
The National Cyber Security Centre Finland’s weekly review – 26/2023

Information security now!

CEO fraud attempts are especially prevalent during the summer. The numbers of Microsoft 365 account compromises have also been high in recent months. In response, we have prepared new instructions to make it easier for you to protect your account.

TLP:CLEAR

Topics covered in this week’s review

  • CEO fraud attempts are especially prevalent during the summer
  • Cyber security situation in Finland stable during Midsummer
  • New instructions on what to do in the event of M365 account compromise

CEO fraud attempts are especially prevalent during the summer

CEO fraud typically involves criminals impersonating the CEO of an organisation in order to send messages to employees asking them to purchase gift cards or pay invoices. The scammers will often claim that the matter is extremely urgent, thus justifying the bypassing of normal processes. The scammers may also claim that the CEO is currently attending a meeting or in a place where they cannot talk.

Criminals can attempt many different types of scams by impersonating a CEO. In addition to CEOs, criminals may also impersonate financial, payroll or HR personnel. These types of fraud are typically carried out during holiday seasons. In recent years, the numbers of CEO fraud attempts reported to the NCSC-FI have been highest during the summer.

It is important for organisations to remind summer employees – and even senior employees from time to time – of the organisation’s correct procedure for processing incoming invoices. The most effective way of protecting your organisation from CEO fraud is to be suspicious of any payment requests that you receive via email and always verify the request by phone or using the original contact information of the issuer if you are unsure about it.

CEO fraud can provide major financial benefits to criminals when successful. According to a report by Finance Finland, in 2022 Finnish people lost just under EUR 5 million to CEO fraud alone. Read more here (in Finnish).

More information about business email compromise (BEC) is available here.

Cyber security situation in Finland stable during Midsummer

The NCSC-FI monitored the conflict between the Russian government and the private military organisation Wagner actively during Midsummer weekend. Based on the NCSC-FI’s observations and situational picture, the conflict did not have an impact on cyber security in Finland. Otherwise, the Midsummer weekend was no different from other weekends in terms of the situational picture.

New instructions on what to do in the event of M365 account compromise

There has been a wave of Microsoft 365 user account compromises among Finnish organisations this year, with the NCSC-FI having received over 100 reports of M365 account compromise in May and June alone. The compromised accounts are used for invoice fraud and to send out thousands of new phishing messages. The NCSC-FI urges all Microsoft 365 customers to use two-factor authentication and limit the use of email forwarding rules. Our new instructions detail how you can regain control of your account and warn others. We also explain how to isolate your account, how to determine what the attacker has done, and what you can do to prevent account compromise.

ABOUT THE WEEKLY REVIEW

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 22–30 June 2023). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.