Weekly review of the National Cyber Security Centre Finland (NCSC-FI) - 29/2025

Text message scams in the name of the police

Text messages sent by criminals have increased. The NCSC-FI has received reports of the scam messages from banks, authorities, companies and brands. During the last week, scam text messages have been sent using the police as the sender, such as "KRP", "POL-KRP", or "KrpKutsu". Scammers have used threats of legal action, such as interrogation notices, to pressure victims into clicking the link in the messages. Behind the link, a page opens displaying the police logo, followed by a counterfeit login page intended to steal the victim's online banking credentials.

Emails have also been circulated in the name of the police, threatening recipients with a traffic fine payment. The email contains a PDF attachment that threatens the recipient with an €89 fine and prompts them to click a link.

Many other scams impersonating banks or authorities aim to lure recipients into clicking a link that leads to a phishing site targeting online banking credentials. Criminals who acquire online banking credentials through phishing can use them to access the victim's bank account. 

Registering the sender name of a company or organization

An organization can register a sender name for its own use to prevent criminal fraudsters from sending messages in the name of the organization or its brand. A sender name can be registered if it matches the organization’s business name, auxiliary business name, or parallel business name. Even if an organization does not need to send text messages under its own name, it is worth considering registering a sender name to prevent fraud attempts. Can scam messages sent under a company's name cause reputational damage? If so, registration is a good way to protect your name and prevent it from being used in scams.

Non-updated equipment exposes devices to information security threats

Microsoft will end support for the Windows 10 operating system in October 2025. This is part of a broader phenomenon affecting devices and operating systems, where products that have reached the end of their lifecycle no longer receive security updates or technical support. The end of updates makes the device vulnerable to information security threats. This applies to all internet-connected devices and operating systems, including routers and modems.

As a result of exploited vulnerabilities, a user's sensitive information may be exposed, or the devices may become part of networks controlled by criminals. Using compromised devices or stolen data, criminals can continue to send phishing and scam messages. Outdated software, such as an obsolete antivirus program, may no longer protect the user against malware, which can lead to data exposure and financial loss.

Check for available updates in the device’s settings. Enabling automatic updates ensures that your protection stays up to date. The manufacturer provides information on when a device or operating system will reach the end of its support lifecycle. If security updates are no longer available, it is recommended to replace the device in order to maintain cybersecurity. Information security is part of the entire lifecycle of a device and should be taken into account already at the time of purchase.

We published an Information Security Now! Article:  Non-updated devices attract criminals (External link), (in Finnish)

An international police operation succeeded in curbing the actions of hacktivists

The Finnish police and Europol announced about the international police operation Eastwood where police from 15 different countries took over the infrastructure used by the hacktivist group NoName057(16). In a large-scale operation, dozens of arrests and house searches were carried out around the world, and more than a hundred servers used for denial-of-service attacks were seized. The denial-of-service infrastructure that has repeatedly targeted Finland is now largely under the control of authorities.

Since 2022, the pro-Russian group NoName057(16) has launched politically motivated attacks targeting multiple countries. Finland experienced multiple days of attacks during the election week in spring. Denial-of-service attacks, which impair the availability of online services, have been a common occurrence on the internet for years. The attacks often involve botnets composed of hundreds or thousands of end devices, generating simultaneous traffic loads that overwhelm and freeze the targeted online service. In June, authorities reported the takedown of the Gorilla botnet used by criminals. Now, law enforcement has launched an operation against the NoName group.

We sincerely thank all those who reported the attacks to the authorities and submitted a criminal report. Without active reporting from victims, the police would not have the necessary tools to intervene in the attacks. Operation Eastwood's success shows that reporting crimes truly matters — it provides the police with the information they need to take effective action. The internet is, for a moment, a better place again.

Recently reported scams

In this summary, we provide information about scams reported to the NCSC-FI during the past week.

Vulnerabilities

CVE: CVE-2025-20257

CVSS: CVSS 9.6

What: Fortinet has released a patch for a critical vulnerability in FortiWeb that allows an unauthenticated attacker to execute SQL commands via crafted HTTP or HTTPS requests. A method for exploiting the vulnerability is now publicly available and is being widely used.

Product: FortiWeb versions 7.0, 7.2, 7.4 and 7.6

Fix: Install the latest version of the corrective update available for each product series.

Read more: Vulnerability 16/2025 (External link), (in Finnish)