Warning: criminals are now phishing for user IDs by combining messages with phone calls

Messages are being combined with calls in a new kind of scam. Criminals may pose as tax administration or bank representatives.

Criminals are now using multi-part scams to go after your and other customers’ user IDs. First, the customer is sent a phishing message. When the customer clicks on the link in the phishing message and enters their user ID in an imposter website, they may then receive a scam call, supposedly from OP. If you receive a call which you can’t be sure is genuine, do not follow the caller’s instructions (for example, by moving your money to another account). End the call and report it to your bank. 
A particularly fast-spreading scam is around in which the victim receives an SMS in the name of the tax administration, for example. The link in the SMS takes the victim to an imposter website. When they enter their user ID in the website, they may receive a call, supposedly from OP. The criminal making the call will ask the victim if they used the link in the message and warn that the link is a scam. Next, the scammer says that the victim’s assets are in danger and tells them to move their money to a “secure account”. In some cases, the scammer has prepared a payment in the victim’s online bank and urges the victim to confirm the payment. In fact, the secure account does not exist and the victim’s money falls into the hands of criminals.
Banks or authorities never make phone calls or ask customers to give their online user IDs or to make payments. 
In addition, various kinds of phishing messages are currently being sent in OP’s name. They may refer to an attempted payment or the activation of mobile key. 
Scam messages spreading right now:  
  • ask you to call a number specified in the message
  • describe an attempted payment
  • urge you to to update your identity
  • include a link to a phishing website whose address may resemble OP's real website but is spelled differently. 
Using a stolen user ID, the criminals will attempt to make fraudulent payments and gain access to the victim’s Mobile key. 
The scam messages may look like this:  


Please note that phishing messages may be in the same message chain as genuine SMSes from OP.
If you get such a message, do not click on the link in the message. Because cybercriminals often change the content of their scam messages, other kinds of scam messages may also be in circulation.  

If you suspect that your user ID has fallen into the wrong hands, deactivate your user ID by calling 0100 0500 (personal customers) or 0100 05151 (corporate customers). When our Customer Service is not available, please call the OP Deactivation Service at +358 100 0555. It is available 24/7. Also remember to call our Customer Service during service hours to report the incident.

This is how our messages differ from scam messages

We will never send you messages with a link to the online bank's login page. The bank will never ask you about your user ID or card details through messages. Such messages are scams – do not click on the links in the messages. 
Even when receiving or cancelling a payment, you do not need to log in via a link, confirm with codes, or give your details. If you are asked to do this, contact the bank's Customer Service.

Please remember these seven things when banking online

1. Do not go to the op.fi service through a link you have received or a search engine. The message directing you to the login page is a scam. You may end up in a scam website through search results on Google, Bing or another search engine too, so type the address on the browser’s address bar yourself.  
2. Check the address. Always make sure that you are at www.op.fi. Do not enter your identifiers into a site if you are not sure that it is genuine.  
3. Keep your user ID and password to yourself. The bank will never ask you to provide your user ID over the phone or by SMS or email.  
4. Do not open email or SMS attachments sent in the bank’s name. Check with your bank’s customer service that the attachments are genuine.  
5. If a person you don’t know asks you to install an application, do not do so. Install any software you need through your device’s app store.  
6. Do not confirm transactions you are not certain you have made yourself. Always read the confirmation requests with due care – if there is anything that does not match, do not confirm anything.  
7. Please ask if you are unsure about anything. If a contact or message is suspicious or the op.fi service page is not working in the usual manner (for example, login with Mobile key is not working), please contact your bank before doing anything else.