BankID Phishing in Sweden: How Scammers Hijack Your Digital Identity

BankID is the digital backbone of Sweden. It is not just a banking tool — it is how you log in to your bank, file your taxes with Skatteverket, access healthcare records through 1177, sign contracts, and verify your identity for practically every government and private service. Over 8 million Swedes use it, making it one of the highest-adoption digital ID systems in the world.

That universal reliance is exactly what makes BankID phishing so dangerous. When scammers gain access to your BankID, they do not just access one account — they potentially access everything.

How BankID Phishing Works

BankID phishing does not typically involve stealing a password. Instead, scammers trick you into authenticating with your own BankID on their behalf. The scammer initiates a transaction (a login, a payment, a loan application) and then gets you to approve it on your device, believing you are doing something else entirely.

The Anatomy of a BankID Attack

1. Scammer initiates an action — Logging into your bank, signing a loan, transferring money
2. Scammer contacts you — Via phone, SMS, or email, pretending to be your bank or a government agency
3. You are asked to "verify" or "secure" your account using BankID
4. You open BankID and authenticate — But you are actually approving the scammer's transaction
5. The scammer completes their action with your authenticated identity

The Most Common BankID Scams

1. The Fake Bank Phone Call (Vishing)

You receive a phone call from someone claiming to be from SEB, Nordea, Swedbank, or Handelsbanken. The caller ID might even show the bank's real number (spoofed). They tell you there has been suspicious activity on your account and that you need to verify your identity with BankID to "block" the unauthorized transaction.

When you open BankID and enter your security code, you are actually approving a transfer or a login that the scammer initiated on the other end.

Critical fact: Swedish banks will never call you and ask you to open BankID. If someone asks you to do this, hang up immediately.

2. Remote Desktop Scams (AnyDesk/TeamViewer)

A caller claiming to be tech support, your bank, or even Polisen asks you to install AnyDesk or TeamViewer to "help secure your computer." Once connected, they have full access to your screen and can watch you enter your BankID code — or navigate to your bank themselves while you are distracted.

This scam is particularly devastating because the scammer can drain accounts, take loans, and make purchases while sitting in front of your computer remotely.

3. Fake SMS with BankID Verification Link

You receive an SMS that looks like it is from your bank: "Suspicious login detected. Verify your identity immediately: [link]." The link leads to a fake bank page that prompts you to authenticate with BankID. The authentication goes to the scammer, not to your bank.

4. The Investment Scam with BankID

You express interest in an online investment opportunity. To "register," you are asked to verify your identity with BankID. What actually happens is the scammer opens an account in your name at another bank or service, using your BankID authentication.

5. The Tax Refund Scam

An email or SMS claims you have an unclaimed tax refund from Skatteverket. To claim it, you need to verify with BankID. The link takes you to a fake Skatteverket page, and your BankID authentication is used for something entirely different.

BankID Scam Red Flags

Warning Sign	What It Means
Phone call asking you to open BankID	Always a scam — banks never request this
SMS with link to "verify" via BankID	Phishing link leading to fake page
Request to install AnyDesk or TeamViewer	Remote access scam targeting your device
Caller claims to be from Polisen or bank security	Scammer impersonating authority
Urgency — "You must act now or your account will be frozen"	Pressure tactic to bypass rational thinking
BankID prompt you did not initiate yourself	Someone else triggered that authentication

How to Protect Your BankID

1. Never open BankID because someone asked you to — Only use BankID for actions you personally initiated
2. Always read the BankID prompt carefully — It tells you what you are approving (login, payment, signing)
3. Hang up on anyone asking you to authenticate with BankID — Then call your bank's official number
4. Never install remote access software at anyone's request
5. Enable BankID security features — Use the "Only on this device" setting to prevent BankID from being used on another device
6. Report BankID abuse immediately to your bank and to polisen.se
7. Check your credit reports at UC (Upplysningscentralen) and Bisnode regularly for unauthorized loans

What to Do If You Were Scammed via BankID

1. Contact your bank immediately — Request a freeze on all accounts
2. File a police report at polisen.se
3. Contact UC and Bisnode to place a credit lock on your personnummer
4. Change all passwords and review active BankID sessions
5. Report to Finansinspektionen (Swedish FSA) if the scam involved financial services
6. Monitor your credit for unauthorized loans or accounts

Share Sensitive Identity Information Safely

Sometimes you need to share sensitive information — bank details, personnummer-related documents, or login credentials — with trusted family members, accountants, or legal advisors. Never send these through SMS or email. Use LOCK.PUB to create a password-protected, self-expiring link. Only the person with the password can access it, and it disappears automatically.

The Golden Rule of BankID

There is one rule that will protect you from virtually every BankID scam: never authenticate with BankID unless you personally initiated the action. If you did not start the login, the payment, or the signing — do not approve it. No matter who is asking.

Your BankID is your digital identity. Treat it like your house key — never hand it to someone who calls you on the phone. When sharing sensitive credentials or identity documents, use secure tools like LOCK.PUB instead of unprotected channels. Stay safe, and remember: if someone asks you to open BankID, the answer is always no.