Information security now!
This week, we highlight online scams in which criminals impersonate a pension insurance company and frighten recipients with claims that their pension payments will be stopped. Clicking the link, however, leads to a fraudulent website that attempts to steal pensioners’ online banking credentials. We also report on the BadBox malware affecting cheap smart devices. In addition, funding is available from the Finnish Transport and Communications Agency Traficom to improve the cybersecurity of communications networks and information systems in line with the requirements of the Cybersecurity Act.
Topics covered in this week's review
Pension-themed scams circulating – how to spot them
In recent weeks, several scam attempts have been detected in which criminals impersonate pension insurance companies. In these scams, customers are lured into clicking on links and entering personal or banking details on fake websites. The messages may arrive by email or text message, and their appearance often closely resembles genuine communications from pension companies.
The fraudulent messages may claim, for example, that pension payments have been suspended or that the recipient must update their details via the link to continue receiving payments. In reality, the link leads to a phishing website.
The criminals’ goal is to obtain victims’ personal information and, in some cases, to trick them into transferring money. Pension providers will never ask customers to log in via links included in a message. Secure access is always through the pension company’s official website.
If you receive a suspicious message, do not click on its links or open attachments. If in doubt, you can confirm the matter by contacting your pension provider directly through their official contact details. Scams can also be reported to the NCSC-FI.
Screenshots of these scams can be found below in this week’s review under Current scams.
Funding call opened to support the implementation of the Cybersecurity Act
Traficom has opened a funding call to support the implementation of the Cybersecurity Act (124/2025). According to section 3 of the Act, the funding is available to micro, small and medium-sized legal and natural persons (entities) within the scope of the Act who have registered in the list of entities maintained by the supervisory authority of their sector. Large companies, organisations covered by the Act on Information Management in Public Administration (906/2029), and entities that have not registered in the list maintained by their supervisory authority are not eligible to apply.
Funding may be granted for assessment and development measures in line with section 9 of the Cybersecurity Act. These measures are intended to evaluate and enhance the ways in which an operator manages risks and prevents or minimises adverse impacts on the security of communications networks and information systems.
The total amount of funding available is up to EUR 2,000,000. Each applicant and project may receive a maximum of EUR 100,000 and a minimum of EUR 10,000. The funding can cover up to 50 per cent of the total project costs. Funding may be granted for projects carried out between 1 January and 31 December 2026. The application period closes on 16 October 2025 at 16:15.
Malware review: BadBox 2.0
BadBox 2.0 is a threat that begins even before the user switches on the device. It is a malware campaign in which malicious code is pre-installed on Android devices—such as Android TV boxes, tablets or smart devices—sold via various online shops and distribution channels.
Unlike many other types of malware, BadBox 2.0 operates with root-level privileges, which makes its removal practically impossible without specialist procedures. The malware can install applications, click on adverts, spy on the user, or exploit the device as part of a wider botnet. The user may not notice anything suspicious. The device appears to function normally, while much is happening in the background.
The infrastructure behind BadBox operates on an “as-a-service” model: criminals can rent access to the botnet and use it, for example, for ad fraud, phishing or denial-of-service attacks.
When it comes to BadBox, caution at the point of purchase is crucial. Cheap devices from unknown manufacturers may contain pre-installed threats. Choose reputable manufacturers and verified retailers instead. Organisations are also advised to block the use of unknown Android devices within their networks.
Recently reported scams
In this summary, we provide information about scams reported to the NCSC-FI during the past week.
What to do if you get scammed
- Immediately contact your bank if you have made a payment based on a scam or a criminal has gained access to your online banking service or payment card information.
- File a police report. You can file a police report online.
- You can also report the incident to the NCSC-FI.
- Guidance for victims of a data leak
Learn how to detect and protect yourself against online scams
About the weekly review
This is the weekly review of the National Cyber Security Centre Finland (reporting period 8–14 August 2025). The purpose of the weekly review is to share information about current cyber phenomena. The review is intended for everyone from cybersecurity professionals to ordinary people.