Fraudsters are trying to get OP customers’ contact information and user identifiers for OP eServices by sending phishing email messages and possibly also through SMS phishing (smishing). The sender of the message may look something like OP’s customer service or contain a word that commonly refers to online banking. The message may have been formulated with the intention of phishing other banks’ user identifiers, too.
The sender of a phishing message may refer to the PSD2 directive and ask you to register an imaginary key code device. The link in the message may direct you to a phishing website that resembles OP eServices. The fraudster requests you to give your contact information, online user identifiers and a photo of your key code list.
If you have given your personal data, such as a phone number, on the phishing website, the fraudster may impersonate the bank's representative and call from a number that has been falsified to look like the phone number of OP's customer service. The phone call may also come from a number that resembles the phone number of OP's customer service. Never give any information to fraudsters!
You can spot the legitimate website of the bank from the following, for example:
- The website's certificate has been issued to OP Financial Group (e.g. OP Osuuskunta).
- The certificate contains OP’s domain name.
- The issuer/publisher of the certificate is Symantec, Entrust or DigiCert.
- The certificate is valid.
Please note that OP never asks you to log into its online services via a link in an email or text message or to provide your personal data or user identifiers.
Never give or disclose your user identifiers, PIN or key codes to anyone – even a bank or the authorities will never ask you for these by SMS, phone or email in connection with, for example, information updates or legislative changes. If you wish to make changes to your user identifiers or other details, always do this by logging in to the bank’s own service or by visiting a bank branch. You can check the services approved by OP under ”Services you can access with your user identifiers”. If you are uncertain about something, always contact our customer service for more information.
If you already entered your OP eServices user identifiers on a phishing page, deactivate them immediately! To do so, call OP’s telephone service at 0100 0500 (Mon–Fri 8–22, Sat 10–16, local network charge/mobile charge). Outside the telephone service hours, deactivate your user identifiers by calling the Deactivation Service, tel. +358 20 333 (24/7). Be sure to also call OP telephone service during service hours to report the incident.
Send us an email and attach to it the phishing email you received. How to save a phishing email and send it to us:
Save and send the email as follows (this may vary depending on your email provider):
- In the File menu, select Save As
- In the Save As dialog box, select the drive and folder in which you want to save the email.
- In the File name field, enter a name for the file.
- Use the default file format shown in the Save as type field or select some other file format for saving the file.
- Write an email message, attach the file you just saved and send it to tietoturvailmoitukset(a)op.fi.
Include your name, contact information and your bank’s name (e.g. OP Mallila) in your email. We will not reply directly to messages sent to this email but you will receive an automatic reply. Also report the event to OP telephone service at 0100 0500, or to your bank.
Example of a phishing email:
Example 1 of a phishing website:
Example 2 of a phishing website: