Facing Digital Risks

Quarterly report

In the latest overview of the SHARE Foundation’s digital rights monitoring in Serbia, a total of 35 digital rights violations were recorded between March and the end of May 2026. Fraud, threats and manipulation once again accounted for the largest number of cases, with 22 incidents. The other two categories were significantly less represented, with 7 cyber incidents and 6 cases involving privacy and personal data violations. The second quarter of the year was marked by major incidents involving leaks of citizens’ sensitive data and online fraud campaigns. The trend of pressure on media outlets and threats to journalists also continued.

One Click into a Scam

A traffic fine. Support for a child in a competition. A friend asking for an urgent money transfer. While many would be cautious and avoid scams, a considerable number of people act on such requests out of panic or lack of knowledge – otherwise fraudsters would not keep sending these messages.

Among the social engineering scams recorded during the recent period of digital rights monitoring in Serbia, two stood out in particular. The first involved SMS messages sent from Philippine phone numbers (starting with +63), which circulated widely in April. The messages warned citizens about alleged traffic fines that could supposedly be paid online. Users were offered a 50 per cent discount if they paid within a specified period – all they had to do was enter their payment card details on a website designed to resemble the Serbian eGovernment portal. As the campaign progressed, fake domains and websites multiplied, but the scammers’ goal remained the same: to collect as many payment card details as possible and withdraw funds before cardholders could block their cards. A very similar campaign, also involving SMS messages from +63 numbers related to traffic offences, was observed in early May.

The second scam affected a large number of WhatsApp users in Serbia. Through requests for alleged account “verification”, attackers managed to link their own devices to victims’ WhatsApp accounts using the platform’s “linked devices” feature. They then used legitimate accounts to send messages to contacts asking for money transfers. According to Serbia’s Ministry of Interior, the High-Tech Crime Unit uncovered hundreds of cases involving the misuse of WhatsApp accounts during this period. Earlier this year, a similar campaign was active, but relied on a fake children’s competition that spread through WhatsApp voting requests.While education remains extremely important, protection against phishing scams cannot be reduced to advice such as “do not click suspicious links” or “do not enter card details on unknown websites”. As electronic communication between public authorities and citizens becomes increasingly common, the risks posed by social engineering continue to grow. Service providers and device manufacturers should make greater efforts to prevent fraudulent messages from reaching end users, particularly where there are strong indications that services such as iMessage, SMS or WhatsApp are being abused, such as via messages sent from unknown foreign numbers. Earlier this year, WhatsApp introduced an additional warning when linking an account to another device in response to the increasing misuse of the linked devices feature. At the same time, artificial intelligence tools are making it possible to create increasingly convincing scam messages and fraudulent websites.

A Spiral of Irresponsibility

Despite a legal framework for data and information systems protection that is largely aligned with EU standards, data breaches and other privacy violations rarely receive an adequate response. Two new incidents involving the privacy of large numbers of people attracted significant public attention. The first came to light in March, when a subscriber database belonging to Telekom Srbija’s satellite television service was compromised and published online.

Compiled through the work of field technicians and call centres between January 2019 and December 2025, the database contained nearly 700,000 entries, including 338,934 unique ID numbers belonging to citizens from 151 towns and municipalities across Serbia. In addition to personal identification numbers, the leaked data included names, mobile phone numbers, home addresses, contract details and even information about users’ private lives. Notes attached to records contained information about users’ daily routines, living circumstances, health conditions and, in some cases, details of heirs if users had passed away. The database also included information on corporate clients of Telekom Srbija, among them the Ministry of Interior, the Ministry of Defence and the Serbian Armed Forces, as well as the personal identification numbers of responsible officials. Rather than providing answers and outlining measures to address the consequences of the breach, Telekom Srbija’s management downplayed the seriousness of the incident in public statements. Following the breach, the Commissioner for Information of Public Importance and Personal Data Protection contacted the company to gather relevant facts, but it remains unclear whether a formal inspection has been initiated or completed.

The second incident, even more sensitive in nature, involved leaked data from a private gynaecological clinic. A database containing more than 6,000 patient records was published online after the clinic reportedly ignored hackers’ demands and refused to pay a ransom. The leaked information included patients’ full names, telephone numbers, personal identification numbers, home and email addresses, and medical diagnoses. This incident represents not only a severe intrusion into the intimate lives of the affected women, but also a form of gender-based violence that may result in further stigmatisation and online harassment. The Commissioner responded by initiating an inspection of the clinic in April. However, the public has still not been informed whether the inspection has been completed or what its findings were.

