S Bank’s online banking app on a smartphone in Vantaa on Wednesday, 14 September 2022. Police on Wednesday said it is investigating a series of means of payment frauds and computer break-ins in connection with the system error that affected a few hundred of the supermarket bank’s customers for months earlier this year. (Timo Jaakonaho – Lehtikuva)


POLICE OFFICERS in Eastern and Western Uusimaa are investigating 53 cases of means of payment fraud and roughly 150 cases of computer break-in in connection with a long-standing vulnerability in the online banking services of S Bank.

Police on Wednesday confirmed that the series of frauds and computer break-ins continued throughout the summer, having started in May.

The perpetrators, for example, exploited the vulnerability to access the online banking services of other customers, use their log-in credentials to access other online services and to make unauthorised payments, indicates a press release issued by S Bank on Tuesday. The system error, it said, enabled a “small group of customers” to log in to the online banks of others “in certain circumstances”.

The error was rectified immediately upon its detection, on 5 August.

Klaus Geiger, the detective chief inspector in charge of the pre-trial investigation at Western Uusimaa Police Department, said the case is unusual because the suspects reside and committed the offences in Finland. Another unusual aspect is that the suspects did not need to deceive the victims to commit the wrongdoings.

“The series of offences under investigation is completely different to the so-called phishing frauds that have occurred across the nation, which are orchestrated from abroad by misleading the victims,” he said in a press release.

The perpetrators are tentatively suspected of aggravated means of payment fraud, aggravated money laundering and computer break-in. Two of them are currently in pre-trial detention, while a few others have been in police custody or under arrest during the pre-trial investigation.

Geiger told Helsingin Sanomat that the suspects were friends with one another. “The entire group of perpetrators had known each other one way or another,” he said.

Although the victims reside all over the country, the investigation is being carried out by police in Eastern and Western Uusimaa. The officers will be contacting all victims in the case in the coming days.

Also S Bank has indicated that it has been or will shortly be in contact with all the victims.

Helsingin Sanomat on Wednesday wrote about a man who notified the bank of several unauthorised withdrawals and loans taken out on his account in May. He also filed a report of an offence, but he was later told that the pre-trial investigation had been discontinued after police concluded that there was reason to believe the offences had taken place overseas, beyond their jurisdiction.

The man told the newspaper that while police instructed him not to pay any bills linked to the misappropriated money, the bank insisted that the bills would have to be paid because the withdrawals were the consequence of careless handling of log-in credentials.

It remains unknown why it took nearly four months for the bank to detect the error.

“Every case like this is too much, but one explaining factor is that the error affected such a limited group. Now that the error has been located, it’s easier to look into the cases. Nowadays criminals are targeting a lot of activity at banks through digital channels, for example. We didn’t see the whole scope immediately,” Hanna Porkka, the acting chief executive of S Bank, said to Helsingin Sanomat on Wednesday.

Aleksi Teivainen – HT