Two kinds of phishing messages in OP Financial Group’s name

Phishing messages may claim that the customer’s account must be verified. Visually, these messages may look like OP’s confidential emails. Other kinds of phishing messages claim that a new device has been linked to your mobile phone and you are asked to react if you have not done it yourself.

The link in both messages may direct you to a phishing website resembling the service where you are asked to enter your online user ID and your password. The purpose of these phishing websites may also be to phish for payment card details or online user identifiers of other banks. These messages have also been sent to other people apart from OP’s customers, and the senders of the messages do not know if the recipients are OP’s customers or customers of another bank.

Never use a link received by email to log into an online bank   

Never use a link received by email or SMS to log into an online bank. Never give your user identifiers to anyone – a bank or the authorities will never ask you for these by SMS, phone or email. If you are uncertain about anything, always contact our Customer Service first.

Never download any software into your device if you are asked to do so by someone whose message your did not expect.

If you suspect that your user ID has fallen into the wrong hands, please do as follows  

  • Deactivate immediately your OP eServices user ID by calling our Telephone Service at 0100 0500.   

  • Outside service hours, deactivate your user ID by calling OP Deactivation Service at +358 100 0555 (24/7).   

  • Also remember to call our Customer Service during service hours to report the incident. 

Are you sure you’re on the genuine OP website?  

  • The bank will never send you a link to any website that would require you to log in with your online user ID or give your card details. Only criminals do so.  
  • If you are uncertain about the legitimacy of the message you have received, always contact your own bank first before doing anything else. 
  • Do not open the link or any attachments before checking with your own bank’s customer service.  
  • Never confirm such payment transactions or a linking to a device that you do not recognise.  
  • Check the browser’s address bar to make sure that you are at the right address, and that the address is protected.  
  • Click on the padlock in the address bar to view the website’s digital certificate. Check the following:  
    • The website's certificate has been issued to OP Financial Group (e.g. OP Osuuskunta).   
    • On the genuine OP website, the certificate states the address and in OP Identity Provider Service the address  
    • The certificate is valid. 
    • The issuer/publisher of the certificate is Symantec, Entrust or DigiCert.   

Example images of phishing emails:

Esimerkki nyt liikkeellä olevasta huijausviestistä. Viesti on suomenkielinen. Aihekentässä lukee pelkkä Re: Viestissä kerrotaan, että uusi laite on linkitetty matkapuhelimeesi. Viestin lopussa on kohta "Jos se ei ollut sinä", jonka alla on Klikkaa tästä -linkki. Allekirjoittaja on OP Ryhmä.


The sender field includes, subject is Account verification: Log in & phone number