Online security

Never share your card number or security number (CVV, validity period, Secure Code) when asked on social media, via email, SMS, or phone.

You should never agree to login or sign any documents using your electronic ID without checking the source.

Good to know

The number of fraud attempts has increased significantly in recent years, and they target both individuals and companies. You should pay close attention to internet security. The information on this website can help you prevent financial fraud attempts from succeeding. Customers are encouraged to contact us if they become aware of online fraud and to take screenshots if they notice suspicious activity.

Individuals and businesses should contact us by telephone (440 4000) immediately. We will send you a document entitled Changes to Telephone Transaction, which you must fill out and send back through this form. Immediate action is necessary as 2-3 days is all it takes to make it almost impossible for us to retrieve your money.

If you have any issues, you should notify the police, e.g.,, and your commercial bank.

  • More information on notifying Íslandsbanki about any suspicious activity

Main types of fraud:

  • Smishing: SMS fraud often takes place in the name of companies like DHL and UPS. These scams involve hackers obtaining card information, installing payment cards in Apple/Google Wallets, and accessing online banking accounts. They can increase authorisations on cards, apply for overdrafts and loans, and transfer money from the victim's accounts.
  • Vishing: Icelanders have been receiving fraudulent phone calls in recent weeks. Here are the scam phone numbers we know about: 539-5244, 539-5263, and 539-5264. Various methods are used to defraud people. Some of these scams are investor scams, where they pretend to be brokers and try to convince people to invest. They may also claim to have a large sum of money waiting for you. A recent incident occurred when a foreign entity claimed to work for a UK regulatory agency. The criminal said they were trying to access the person's bank account.
  • Phishing: Actual fraud was committed during a Hópkaup giveaway. Hópkaup announced the giveaway on their Facebook page. The game required people to leave a comment on the post. Participants were then told by the false Hópkaup Facebook page that they had won the giveaway. People were fooled into giving out their card details through a fake Hópkaup link included in the comments.
  • Investment Fraud: Facebook is currently flooded with fake investor fraud ads. Recently, an ad prompted victims to provide their phone numbers. Numerous calls from foreign numbers were made to the victims, inviting them to invest. During the phone calls, they sent the victims e-mails where they asked, among other things, for card information. They also sent a link to AnyDesk, which lets them control the victim's computer. Fraudsters used the victim's credit card to create a Binance account in the victim's name. The victim had trouble understanding their English, so they invited him to communicate with them in another language and suggested Danish, Norwegian or Swedish. After that, the victim selected Swedish, and all e-mail communications were in Swedish. While it is significant that the hackers offered a Nordic language to communicate, the emails indicate that they used Google Translate to write in Swedish.

If it sounds too good to be true, it's probably too good to be true.

Social media fraud

Cyber fraud has been a significant problem recently, with unscrupulous parties gaining access to sensitive customer information. If you become aware of online fraud, please let us know and take screenshots of suspicious interactions.

Under no circumstances should you disclose your card number or security number (CVV, validity period, Secure Code) to anyone on social media, in an email, in an SMS message, or over the phone. You should carefully read what you agree to when you receive a Secure Code security code or electronic credentials request.

Facebook and Instagram have been scammed recently with sites that claim to pay people for watching videos. One of these sites is called Telegram Money.

A real communication between the victim and fraudster is shown here, but the fraudster used Facebook Messenger to commit fraud in this case. See communication.


It's crucial to be alert when receiving texts or emails that appear to come from companies. There have been many SMS messages posing as mail delivery messages recently. An example would be to ask the recipient to click a link to update their information.

Have a look at the example of SMS fraud involving DHL, where the phone number, amount, and URL indicate it's a fraud.

Here is another DHL example, which reads as follows:

"The package is waiting for delivery. Please submit the payment (1.99 EUR) under the following link."

In this case, the relevant link leads to a fraudulent site.

Text messages rarely contain payment information, so always be on the lookout and check the sender's name and number if the message appears via text.

Card fraud

Card fraud can occur anywhere, including Facebook, Messenger, e-mail, online giveaways, etc. When a family member or friend asks for a picture of your credit card, it's most likely a criminal has hacked into their account.

These fake logins can be spotted by keeping the following in mind:

  • Word usage: Does the wording seem garbled and translated?
  • Icelandic alphabet: Are there any Icelandic letters missing in the name of a business or service provider?
  • Unusual font: Is the font different from what's usually used on Facebook?

Several logins contact individuals and tell them they've won a giveaway and only need to send their payment card details. Whatever the case, this is a scam that's too good to be true. Giveaways at stores never require card numbers or pictures of payment cards.

Normal circumstances should never require you to:

  • Share any details about your cards, e.g.  number, date and CVC number
  • Send a picture of your card to someone, regardless of whether you know them or not
  • Share information because you think you've won money or a giveaway at a store

Electronic ID

You are not required to enter your PIN if you did not sign in with an electronic ID but still receive an authentication message. Possible reasons are that someone entered the wrong number or it is a scam.

Your electronic ID belongs only to you. Someone who asks for your phone number online (often via messenger) and sends you authentication is likely part of a scam.

You should never:

  • Log in electronically to online banking and apps at the request of others, e.g., via Facebook and Messenger.
  • Sign documents with electronic ID created by and asked for by others, e.g., via Facebook or Messenger)

Please be careful with electronic IDs, and do not accept anything without knowing the source.

Cyber fraud and attacks

How can you protect yourself?

You should always verify payment requests by phone before making a payment.

Red flagging potential cyber-attacks:

  • The email address has been slightly altered.
  • The sender's name is correct, but the email address ending is different, e.g. or When viewing an e-mail on your mobile, click on the sender's name to see their e-mail address.
  • Soon after receiving an invoice, a new invoice was received stating that the previous invoice contained incorrect payment information.
  • When you receive an email from a high-ranking person within the company, do you feel pressured to make a payment? Call the person immediately for confirmation.
  • Are the payment details new, a new bank, a new country or a newly established company?
  • Are they communicating differently than you expect, e.g., sharper, shorter, using another language, even rude and highly demanding? Is the person abroad and unable to answer the phone?
  • Mistakes and grammatical errors are more likely to be overlooked since communications appear to be from a mobile device.


Examples of web scams

This is an example of phishing, where hackers pose as Netflix in an email:

Good habits

Examples of common cyber fraud and attacks

  • Stress attacks (DDos) - Vandalism
  • Dating/romance scam - Paid to a person in good faith
  • Investment fraud (false information)
  • CEO / BEC fraud - Paid to the wrong person
  • Data leaks, e.g. leaked passwords and personal information - Abuse
  • Hostage-taking software (Ransomware) - Extortion
  • Rent fraud, e.g. short-term rental - Paid to the wrong person
  • Use of personal content (Public shaming) - Blackmail
  • Social media scam- Abuse
  • Computer hacking - Abuse that results in fraud
  • Phishing - Abuse