Warning: lots of scams of different types are doing the rounds

Criminals are using scams via phone, SMS and social media to phish for information.

Criminals are using a range of scams to gain access to our customers’ user IDs and money. In multi-part scams, the victim is sent a phishing message in the name of an authority, such as the police or the tax authorities. The message includes a link to an imposter website. When the customer enters their user IDs on the imposter website, they may then receive a scam call, supposedly from OP.

The criminal making the call will ask the victim if they used the link in the message and warn that the link is a scam. After that, the criminal claims that the victim’s funds are at risk and should be moved to a so-called secure or safe account. 

The criminal may also have prepared a payment in the victim’s online bank and will urge the victim to confirm the fraudulent payment. The secure account does not exist and the victim’s money falls into the hands of criminals.

If you receive a call which you can’t be sure is genuine, do not follow the caller’s instructions. Banks or authorities never make phone calls to ask customers to give their online user IDs or to make payments. Never transfer your funds anywhere. End the call and notify your bank of what happened.

Phishing increased in early February

Traditional scam phone calls, which are not preceded by a hoax message, are being made in addition to multi-part scams. The criminal makes direct hoax calls in the name of OP or another company, such as a digital loan service. If the criminal is posing as someone from another company, they may connect the call to an accomplice pretending to be an OP employee.

As well as phone calls, more conventional phishing messages are being sent in the name of OP and the Suomi.fi service, for example. Scam messages spreading right now:  

  • notify of an added device
  • refer to the activation of Mobile key
  • state that a message has arrived
  • include a QR code (do not scan the QR code)
  • include a link to a phishing website whose address resembles OP's real website but is spelled differently

Hoax messages about added devices may look like this:

If you get such a message, do not click on the link in the message. Because cybercriminals often change the content of their scam messages, other kinds of scam messages may also be in circulation. 

There are also lots of scams around on OP’s social media channels. The criminal phishes for personal data by announcing a win in a prize draw organised by OP. The scammer seeks victims by adding fake links to the prize draw’s message chain. OP never sends links that lead to its online bank login page and would never ask for personal data via such a link. OP always notifies the winners of its prize draws directly.

If you suspect that your user ID has fallen into the wrong hands, deactivate your user ID by calling 0100 0500 (personal customers) or 0100 05151 (corporate customers). When our Customer Service is not available, please call the OP Deactivation Service at +358 100 0555. It is available 24/7. Also remember to call our Customer Service during service hours to report the incident.

This is how our messages differ from scam messages  

We will never send you messages with a link to the online bank's login page. Your bank will never ask you about your user ID or card details through messages. Such messages are scams – do not click on the links in the messages.  

Even when receiving or cancelling a payment, you do not need to log in via a link, confirm with codes, or give your details. If you are asked to do this, contact the bank's Customer Service.  

Please remember these seven things when banking online  

  1. Do not go to the op.fi service through a link you have received or through a search engine. A message directing you to the login page is a scam. Search results in Google, Bing or another search engine may also direct you to a scam website. To avoid this, type the address into the browser’s address bar.
  2. Check the address. Always make sure that you are at www.op.fi. Do not enter your identifiers into a site if you are not sure that it is genuine.  
  3. Keep your user ID and password to yourself. The bank will never ask you to provide your user ID over the phone or by SMS or email.  
  4. Do not open email or SMS attachments sent in the bank’s name. Contact your bank’s Customer Service to verify that the attachments are genuine.  
  5. Do not install an application if asked to do so by someone you don’t know. Install any software you need through your device’s app store.  
  6. Do not confirm transactions if you are not certain that you made them yourself. Always read confirmation requests with due care – if there is anything that does not match, do not confirm anything.  
  7. Please ask in case of doubt. If a contact or message is suspicious or the op.fi service page is not working in the usual way (for example, login with Mobile key is not working), please contact your bank before doing anything else.