13.05.2026

When the board was almost scammed

How attackers used public information to come dangerously close.
Oddbjørn Skauge, Chief Information Security Officer
Forward-thinking CISO focused on practical and effective approaches to information security.

It started as a completely ordinary afternoon. The time was approaching 5 PM. Meetings were done. Thoughts were already drifting toward other things.

Then the phone rang. A board member answered.

“Hello, this is Pedersen from the auditing firm.”

The voice was calm. Professional. Slightly rushed. He explained that since the company had recently registered a relocation of its headquarters, a few formal registrations still needed to be completed. He was working late. He really just wanted to finish up and get home.

There was a slight sense of urgency. But not enough to seem suspicious.

Everything matched. Almost.

Pedersen knew who sat on the board, who the chairperson was, and who the company auditor was. He knew about the relocation. He referred to other board members by name. They had not had time to sign yet, he said. Could you help?

This is the core of modern fraud. It is not obviously wrong. It is almost correct. Almost professional. Almost completely believable. And that is exactly what makes it dangerous.

What had actually happened

The company had done something entirely normal: registered a relocation of its headquarters with the Norwegian Register of Business Enterprises. Public information, available to anyone.

And someone was paying attention.

Fraudsters do not monitor your business; they monitor your events.

As soon as the registration was submitted, the work began: mapping the board, gathering phone numbers, identifying the auditor, and preparing a believable story. This was not random. It was targeted.

Timing is an attack tool

The calls came around 5 PM. When people are tired, mentally moving on with their day, and less alert than they believe they are.

The best attacks do not happen because people lack competence. They happen because people are under time pressure.

The pressure

Pedersen was polite. But also slightly insistent. After all, he was working overtime. He just wanted to finish. Couldn’t they simply sign quickly?

Then came the request. A digital signature. A BankID request.

What almost happened

Several board members received the same call. Everyone reacted slightly; something felt off. But not enough for anyone to raise the alarm. Most said they did not have time. Some redirected him elsewhere. Then the signing request arrived anyway. It came very close.

What stopped it?

Not technology. Not security systems.

Coincidence, and communication. The request came from the wrong bank. Nobody approved it. And most importantly: the board members started talking to each other. Shared reflection stopped what individual skepticism alone could not.

Individual skepticism is good. Shared situational awareness is better.

What the board did afterwards

Afterwards, one thing became clear: this could have ended very badly. The board therefore introduced a few simple but effective measures:

  • Two-way verification with code words: For unusual requests, one person provides an agreed code word and the other must answer correctly. Simple and difficult to bypass.
  • No decisions under time pressure: If something feels unusually urgent, it probably is not.
  • Always verify through a known channel: No action based solely on incoming phone calls, emails, or messages. Everything is verified through contact information you already have.
  • Never approve BankID requests without context: If you are not expecting it, do not approve it.
  • Low threshold for communicating internally: What actually stopped the attack was that the board members called each other.

The board’s role in 2026

This is not an IT problem. It is a board-level responsibility. The attacks do not primarily target your infrastructure; they target your decisions. With regulations such as the Digital Security Act and NIS2, boards are expected to understand this risk, take active measures, and help build a culture where security is everyone’s responsibility, not just IT’s.

A true story

This was not an advanced technical operation. It was good research, perfect timing, psychological pressure, and a believable story. That was almost enough. And perhaps that is the most disturbing part of all.

You do not need to be careless to be deceived. You only need to be a little busy.

Would you like to know how prepared your organization is against attacks like this? Reach out for a no-obligation conversation.

Sources

  • Norwegian National Security Authority – Fundamental Principles for ICT Security (Norwegian only)
  • Digital Security Act (Norwegian only)
  • NIS2 directive (EU) 2022/2555