Another privacy violation with serious consequences for women occurred in mid-May, when professors at the Faculty of Education in Sombor who support the student movement were targeted with sexualised deepfake content shared on social media. A protest in support of the targeted professors was held in Sombor on 14 May in response to these misogynistic attacks.

Establishing liability and imposing sanctions on the gynaecological clinic and Telekom Srbija is not merely a matter of legal accountability, even though the data has already been exposed online and the damage has been done. More than ever, there is a need to break with over a decade of negligence and irresponsibility regarding the protection of citizens’ data and information security. Despite increasing digitalisation of public administration and society, these issues have not been treated as priorities. It has also not been confirmed whether citizens affected by the breaches were notified by Telekom Srbija or the clinic, despite this being a legal obligation under Serbia’s Personal Data Protection Act following incidents of this scale.

The data exposed in the two most recent major breaches also creates opportunities for more sophisticated personalised scams and political targeting, due to the combination of information made publicly available, including names, contact details and home addresses. The structured format of the leaked databases allows anyone with sufficient technical knowledge to create searchable datasets based on specific criteria, such as names or ID numbers, facilitating profiling, harassment and other unlawful activities.

Free Fall

On 30 April, Reporters Without Borders (RSF) published its 2026 World Press Freedom Index, recording the lowest global level of media freedom in the past 25 years. Only 1 per cent of the world’s population now lives in countries with a good media freedom environment, compared with 20 per cent in 2002. Serbia continues to follow these global trends. The country dropped from 96th to 104th place out of 180 countries in the Index, becoming the fourth worst-ranked country in Europe, behind Turkey, Belarus and Russia. Developments during the reporting period reflect RSF’s findings, as pressure on and attacks against journalists in Serbia continue unabated and attract international attention.

SLAPP lawsuits and other proceedings aimed at silencing journalists continued. The company Millennium Team filed a private criminal complaint against N1 journalist Maja Nikolić over an article concerning the purchase of Hotel Yugoslavia, seeking a one-year prison sentence for allegedly damaging the company’s reputation. Public officials, who frequently resort to legal action against journalists, also remained active. Prime Minister Đuro Macut opted for a different legal strategy, filing a complaint with the Press Council against the investigative outlet KRIK over its reporting on his assets and the purchase of a villa worth one million euros. Macut claimed that the reporting endangered his safety and compared his situation to that of assassinated Prime Minister Zoran Đinđić. The Press Council’s Complaints Commission unanimously concluded that KRIK had not violated the Serbian Journalists’ Code of Ethics in its reporting. At the local level, bizarre misdemeanour proceedings have been initiated against journalist Miljko Stojanović from Zaječar. The police filed as many as five misdemeanour charges against him for allegedly organising protests after he shared a Facebook post calling on people to attend demonstrations.

Another negative trend affecting media freedom during the reporting period was the continued targeting of journalists through threats and harassment. Maria Popović, journalist and editor of the local outlet Pravo u centar from Lazarevac, became the target of mass threats, insults and misogynistic comments on social media after reporting from a Serbian Progressive Party (SNS) gathering in her municipality. Popović was verbally attacked during the event, while online harassment escalated after she shared a recording of the incident on Instagram. Kristina Demeter Filipčev, a journalist with the outlet Bečejski mozaik, was targeted in a similar way through comments on Facebook after reporting on local elections in Kula held on 29 March.

When it comes to manipulation of the information space, after a while major online platforms once again focused attention on Serbia. In an official report, TikTok announced that in January 2026 it had removed a coordinated influence network originating from Serbia consisting of 60 accounts with more than 50,000 followers. According to the company, the network artificially amplified narratives favourable to the Serbian Progressive Party and manipulated public discussion around anti-government protests. The network was also active on other online platforms.

Media freedom remains a persistent point of concern, not only in the context of Serbia’s EU accession process but also for the overall state of human rights in the country. In May, a coalition of ten media and journalist protection organisations sent a letter to EU member states’ ministers responsible for European affairs, calling on them to support proposals to suspend EU funding to Serbia due to the escalating violence against journalists. If these negative trends continue, amid growing social tensions and ongoing repression by the authorities, further escalation of violence in both online and offline spaces can only be expected.