
The National Cyber Security Centre Finland’s weekly review – 08/2024

Information security now!

This week, we talk about a wave of compromised email accounts, attempted CEO fraud, and online scams that use the names of the parcel and travel service company Matkahuolto and the Finnish postal service Posti.

TLP:CLEAR

Email account compromises are on the rise again

The National Cyber Security Centre Finland (NCSC-FI) has received reports of Microsoft 365 account compromises again. Scam messages masked as secure emails lead to a phishing site that attempts to steal user IDs and passwords. If you make the mistake of clicking the link in the scam message and entering your email username and password on the website that opens up, your email account will be hijacked by criminals, who will use it for fraud and to send out more phishing messages. Compromised accounts can be used to send thousands of new phishing messages.

The NCSC-FI urges all organisations using Microsoft 365 services to provide their employees with information about the threats posed by phishing messages. We also recommend using two-factor authentication and restricting the creation of email forwarding rules. One effective way of protecting against phishing campaigns is to make two-factor authentication mandatory for your organisation’s users. Leaving the use of two-factor authentication up to the user does not provide the same level of protection.
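One way to check for the forwarding rules mentioned above, as an added example that is not NCSC-FI's own code: it scans mailbox audit records for rule or mailbox changes that forward mail outside the organisation. The JSON record shape (`Operation`, `UserId`, `Parameters`) is a simplified assumption modelled on Microsoft 365 audit exports, and the domains, users and log lines are constructed.

```python
import json

# Assumption: the organisation's own mail domains (placeholder value).
INTERNAL_DOMAINS = {"example.fi"}

# Exchange operations and the parameters on them that set up forwarding.
FORWARDING_PARAMS = {
    "New-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-InboxRule": {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"},
    "Set-Mailbox": {"ForwardingSmtpAddress"},
}

# Constructed sample records, one JSON object per line (the last line is malformed).
SAMPLE_LOG = """\
{"Operation": "New-InboxRule", "UserId": "maija@example.fi", "Parameters": [{"Name": "Name", "Value": "Archive"}, {"Name": "ForwardTo", "Value": "collector@mail.example.net"}]}
{"Operation": "New-InboxRule", "UserId": "pekka@example.fi", "Parameters": [{"Name": "MoveToFolder", "Value": "Newsletters"}]}
{"Operation": "Set-Mailbox", "UserId": "admin@example.fi", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:arkisto@example.fi"}]}
{"Operation": "Set-InboxRule", "UserId": "talous@example.fi", "Parameters": [{"Name": "RedirectTo", "Value": "a@example.fi;b@other.example.org"}]}
{"Operation": "New-InboxRule", "UserId":
"""

def external_targets(value):
    """Return the addresses in a parameter value that lie outside INTERNAL_DOMAINS."""
    targets = []
    for part in value.replace(",", ";").split(";"):
        addr = part.strip().lower().removeprefix("smtp:")
        if "@" in addr and addr.rsplit("@", 1)[1] not in INTERNAL_DOMAINS:
            targets.append(addr)
    return targets

def find_external_forwarding(log_text):
    """Return (user, operation, external address) for each forwarding change found."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting the scan
        if not isinstance(rec, dict):
            continue
        watched = FORWARDING_PARAMS.get(rec.get("Operation"), set())
        for p in rec.get("Parameters", []):
            if p.get("Name") in watched:
                for addr in external_targets(str(p.get("Value", ""))):
                    findings.append((rec.get("UserId"), rec["Operation"], addr))
    return findings
```

Each finding is a candidate for review: a forwarding target outside the organisation on an account that recently received a phishing message is a strong sign the account should be treated as compromised.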

Read more: Weekly review 04/2024 and Alert 1/2023

Attempts of fraud by pretending to be the CEO

A large number of cases of CEO fraud have been reported to the NCSC-FI again. In recent weeks, similar types of email messages have been sent to the financial administration of various organisations, asking questions about the balance under the name of the CEO or Director-General and containing requests to make an urgent transfer of tens of thousands of euros to a foreign account. Finnish accounts have also been used for payment fraud. The scam messages use fairly good Finnish, and the sender’s address may look right. There are also some more suspicious-looking messages sent from random Gmail addresses, but you should not think that a wrong sender’s address is a sure way to tell the difference between a scam message and a real one.

In some cases, the organisation’s email account has been breached, meaning that the CEO’s address can be used by criminals. A genuine Teams or email message sent from the CEO’s real address makes the scam more believable. If the email account has been compromised, the confirmation messages sent by email will be answered by the scammer, who assures the recipient that everything is all right. You can confirm suspicious messages by calling the sender by telephone. Scam messages often mention urgency or secrecy or claim that it is not possible to talk on the phone right now, but the money transfer has to be done quickly. Financial administration needs to remain calm and keep to the organisation’s normal payment approval practices even if the scam message demands that the normal checks and approvals must be bypassed.

In addition to regular CEO fraud, cases of salary payment fraud have also been found. In them, the scammer sends a message to the payroll clerk under the name of the CEO, asking to change the account to which the CEO’s salary is paid. In these cases, too, it is important to stick to the organisation’s secure confirmation practices instead of changing the account to which any person’s salary is paid simply based on a message.

CEO fraud is invoicing fraud

  • The fraud is usually attempted via email in the name of the CEO or another authority.
  • The targets of the fraud are usually substitutes, financial administration or payroll clerks.
  • The message tells the recipient to make an account transfer, purchase gift cards or change the account to which an employee’s salary is paid to a different account, for instance.
  • The fraud often claims that it is an urgent matter or that there is a non-disclosure obligation.
  • The fake CEO may give the scammer’s telephone number in the message or claim that the CEO cannot talk on the phone right now.

Do not let urgency deceive you – there is always time to check

  • Sometimes the scammer may be revealed by a suspicious-looking sender’s address of the message.
  • However, a scam message may also be sent from a hijacked corporate account, or even the CEO’s own email address.
  • Check the situation by calling the CEO’s real number directly.
  • Always follow the organisation’s secure confirmation practices for financial transactions.

Attempts of payment fraud using the names of Matkahuolto and Posti

A new phenomenon in the reports we have received during the last two weeks has involved attempted payment fraud using the names of the parcel and travel service company Matkahuolto and the Finnish postal service Posti at various online marketplaces. The reports highlight scams and attempted fraud that target sellers. As far as we know, an interested buyer approaches the seller and offers to pay for the product via Matkahuolto or Posti. In reality, the payment page is a phishing site created by criminals, where sellers are deceived into filling in information on their means of payment and handing over their online banking credentials in order to receive the payment.

We have received reports of fraud and attempted fraud at least from the users of the Tori.fi service and Facebook Marketplace. The Finnish language used in the messages sent to the victims has been fairly convincing. Scammers may justify the use of the suggested payment service by claiming that they have been scammed before in other services.

If you enter your own information at a phishing site by mistake, contact your own bank immediately. In addition, we recommend that you file a report of an offence on the issue and also report it to us (report here).

We also recommend that you read our instructions ‘How to protect yourself against online scams’.

Together against text message scams – more than 70 sender IDs have been protected already

In recent years, many of us have received scam messages that look real, in which the sender ID of the text message makes it seem that the message has come from your own bank or a logistics company sending a package, for example. However, the messages and the links they contain have come from scam sites, used by criminals to phish for online banking credentials, for example.

Thanks to the cooperation between operators and the Finnish Transport and Communications Agency Traficom, criminals are again finding it a bit harder to manufacture text message scams. Starting from 9 November 2023, Traficom has offered organisations an opportunity to protect their own sender ID. So far, various organisations have already protected more than 70 text message sender IDs. Participants include e.g. Nordea, OP, S-Pankki, Posti, the Finnish Social Insurance Institution Kela, the Finnish Tax Administration and the Finnish police. You can check the protected IDs and the day when the protection became valid on Traficom’s website.

What does the protection mean in practice and what does it require from the applicant? Read more in our news.

Mark the date: National Coordination Centre’s brokerage event, 23–24 April 2024

Mark the date! The National Coordination Centre (NCC-FI) will organise an international brokerage event in Helsinki on 23–24 April 2024. A more detailed invitation and programme will be updated on the event page soon!

About the weekly review

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 16–22 February 2024). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.