Cyber criminals getting more innovative, attack businesses with weakest defences
It’s a tough battle to stay ahead of online scammers who are constantly thinking of new ways to scam and attack businesses. And even though cyber criminals don’t differentiate between organisations, small to medium businesses are often more vulnerable because they tend to have less security in place.
According to a report by the Australian Competition and Consumer Commission (ACCC), financial losses among businesses due to scams rose by 80% last year to around $3.1 billion.
Businesses losing money
According to the ACCC report:
- Businesses submitted 3,857 scam reports in 2022 with reported losses of $23.2 million.
- Small and micro businesses reported losses of $13.7m across 2,019 reports.
- Small and micro businesses were more likely to report losses to phone or email scams, and payment was mostly made by bank transfer ($10.8m).
Common cyber crimes
According to Westpac Head of Financial Crime Insights Ben Young, scammers’ approaches are becoming more sophisticated as they adopt the latest technologies, and AI-driven bots are being widely used to increase activity scale.
He says “business email compromise” scams are behind the biggest losses to businesses in 2022.
“One is ‘spoofing’ or CEO impersonation, where an employee gets an email that looks like it's from their own CEO, CFO, or another senior manager, asking them to make a payment to a third party on behalf of the business and the employee feels compelled to act on it immediately,” he says.
“Alternatively, an organisation’s payroll team may receive an email that looks like it's legitimately from an employee asking them to redirect their salary into a new account.
“Bigger losses come from invoice fraud or false billing, where an expected invoice arrives by email that looks legitimate, but in fact the scammer has intercepted it and made small changes to the invoice – like editing the BSB and account number so payment will land in their own account. The reason these scams work is because the invoice is expected, looks legitimate and comes from the correct email address.
“The scammer will often have compromised the organisation’s email system and so it will come from the ‘real’ email, making it harder to spot as a scam, although sometimes it’s from an email very similar to the real one.”
Peta O’Brien, Westpac Institutional Bank’s Managing Director Client Engagement in Global Transaction Services, says scams are most successful in organisations with the weakest defences.
“This includes those that don’t have robust upfront due diligence on their supplier or payee details, and those with people who react to urgent messages for payments from senior executives,” she says.
“Scammers rely on urgency to have victims take action without checking.
“It’s a volume game for criminals – they’ll bombard as many targets as possible expecting that a proportion will be successful – and the scale is growing.”
How can businesses stay protected?
Young says to get your cyber protection “up as much as you can”, including switching on two-factor verification if you’re using a system such as Microsoft Office 365.
Staff education is also paramount.
“Train your employees on the risks of email compromise and phishing, and on how not to react to urgent payment requests. Taking time to check thoroughly will be worth it,” he says.
O’Brien says it is important to have robust supplier and payee governance processes upfront, including independent follow-up checks. Businesses should also develop processes for payment requests and authorisations; email should not be one of the options.
“Always verify the payment details on an invoice – to do so, don’t use the phone number given on an invoice, rather locate it independently such as on the business’s official website,” she says.
“If you’re sending or receiving documents with sensitive information, use a secure method – rather than a PDF attachment – to reduce risk if your emails are hacked.”
Collaboration will be key
Catriona Lowe, ACCC Deputy Chair, says it is going to take “genuine effort, resources and collaboration” to fight online criminals.
“There is a real opportunity for business to lead the way by implementing meaningful change that has real and effective outcomes for Australians,” she says.
The Federal Government has committed $58m to ACCC for a National Anti-Scam Centre (NASC) which will bring together government, regulators, industry, and consumer groups. The collective expertise is expected to share intelligence, disrupt scams, empower consumers, and find real solutions to reduce the losses to scams.
“We have received strong feedback that increased coordination of anti-scam efforts across government, the finance and telecommunications sectors and digital platforms would make a significant impact on the fight against scams. This will be the NASC’s focus,” Lowe says.
“Put simply, we need solutions that stop scammers reaching consumers and make it harder for them to get access to money from the bank accounts of ordinary Australians.”