Front Page: NCSC-FI

Information security now!

This week we highlight the award received for the cybercrime prevention cooperation led by Traficom, as well as new guidance on applying for EU funding, the final Cyber sector in transition webinar of the year, the current status of the EU’s Cyber Resilience Act and the Be vigilant on the web! public event. In this week’s malware review, we take a look at Waledac.

TLP:CLEAR

Scam call blocking solution developed by Traficom and Finnish telecommunications operators wins the European Crime Prevention Award

The technical solution for blocking scam calls, developed jointly by the Finnish Transport and Communications Agency Traficom, the National Bureau of Investigation, Elisa and other telecommunications operators, has won the 2025 European Crime Prevention Award. Earlier, the same cooperation won Finland’s national crime prevention award.

This year’s theme for the European Crime Prevention Award was the prevention of online scams and fraud. The results were announced in Copenhagen on 28 November.

The solution developed by Traficom, the National Bureau of Investigation, Elisa Corporation, DNA Plc, Telia Finland Oyj, Länsilinkki Oy, Setera Communications Oy, Suomen Numerot NUMPAC Oy and Ålands Telekommunikation Ab makes it possible to identify and block caller ID spoofing in calls originating from abroad. The solution has significantly reduced the number of scam calls and the financial losses they cause to people in Finland.

Before the introduction of the solution, spoofing a foreign caller ID to appear as a Finnish number was one of criminals’ main tactics to make scam calls appear credible. As many as 90 per cent of calls from abroad to Finnish numbers used falsified caller ID information. Thanks to the work carried out by Elisa, Traficom, the National Bureau of Investigation and other partners, the number of scam calls first fell to about ten per cent and then further down to three per cent. At the same time, the National Bureau of Investigation has observed that this solution has almost eliminated this type of crime from Finland.

Other countries face the same problem, and the solutions developed jointly in Finland have attracted strong international interest. The model developed in Finland has also been adopted abroad.

“The fact that these solutions were developed in Finland demonstrates the strength of our cooperation culture and shows that collaboration between authorities and telecommunications operators works exceptionally well. The award is therefore a recognition for everyone involved,” emphasise Senior Specialist Klaus Nieminen and Development Manager Lauri Isotalo from Traficom.

Guidance for EU funding and applications now available on the NCC-FI website

The National Coordination Centre (NCC-FI) at the NCSC-FI has published general guidance on its website for funding calls under the Horizon Europe and Digital Europe programmes, as well as general instructions for preparing an EU funding application.

The general funding call guidance provides advice for every stage of the application process — from identifying suitable calls and finding partners to submitting a project proposal.

The page on tips for preparing a good application offers concise instructions on how to address the different sections of an application. Although the guidance focuses primarily on Digital Europe funding, the advice is also applicable to research, development and innovation projects under the Horizon Europe funding instrument. The page also provides tips for preparing a budget.

The NCC-FI supports Finnish organisations in participating in EU funding calls related to cybersecurity. Learn more about the services provided by the NCC-FI at www.koordinointikeskus.fi, or contact us by email at ncc-fi(at)traficom.fi.

EU Cyber Resilience Act has been in force for a year — what does it mean for consumers and businesses?

It is now almost a year since the EU’s Cyber Resilience Act (CRA) officially entered into force. For the first time, the regulation introduces EU-wide mandatory cybersecurity requirements for all “products with digital elements”, such as home IoT devices, software and other smart devices.

National implementation moving forward

The Finnish Parliament is currently examining the Government’s proposal for national provisions to supplement the CRA. The proposal includes a new Act on the cyber resilience of certain products and on cybersecurity certification. In addition, amendments are proposed to the Act on Electronic Communications Services and the Cybersecurity Act.

As an EU regulation, the CRA is directly applicable, but national supplementary provisions are required particularly to organise supervision and define the related duties of competent authorities, and to set out administrative sanctions.

The CRA becomes applicable after a transition period on 11 December 2027. However, the obligation to report actively exploited vulnerabilities will already apply from 11 September 2026, and the provisions concerning notified bodies from 11 June 2026.

Commission has published material to support preparation for CRA compliance

The implementing regulation for the CRA — Commission Implementing Regulation (EU) 2025/2392 on the technical description of the categories of important and critical products — has been published in the Official Journal of the European Union. The regulation sets stricter requirements for important and critical products than for other categories, and manufacturers of such products are encouraged to familiarise themselves with its contents. In addition, the Commission has published dedicated CRA web pages and an FAQ document providing answers on the regulation’s application and the obligations it imposes.

This year’s final Cyber sector in transition webinar on 10 December 2025

This year’s final Cyber sector in transition webinar will explore both the past year and the year ahead. The webinar will begin with a look back at the past year from a cybersecurity perspective, focusing on the key phenomena and trends that emerged during 2025. In the second half, attention turns to the future: What developments can we expect in 2026, and how can cooperation help us prepare for both anticipated and unexpected cyber threats? 

Promotional image for the Cyber sector in transition event.

