Most fraud attempts that take place at Blocket Bostad are through hijacked accounts. This is because we do not allow ads to be published without BankID verification of the landlord's account. The fraudsters therefore need to access an already BankID-verified account, which they usually try to do by sending so-called phishing messages to access your login details.
We work actively and constantly to prevent fraudsters, but unfortunately our actions are not always enough. In this article, we explain how fraudsters often operate and what steps you need to take if you've been exposed.
Phishing email/text message
The first step is for the fraudsters to send out a so-called phishing message where you are asked to log in to your user account on a website that is similar to Blockets. Below we explain how you can tell the difference and what you should look for to recognize suspicious behavior.
- Have you received an email or text message regarding double billing, refund or similar? We at Blocket never ask you to log in via a link when we make a refund of advertising fees.
- Please note that we never send text messages about anything other than the signing of a rental agreement or booking requests.
- Check which email address the email was sent from. All our information emails are sent from email@example.com.
- Fraudsters are looking for your user account information to access accounts that are already BankID verified.
- Always check the link at the top of the website, never enter your login details to your user account at Blocket Bostad on a website that is not blocket.se or bostad.blocket.se.
- If you are contacted by someone you suspect is a fraud, please report this to us by reporting the user directly on the website, via the chat, or via email firstname.lastname@example.org
If you feel unsure about whether the link is safe, feel free to contact us in the support-chat or by emailing us (email@example.com) to ask.
We never ask for a landlords credit card details other than at the time of payment when publishing an ad as a corporation. If you receive an email or text message with information about a refund or similar, you should therefore never provide any information. If you receive an email or text message asking you to provide information about your account, please report this to us immediately.
What should I do and how do I know if my account has been hijacked?
- If you have clicked the link in the phishing email/text message, but NOT logged in, you have nothing to worry about and do not need to take any actions.
- If you have logged in after clicking on the link, you MUST change the password on your user account. You can reset your password here: https://login.schibsted.com/forgotpassword/
- If you have also entered your credit card details, you MUST block your card immediately. Contact your bank for help with how to do that.
- You do not need to report the incident to the police unless you have given away your credit card details.
How did a fraudster get my contact information?
Fraudsters often pretends to be potential tenants before attempting to take over an account belonging to a landlord. If you receive a contact request from a tenant who directly asks for contact details, you should therefore be vigilant. If you happen to give your contact details to a fraudster, you may receive a phishing email or text message. We therefore always recommend that you first keep the conversation via the message function at Blocket Bostad, if both parties then wish, you can continue the dialogue in another way if it feels safe.
If your account has been hijacked:
If someone logs into your account from a new device (other computer/mobile phone), you will receive an email from Schibsted with information that a new login has taken place. If you receive such an email without having logged in yourself on a new device, you should immediately change the password for your user account.
If you have inserted your credit card details, the first thing you should do is contact your bank and block the card. After that, you should also file a police report. If you have been charged for an advertising fee that you have not made yourself, you can get help from your bank to get this charge refunded.
How do I get my account reactivated after a hijacking?
When you have changed the password for your account, you can email us at firstname.lastname@example.org from your email address that the account is linked to. We can then reactivate your account for you.