Front Page: NCSC-FI

Information security now!

This week, we cover information security considerations related to the use of AI assistants, phishing messages themed around hotel and travel bookings, and recorded scam calls made in the name of banks. We also report on unsolicited verification codes sent by text message. In addition, we provide information about a funding call opening for SMEs and the publication of the December Cyber Weather report.

TLP:CLEAR

Phishing messages themed around hotel and travel booking services

At the beginning of the year, many people plan and book trips and accommodation for the upcoming holiday seasons. This period is also favourable for phishing messages sent in the name of travel booking systems. Various hotel booking-themed scams and phishing campaigns have been reported internationally for several years. The most common hotel or travel booking-related online scams include phishing messages sent, for example, in the name of the Booking.com reservation service.

There are several known variants of phishing messages, but in all cases the criminals’ objective is the same: either to harvest payment card details or to gain direct financial benefit by redirecting payments to an account controlled by the criminals. The communication channel can be anything from email to WhatsApp messages. Messages may appear within an existing booking service message thread in the name of the accommodation provider, come from unknown numbers or be sent by email from a spoofed address.

Messages containing detailed information about the reservation and the person who made it have also become more common. Criminals obtain this information by carrying out data breaches. Such breaches occur in reservation systems used by hotels and accommodation providers.

In cases reported to the NCSC-FI, victims have suffered financial losses. Entering credit card details on a phishing site can also lead to more substantial financial losses.

General advice for avoiding phishing messages:

  • Use strong, unique cryptographic keys.
  • Avoid opening links via messaging services and log in only via authentic websites.
  • Check the website’s domain name — phishing site domains usually differ noticeably from the genuine one.
  • Review the content of the message calmly and critically; phishing messages aim to create urgency and anxiety, which can lead to hasty decisions.
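The domain check from the list above can also be automated, for example in a mail or chat filter. The following is an added example, not NCSC-FI code; the trusted-domain list, the function names and the sample message are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: domains treated as genuine for this check; replace with your own list.
TRUSTED_DOMAINS = {"booking.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def classify_link(url):
    """Classify one link as 'genuine', 'lookalike' or 'unrelated'."""
    parts = urlsplit(url)
    # .hostname is lowercased and excludes any user@ prefix and :port.
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "unrelated"
    for trusted in TRUSTED_DOMAINS:
        # Exact match or a true subdomain; the leading dot is what keeps a
        # name that merely ends in the trusted string from passing.
        if host == trusted or host.endswith("." + trusted):
            return "genuine"
    netloc = parts.netloc.lower()
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # The genuine name used as a user@ prefix, a left-hand label or a
        # fragment of another name makes the link read like the real service.
        if trusted in netloc or brand in host:
            return "lookalike"
    return "unrelated"

def scan_message(text):
    """Return (url, verdict) for every http(s) link in a message body."""
    return [(u, classify_link(u)) for u in URL_RE.findall(text)]

# Constructed sample message; .example names are reserved and resolve nowhere.
SAMPLE = (
    "Your stay is at risk. Confirm the card within 12 hours: "
    "https://booking.com.confirm-stay.example/pay or "
    "https://booking.com@pay.example/verify or "
    "https://booking-refund.example/login . "
    "Genuine site: https://secure.booking.com/mytrips"
)

if __name__ == "__main__":
    for url, verdict in scan_message(SAMPLE):
        print(f"{verdict:10} {url}")
```

The check does not cover homoglyph (internationalised) lookalike names, and a "genuine" verdict says nothing about who sent the message: a message sent from a compromised hotel account can still link to the real service.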

If you have entered banking or personal details on a phishing site, you should contact your bank and file a report with the police.

Read more: Data breaches in hotel and travel booking services are used to scam customers (External link) (in Finnish) 


The infographic shows how a two-stage hotel booking scam unfolds. First, the scammer phishes hotel staff for credentials to the reservation system. Once the criminal has access to the account, they send phishing messages to customers who have made reservations at the hotel. These messages are particularly convincing because they come from the hotel's genuine account and concern genuine reservations. The criminal's aim is to phish credit card details or online banking credentials, or to steal money.

Intelligent assistants, new risks – information security perspectives on the use of AI assistants

AI-based assistants have rapidly become more common in organisations. Their use ranges from customer service to improving knowledge work, as well as meeting and communication environments. At the same time, the use of AI assistants brings significant information security and cybersecurity challenges that must be taken into account both in system design and in day-to-day operations.

We have published an Information Security Now! article on the topic, explaining what AI assistants and AI agents are. When AI is integrated directly into systems, databases and tools, even small shortcomings in design or oversight can lead to significant consequences. Careful risk assessment, restricting access rights, logging, regular testing and clear guidelines help ensure that AI can be used effectively and responsibly.

Read the full Information Security Now! article here (External link) (in Finnish)

Automated scam calls in the name of banks have become more common

The NCSC-FI has recently received reports of several scam cases involving recorded automated calls. In these calls, the caller poses, for example, as a bank’s technical support service or as a bank employee. The call often begins with a recorded security notice stating, for instance, that there has been an unauthorised login to the account or suspicious transfers. The recording instructs the recipient to press a certain number to be connected to what is claimed to be the bank’s security department. According to reports received by the NCSC-FI, the calls have come particularly from foreign phone numbers, as spoofing scam calls to appear as if they originate from Finland has largely been prevented.

Traficom’s regulation has almost completely stopped scam calls disguised as Finnish numbers (External link) (in Finnish)

The purpose of scam calls is to create a sense of urgency and fear. Behind them are often criminals whose goal is to manipulate the victim into acting quickly. For this reason, any call that pressures you to take immediate action should be treated with suspicion. A genuine banking matter is never so urgent that it cannot be addressed calmly at a later time.

Be especially cautious with suspicious calls, particularly if you are asked to provide personal details or online banking credentials, or to perform actions on your device. Banks and authorities will never ask for your credentials. If you doubt the authenticity of a call, hang up. You can verify the situation by calling the organisation’s official customer service number yourself. In suspicious situations, calm consideration is the best protection against scams.


Multiple reports of verification codes sent by text message

Over the past week, the NCSC-FI has received several reports of cases where recipients have received a Telegram verification code by text message without having registered for or logged in to the service themselves. Most reports concern the Telegram app, but similar reports have also been received relating to WhatsApp and other instant messaging services. These messages have been sent widely and do not appear to be targeted.

In some cases, it appears that a third party has been able to create a Telegram account without the phone number owner entering the verification code received by text message anywhere. Based on reports received by the NCSC-FI, in some instances the attacker has also managed to reset and take over an account that was already in use. After taking over an account, the attacker may enable two-step verification, as a result of which the original owner of the phone number may no longer be able to regain access to the account.

The NCSC-FI has not investigated the reported cases in detail, and at this time it is not known how the user accounts were technically compromised or how the verification messages are precisely connected to the incidents. In some cases, several text messages containing verification codes have been received, which suggests that the attacker may be using a fatigue-based technique that succeeds only in a small proportion of attempts. The best way to protect your account is to enable two-step verification, which can be activated in the app’s security settings.

If you receive a verification code notification without having requested it, someone else has entered your phone number into the service and requested a registration code. This may have happened due to a mistyped number, or it may indicate an attempt to take over your account. Never share verification codes received from an app with anyone.

It is not possible to directly prevent the creation of a Telegram or WhatsApp account using a specific phone number. If you wish to register a Telegram or WhatsApp account for your phone number, the only way is to create the account yourself and secure it with two-step verification.

Funding call opening for SMEs to support the implementation of the CRA

The EU-funded SECURE project is opening a funding call for SMEs to support the implementation of the Cyber Resilience Act (CRA). The call will open on 19 January 2026 and close on 22 March 2026. The purpose of the funding is to help European companies meet the obligations arising from the CRA.

The call is intended for European SMEs to which the CRA obligations apply. These include manufacturers, importers and distributors of products with digital elements, open-source software stewards, and other categories covered by the CRA.

In this funding round, a total of EUR 5 million is available. A single applicant may apply for up to EUR 30,000 for one project. The co-funding requirement is 50 per cent of the total project costs, meaning at least EUR 30,000 if the company applies for the maximum amount.


December Cyber Weather report published

December began relatively calmly compared to the previous months. However, the cyber weather was darkened towards the end of the month by a heightened number of critical vulnerabilities and the exceptionally strong Storm Hannes, which caused widespread power outages and network disruptions across Finland, as well as subsea cable damage in the Baltic Sea around the turn of the year.  

In the final long-term cyber weather section of the year, we focus on cybersecurity in industrial automation.

Changes to cyber weather reports in 2026

The layout and content of the Cyber Weather report will be updated starting with the January 2026 edition. The aim of the changes is to make the publication more accessible, more consistent in quality, and at the same time more informative. We will provide more details about the changes in connection with the first updated Cyber Weather publication in February. 

Recently reported scams

In this summary, we provide information about scams reported to the NCSC-FI during the past week.

What to do if you get scammed

Learn how to detect and protect yourself against online scams

About the weekly review

This is the weekly review of the National Cyber Security Centre Finland (reporting period 9–15 January 2026). The purpose of the weekly review is to share information about current cyber phenomena. The review is intended for everyone from cybersecurity professionals to ordinary people.