Be vigilant on the web! – public event held at Oodi on 2 December 2025

Aalto University, the Digital and Population Data Services Agency (DVV), the police, and the NCSC-FI at Traficom organised the Be vigilant on the web! public event at Helsinki Central Library Oodi and on the Yle Areena service. The theme of the event was cybersecurity and digital scams, discussed together with crime fiction authors, people who had been scammed and those who had encountered fraudsters. The event also featured practical tips for safe online activity from experts representing the police, the NCSC-FI, DVV and Aalto University.

Crime fiction authors Helena Immonen and Christian Rönnbacka, interviewed by researcher and project manager Marianne Lindroth from Aalto University, spoke about how fiction can help open up cyber and security themes for general readers, and how they themselves have researched the topics discussed in their books. Their works explore everything from everyday scams to large-scale influence operations. In Rönnbacka's books, for example, the logic of everyday scams and the psychology of crime are present, while Immonen's works focus on geopolitics and societal vulnerabilities. Fiction is one way to learn new things.

In the section on experiences with scammers, Sonja Nylander and Merjan Mähkä shared their encounters with digital fraud, interviewed by Kimmo Rousku.

In the tips section, Detective Sergeant Juha Springare from the National Bureau of Investigation stressed that recipients of unsolicited messages should take time to examine the contents carefully, as fraudsters often try to create a sense of urgency. Springare also reminded the audience that if you suspect you have lost money, you should contact your bank immediately — and only after that, the police.

Senior Specialist Juha Tretjakov from the NCSC-FI explained that trusting other people is human, but not everyone is worthy of that trust. That is why some of us fall victim to scams online. Tretjakov noted that online fraudsters try to obtain banking credentials by frightening recipients and pushing them to act quickly without careful consideration.

Chief Senior Specialist Kimmo Rousku from the Digital and Population Data Services Agency presented concrete examples of how to identify scam messages by examining message details carefully. If a sender’s email address looks even slightly unusual — even one character off — it is likely a scam. Rousku also encouraged the audience to consider who initiated an interaction where you are asked for information or authentication. If the request comes from elsewhere — a call, message, or link — the risk of being scammed is higher than when you initiate the action yourself, such as paying bills in your banking app.

Cybersecurity expert Tuomas Heikkinen from Aalto University presented ways to improve personal cyber skills — learning can also happen through games. In Aalto University’s Cyber Citizen project, the free Cyber City Tycoon mobile game allows players to take on the role of a cybercriminal. Heikkinen also recommended the SecPort portal, which offers introductory materials on cybersecurity and information influence.

Chief Senior Specialist Kimmo Rousku of the Digital and Population Data Services Agency on stage at Oodi, with an AI-manipulated selfie video filmed by Rousku playing in the background.
DVV’s Chief Senior Specialist Kimmo Rousku also demonstrated at Oodi how powerful artificial intelligence has become in manipulating videos.

Weekly malware review: Waledac

Waledac was a malware strain that spread via email attachments in the late 2000s and early 2010s, becoming one of the best-known botnets of its time. It spread especially through spam campaigns that used topical themes, enticing messages or emails appearing to come from familiar contacts. The attachment used to distribute the malware was typically named “ecard.exe”. The contents of the emails varied, but the subject lines often referenced seasonal themes, such as Christmas greetings — for example: “Merry Christmas To You! Merry Christmas To You!” or “Xmas card for you Xmas card for you”.

If a user installed the worm by double-clicking the attachment, it would install itself on the system and save a copy of itself in the Windows registry. It then modified the registry so that this copy would be placed in a directory executed automatically on system startup.

Once a system was infected, Waledac could, for example, send large volumes of spam, download additional malware and update its own components. It could also use P2P-style mechanisms, which made the botnet difficult to dismantle. Waledac demonstrated how flexible and rapidly adaptable a botnet could be, and served as a precursor to later malware families with similar capabilities.

Waledac continues to underline key lessons: email attachments and links must be handled with care; organisations should maintain effective spam filtering and detection of malicious network traffic; and command-and-control traffic analysis remains a critical part of threat defence.

Recently reported scams

In this summary, we provide information about scams reported to the NCSC-FI during the past week.

What to do if you get scammed

Vulnerabilities

Bulletin: http://kyberturvallisuuskeskus.fi/fi/haavoittuvuus_23/2025
CVE: CVE-2025-66478
CVSS: 10.0
What: Critical vulnerability in React’s React Server Components functionality
Product: React has identified that at least the following products use the affected packages: Next.js, React Router, Expo, Redwood SDK, Waku and @vitejs/plugin-rsc. The vulnerability may also affect any product that uses or supports React Server Components.
Fix: Install the updates according to the manufacturer’s instructions.

For more general information about vulnerabilities and the terminology used, please see our Information Security Now! article ‘NCSC-FI vulnerability coordination in a nutshell’.

About the weekly review

This is the weekly review of the National Cyber Security Centre Finland (reporting period 28 November–4 December 2025). The purpose of the weekly review is to share information about current cyber phenomena. The review is intended for everyone from cybersecurity professionals to ordinary people.