
Cyber Brief for CFOs: May 2024

Shanna Hall

Each month, the team at Eftsure monitors the headlines for the latest accounts payable (AP) and security news. We bring you all the essential stories in our cyber brief so your team can stay secure.

Firstmac hack exposes bank accounts, credit card info

Mortgage lender Firstmac has been warning customers about a data breach for several weeks, but the extent of the stolen data might be bigger than initially communicated. A cyber attack has exposed customers’ names, contact details, dates of birth, bank account information, driver’s licenses, Medicare numbers and credit card details. 

The breach affected former customers whose data was retained for years after leaving Firstmac. Like the Latitude Financial hack, the incident raises questions about data security and maximalist approaches to storing customer information – especially since financial services providers are often required by law to keep customer records for a certain amount of time. There’s always been a tension between seamless user experiences and mitigating cyber threats, but the regulatory aspect complicates that tension even more. 

For finance leaders, the issue is a little more straightforward: ill-gotten financial data can be a boon for scammers, so be on high alert for any suspicious messages or vendor requests. 

WPP CEO targeted in deepfake scam 

WPP, the world’s largest advertising firm, joins a growing list of organisations that scammers have targeted using deepfakes.

Its CEO, Mark Read, was the target of a scam involving an AI voice clone and YouTube footage. Using a publicly available image, fraudsters created a WhatsApp account in Read’s name and set up a Microsoft Teams meeting with another WPP executive. They then impersonated Read off-camera via the meeting’s chat window. 

The scam aimed to solicit money and personal details. While ultimately unsuccessful, Read warned of the increasing sophistication of such attacks and WPP confirmed this attempt was thwarted thanks to staff vigilance.

Anti-scam highlights in the 2024-25 Federal Budget

There’s been plenty of chatter about the 2024-25 Federal Budget, especially with respect to cost-of-living relief efforts. But the government is also allocating $67.5 million over the next four years to combat scams and online fraud. 

A significant portion of this funding – $37.3 million, to be exact – will go towards establishing a Scams Code Framework. The framework will mandate codes of practice for different industries to address scams on their platforms and services. Much of the scrutiny will focus on digital platforms like social media and search engines, especially search advertising and direct messaging. 

The previous budget allocated similar funding, including the creation of the National Anti-Scam Centre. And efforts seem to be paying off, with the Australian Competition & Consumer Commission (ACCC) recently announcing a 13% decline in reported losses. However, those are losses across the entire Australian population – by contrast, businesses saw a 27% increase since 2022.

Next steps for the government’s Digital ID

Speaking of the 2024-25 Federal Budget, it also contains a cool $288.1 million for the government’s Digital ID scheme. Enabling legislation has passed parliament and will be in effect in November of this year. 

The private sector can join within two years, and a digital wallet pilot will invite expressions of interest from businesses. Amendments ensure participation is voluntary, and deactivation of digital IDs is protected. The ACCC will be in charge of regulating Digital IDs, with the Information Commissioner overseeing privacy protections. 

Survey: cybercriminals likely to benefit more from generative AI than legitimate organisations

Only a third of firms have implemented safeguards against generative artificial intelligence (AI) threats despite widespread adoption, according to a survey by analytics giant Splunk. The bottom line? Some analysts are predicting that generative AI will likely favour attackers across the short-to-medium term. 

Surveying security executives in the US, Japan, the UK, France, Germany and four other countries, Splunk found that 93% say they use generative AI but 34% don’t have a generative AI policy in place. A worrying 65% of respondents admit to not fully understanding the implications of generative AI, while adoption outpaced best practices across 16 industries. 
