Instructions for phishing messages
Today, a large number of different phishing messages are in circulation, and Posti is sometimes used as the fake sender. In most cases, the phishing messages are either SMS or email messages. Posti cooperates with the police and other parties to combat phishing messages.
Phishing messages may seem deceptively authentic.
Appearance: The message may include Posti’s logo, colors or other artwork.
Contents: The message may contain a genuine Posti tracking code.
Channel: An SMS message may appear in the same message thread on your phone as authentic notices of arrival, seemingly sent by the same sender.
The contents of the phishing messages vary, but they often pretend to notify you of the arrival of an item or a prize you have won, or to concern OmaPosti. For instance, messages related to an incoming item may ask you to book a delivery time, confirm your delivery address, clear the item or pay the delivery fee.
If you have received a suspected phishing message:
Delete the message without opening it. Do not click any links in the message.
Do not reply to the message or take the action it suggests.
Be extremely careful if you’re unsure of the sender and you’re asked to log in or to provide your personal information, bank details or user information.
Remember that you can always check Item Tracking or OmaPosti to make sure that the status of the item corresponds with the information in the message.
If you received a phishing message and revealed your bank details, immediately contact your bank and then report the issue to the police.
How phishing works
Typically, scams are based on phishing, i.e. the goal is to steal your personal information, user information or bank details.
What the scammers do:
You receive a seemingly genuine message including a link and a suggested course of action.
Clicking the link takes you to a temporary website established for the purpose of the scam.
The page asks you to provide information, such as to identify yourself using your online bank credentials or Apple ID.
The page stores the information you provide and uses it for criminal purposes.
If the message contains a download link, it attempts to install a malicious application on your device. The goal of the application is to steal your data.
Characteristics of messages sent by Posti
Posti’s notice of arrival includes the pickup location and its address; you will not be asked for additional information or to identify yourself with your Apple ID.
Posti does not send a link for the payment of a customs clearance fee or a handling fee. Customs clearance is handled either on the Finnish Customs website or in OmaPosti. Posti’s handling fee for a cleared item is always paid on Posti’s website.
When it comes to Cash on Delivery items, the notice of arrival includes a link to the COD payment.
You can only download the OmaPosti app through your phone’s application store. Posti never sends the application file directly to the customer.
Posti sends SMS messages to map customer satisfaction after picking up a parcel. The SMS includes a link to the survey site. The link is in the following format: https://isms.fi/xxxxx. The SMS messages are sent from normal cell phone numbers owned by BookIT Oy.
Below is an example of an SMS sent by Posti to map customer satisfaction.
Examples of scams perpetrated in Posti’s name
Phishing messages can look extremely authentic, which can make them hard to recognize. See the pictures of phishing messages sent in Posti’s name.
There are fake accounts on social media pretending to be Posti. For example, these fake accounts may claim to sell items unclaimed by Posti’s customers. As Posti never sells its customers’ items, this is a devious attempt to phish for personal information or make money through illegal means.
Scams related to prize draws and competitions. Some of the phishing messages are linked to competitions that claim to be organized by Posti. In reality, they are used to phish for personal information or bank details. You can check Posti’s official social media accounts or https://www.posti.fi/en to verify that the competition is truly organized by Posti.
People selling things on online marketplaces may also be approached with the intent to scam them. Someone passing themselves off as an interested buyer may approach the seller, for example, on WhatsApp and claim to have transferred the payment for the product to the seller’s account via Posti. Then, when the funds do not show in the seller’s account, the “buyer” sends the seller a link to a phishing website resembling Posti’s website for the seller to check that the payment has reached their account. The purpose of the site is to phish for the seller’s bank details or personal data.
OmaPosti and information security
Only download the OmaPosti app from an official application store, either the Google Play store or the App Store. The publisher of the application is Posti Group Corporation. In the application store, you can access the download link via the OmaPosti info page. Alternatively, search for “omaposti” in the application store.
Please read the detailed instructions on how to improve your security in OmaPosti.
Read more on government websites
You can find more information about online scams as well as instructions on how to identify phishing messages on government websites.
Police:
Finnish Competition and Consumer Authority (FCCA):
National Cyber Security Center:
Reporting a suspected vulnerability
Security is the foundation of our digital services. We use advanced security methods and develop our systems constantly to ensure the data security of our services. If you suspect a vulnerability or want to help us improve our data security, you can participate by sending us a security report in Posti’s official bug bounty programme at login.intigriti.com/account/register. All reports will be reviewed.