Cyber Brief for CFOs: February 2024

Each month, the team at Eftsure monitors the headlines for the latest accounts payable (AP) and security news. We bring you all the essential stories in our cyber brief so your team can stay secure.

AI scams ramp up as control procedures lag

In countries like the US and India, there’s been an increase in media reports of AI-enabled scams – particularly voice conversion scams, in which a fraudster clones a real person’s voice to deceive a target. Not only are Australia and New Zealand already common targets for scammers, but a recent McAfee study revealed that nearly half (47%) of Aussies admitted they would not be able to differentiate an AI-generated message from one created by a human. While McAfee’s findings were focused on romance scams and the results were self-reported (we’d wager that 47% would be much higher if they weren’t self-reported), it speaks to a huge vulnerability.

Yet many businesses still rely on financial control procedures that predate widespread access to generative AI, raising the question: are Australia and New Zealand about to become even softer targets for international scammers in the new era of AI-enabled scams?

Five telcos called out for facilitating scam messages

The Australian Communications and Media Authority (ACMA) has censured five telecommunications companies for allowing millions of SMS messages to be sent without proper scam checks. The regulator says these companies – including Message4U, SMS Broadcast, DirectSMS, Esendex Australia, and MessageBird – failed to comply with anti-scam regulations, enabling scammers to impersonate reputable brands and government services. 

Collectively, these breaches contributed to Australians losing over $25 million to SMS scams last year. Additionally, ACMA says the telcos failed to supply customer data to the Integrated Public Number Database, crucial for emergency services. ACMA has directed these companies to adhere to industry codes, with potential penalties of up to $250,000 for non-compliance.

HWL Ebsworth injunction may offer breach blueprint

After the massive HWL Ebsworth data breach, which impacted 62 government agencies, the firm’s unusual request for an injunction may offer a blueprint for future breaches at professional services firms. 

The move suppressed reporting on the leaked data, mitigating (but not eliminating) some of the worst consequences for clients whose sensitive and confidential information was included in the breach. As part of its review of the hack, the National Office of Cyber Security noted that the step enabled “better support to impacted clients,” suggesting it might be one avenue available in the office’s forthcoming playbook for future breaches. 

Booking.com scams jumped 580% in last year

Scams involving Booking.com swelled by over 580% last year, causing losses above $337,000, as reported by the Australian Competition and Consumer Commission (ACCC). 

The ACCC recorded 363 scam reports related to Booking.com in 2023, a significant rise from 53 the previous year. Booking.com acknowledged that phishing emails targeting their accommodation partners led to unauthorised account access, allowing fraudsters to impersonate accommodations. Despite this, Booking.com assures that its backend systems remain secure and that impacted accommodations represent a minor portion of its platform. The ACCC advises users to verify suspicious emails independently and use two-factor authentication for added security. 

Consumer advocates (again) call for scam loss compensation

Not for the first time, consumer advocacy groups in Australia are urging the federal government to mandate banks to reimburse customers scammed through no fault of their own, mirroring upcoming regulations in the UK. The calls come amid a significant rise in scam losses, which soared to over $3 billion in 2022, marking an almost 80% increase from the previous year according to the Australian Competition and Consumer Commission (ACCC). 

A joint submission by Choice, the Consumer Action Law Centre, and the Australian Communications Consumer Action Network argues for stringent measures against banks to preempt scams. It calls for a “presumption of reimbursement” for victims, including financial penalties for non-compliance. The Australian Banking Association has expressed concerns, suggesting that such a model could attract even more criminal activities to Australia and arguing that the UK model has made it a target for international fraudsters. 

Two-thirds of QLD councils have serious cyber vulnerabilities, says report

A 2023 report by the Queensland Auditor-General says there are significant cybersecurity weaknesses across two-thirds of the state’s 77 councils. It found 113 security system deficiencies, including 47 unresolved from previous audits and 66 new issues. Forty-five councils have at least one IT system deficiency, and 14 have had significant, unresolved deficiencies for over a year. Plus, a quarter of councils have not provided the mandatory cybersecurity training from previous recommendations.

The report stresses the urgent need for councils to address these vulnerabilities to reduce the risk of cyber-attacks, personal information loss, service disruptions and reputational damage. However, our guess is that QLD councils are hardly the only organisations with major vulnerabilities – both public and private organisations often struggle to rally the appropriate amount of resources and energy needed to truly fortify their cyber defences.