Criminals are using fraudulent messages to phish for online bank user identifiers 

Criminals have been sending phishing SMSes in OP Financial Group’s name. The message may claim that use of the customer’s card has been blocked and urge the customer to confirm their identity by clicking on a link. 

The link in the message may direct you to a scam website resembling the service, where you are asked to enter, for example, your online bank user identifiers and password. The phishing website may also be used to gain access to payment cards or online user identifiers of other banks. To our knowledge, some customers of banks other than OP have also received these messages.  

Never use a link received by SMS or email to log into an online bank

OP Financial Group never sends SMSes or email messages requesting customers to log in, via a link, using their online bank user identifiers. Never use a link, which has been sent to you, to log into an online bank.    

Never give your user identifiers to anyone – not even a bank or the authorities will ever ask you for these by SMS, phone or email in connection with, say, verifying information. Never download any software onto your device if you are asked to do so by someone whose message you did not expect. If you are uncertain about anything, always contact our Customer Service first.     

If you suspect that your user ID has fallen into the wrong hands, please do as follows:

  • Immediately deactivate your online bank user identifiers by calling OP Customer Service on 0100 0500.

  • Outside telephone service hours, deactivate your user ID by calling OP Deactivation Service on +358 100 0555 (24/7).


  • Be sure to also call our Customer Service during service hours to report the incident.

Are you sure you’re on the genuine OP website?

  • The bank will never send you a link to any website that would require you to log in with your online bank user identifiers or give your card details. Only criminals do so.   
  • If you are uncertain about the legitimacy of the message you have received, always contact your own bank first before doing anything else.  
  • Do not open the link or any attachments before checking with your own bank’s customer service.   
  • Never confirm payment transactions, or Mobile key activations, which you do not recognise.   
  • Check the browser’s address bar to make sure that you are at the right address, and that the address is protected.  
  • Click on the padlock icon in the address bar to view the website’s digital certificate. Check the following:
    • The website's certificate has been issued to OP Financial Group (e.g. OP Osuuskunta).
    • On the genuine OP website, the certificate states the address and in OP Identity Provider Service the address  
    • The certificate is valid.
    • The issuer/publisher of the certificate is Symantec, Entrust or DigiCert.  

Example of phishing message:  

Example of a scam website: