Front Page: NCSC-FI

Information security now!

This week, we discuss parcel delivery scams, which are especially common during seasonal peaks such as Black Friday. We also provide an update on Microsoft 365 account breaches and look back at the recently held Critical Code webinar. We remind readers to register for the upcoming EU cyber security funding info sessions, and we share information about the European Commission’s CRA stakeholder event. In addition, we have opened a survey for NCSA customers to gather information on future assessment, approval and accreditation needs. Finally, in this week’s malware review, we take a closer look at the Shiz malware.

TLP:CLEAR

Stay alert for parcel delivery scams! Fraud increases as Black Friday and the Christmas season approach

Parcel delivery scams have become increasingly common as online shopping has grown. Criminals send text messages or emails claiming that a parcel is on its way, stuck in customs or requires an additional payment. The message contains a link directing the recipient to a phishing site. The aim is to trick the victim into providing payment details, online banking credentials or other login information. The messages may look very convincing, and as Black Friday approaches, many people are expecting parcels. Amid the rush, anticipation or excitement, such scams can be difficult to recognise.

The key to avoiding these scams is patience and source criticism. A genuine logistics company will never ask for online banking credentials by text message or email. Always check the sender’s address, number or identifier — if it looks strange or contains long strings of numbers, it is likely a scam. Do not click on the link in the message. If you are genuinely expecting a parcel, go to the delivery company’s official website yourself or use their app.

Payment requests should also be assessed carefully. A small, unexpected extra charge is a common lure designed to make the victim act quickly. Customs fees and additional costs are always shown when placing the order — never afterwards via text message. If the message threatens to return the parcel or interrupt the delivery, it may be an attempt to pressure you.

If you suspect you have received a scam message, delete it and do not click any links. If you have entered, for example, your online banking credentials on the site, notify your bank and, if necessary, the police. Caution, calmness and using official channels are the most effective ways to defend yourself against parcel delivery scams.

Microsoft 365 account breaches threaten companies and organisations

Microsoft 365 accounts are being compromised continuously as a result of successful phishing attacks. Phishing messages are high in quality and often particularly deceptive because they may come from a compromised account belonging to a trusted partner. The threat of M365 account breaches remains, which is why organisations and companies have a particular responsibility to protect their M365 environments. The consequences of an account breach can be severe: reputational damage, invoice fraud and phishing carried out in the organisation’s name, leakage of sensitive data, or even the loss of the organisation’s most critical information to criminals. Microsoft 365 account breaches affect all sectors and organisations of all sizes that use the M365 environment.

Because messages may come from a known sender and contain a genuine file link that leads to a highly convincing phishing site, it can be extremely difficult for users to realise they are being scammed. Detection is further complicated by the possibility of a genuine multi-factor authentication (MFA) prompt, which criminals can bypass using AiTM (Adversary-in-the-Middle) techniques. For this reason, it is essential that companies and organisations implement all possible protection measures to secure their M365 environment.

Secure software development is also a management responsibility

On Tuesday 18 November, together with the National Emergency Supply Agency, we organised this year’s final Critical Code webinar on secure software development. This time, the focus was on how secure software development should be managed. The morning featured both practical case examples and in-depth discussion on the importance of management in ensuring software security.

The webinar attracted well over a hundred participants. If you were unable to attend, the recording of this webinar and earlier sessions are available on Traficom’s YouTube channel. You can also find links to these recordings, as well as additional material on software security, at ohjelmistoturvallisuus.fi.

We would also like to remind you that if you attended—or if the topic interests you in general—we welcome feedback on the types of content you would like to see covered in future, and on how we could further develop our webinars on this theme.


Sign up for info sessions on EU cybersecurity funding

The national coordination centre at the NCSC-FI will organise a general funding info session on Tuesday 25 November 2025, 10.00–11.00 (in Finnish, via Teams). The session will present the open calls in the Digital Europe Programme’s CYBER-09 funding round and provide practical tips for preparing applications.

At the beginning of December, we will also hold targeted info sessions on 3–5 December, where we will take a deeper look at the call texts and offer an opportunity to network with others working on the same themes. Join us to learn about current funding opportunities and to develop your application further!

European Commission to host a CRA stakeholder event on 3 December

The European Commission will host a CRA stakeholder event, “CRAzy About Product Cybersecurity: From Compliance to Confidence”, on Wednesday 3 December, 11:00-13:00 UTC +2 (10:00-12:00 CET).

The event will cover the following topics:

  • The CRA explained: objectives, scope, and practical implications
  • Cooperation across institutions, industry and Member States: who does what
  • Turning CRA into reality: key phases of the implementation phase, guidance, and ongoing regulatory efforts
  • Making the CRA fit for SMEs: actions to support compliance of smaller businesses
  • From compliance to innovation: state of play of the standardisation work supporting the CRA

The final agenda and speaker information will be published later.

Survey on future assessment and approval needs for NCSA customers – respond by 5 December

The NCSA (National Communications Security Authority) at the Finnish Transport and Communications Agency Traficom is surveying its customers’ future assessment, approval and accreditation needs, as well as their experiences with previous assessments. The purpose of the survey is to support the planning of assessments, allocation of resources and development of services. The survey covers both information system assessments and cryptographic and product assessments. We kindly ask NCSA customers to complete and return the questionnaire by 5 December 2025.

Weekly malware review: Shiz

Shiz is a backdoor and infostealer-type malware targeting Windows environments. Its purpose is to give the attacker remote access to the infected machine and to collect sensitive information such as usernames, banking details and browser data. Shiz has been observed modifying registry keys and enabling files to be downloaded and executed remotely. The malware is often part of a broader criminal activity chain in which stolen data is exploited or sold onwards.

The malware commonly spreads via malicious email attachments, downloaded files, or exploitation of vulnerabilities. On an infected device, it collects browser data, system information and potentially saved credentials.

How to protect yourself from the malware:

  • Keep your operating system and apps up to date. Patched vulnerabilities block many infection vectors.
  • Do not open suspicious email attachments or download untrusted executables. Avoid .exe/.scr attachments and verify the sender’s reliability.
  • Use up-to-date antivirus software and follow its alerts. These tools can detect abnormal process and network behaviour.
  • Block unnecessary outbound connections and monitor C2-type traffic.
  • Make regular and sufficient backups. Although Shiz is not always ransomware, backups limit the damage in cases of data leakage or secondary malware.

Recently reported scams

In this summary, we provide information about scams reported to the NCSC-FI during the past week.

WHAT TO DO IF YOU GET SCAMMED

Recognise online scams and protect yourself from them

Vulnerabilities

CVE: CVE-2025-64446
CVSS: CVSS 9.1
What: Critical and exploited vulnerability in the Fortinet FortiWeb product
Product: Certain versions of the Fortinet FortiWeb web application firewall (WAF) are vulnerable.
Fix: The manufacturer urges users to install the updated versions as soon as possible.

If you cannot update the systems immediately, disable HTTP or HTTPS on interfaces exposed to the internet. Restricting access to management interfaces to internal networks only is considered best practice, which reduces—but does not eliminate—the risk. Updating remains essential and is the only way to fully remediate the vulnerability.

After updating, review the configuration and logs for any unexpected changes or the addition of administrator accounts.
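
One way to carry out the administrator-account part of this review is to compare a configuration backup taken before the exposure window with a current one. The script below is an added example, not NCSC-FI or Fortinet code. It assumes a text backup in which accounts sit in a `config system admin` block of `edit` / `set` / `next` / `end` entries, and both sample backups are constructed.

```python
# Constructed sample backups (not real device output). Assumed layout:
# config system admin / edit "<name>" / set <key> <value> / next / end.
BASELINE = """\
config system admin
  edit "admin"
    set access-profile "prof_admin"
    set trusthostv4 10.0.0.0/8
  next
end
"""
CURRENT = """\
config system admin
  edit "admin"
    set access-profile "prof_admin"
    set trusthostv4 0.0.0.0/0
  next
  edit "svc-backup"
    set access-profile "prof_admin"
  next
end
"""

def parse_admins(config_text):
    """Return {admin name: {setting: value}} from the admin block."""
    admins, depth, name = {}, 0, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if depth == 0:
            depth = 1 if line == "config system admin" else 0
        elif line.startswith("config "):
            depth += 1  # nested sub-table inside an entry: skip its contents
        elif line == "end":
            depth -= 1  # back to 0 closes the admin block
        elif depth == 1 and line.startswith("edit "):
            name = line[5:].strip().strip('"')
            admins[name] = {}
        elif depth == 1 and line.startswith("set ") and name is not None:
            _, key, *rest = line.split(None, 2)
            admins[name][key] = rest[0].strip('"') if rest else ""
    return admins

def diff_admins(baseline_text, current_text):
    """Return (added, removed, changed) admin accounts versus the baseline."""
    old, new = parse_admins(baseline_text), parse_admins(current_text)
    changed = {n: {k: (old[n].get(k), new[n].get(k))
                   for k in sorted(old[n].keys() | new[n].keys())
                   if old[n].get(k) != new[n].get(k)}
               for n in sorted(old.keys() & new.keys()) if old[n] != new[n]}
    return sorted(new.keys() - old.keys()), sorted(old.keys() - new.keys()), changed
```

Any account in the first list, or any changed setting on an existing account, that does not match a recorded change should be treated as a finding and followed up in the logs.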

ABOUT THE WEEKLY REVIEW

This is the weekly review of the National Cyber Security Centre Finland (reporting period 14–20 November 2025). The purpose of the weekly review is to share information about current cyber phenomena. The review is intended for everyone from cyber security professionals to ordinary people.