Weekly review of the National Cyber Security Centre Finland (NCSC-FI) - 31/2025

Aggressive extortion email campaign ongoing

Earlier this week, we published an Information Security Now! article on a widespread and aggressive extortion email campaign. The campaign is still ongoing, and a particularly large number of scam messages linked to it are currently circulating.

The scam involves mass-mailed messages in which criminals claim to have obtained sensitive material—such as private videos—and threaten to publish it unless the recipient pays a ransom in Bitcoin. The purpose of these messages is to instil fear and pressure the victim into acting quickly. The spam emails have been sent from a botnet consisting of several thousand computers, and large volumes have also been directed to non-existent addresses. 

Aggressive extortion email campaign ongoing (External link) (in Finnish)

Race to patching – system administrators, make sure your organisation is first to the finish line!

Keeping software and devices up to date is one of the cornerstones of organisational cyber security. Neglecting security updates can expose systems to serious vulnerabilities actively sought out by criminals. Automation has made it possible to exploit vulnerabilities faster than ever. The latest updates ensure protection against known vulnerabilities.

It is the administrator’s responsibility to ensure that all systems in use—such as servers, workstations, network devices and IoT equipment—receive the necessary updates without delay. Installing security updates promptly is especially critical, as any delay benefits precisely those actors the organisation is meant to be protected from.

Make sure the update process is part of a planned maintenance routine. While summer holidays may mean lighter maintenance and update practices, important updates should not be postponed. Remember to check that no end-of-life software or services are still in use. Don’t forget rarely used or passive servers either.

Unupdated devices attract criminals (External link) (in Finnish)

Do not ignore your update process during the summer (in Finnish) (External link)

Sun and suspicious invoices – invoice fraud is common especially during the holiday season

Invoice fraud tends to increase during the summer, when organisations operate with holiday substitutions and temporary staffing arrangements. Cybercriminals take advantage of these setups by falsifying billing information in pursuit of financial gain. Typically, a fraudulent but realistic-looking invoice or payment request is sent, redirecting the funds to a criminal’s bank account. Often, the message stresses urgency to pressure quick action.

A common variant is the so-called CEO fraud, where the attacker impersonates a senior executive and requests a payment to a supposedly important business partner. In some cases, the scam may involve an invoice for a non-existent product or service, or the attacker may exploit a compromised email account to send fake invoices. If successful, these scams can be costly.

Protection against invoice fraud relies above all on attentiveness, verification procedures and staff training. For instance, payment requests should be verified via a secondary communication channel. There should also be a clear and documented process for handling changes to payment details.  Technical defences, such as spam filters and email inspection tools, also help prevent fraud attempts.

Cybercriminals are constantly refining their methods, so year-round vigilance is essential. Training and regular communication help keep scam techniques top of mind—especially during times when routines deviate from the norm.

OSCE Helsinki+50 conference proceeded calmly from a cyber security perspective

On 31 July 2025, Finland hosted the Helsinki+50 conference to mark the 50th anniversary of the Helsinki Final Act of the Organization for Security and Co-operation in Europe (OSCE). The aim of the conference was to promote participating states’ commitment to the organisation’s principles. The event took place at Finlandia Hall in Helsinki. Ensuring security—both physical and cyber—was once again the result of collaboration between many parties. The Ministry for Foreign Affairs was responsible for organising the event, and the Finnish Transport and Communications Agency Traficom also contributed to the security arrangements.

To support the protection of such events, Traficom draws on its networks, which include authorities across different administrative sectors as well as private service providers and businesses. These networks rely on long-term trust and pre-established procedures for information exchange. This greatly facilitates the detection of cyber incidents or other disruptions, the sharing of related information and the recovery process. A shared situational awareness also helps stakeholders to recognise their own roles and responsibilities in any given situation. Although the authorities were prepared for potential cyber interference, the conference remained calm and went according to plan.

A well-functioning civil society depends on trust in digital services and the protection of individuals’ personal data and property. Finland currently holds the OSCE Chairpersonship, and cyber security is a key theme in the programme of the year. For example, Finland is organising a cyber security-themed conference in Helsinki this autumn. Cyber security is more broadly an important area in OSCE’s work, being one of the sectors in which member states are able to engage in concrete cooperation—such as through measures that foster trust in the digital society.

More on Finland’s OSCE Chairpersonship programme (External link).

Recently reported scams

In this summary, we provide information about scams reported to the NCSC-FI during the past week.