Analysis of 5000+ regex patterns NSAI uses to detect phishing impersonating Nova Poshta, PrivatBank, Monobank, and Diia services.

Ukrainian Scam Patterns 2026

Over the past year, the SMS and messenger fraud landscape in Ukraine has shifted significantly. Our NSAI system tracks these changes in real-time using a library of 5,000+ regular expressions specifically designed for the Ukrainian context.

Top Threat Categories

1. Nova Poshta (NOVA_POSHTA)

Scammers massively use fake parcel delivery notifications. Typical pattern:

"Your parcel #2847291 is delayed. Pay for delivery: novaposhta-pay.xyz"

Our system recognizes suspicious domains that mimic official Nova Poshta services.

2. PrivatBank / Privat24 (PRIVAT24)

Banking phishing remains the most common category. Key indicators:

Links to privat24-*.xyz instead of official privatbank.ua
Messages about "card blocking" or "suspicious transactions"
Requests for CVV/PIN codes

3. Monobank

A 40% increase compared to last year. Scammers have adapted to monobank's popularity among younger demographics.

4. Diia (DIIA)

A new wave of fraud — fake messages about "government payments" through the Diia app.

5. Military Donations (MILITARY_DONATION)

The most cynical category — fake fundraisers for the Ukrainian Armed Forces. NSAI has specialized heuristics to verify the legitimacy of volunteer organizations.

How Detection Works

NSAI uses a three-tier analysis approach:

Regex patterns — instant check against known patterns (< 5ms)
ML classification — neural network for novel, unknown schemes
LLM verification — Cloud AI for complex cases with contextual analysis

This cascading approach achieves 99.4% accuracy on our gold-standard dataset.

Takeaway

Scammers are getting smarter, but so are our systems. If you receive a suspicious message, check it via the NSAI API or our Telegram bot.

Ukrainian Scam Patterns 2026

Top Threat Categories

1. Nova Poshta (NOVA_POSHTA)

Scammers massively use fake parcel delivery notifications. Typical pattern:

"Your parcel #2847291 is delayed. Pay for delivery: novaposhta-pay.xyz"

Our system recognizes suspicious domains that mimic official Nova Poshta services.

2. PrivatBank / Privat24 (PRIVAT24)

Banking phishing remains the most common category. Key indicators:

Links to privat24-*.xyz instead of official privatbank.ua
Messages about "card blocking" or "suspicious transactions"
Requests for CVV/PIN codes

3. Monobank

A 40% increase compared to last year. Scammers have adapted to monobank's popularity among younger demographics.

4. Diia (DIIA)

A new wave of fraud — fake messages about "government payments" through the Diia app.

5. Military Donations (MILITARY_DONATION)

The most cynical category — fake fundraisers for the Ukrainian Armed Forces. NSAI has specialized heuristics to verify the legitimacy of volunteer organizations.

How Detection Works

NSAI uses a three-tier analysis approach:

Regex patterns — instant check against known patterns (< 5ms)
ML classification — neural network for novel, unknown schemes
LLM verification — Cloud AI for complex cases with contextual analysis

This cascading approach achieves 99.4% accuracy on our gold-standard dataset.

Takeaway

Scammers are getting smarter, but so are our systems. If you receive a suspicious message, check it via the NSAI API or our Telegram bot.

Ukrainian Scam Patterns 2026: What Changed

Ukrainian Scam Patterns 2026

Top Threat Categories

1. Nova Poshta (NOVA_POSHTA)

2. PrivatBank / Privat24 (PRIVAT24)

3. Monobank

4. Diia (DIIA)

5. Military Donations (MILITARY_DONATION)

How Detection Works

Takeaway

Ukrainian Scam Patterns 2026: What Changed

Ukrainian Scam Patterns 2026

Top Threat Categories

1. Nova Poshta (NOVA_POSHTA)

2. PrivatBank / Privat24 (PRIVAT24)

3. Monobank

4. Diia (DIIA)

5. Military Donations (MILITARY_DONATION)

How Detection Works

Takeaway