms exist, but they have limitations. NASK can block domains, and browsers mark suspicious sites with warnings. But disinformation works on the principle of first impressions and can have a huge impact if it is used in critical moments of information chaos, which accompany, for example, wars, natural disasters, changes of office or detention of famous people. In addition, it helps to perpetuate false narratives, which are often built for months in many separate channels of communication.
The problem may be exacerbated by artificial intelligence. Generative models can create credible-looking pages and content in minutes. Deepfakes allow impersonation of specific people – not only in the form of images, but also video and audio recordings. The cost of an attack is falling dramatically, and detection is becoming increasingly difficult.
On the one hand we have knf.pl, but on the other hand e.g. prezydent.pl or other sites belonging to state institutions ending in .pl. This could cause some chaos?
The .gov.pl domain is a domain controlled by NASK. Registration requires the presentation of documents confirming the status of a public entity. This is a safe space.
The problem is that the .pl domain is available to everyone without verification of authorization – as a rule: whoever registers first, has the domain. Domains referring to public authorities should be secured by them. CERT Polska operating within NASK structures, among others, blocks malicious sites in the .pl domain – this applies to phishing sites and sites containing malicious software.
For sites with other categories of illegal or harmful content, such as defamatory content, content that exposes intimate images without consent, or content that sells counterfeits, there are also legal options to block the site.
This, however, takes time, during which undesirable content can reach thousands of users and cause damage that is difficult to reverse, not only financial, but also image-related. That is why prevention, and in the event of risk identification – immediate reaction – are so important.
Interestingly, NASK itself uses the .pl domain. Other institutions do the same, such as the National Bank of Poland. Maybe we should briefly describe the situation regarding domains of public institutions?
Individual entities have adopted different domain strategies, so it is worth looking at specific examples. NBP uses .pl as its main domain, but also has gov.pl and com.pl domains, from which there is a redirection to .pl. Perhaps the central bank wanted to emphasize its independence and constitutional position in this way. The Sejm and Senate, on the other hand, chose gov.pl as their main domain and also secured the .pl domain.
In the justice system: the NSA, administrative courts, common courts and the Constitutional Tribunal use the gov.pl domain, but the Supreme Court uses .pl. In the case of government administration, websites of ministries are redirected to unified gov.pl/web/(…). Differences can also be seen at the local government level – Warsaw uses .pl, and Lublin .eu.
The distinctiveness of some institutions may justify the desire to emphasize their autonomy. The problem is that the average user does not consider the nuances of the organizational structure of the state – whether a given institution is the executive, judicial or local government.
From the point of view of the information security of the state, what creates a real risk is leaving key domains unsecured. This can be a threat to the information security of the state.
So what can be done? Are changes to the law necessary, or will actions taken based on existing regulations be enough?
Existing legal instruments provide solid foundations, but the digital reality requires new solutions and, above all, changes in thinking about security. The fundamental change in thinking is that digital security is not a state, but a process. You can't protect yourself once and for all. Technologies change, attack methods evolve, new threats appear every day.
That's why we need a comprehensive approach. First, preventive actions. Public entities and companies should register key domain variants by default. This costs a few hundred złoty per year, but can save millions in the future.
Secondly, systematic monitoring. Today, the key is, among other things, regular checking of similar domains, tracking brand mentions, regular security audits. The technology exists for this, the question is about systematic implementation.
Third, user education. Despite numerous social campaigns, users still fall victim to fraudsters, because social engineering methods develop faster than awareness. Even well-informed people, when tired, inattentive or under the influence of emotions, can be fooled by sophisticated attacks. We should not be ashamed and hide when we have fallen victim to an attack, but react quickly and have a ready plan of action in a crisis situation. It is very important to introduce a “no blame culture” in companies and institutions, which motivates, and does not introduce fear, to report suspected security breaches.
In terms of new regulations, at the EU level we have the Digital Services Act, which strengthens the obligations of platforms to remove illegal and harmful content. Unfortunately, Poland is late in adopting implementing regulations that would allow users to protect their rights more effectively. Ultimately, security is not just a matter of one .pl domain, but of the entire ecosystem of activities.
Thank you for the interview.
Our interlocutor
Monika Kamińska is a legal advisor, founder and CEO of the Truesty startup, which stands out for its innovative approach to combating hate and disinformation online, in order to effectively protect the reputation of individuals and companies on the Internet. Truesty was among the ten most promising startups in Poland in the Rookie of the Year 2024 ranking. Kamińska is involved in legislative processes at the national and EU level. She is a member of the Association of Personal Data Protection Inspectors (SABI).
Monika Kaminska
