Payment Security 101
Learn about payment fraud and how to prevent it
As the threat of cybercrime continues to escalate in Australia, greater awareness and preventative measures are crucial. According to the latest Annual Cyber Threat Report 2021-2022, the Australian Cyber Security Centre recorded a staggering 76,000 cybercrime reports, representing a 13% increase from the previous financial year.
With an alarming rate of one cybercrime report made every seven minutes, it’s clear that the problem is only getting worse.
As a CFO, you understand the potential for cyber attacks to hurt your business, whether it’s financial losses or reputational damage. To mitigate those risks, it’s vital to implement robust security measures and educate your employees on best practices by promoting a strong anti-cyber-crime culture.
In our cyber-crime statistics, we delve into the current state of cyber-crime in Australia, along with cyber-criminals’ most common tactics. By staying informed on the latest trends and statistics, you can equip your business with the necessary tools to protect against potential cyber threats.
Over the 2021-2022 financial year, Australia saw an increase in sophisticated cyber threats such as extortion, corporate espionage and fraud. Reports rose to one every 7 minutes, compared with one every 8 minutes in the previous financial year.
Over 67,500 reports were filed from 2020 to 2021, a 13% increase compared to 2019. That equates to one cyber attack reported every 8 minutes, compared with one every 10 minutes in 2019.
The highest average reported losses were by victims in the Northern Territory (over $40,000 per cybercrime report). The most frequently reported cybercrime categories were online fraud (27%), online shopping (14%) and online banking (13%), alongside a growing number of ransomware attacks.
Protecting a business against cyberattacks can impact the relationship between the company and its customers. Therefore, as cybercrime becomes more sophisticated, businesses will have to stay one step ahead, even if that means increasing defence mechanisms with employees and processes.
Cybercrime is becoming increasingly sophisticated, and Log4Shell, a flaw in the widely used Log4j logging library, is a perfect example. This obscure but nearly ubiquitous piece of software is found on millions of computers, and the flaw left it wide open to attack. The researchers who discovered it define a cyberattack attempt as a single isolated cyber occurrence that could sit at any point in the attack chain.
During the COVID-19 pandemic, cybercrime increased drastically, by 600%, affecting all types of businesses. In this critical period, cybercriminals have amplified their impact by targeting exposed employees who are working remotely.
In the ACSC Annual Cyber Threat Report 2022, medium-sized businesses had the highest average loss per cyber crime. Small to medium businesses should follow the ACSC’s advice for ransomware, business email compromise, and other cyber threats. This will allow them to better understand and combat sophisticated cyber threats.
Despite the increase in cybercrime statistics reported in Australia, UNSW Canberra cyber security expert Mr Phair estimates that only about one-fifth of the actual amount of online crime is reported. In 2022, the ACSC identified Russia’s war against Ukraine as one of the cyber security trends of the 2021-2022 financial year: Russia had used malware designed to destroy data and prevent computers from booting.
Mr Phair states: “We spend so much of our time online, particularly via mobile smart devices, that the internet has become a fabric of our work and social lives.” With so much cybercrime in the Australian economy, attackers are becoming more sophisticated, making prosecution challenging.
The aftermath of a cybersecurity incident can have far-reaching and long-lasting impacts on a business. Beyond direct financial losses, the costs include reputational damage, legal liability, system repairs and more. It’s important for CFOs to understand the risks and have procedures in place to manage cybersecurity events.
This can include investing in cybersecurity infrastructure, having a comprehensive incident response plan and maintaining regular communications with stakeholders.
According to Cybersecurity Ventures, the global annual cost of cybercrime is predicted to reach $8 trillion USD in 2023. Compounding this is the rising cost of damages resulting from cybercrime, which is expected to reach $10.5 trillion by 2025.
Some of the reasons that explain the uplift of cybercrime are:
Nationally, the average loss per successful business email compromise (BEC) attack increased to over $64,000. Most BEC reports came from Queensland (389 reports); however, average self-reported financial losses were highest in Western Australia, at approximately $112,000 per report.
One real scam report received by the ACCC illustrates this: a business was defrauded by email after its supplier’s mailbox had been hacked. The invoice carried updated payment details, so the owners believed they were paying the genuine supplier and lost $190,000.
BEC is a popular technique that organisations face regularly. Cybercriminals use it to impersonate senior executives and deceive employees into revealing confidential information such as financial details and login credentials. The compromise of a single employee mailbox can be the prelude to a major ransomware attack.
Any type of scam can be costly, both financially and emotionally. But some scams are more harmful than others. Business email compromise (BEC) scams, for example, caused the highest losses across all scam types in 2019, according to the ACCC’s Targeting Scams report. BEC scams occur when a scammer intercepts a legitimate invoice and changes the payment details to include their fraudulent information.
In 2020, scam victims reported the biggest losses to business email compromise. Employees are not always aware that a scam is under way, and as these scams grow and business losses mount, the ACCC reports that “real losses will be even higher”.
According to the State of the Phish report, 83% of survey respondents said their organisation experienced at least one successful email-based phishing attack in 2021, a 46% increase over 2020. Ransomware is a type of malicious software (malware) that can be used in these attacks.
According to the latest data from Scamwatch, Australians have been losing more than $100 million each month to financial scams. Report numbers remain comparatively low, with 16,446 scams reported this March, down 10% on February’s total.
AP departments continued to be the most susceptible to BEC attacks in 2022. It’s critical that your AP team is equipped with knowledge of email scams, how to identify them and how to respond. In 2023, cybercriminals also have the advantage of AI tools to craft sophisticated email scams. Without updating your employee security training program, your business could be at risk.
B2B payments fraud is on the rise in 2023, with more than 70% of firms experiencing fraud attacks, up on the previous year. Since the pandemic, cybercriminals have taken advantage of remote-working employees by sending emails that appear to come from a known source such as their manager or CFO.
This type of technique can be tricky to spot; managers should look to improve security awareness training through workshops and detection tools.
BEC attacks have become harder to detect and increasingly convincing over the years, making it easier for attackers to deceive even the most diligent accounts payable teams. The psychology behind such attacks relies heavily on creating fear or a sense of urgency. It’s important that AP teams have clear procedures in place, such as verifying the authenticity of requests and never clicking unknown links or attachments.
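The verification procedure described above, as an added example that is not part of the original page: an accounts payable screen that holds any invoice whose payee details differ from the vendor master (or arrive from an unknown sender domain) until the change is confirmed by a callback to the number already on file. The supplier name, domain, BSB and account numbers are constructed.

```python
from dataclasses import dataclass, field

def _norm(s: str) -> str:
    return "".join(ch for ch in s if ch.isalnum())  # '062-000' compares equal to '062 000'

@dataclass(frozen=True)
class BankDetails:
    bsb: str        # Australian branch code, e.g. '062-000'
    account: str
    def key(self) -> tuple[str, str]:
        return _norm(self.bsb), _norm(self.account)

@dataclass
class Vendor:
    bank: BankDetails               # payee details held on the vendor master
    sender_domains: frozenset       # e-mail domains this supplier invoices from
    callback_verified: set = field(default_factory=set)  # changes confirmed by phone callback

@dataclass
class Invoice:
    vendor: str
    sender_email: str
    bank: BankDetails

def screen_invoice(inv: Invoice, vendors: dict[str, Vendor]) -> tuple[str, str]:
    """Return ('pay', reason) or ('hold', reason); a hold is cleared only by callback."""
    vendor = vendors.get(inv.vendor)
    if vendor is None:
        return "hold", "vendor not on master file"
    domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    if domain not in vendor.sender_domains:
        return "hold", f"sender domain {domain} not on file for {inv.vendor}"
    # The domain check alone is not enough: in the ACCC case above the supplier's genuine
    # mailbox was hacked, so the payee details on the invoice are what decide the outcome.
    if inv.bank.key() == vendor.bank.key():
        return "pay", "payee details match vendor master"
    if inv.bank.key() in vendor.callback_verified:
        return "pay", "payee details changed but confirmed by callback"
    return "hold", "payee details differ from vendor master; verify by callback"

# Constructed sample data; the supplier, domain and account are not real.
VENDORS = {"ACME Supplies": Vendor(BankDetails("062-000", "12345678"),
                                   frozenset({"acme-supplies.example"}))}

def run_samples() -> list[str]:
    """Genuine invoice, tampered payee details, and a look-alike sender domain."""
    invoices = [
        Invoice("ACME Supplies", "ap@acme-supplies.example", BankDetails("062 000", "12345678")),
        Invoice("ACME Supplies", "ap@acme-supplies.example", BankDetails("062-000", "99999999")),
        Invoice("ACME Supplies", "ap@acme-suppl1es.example", BankDetails("062-000", "12345678")),
    ]
    return [screen_invoice(i, VENDORS)[0] for i in invoices]  # ['pay', 'hold', 'hold']
```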
Identity crime is a major concern for governments around the world. The Australian Institute of Criminology released findings from an annual survey showing that identity theft and misuse remain high in Australia.
Identity theft is a serious issue that can lead to financial losses for victims. Identity theft is caused by criminals who steal personal information and use it to take over your finances or manipulate you into giving away sensitive data like passwords. In Australia, identity theft has resulted in major financial losses.
Financial loss from identity theft can be difficult for businesses to recover from. The difficulty lies in determining how much they are owed, what expenses need to be paid, and when those payments should happen relative to their income levels before the crime occurred.
According to the Australian Intelligence Commission, identity theft has cost businesses in Australia around $36 billion annually.
The misuse of personal information has been rising for years, and in 2019 it was identified as one of the top methods cybercriminals used to obtain sensitive data. Recent surveys found that victims had between 1 and 23 different types of personal information misused, including mobile phone numbers and email addresses.
According to cybercrime statistics, personal fraud was already on the rise back in 2015, sitting at 8%. There are other common types of fraud, though: card fraud was reported to be the most common type of fraud committed by criminals.
Personal fraud was prevalent in Australia in 2020-21. Personal fraud is any activity between two individuals in which one person exploits the other for their own gain. Statistics indicate that most incidents were reported to a bank or financial institution.
Phishing is the act of using fake websites or malicious emails to gather personal information such as passwords, typically so that someone else, such as a hacker, can access your email account. In Australia in 2021, 71,299 phishing scams were reported.
When it comes to phishing, no one is safe. Email networks are now riddled with cybercrime as more people get their information via email. The most common subject lines in phishing emails were “urgent”, “request”, “important”, “payment” and “attention”.
Nearly all (96%) of fraudulent emails come as incoming messages, with 3% coming from malicious websites and just 1% from phone calls or text messages (vishing).
The scammers took advantage of the pandemic to con unsuspecting people, according to a new report from Australia’s ACCC. Australians lost over $851 million in 2020 alone. This forces businesses to tighten their security measures for employees who are remote working.
The latest research from Proofpoint shows that Australian organisations are being hit hard when it comes to cyber-attacks. Australians are more likely to be successfully phished than people in other countries like the United States, the United Kingdom, and Japan. 92% of Australians have experienced some form of phishing in the last year.
According to the ACCC, scammers are becoming more sophisticated and it only takes one click to fall victim to a phishing scam.
Research conducted by Avast has reported that phishing scams can come in the form of email, phone, or text messages. With more and more people receiving their information through email, the risk of being tricked into giving up sensitive data increases daily.
Stephen Kho, cybersecurity expert at Avast, says they have seen phishing attacks increase to almost 6,000 per month on average.
In 2020, phishing scams hit a record high in Australia, affecting SMEs. Unfortunately, phishing emails are easy to create: fraudsters can pretend to be important individuals or business entities, relying solely on a user clicking for the scam to succeed.
According to Newswire, phishing attacks climbed to a new record high in Q2 2022. OpSec Security found that the financial sector, including banks, was hit hardest by phishing attacks. John Wilson, senior fellow, threat research at HelpSystems, said: “Ninety-five percent of the threats found in enterprise user inboxes in Q2 were either credential threat or response-based attacks.”
The top 5 reporting sectors for ransomware attacks accounted for 47% of all ransomware-related cybercrime. This is the work of top-tier organised ransomware groups that continue to target large, high-profile or high-value Australian organisations. Their tactic combines data encryption with threats to publish stolen data, known as ‘double extortion’.
In a recent study, it was found that ransomware victimisation was significantly higher among males in their lifetime. This is likely due to the fact that males are more likely to engage in risk-taking behaviour, such as downloading pirated software or clicking on malicious links.
Ransomware attacks can cause significant financial losses for victims, as they may be unable to access their critical files or data until the ransom is paid. In some cases, victims have also reported that their personal information has been stolen as a result of ransomware attacks.
Other than the education and training sector, targeted sectors included information media and telecommunications (10%), professional, scientific and technical services (10%), government (8%), and health care and social assistance (8%). Ransomware likely remains significantly under-reported because of fear of public disclosure, embarrassment, or lack of awareness.
During the 2020-21 financial year the ACSC observed a significant increase in ransomware attacks, with almost 500 reports of this type of cyber attack. The high proportion of attacks was largely driven by the COVID-19 pandemic, especially as larger organisations began implementing working from home.
Ransomware can be difficult to recover from because it often requires businesses to pay a ransom to get the decryption key. In addition, businesses may not be able to operate normally while their systems are encrypted. This can lead to lost productivity and breach cost.
Ransomware can also cause reputational damage to businesses. This damage can be difficult to repair, and it may make it difficult for businesses to attract customers and partners.
According to cybercrime statistics, not all businesses report cyber security incidents, especially ransomware attacks. The ACSC’s advice to businesses on paying a ransom is that you shouldn’t: paying does not guarantee your files will be returned or restored, nor does it prevent the publication or sale of any stolen data.
Ransomware is becoming increasingly prevalent around the globe. As ransomware attacks are becoming more and more sophisticated it is estimated that such attacks can happen every 11 seconds to businesses no matter the size. Businesses must take action in focusing on increasing their information security and security protocols to prevent ransom attacks.
The COVID-19 pandemic has resulted in a sharp increase in ransomware attacks, which highlights the importance of having robust cybersecurity measures in place.
Organisations must ensure their systems are regularly updated and adequate backups are in place so they can recover quickly from an attack, and must invest in their people, processes and technology.
Cybercrime is any criminal activity that involves using computers, mobile devices or other electronic devices for purposes such as fraud and theft. Cybercriminals use digital devices to attain access to a user’s personal information.
Cybercrime is a serious issue that individuals and businesses are still struggling to combat. There are many different types of cyber crimes and they all continue evolving, such as business email compromise, business identity theft, ransomware, malware, phishing, social engineering, phone scams & more.
According to the Australian Cyber Security Centre (ACSC), Australian organisations have reported a total loss of more than $33 billion from cybercrime from the 2020-21 financial year.
CFOs have a fiduciary duty to safeguard their organisation’s finances. With cyber-crime representing an increasingly significant risk to those finances, it’s important to implement digital controls. Beyond direct financial loss, cyber-crime can increase insurance premiums, affect credit rating and valuation, disrupt business operations, damage reputation and hurt cash flow.
A sub-committee of the board should be established with all relevant executives to ensure comprehensive staff training programs, appropriate policies and internal controls, and technologies are adopted organisation-wide to help prevent losses from cyber-crime.
In most cases, cyber criminals’ objective is financial gain from either individuals or businesses. This is achieved by gaining access to data such as financial information (credit cards, invoices, bank details), company information (emails, usernames, passwords) and more.
End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.