Threat Analysis: Matkahuolto Phishing – Fake Payment Release Scam (Finnish Variant)
This phishing campaign impersonates Matkahuolto, a well-known Finnish logistics and transport company. The scam targets sellers on classified or marketplace platforms, creating a fake payment confirmation process. The victim is led to believe that a buyer has already paid for an item, and the seller must “receive” the funds by providing bank card or online banking details.
How it works:
The victim (a seller) receives a message (e.g., via SMS, email, or messaging app) from a supposed buyer claiming that the item has been paid for and the funds are being held by Matkahuolto. The message includes a link to a fake Matkahuolto-branded page.
Step 1 – Fake Payment Confirmation & Recipient Info
The page displays:
A product (e.g., “Riihimäen lasi r”) and a price (e.g., 15.00 EUR)
Fake buyer details (name, address in Turku, Finland)
A message stating the buyer has paid for the item and shipping
Instructions that the seller must confirm the payment to receive the funds to their card or bank account
A button to “Hyväksy maksu” (Approve payment)
The page includes a fake online support chat section to add credibility.
Step 2 – Bank Selection Page
After clicking the approval button, the victim is taken to a page asking them to select their bank from a list of major Finnish banks (Nordea, Handelsbanken, OP Bank, POP Pankki, Aktia, etc.). Fake security badges (3-D Secure, HTTPS, PCI DSS Level 1) are displayed to appear trustworthy.
Step 3 – Fake Processing Page
The victim is being redirected to a fake banking login page.
Then the victim sees a waiting page claiming that their information is being processed and they should not leave the page.
The goal:
The attacker aims to:
Direct the victim to a fake online banking login page for their selected bank
Steal the victim’s online banking credentials (username, password, and possibly 2FA codes)
Alternatively, capture credit/debit card details if the fake flow asks for them directly
There is no actual buyer or payment – the entire transaction is fabricated. The promised funds (e.g., 15 EUR) are used as a lure.
Red flags to watch for:
Suspicious URL: The pages are hosted on domains that are not matkahuolto.fi. Legitimate Matkahuolto services are accessed through their official domain.
Illogical request for payment to receive funds: The seller is asked to “approve” or “confirm” payment to receive money – this is not how legitimate transactions work. Receiving funds does not require the seller to take action on a payment page.
Bank selection page after a shipping company page: Matkahuolto is a logistics company, not a payment intermediary. They do not handle payment processing between buyers and sellers.
Fake security badges and support chat: These are copied from legitimate sites to create false trust.
Urgency and pressure: The pages imply that the seller must act quickly to receive the funds, a common tactic to bypass critical thinking.
No login or tracking number provided: The victim cannot verify the supposed transaction through official Matkahuolto channels.
What to do if you encounter this:
Do not click any buttons or select your bank on these pages.
Do not enter any online banking credentials or card details.
If you are expecting a payment from a buyer, always verify directly through the platform where the item was sold (e.g., Facebook Marketplace, Tori, Huuto.net) – never through external links.
If you have already entered your banking credentials, contact your bank immediately to secure your account.
Report the phishing page to Matkahuolto (e.g., via their official customer service) and to the relevant authorities.
Protective measures:
Never click links in unsolicited messages claiming a buyer has paid through a shipping company.
Always type the official website URL directly into your browser.
Never provide your online banking credentials or card details to “receive” a payment.
Enable two‑factor authentication on your bank accounts.
Be suspicious of any message that creates urgency and asks you to log in to a bank via a link.