What's new

10.11.2023 15:23

Warning: Scammers in online marketplaces for second-hand goods

We have been notified of numerous cases in which a criminal has phished for customers' banking details with the help of a fake service disguised as Posti or some other courier service.

Criminals may try to get your user identifiers and payment card details through online marketplaces for second-hand goods. In scams involving second-hand goods, criminals try to make you believe that a payment will be recorded on your card once you've given your card details and your banking user ID. However, in reality, your card can't receive payments, but with the user ID and card details the criminal will be able to freely use the card. 

If a buyer asks for your user ID or card details, end the conversation immediately. Also, end the conversion if a buyer asks you to pay unusual expenses or give extra details that appear to have to do with the delivery of goods or receipt of payment. Card details and user IDs are being phished for in Posti's name, for example. 

Please note that you must not ever give away any other payment details than your account number when selling second-hand goods. Of course, if you use MobilePay, you may reveal your phone number. 

Common scams also persist

Common hoax messages in OP's name are circulating again. Phishing messages that are circulated especially via SMS refer to the activation of Mobile key or deactivation of user identifiers. 

At the moment, especially messages in Finnish are spreading and they  

  • inform about the deactivation of user identifiers
  • refer to the activation of Mobile key
  • include a link to a phishing website whose address resembles OP's real website but is spelled differently. 

Using a stolen user ID, the criminals will attempt to make fraudulent payments and gain access to the victim’s Mobile key.  

The scam messages may look like this:  

Please note that phishing messages may be in the same message chain as genuine SMSes from OP.

If you get such a message, do not click on the link in the message. Because cybercriminals often change the content of their scam messages, other kinds of scam messages may also be in circulation.  

If you suspect that your user ID has fallen into the wrong hands, deactivate your user ID by calling 0100 0500 (personal customers) or 0100 05151 (corporate customers). When our Customer Service is not available, please call the OP Deactivation Service at +358 100 0555. It is available 24/7. In addition, be sure to call our Customer Service during service hours to report the incident.  

This is how our messages differ from scam messages  

We will never send you messages with a link to the online bank's login page. Your bank will never ask you about your user ID or card details through messages. Such messages are scams – do not click on the links in the messages.  

Even when receiving or cancelling a payment, you do not need to log in via a link, confirm with codes, or give your details. If you are asked to do this, contact the bank's Customer Service.  

Please remember these seven things when banking online  

  1. Never log into OP's digital services through a link you've received or a search engine. The message directing you to the login page is a scam. You may end up in a scam website through search results on Google, Bing or another search engine too, so type the address on the browser’s address bar yourself.  
  2. Check the address. Always make sure that you are at www.op.fi. Do not enter your identifiers into a site if you are not sure that it is genuine.  
  3. Keep your user ID and password to yourself. The bank will never ask you for your user ID over the phone or by SMS or email.  
  4. Do not open email or SMS attachments sent in the bank’s name. Contact your bank’s Customer Service to verify that the attachments are genuine.  
  5. If a person you don't know asks you to install an application, do not install it. Install any software you need through your device’s app store.  
  6. Never confirm transactions if you are not certain that you made them. Always read confirmation requests with due care – if there is anything that does not match, do not confirm anything.  
  7. Please ask if you are unsure about anything. If a contact or message is suspicious or your online bank's login page is not working in the usual way (for example, login with Mobile key is not working), please contact your bank before doing anything else.