Front Page: NCSC-FI

Information security now!

This week, we cover topics such as scam messages leading to Facebook account breaches, the Finnish InfoSec 2025 seminar on 12 March, and how to manage passwords securely.

Facebook accounts are being hijacked again through phone number inquiries

Scam messages are being sent through Facebook Messenger, attempting to hijack Facebook accounts using phone numbers and verification codes. This is not a new phenomenon, but the method is still active, and we regularly receive reports of account takeovers carried out this way.

The scam typically progresses as follows:

  1. You receive a message on Facebook Messenger from a friend asking for your phone number. In reality, the message was sent by a scammer who has hijacked your friend’s account.
  2. The scammer, posing as your friend, claims to be participating in a contest or lottery and needs your phone number.
  3. After you provide your phone number, the scammer asks you to forward a code that you will soon receive via SMS.
  4. Instead of entering a contest or lottery, the scammer attempts to hijack your Facebook account using your phone number and verification code. If you provide the requested information, the scammer will try to log into your account, change your password and alter your email address.
  5. Once the hijacking is successful, your account is under the attacker’s control and will begin sending similar scam messages to your friends.
  6. If the scammer has promised to share potential winnings with you, you may also receive a phishing message requesting your banking details to "transfer the winnings".

Finnish InfoSec 2025 Seminar on 12 March – Theme: Protecting the Digital Society

We are living in an era in which digital technologies are shaping our lives, the ways we work and our societal interactions. How well prepared are we to protect this rapidly evolving digital environment? How do we ensure that our societies and everyday lives are based on cyber-secure solutions – from the earth’s surface all the way to space? What kind of threats will we face in the next few years?

Questions like these will be discussed at the free InfoSec 2025 seminar organised by Traficom and the National Emergency Supply Agency on 12 March from 9 to 17.

International top speakers at the event include Deputy Director General Emmanuel Naëgelen of the French Cybersecurity Agency (ANSSI), Professor Alice Hutchings of the University of Cambridge, Chief Analyst John Hultquist of Google Threat Intelligence, Managing director (Cyber security) Dr. Alexander Schellong of Schwartz Digits KG and CISO Joseph Carson of Wiretrap.

The morning session of the event will be in English, while the afternoon presentations will be in Finnish. The event can be followed remotely online, and the webcast is open to all.

Explore the program and register via the link below the image.

Manage your passwords securely

Passwords are still widely used in digital services, even though new authentication methods, such as passkeys, are becoming more common. Every password should be unique and used only for one service so that a data breach in one service does not give criminals access to other user accounts. As the number of accounts grows, most of us find it difficult to remember all our passwords. This is why using a password manager is recommended.

Password managers securely store different service passwords behind a single master password. These managers can be cloud-based services or locally stored applications, each with its own advantages and risks.

When selecting a password manager, assessing its reliability is important. Look for information and reviews about the software and providers before choosing one. Well-known and reputable providers are generally safer than random websites whose background and operations are uncertain.

Infographic listing good password practices: change a password that may have ended up in the wrong hands, use a different password for each service, enable multi-factor authentication, store passwords securely, e.g. in a password manager, and preferably use a long and complex passphrase instead of a short password.

Good password practices: change your password if you suspect it has ended up in the wrong hands; use different passwords for each service; use multi-factor authentication if possible; store passwords safely, e.g. in a password manager.

Consider carefully whether to use a browser’s password vault, as stored passwords are often the first targets of malware. If you choose to store passwords in your browser, protect them with a master password if the browser offers this feature.

Although password managers improve security, they do not eliminate risks entirely. If the master password or the entire service is compromised, an attacker could gain access to all stored passwords. Therefore, the master password should be exceptionally strong, and multi-factor authentication should be enabled. Particularly critical credentials, such as the password for your primary cloud service account or those related to electronic authentication, may be better memorised rather than stored, even in a well-protected system.

Information Security Now!: Tips for using a password manager

Into Certification expands its Katakri 2020 qualification

The Finnish Transport and Communications Agency Traficom expanded the certification scope of security assessment body Huld Certification Oy on 25 February 2025 to include Katakri 2020 qualifications for security classification levels TL IV and TL III.

Into Certification Oy previously operated under the name Huld Certification Oy. The name change took effect on 28 February 2025.

ABOUT THE WEEKLY REVIEW

This is the weekly review of the National Cyber Security Centre Finland (reporting period 28 February–6 March 2025). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cybersecurity specialists to regular citizens.