The Australian Signals Directorate (ASD) has released its latest annual threat report, warning that cybercrime in Australia is more frequent than last year and that an attack occurs every six minutes on average. The report reveals a 23% increase in cybercrime reports, totalling around 94,000 in the past financial year. There’s also been a 32% surge in calls to the ASD hotline compared to last year.
For businesses, the average cost of cybercrime per report has risen by 14% since last year’s report. The average cost is now roughly $71,600 for large businesses, $97,200 for mid-size businesses and $46,000 for small businesses.
Don’t have time to read the full report? Keep reading to get a snapshot of the most critical findings for finance and AP teams.
While scammers have been targeting Australian individuals through identity fraud and online shopping fraud, businesses are more likely to be targeted through other means.
Top 3 cybercrime types for businesses
This underscores that business email compromise (BEC) attacks and social engineering remain some of the most common tactics for swindling AP and finance teams. Malicious actors will target organisations and try to scam them out of money or information, often by impersonating trusted senders. BEC attacks may also involve a scammer infiltrating and weaponising a business email address, typically sending out spear-phishing emails to clients and customers for information or payment.
These risks are growing more frequent and more expensive. From 2022 to 2023, the self-reported BEC losses to ReportCyber totalled nearly $80 million. There were over 2,000 reports made to law enforcement through ReportCyber of BEC that led to a financial loss. On average, the financial loss from each BEC incident was over $39,000.
BEC and email fraud aren’t the only risks to AP teams, though. ASD has noted the prevalence of data breaches in the past financial year and warned that these still pose ongoing risks through fraud and scams, even after the initial breach. Data breaches were the third most common incident type, rising from 7% of all cybersecurity incidents to 13% compared to last year.
We’ve spoken previously about how data breaches make their way back to finance teams when scammers use stolen data to craft more efficient targeting and tactics. Although cybercriminals can do a lot of damage with surprisingly little information, the ASD report also lists financial data as the third most common type of information exposed in a breach.
“Data stolen by cybercriminals typically ends up on the dark web marketplaces where it can be shared, bought, and sold by other malicious cyber actors. Malicious cyber actors can also piece together seemingly innocuous information like an email address, a date of birth, or a phone number to target someone for spear phishing, fraud, or to leverage that person to gain other privileged accesses and information.
“Once exposed, some data can be used in perpetuity for future crime, particularly in cases of identity theft, blackmail, or extortion. A victim’s real name and home address can be difficult to change, unlike stolen credentials which are easily updated.”
As for ransomware, ASD has dubbed it “the most destructive cybercrime threat” this financial year. It recorded 118 ransomware incidents, which is around 10% of all cybersecurity incidents.
A quarter of these reports involved confirmed data exfiltration, where the cybercriminal extorts the target for both data decryption and a promise not to publish the data. In other words, it would be like if someone stole your passport and demanded you pay money to give it back – and also charged extra in exchange for their promise not to scan the passport and share it widely on the internet.
ASD emphasises that many businesses and individuals are at risk due to unpatched software, with some threat actors launching attacks within hours. It reiterates the importance of implementing the Essential Eight as part of your mitigation strategy.
The report also suggests a few other controls that could lower your risk of falling victim. For finance leaders, the most relevant of those controls are:
AP and finance professionals are frequent cybercrime targets since they tend to be the gatekeepers of an organisation’s finances. While strong security strategies and good cybersecurity hygiene can help protect your entire organisation, finance leaders also need to think of ways to establish or strengthen the final guardrails that can stop a scammer from stealing what most of them are after: your money.
To do this, finance teams should take the following steps.
Everything you need to know about the ClubsNSW data breach and how to protect yourself, your loved ones and your business.
How can you minimise insider threats without compromising culture? Find out 5 ways to do exactly that.
Crypto scams refer to any fraudulent practice in the cryptocurrency space aimed at tricking individuals into investing or giving away assets or …
End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.
