
AI made cybercriminals fluent in Estonian. So what’s your move?

Johanna Kadri Kuusk

When we talk about cybersecurity in Estonia, we often forget that it’s not only about systems and servers. It’s about people. And 2025 showed this clearly.

Last year, we had 10,185 cyber incidents that actually affected someone, meaning a system was interrupted or someone was financially harmed. Of those, 2809 were phishing cases, and 4524 were scamming incidents in which people were tricked into giving away their passwords, eID PIN codes, and account access. Altogether, the Estonian people lost around 29 million euros. And the victims were across the board—not only older adults, but also owners of big companies and very successful business people. 

Why did this jump happen? One reason is the expansion and training of AI. When you use AI, you can scam more people with less effort—AI does some of the work for you. But the bigger point is this: Estonians used to think of their language as a protective barrier. For years, you could detect scammers because their Estonian was full of grammatical mistakes. Our language is small, spoken by just over a million people, and that used to shield us. But today, AI speaks Estonian quite correctly and fluently. People don’t always know whether the person on the other end is real or a robot. And when the conversation moves to messages or emails, it becomes even more difficult to tell. 

And this leads to fear. I had a conversation with my seamstress recently. She is a woman in her 60s. Interestingly, nothing harmful had happened to her. She had received strange calls and messages before, but she detected the lies early on. So far, she had even been confident enough to cuss them out or joke around with the scammers. What triggered her fear was not her own experience—it was everything around her. Stories from friends and family, harmful cases she read about in the media, and especially seeing a well-known Estonian influencer almost give away all of her money. It was a very close call, and the lifestyle influencer only realised her mistake at the very last moment. That story shook my seamstress. She told me that after hearing these examples, she is considering reverting to the old ways—going to public offices in person instead of using mobile versions of electronic ID—because she no longer feels confident. 

“I don’t mind taking a walk to the local office, if I need to,” she told me, and added that at her age, she has enough time to do so.

Fear spreads fast. It spreads through conversations in friend groups and families, through social media posts, and through media coverage. And as someone with a background in journalism, I know that negative things pique people’s interest. What we are doing wrong right now is that every negative example gets attention, but we don’t pair it with lessons on how to avoid making the same mistake. People hear what went wrong, but not how to be smarter. 

What we definitely do not want is withdrawal from digital services. We do not want people going back to paper. We do not want people to lose trust in the digital state. For me, this is not a theoretical point—it is simple. Our digital state and its safety are the one big thing our country has. And if we ourselves do not believe in this system, then who else will? About a month ago, in a meeting with Estonia’s leading cybersecurity specialists, one sentence stayed with me: “If you fall under an attack, the worst thing you can do is take a step back.” If we revert to doing things on paper, we are proving that the digital tools we have used so far were not safe, and that is not true. The Estonian digital system has worked very successfully. We need to adapt to new circumstances.

So how do we fix this? I see two options. The first stems from the citizen-centric mindset that has guided Estonia’s digital society from day one. Service providers must do more to keep the environment safe, and we know that around 50% of this is done by the private sector. This includes public institutions responsible for electronic identities, telcos, private banks, and financial institutions. And the good thing is that we are already seeing changes. SmartID has had an improved version since 2026 that adds an extra step to identifying yourself, making it more difficult for scammers to steal it. We are seeing discussions about telcos blocking scamming calls and messages before they reach people. Banks are considering temporarily withholding large transactions to allow the account owner to reconfirm. These steps matter.

The second option is education. You are as weak as your weakest link, and if our people do not know how to detect scammers early, that weakness will be exploited. We need to continue campaigns and maintain a strong information flow on keeping your data, PIN codes, and passwords safe. Last year’s numbers show that basic digital hygiene is still lacking in some areas. So we need to increase our efforts—and make sure educational messages are at least as loud as the negative examples people see online. This helps prevent harmful incidents, reduces people’s fear, and increases our confidence that we are tech-savvy and capable of checking whether the caller is a scammer or a real official. 

Estonia has always adapted. This is simply the next moment in which we must update our systems and habits.  

 

Written by
Johanna-Kadri Kuusk
Johanna-Kadri Kuusk is a Digital Transformation Adviser at the e-Estonia Briefing Centre. Previous experience in journalism has built her fascination with the discourse between a digital state and its people.
