See if your information has been exposed in a data breach with our latest free tool Check Now
Cyber crime

Australians face cyber attacks every six minutes, says ASD

Shanna Hall
4 Min
anonymous figure at laptop

The Australian Signals Directorate (ASD) has released its latest annual threat report, warning that cybercrime in Australia is more frequent than last year and that an attack occurs every six minutes on average. The report reveals a 23% increase in cybercrime reports, totalling around 94,000 in the past financial year. There’s also been a 32% surge in calls to the ASD hotline compared to last year.

For businesses, the average cost of cybercrime per report has risen by 14% since last year’s report. The average cost is now roughly $71,600 for large businesses, $97,200 for mid-size businesses and $46,000 for small businesses.

Don’t have time to read the full report? Keep reading to get a snapshot of the most critical findings for finance and AP teams.

Businesses continue to haemorrhage money thanks to email fraud and BEC

While scammers have been targeting Australian individuals through identity fraud and online shopping fraud, businesses are more likely to be targeted through other means.

Top 3 cybercrime types for businesses 

  1. Email compromise
  2. Business email compromise (BEC) fraud
  3. Online banking fraud


This underscores that business email compromise (BEC) attacks and social engineering remain some of the most common tactics for swindling AP and finance teams. Malicious actors will target organisations and try to scam them out of money or information, often by impersonating trusted senders. BEC attacks may also involve a scammer infiltrating and weaponising a business email address, typically sending out spear-phishing emails to clients and customers for information or payment.

These risks are growing more frequent and more expensive. From 2022 to 2023, the self-reported BEC losses to ReportCyber totalled nearly $80 million. There were over 2,000 reports made to law enforcement through ReportCyber of BEC that led to a financial loss. On average, the financial loss from each BEC incident was over $39,000.

Data breaches create risks that can last indefinitely

BEC and email fraud aren’t the only risks to AP teams, though. ASD has noted the prevalence of data breaches in the past financial year and warned that these still pose ongoing risks through fraud and scams, even after the initial breach. Data breaches were the third most common incident type, rising from 7% of all cybersecurity incidents to 13% compared to last year.

We’ve spoken previously about how data breaches make their way back to finance teams when scammers use stolen data to craft more efficient targeting and tactics. Although cybercriminals can do a lot of damage with surprisingly little information, the ASD report also lists financial data as the third most common type of information exposed in a breach.

“Data stolen by cybercriminals typically ends up on the dark web marketplaces where it can be shared, bought, and sold by other malicious cyber actors. Malicious cyber actors can also piece together seemingly innocuous information like an email address, a date of birth, or a phone number to target someone for spear phishing, fraud, or to leverage that person to gain other privileged accesses and information.

“Once exposed, some data can be used in perpetuity for future crime, particularly in cases of identity theft, blackmail, or extortion. A victim’s real name and home address can be difficult to change, unlike stolen credentials which are easily updated.”

ASD Cyber Threat Report 2022-2023

Ransomware is increasingly common (and devastating)

As for ransomware, ASD has dubbed it “the most destructive cybercrime threat” this financial year. It recorded 118 ransomware incidents, which is around 10% of all cybersecurity incidents.

A quarter of these reports involved confirmed data exfiltration, where the cybercriminal extorts the target for both data decryption and a promise not to publish the data. In other words, it would be like if someone stole your passport and demanded you pay money to give it back – and also charged extra in exchange for their promise not to scan the passport and share it widely on the internet.

How to mitigate cybercrime risks

ASD emphasises that many businesses and individuals are at risk due to unpatched software, with some threat actors launching attacks within hours. It reiterates the importance of implementing the Essential Eight as part of your mitigation strategy.

The report also suggests a few other controls that could lower your risk of falling victim. For finance leaders, the most relevant of those controls are:

  • Use multi-factor authentication (MFA)
  • Enforce strong password policies
  • Mandate training to help staff recognise phishing or social engineering tactics

AP and finance professionals are frequent cybercrime targets since they tend to be the gatekeepers of an organisation’s finances. While strong security strategies and good cybersecurity hygiene can help protect your entire organisation, finance leaders also need to think of ways to establish or strengthen the final guardrails that can stop a scammer from stealing what most of them are after: your money.

To do this, finance teams should take the following steps.

  • Develop or refine a unified cybercrime strategy. In a recent survey, we found that only half of organisations employ a cybercrime strategy developed in collaboration with IT or security. A CFO-led strategy can align your financial controls and cybersecurity strategy, ensuring there are no gaps for criminals to exploit.
  • Strengthen and test your financial controls. Eftsure has found that over 40% of organisations aren’t using segregation of duties policies, and even fewer are using call-back controls. Update these critical controls and then regularly pressure-test them to see how they stand up against evolving cyber threats.
  • Cultivate a security culture. Staff need to be regularly updated on the latest in cyber risks and scam tactics, but you also need a culture in which people feel comfortable speaking up when something doesn’t look right. That means encouraging them to come forward if they think they might have already clicked the wrong link or given information to the wrong person.
Your free guide to strengthening controls and lowering cyber risks
As cybercrime evolves and adapts, so must your financial controls. Download the free guide to start building stronger defences today.

Related articles

Cyber crime

Where does cybercrime come from?

Where does cybercrime originate? A private investigator, along with a world-first study into cybercrime origins, reveals who is behind common types of cyber attacks.

Read more

The new security standard for business payments

Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.