Fraudsters posing online as legitimate businesses and agencies are successfully tricking people out of their money, according to Juho Jauhiainen, an information security specialist at Traficom's National Cyber Security Centre.
Pretending to represent trusted outfits like national mail firm Posti, Microsoft and--most recently--the Tax Administration, scammers have been increasingly successful.
In recent days the criminals unrolled a new scam under the guise of Finland's tax man. The scheme's victims are sent a message that a tax refund is waiting for them--and all they have to do is click a link to collect it.
However, that link isn't related to the tax office and instead prompts victims to divulge personal ID numbers and credit card information, Jauhiainen explained.
One such message seen by Yle displayed the Tax Administration's logo and colour schemes. However, the Finnish text was rather awkward and likely an automated translation.
They're not really from Microsoft
Meanwhile, the common Microsoft IT support scam has plagued targets in Finland since last year.
Around 50 criminal complaints have been filed with Helsinki police just this year, according to the head of the city's police cybercrime unit, Jukkapekka Risu.
In that scam, potential victims receive phone calls from scammers speaking broken English, falsely claiming they're from Microsoft tech support and requesting permission to remotely connect to targets' computers. Once that hurdle is passed, the scammers then attempt to go after the victims' money, Risu explained.
"Using remote access software, at some point, the scammer will darken the device's screen and then clear their accounts. It often takes quite a while to go through everything; savings and other accounts, as well as credit cards," he said, adding that one victim lost 85,000 to such a scam at the beginning of the year.
However, in that case, those assets were recovered successfully, Risu noted.
The phone numbers used by the fraudsters are generated automatically, so even people with unlisted numbers can be targeted, he said.
Last year, the capital police department received about 1,000 Microsoft scam-related complaints, according to the National Bureau of Investigation's (NBI) crime commissioner Juha Tompuri.
Millions in damages
Altogether, the criminals behind the Microsoft scheme have so far bilked about 2.8 million euros from victims in Finland, with about 200 such incidents recorded across the country this year, Tompuri said, underscoring that he prefers the terms "fraudsters and criminals" rather than "scammers" when talking about the perpetrators.
Already in less than two months this year the Microsoft scam has cost victims more than a million euros, Tompuri noted.
"This is a professionally-organised activity," he said.
However, he acknowledged that combatting cyber fraud is difficult, as the criminals regularly change how they operate and are also international outfits that pose challenges to traditional police work at the local level.
Another common trick fraudsters use involves SMS text messages, according to the Cyber Security Centre's Jauhiainen. In one such scheme, victims are sent a message that seems to be coming from Posti saying a package is on its way. If the included web link is followed, a bogus website attempts to siphon personal information like Apple ID data.
Then, the fraudsters try to get victims to agree to billing authorisations that will later appear on their phone bills, Jauhiainen said. In some cases, malware is installed on the victims' Android smartphones.
How to protect yourself
Jauhiainen emphasised that people need to be cautious about disclosing personal information, as well as healthily suspicious of being contacted by authorities like the tax office.
"The Tax Administration never sends links to people saying where they can get their tax refunds redeemed. The tax office only conducts such matters via its [secure] website," he explained.
Authorities in general, he added, do not relay detailed sensitive information to individuals via email or web links.
The Tax Authority itself warns on its website that it never requests personal data like credit card or bank account details from its customers.
First contact bank, then police
Helsinki police's Risu said that people who learn that they've been duped should first contact their bank and then the police--particularly in that order.
The bank will be able to see where any siphoned funds went and--if the fraud is caught quickly enough--the funds can be retrieved, he explained, noting that about half of cyber crime victims are able to claw back their money.
Risu said that if scammers call saying they're from IT support, people should just hang up the phone.
The NBI's Tompuri said there are a few rules of thumb to avoid becoming a cyber crime victim.
"Don't click on links, don't download programmes you're unfamiliar with and do not give out your information, or at least think twice before you do," he said.
"If I get an email from a firm, like my bank or Posti, I never click on links in the message, but go to the company's official website instead," Tompuri said.
Jauhiainen agreed with that strategy, saying that people should carefully type in the website addresses in web browsers themselves, rather than rely on possibly-questionable links.
The cyber criminals are becoming increasingly creative in their efforts.
Recently, the fraudsters tried tricking people with gift card offers from firms like Tokmanni, Prisma, Elisa, Finnair and HBO Nordic. They've even used the coronavirus crisis as a way to defraud victims, according to the Cyber Security Centre.
"Scammers are inventive. In practice, they can come up with anything," Risu said.