Despite the Australian business community’s efforts in the fight against online criminals, financial losses among businesses due to scams rose by a hefty 73 per cent last year, according to the competition and consumer regulator, the ACCC.
The risk is high on the agenda of most organisations – in fact, cybercrime edged into the top 10 most severe risks over the next decade in this year's Global Risks Report by the World Economic Forum, now rated higher than the risk of geoeconomic confrontation.
But it’s a tough battle to stay ahead of the ever-inventive tactics and sophisticated tools used by bad actors.
In this Q+A, Westpac’s Head of Financial Crime Insights Ben Young, and Westpac Institutional Bank's Managing Director Client Engagement in Global Transaction Services Peta O’Brien, touch on some reasons for the financial scams boom, the evolving tactics gaining traction and tips on how to counter them.
What’s behind the jump in financial losses to cybercrime among Australian businesses?
Young: Scams went up across the board last year – the ACCC reported Australians lost more than AUD 3.1 billion to scams during 2022 – and that includes businesses. It’s frighteningly common to see single cases in which a business loses in the hundreds of thousands of dollars.
Scammers’ approaches are becoming more sophisticated as they adopt whatever new technology becomes available, and AI-driven bots are being widely used to proliferate the scale of activities.
O’Brien: It’s a volume game for criminals – they’ll bombard as many targets as possible expecting that a proportion will be successful – and the scale is growing.
Causing the highest losses to businesses last year were “business email compromise” scams. How have these evolved?
Young: A few different scams fall under this umbrella, and they keep evolving.
One is ‘spoofing’ or CEO impersonation, where an employee gets an email that looks like it's from their own CEO, CFO, or another senior manager, asking them to make a payment to a third party on behalf of the business and the employee feels compelled to act on it immediately.
Alternatively, an organisation’s payroll team may receive an email that looks like it's legitimately from an employee asking them to redirect their salary into a new account.
Bigger losses come from invoice fraud or false billing, where an expected invoice arrives by email that looks legitimate, but in fact the scammer has intercepted it and made small changes to the invoice – like editing the BSB and account number so payment will land in their own account. The reason these scams work is that the invoice is expected, looks legitimate and comes from the correct email address.
The scammer will often have compromised the organisation’s email system and so it will come from the “real” email making it harder to spot as a scam, although sometimes it’s from an email very similar to the real one.
What are the most common mistakes opening businesses up to these scams?
O’Brien: Scams are typically most successful in organisations with the weakest defences – including those that don’t have robust upfront due diligence on their supplier or payee details, and those with people who react to urgent messages for payments from senior executives. Scammers rely on urgency to have victims take action without checking.
Young: Not following a new-supplier call-back process is a common mistake. Another is that the business actually becomes the source of the email breach. You need to be aware of the scam, both as someone paying invoices as well as someone sending invoices, and make sure that your emails are not being compromised so you unwittingly become the source of fake invoices.
What other scam tactics should businesses be alert to?
Young: We’ve recently seen an explosion in phone number spoofing, where a scammer sends a text message or makes a call and the number displayed for the target looks like it’s from a trusted organisation. But we’re also seeing quite positive movement in response, with the Federal Government bringing in anti-SMS scam rules, and tasking the Australian Communications and Media Authority to help set up an SMS sender ID register as a blocking list to stop bad actors from impersonating trusted brands.
Remote access scams are also affecting businesses – the second highest cause of financial losses – where employees are unwittingly convinced to give remote control of their computer to a scammer who then infiltrates business systems, including accessing corporate banking accounts.
O’Brien: Another big one relates to customer refunds, where a person buys a product or service, then a scammer impersonates them and asks the seller for a refund to a different account. One of the big tips here is to always refund to the account from whence they came – for example, if someone pays you with a credit card, refund them to that same credit card account.
BIN attacks are another one to watch, where a criminal will take the first numbers of a stolen credit card, known as the Bank Identification Number, and use AI to make small online transactions through a business’ website as they test various number combinations for the last digits to see which ones work.
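The card-testing pattern O’Brien describes is visible in a merchant’s own payment-gateway logs: one BIN, many different card tails, tiny amounts, mostly declined, all inside a short window. The script below is an added example written for this page, not code from Westpac or the interviewees; the log format, field names and thresholds are assumptions, and the log lines are constructed samples.

```python
"""Detect card-testing ("BIN attack") patterns in payment-gateway logs.

Added illustration, not code from Westpac or the interviewees: the log format,
field names and thresholds are assumptions chosen for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample gateway log (not real transactions):
# <timestamp> <masked card number> <amount in cents> <result>
# The 411111 burst is the pattern to catch: one BIN, many different tails,
# tiny amounts, mostly declined. The 555555 lines are ordinary purchases.
SAMPLE_LOG = """\
2023-06-01T10:00:01Z 411111******1111 150 DECLINED
2023-06-01T10:00:03Z 411111******2222 150 DECLINED
2023-06-01T10:00:04Z 411111******3333 150 DECLINED
2023-06-01T10:00:06Z 411111******4444 150 APPROVED
2023-06-01T10:00:07Z 411111******5555 150 DECLINED
2023-06-01T10:00:09Z 411111******6666 150 DECLINED
2023-06-01T10:00:11Z 411111******7777 150 DECLINED
2023-06-01T10:00:12Z 411111******8888 150 DECLINED
2023-06-01T10:05:00Z 555555******9999 8999 APPROVED
2023-06-01T10:20:00Z 555555******1234 12000 APPROVED
"""


def parse_log(text):
    """Turn raw log lines into records sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pan, amount, result = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "bin": pan[:6],      # first six digits: the Bank Identification Number
            "tail": pan[-4:],    # the digits a card tester varies
            "amount": int(amount),
            "approved": result == "APPROVED",
        })
    records.sort(key=lambda r: r["ts"])
    return records


def detect_bin_attacks(records, window=timedelta(seconds=60), min_attempts=5,
                       max_amount=500, min_decline_rate=0.6):
    """Return one alert per BIN whose traffic looks like card testing.

    A BIN is flagged when, inside `window`, at least `min_attempts` distinct
    card tails are tried, every amount is at or below `max_amount` cents and
    the decline rate is at least `min_decline_rate`. The widest qualifying
    window per BIN is reported so the alert covers the whole burst.
    """
    by_bin = defaultdict(list)
    for r in records:
        by_bin[r["bin"]].append(r)

    alerts = []
    for bin_, recs in by_bin.items():
        best = None
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until the span fits in `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            tails = {r["tail"] for r in span}
            if len(tails) < min_attempts:
                continue
            if max(r["amount"] for r in span) > max_amount:
                continue
            declines = sum(1 for r in span if not r["approved"])
            rate = declines / len(span)
            if rate < min_decline_rate:
                continue
            if best is None or len(span) > best["attempts"]:
                best = {
                    "bin": bin_,
                    "attempts": len(span),
                    "distinct_tails": len(tails),
                    "declines": declines,
                    "decline_rate": round(rate, 3),
                    # cards that authorised during the burst: void/refund and report these
                    "approved_tails": sorted(r["tail"] for r in span if r["approved"]),
                    "first_seen": span[0]["ts"].isoformat(),
                    "last_seen": span[-1]["ts"].isoformat(),
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_bin_attacks(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log the 411111 burst is reported (8 attempts, 7 declines) while the two ordinary 555555 purchases are not. The thresholds are deliberately conservative defaults; a merchant would tune the window and decline rate to its own traffic and feed the alert into rate limiting or a velocity rule at the gateway.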
How else is artificial intelligence changing the dynamics?
Young: We’re starting to see more scams using ‘deepfake’ technology. A few years back, to create a fake video took quite expensive technology and sophisticated knowledge, but now they’re cheaper and much easier to produce, making it much more of a mass service for cybercriminals.
That means we’re seeing more videos impersonating prominent Australians who appear to be endorsing scam investment opportunities – this is by far the biggest scam type by dollar loss. Although investment scams tend to target individuals, we increasingly see people channelling funds from their business as well.
What can businesses do to protect themselves?
Young: Get your cyber protection up as much as you can, including switching on two-factor verification if you’re using a system like Microsoft Office 365.
Staff education is paramount – train your employees on the risks of email compromise and phishing, and on how not to react to urgent payment requests. Taking time to check thoroughly will be worth it.
Also move away from providing standard BSB and account numbers on invoices in favour of a PayID. Having a PayID is more secure because it allows a payer to verify the payee before a payment’s made.
O’Brien: Have robust supplier and payee governance processes upfront, including independent follow-up checks, and develop processes for how payments are requested and authorised within your business – email should not be one of these options.
Always verify the payment details on an invoice – to do so, don’t use the phone number given on an invoice, rather locate it independently such as on the business’ official website.
If you’re sending or receiving documents with sensitive information, use a secure method – rather than a PDF attachment – to reduce risk if your emails are hacked.
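The invoice-fraud pattern described earlier (a tampered BSB and account number, sent from the real mailbox or a lookalike address) and the advice above (hold the payment, confirm details through a contact found independently, prefer PayID) can be turned into a simple accounts-payable gate. The code below is an added example for this page, not Westpac code or process; the register layout, invoice fields, the two-character lookalike threshold and every bank detail and phone number are constructed assumptions.

```python
"""Hold invoices whose payment details or sender differ from the vetted supplier register.

Added illustration, not Westpac code or process: the register layout, invoice
fields and the lookalike-domain threshold are assumptions for the example.
"""

# Constructed supplier register (sample values, not real bank details).
# The phone number was captured at supplier onboarding via call-back and is
# the only number used for verification; a number printed on an invoice is never used.
SUPPLIER_REGISTER = {
    "ACME-001": {
        "name": "Acme Pty Ltd",
        "domain": "acme-supplies.example",
        "bsb": "032-000",
        "account": "123456",
        "payid": "accounts@acme-supplies.example",
        "verified_phone": "+61 2 0000 0000",  # placeholder value
    },
}


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_invoice(invoice, register=SUPPLIER_REGISTER, lookalike_max=2):
    """Return OK when every detail matches the register, otherwise HOLD with reasons.

    A HOLD carries the registered call-back number so the payer confirms the
    change with the supplier out of band rather than by replying to the email.
    """
    supplier = register.get(invoice["supplier_id"])
    if supplier is None:
        return {"status": "HOLD",
                "reasons": ["supplier not in register: onboard with a call-back before paying"]}

    reasons = []
    sender_domain = invoice["sender_email"].rsplit("@", 1)[-1].lower()
    if sender_domain != supplier["domain"]:
        if edit_distance(sender_domain, supplier["domain"]) <= lookalike_max:
            reasons.append(f"sender domain {sender_domain} is a lookalike of {supplier['domain']}")
        else:
            reasons.append(f"sender domain {sender_domain} is not the registered domain")

    # PayID on the invoice is compared with the registered PayID; otherwise the
    # BSB/account pair must match exactly. Any change is held, even from a genuine mailbox.
    if invoice.get("payid"):
        if invoice["payid"].lower() != supplier["payid"]:
            reasons.append("PayID differs from the register")
    elif (invoice.get("bsb"), invoice.get("account")) != (supplier["bsb"], supplier["account"]):
        reasons.append("BSB/account differ from the register")

    if reasons:
        return {"status": "HOLD", "reasons": reasons, "call_back": supplier["verified_phone"]}
    return {"status": "OK", "reasons": []}


# Constructed invoices for the example.
GENUINE_INVOICE = {
    "supplier_id": "ACME-001",
    "sender_email": "accounts@acme-supplies.example",
    "payid": "accounts@acme-supplies.example",
}
TAMPERED_INVOICE = {
    "supplier_id": "ACME-001",
    "sender_email": "accounts@acme-suppiles.example",  # two letters swapped
    "bsb": "032-000",
    "account": "999999",                                # changed account number
}

if __name__ == "__main__":
    print(check_invoice(GENUINE_INVOICE))
    print(check_invoice(TAMPERED_INVOICE))
```

The genuine invoice passes; the tampered one is held for two reasons (lookalike domain, changed account) and the response points the payer at the registered phone number. Because the check compares against a register rather than trusting anything in the email, it also catches the case where the supplier's real mailbox has been compromised and the sender address is correct.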
Is cross-industry coordination helping slow the criminals?
Young: There’s always more to do, but good inroads have been made in working on scam and fraud management initiatives collaboratively across all parts of the ecosystem – including banks, social media platforms, telcos, and cryptocurrency providers.
Australian banks are also doing a lot behind the scenes, such as Westpac’s Verify feature that flags if there might be a name mismatch during a payment; and the industry’s fraud reporting exchange which will speed up communication around recovery of funds.
In the recent Federal Budget, it was great to see the Government announcing an AUD 58 million injection to set up the National Anti-Scam Centre, which will lift coordination even further.
Written by Emma Foster