During the summer, many people in Finland have been targeted by a new, multi-stage bank fraud.
It usually begins with a phishing message sent under the name of an authority or service provider. The message is not necessarily related to banking, but includes a prompt to click a link in the message.
The link leads to an imposter website where the customer must log in using their online banking user ID to continue. Once the customer has entered their user ID on the website, it is captured by the criminals.
Funds transferred to a "secure account" will always be lost
Once the fraudster has obtained a customer's user ID, they use it to log into the online bank. Subsequently the fraudster creates a payment template that is used in the second stage of the scam.
Next the fraudster calls the customer, pretending to work for the bank, saying that the website on which the customer entered their user ID is a scam website. The fraudster says that the customer's user ID is compromised.
After this the fraudster asks the customer to log into their online bank and confirm the payment template created earlier by the fraudster, in order to transfer the funds to a "secure account". The customer confirms the payment and in doing so transfers the funds to the fraudster.
It is important to understand that there is no such thing as a "secure account". Only online fraudsters talk about "secure accounts".
How to recognise scam calls
The main tool used by fraudsters is manipulation. Their aim is to influence customers to make decisions against their own interest.
In this scam using "secure accounts", the customer may remember logging into a website, and then panic about having done so. The customer may also trust the fraudster who can talk about the matter so convincingly. The fact that half of the story is actually true makes it all the more convincing: the customer did indeed enter their user ID in a scam website.
For a scam to work, customers generally have to take a certain action, and therefore you should consider the caller's motives carefully. You should be suspicious of any callers urging you to do something quickly. No banking matter is ever so urgent that you cannot think about it for a moment.
What you should bear in mind
- Only fraudsters talk about secure accounts.
- A bank will never call you and ask you to take some action to save your funds.
- If you receive a call from someone claiming to work for a bank or the authorities, always treat it with some suspicion.
- You can tell it's a scam call if you're asked to take quick action and that failing to do so will have serious consequences. Talking about secure accounts is also a clear indication of a scam.
- Never give your banking user ID to anyone.
- Read all notifications carefully and confirm only actions that you have yourself started.
- If the caller says they work for your bank, you can ask for the call to be confirmed in OP-mobile.
- Do not click any links in your messages if you don't know what they are. Links may redirect you to a scam website where user IDs are phished.
- If you suspect a scam, end the call and call the bank's customer service.
Do as follows if you suspect that your user ID has fallen into the wrong hands
If you suspect that your user ID has fallen into the wrong hands, deactivate your user ID by calling 0100 0500 (personal customers) or 0100 05151 (corporate customers). Our Customer Service is open on Mon–Fri, 8.00–16.00. Outside these times, call OP's Deactivation Service on 0100 0555; this service is open 24/7. Be sure also to call the Customer Service during service hours to report the incident.