Front Page: NCSC-FI
Front Page: NCSC-FI

The National Cyber Security Centre Finland’s weekly review – 3/2023

Information security now!

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 13–19 January 2023). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.


Topics covered in this week’s review

  • Wave of Microsoft M365 account phishing
  • Multi-factor authentication protects against phishing
  • ‘Hi mum’ scams spreading

Wave of Microsoft M365 account phishing

There has been a new wave of Microsoft 365 user account compromise among Finnish organisations recently. The compromised accounts are used for invoice fraud and to send out thousands of new phishing messages. The NCSC-FI urges all Microsoft 365 customers to use two-factor authentication and limit the use of email forwarding rules.

Lately there have been phishing messages going around that have been made to look like secure email messages. These message also often include the logo of Kela, a health station, a wellbeing services county or insurance company, for example. Thus disguised as an important secure email, the phishing message will instruct the user to enter their email account username and password on a phishing site controlled by the scammer. The victim thinks that they are entering their login details on a Microsoft 365 login page, but is actually disclosing them to criminals.

Compromised email accounts belonging to companies and other organisations are valuable assets for criminals. Once an email account is compromised, the criminals will set up forwarding rules for it, allowing them to read and follow the email traffic on the account. If the compromised email account is used to process e.g. invoices and monetary transactions, the criminals may also exploit it for invoice fraud. Hijacked accounts belonging to interesting organisations are bought and sold on criminal forums, while the rest are used to send out new phishing messages to everyone in the compromised email account’s address book. After all, a scam message coming from a familiar address is far more likely to be read than a random spam message.

Multi-factor authentication protects against phishing

Aggressive phishing has resulted in the Microsoft 365 email accounts of many organisations being compromised. The criminals’ aim in phising is to get a hold of usernames and passwords with which to access user accounts. However, there is an effective way to prevent email account compromise: multi-factor authentication (MFA). This week, we have once again received several reports of email compromise and hijacking that could have been prevented with multi-factor authentication.

The way phishing usually works is that the victim will receive an email message with a link to a fake login page made by the criminals. The page may look practically identical to the real login page that it is imitating. In fact, the only difference may be the URL. Any usernames and passwords entered on the fake login page are relayed to the criminals, who will then proceed, often within just a few minutes, to check whether the username and password actually work.

Phishing email messages may arrive from familiar cooperation partners. They may also be disguised as secure emails. The subject of the message may reference some topical matter or include words like invoice or debt collection, prompting the recipient to investigate further.

Once an email account is compromised, the criminals will use it to send out more phishing messages, wait for an opportunity to change account details on invoices or impersonate the account holder to send messages to others asking them to transfer money to a bank account controlled by the criminals. In addition to this, compromised email accounts are scoured for any sensitive information that could later be used for other crimes or even facilitate a future ransomware attack.

In addition to requiring technical recovery measures, email account compromise can result in damage to the organisation’s reputation, sensitive data being leaked, loss of customer trust and financial losses that could even lead to bankruptcy.

Once a criminal breaches an email account, they can change the account numbers on outgoing invoices and cause hundreds of thousands of euros worth of damage in the form of invoice fraud.

Enable multi-factor authentication now

Companies should enable multi-factor authentication without delay at least for any services used via external connections, such as cloud-based email services.

Multi-factor authentication means verifying the user’s identity based on several different factors when they sign in to a service. In practice, this means that after entering a username and password, the user is required to verify their identity in some other way as well, such as by using a smartphone app paired with the service, which works similarly to the login mechanisms of online bank services.

In organisations, multi-factor authentication must first be enabled by IT personnel before it can be enabled for basic users. IT personnel can also force all users to enable multi-factor authentication. Secure multi-factor authentication should be enabled at least for any business-critical personnel. The ‘lightest’ solution is SMS verifications, followed by various authenticator apps, followed in turn by WebAuthn, which is based on the FIDO standard.

‘Hi mum’ scams spreading

The ‘Hi mum’ scam has been spreading across the globe in recent months, and reports indicate that there is also a Finnish version of the scam going around again.

Criminals are constantly trying to come up with new ways of winning over the trust of their victims, with the ‘Hi mum’ scam currently spreading via WhatsApp being a good example of this. In the ‘Hi mum’ scam, the scammer attempts to impersonate the potential victim’s child, explaining that they are messaging from an unknown number because their phone broke down, for example. As the discussion continues, the criminal will ask the potential victim to transfer some money to a bank account for the purpose of purchasing a new phone, for example. In reality, the money is transferred to a bank account controlled by the criminal.

‘Hi mum’ scam messages can arrive from both Finnish and foreign numbers. If you receive a message from an alleged family member from a new number, you should try to verify their identity by sending a message to their old number. You can also ask them some questions without giving away any personal information. If you do not receive any straight answers or the messages are written in poor Finnish or illogical, you can be sure that you are not chatting with your actual family member. Do not open any links included in the messages or give out your personal information unless you are absolutely sure that you are chatting with the person you know.

Even if the scammer fails to scam you, you should still report the attempt to the police. If you have already transferred money, you should immediately contact your bank and then contact the police.

Follow us on social media!

Have you found us on social media already? We provide information on e.g. currently circulating scams, topical cyber security issues and open jobs on social media.

Did you know that Traficom is involved in nearly all aspects of transport and communications? These social media channels explore land, sea, air and data networks.

Subscribe to the NCSC-FI’s newsletters or RSS feeds to be notified as soon as new information is published.