2025–26 Federal Budget: What Australia’s Finance Leaders Need to Know
Discover key 2025–26 Budget updates on cyber, compliance & digital ID—what finance leaders need to know to protect payments and stay audit-ready.
Each month, the team at Eftsure monitors the headlines for the latest accounts payable (AP) and security news. We bring you all the essential stories in our cyber brief so your team can stay secure.
Several major Australian superannuation funds suffered suspected cyber attacks, with malicious actors using “credential stuffing” – that is, logging in with stolen passwords and user details – to access approximately 600 AustralianSuper member accounts and attempt fraudulent withdrawals. Members have reported account access issues, while University of Melbourne Academic Centre of Cyber Security Excellence professor Toby Murray told the ABC that the incidents illustrated a need for “proper anti-fraud technologies” within superannuation. CyberCX’s Chief Strategy Officer, Alastair MacGibbon, agreed in his comments to the ABC.
“We’ve all seen the banks really radically improve security… we need to do the same thing for super accounts. There needs to be proper anti-fraud technologies used by these super funds, and that’s the wake-up call that I think Australians should have today.”
See a full breakdown of what we know so far.
According to the National Anti-Scam Centre’s recently released 2024 report, Australian scam losses exceeded $2 billion, with businesses accounting for a quarter of victims. Payment redirection scams surged 66.6% to $152.6 million, while false billing scams cost Australians $27.8 million.
The report also revealed that fraudsters primarily target finance departments through email impersonation, phone calls and fake websites. It’s another data point indicating that traditional controls are increasingly insufficient, with scammers honing tactics like exploiting time pressures on the AP staff responsible for processing vendor payments.
VikingCloud research reveals that nearly one-fifth of small to medium-sized businesses would close following a successful cyberattack, with almost a third shutting down after incidents costing under $10,000.
The survey also revealed that, despite 60% of surveyed SMBs recognising they’re prime targets for cybercrime, many have significant defence gaps – 74% self-manage security or rely on untrained contacts, 33% use outdated technology, and 20% lack access altogether. Common vulnerabilities include weak passwords, insufficient data backups, and the absence of multi-factor authentication. Unfortunately, Eftsure found similar trends in our own research, with a significant portion of small businesses forgoing anti-fraud controls altogether.
What can we tell about the year ahead from the Australian Government’s 2025-26 Federal Budget? For starters, it emphasises cybersecurity and digital transformation, allocating $586.9 million to strengthen cyber resilience and $180.5 million for Digital ID implementation.
Other key developments include mandatory cyber incident reporting, enhanced e-invoicing infrastructure, and stricter ATO scrutiny of financial data. These measures signal a regulatory shift requiring finance leaders to prioritise secure payment controls, vendor verification and audit-ready processes to mitigate cyber risks. Learn more about how the federal budget intersects with finance and security.
It’s a common security misconception: if you’re informed and aware, you can always sidestep basic cybercrime and social engineering tactics. While awareness is certainly crucial and helps lower risks, the ugly truth is that anyone can fall victim to even the most basic tactics. It’s just a matter of being in the wrong place at the wrong time, since cybercriminals are playing a numbers game in which they have a massive advantage.
Case in point? Longtime internet security expert Troy Hunt fell victim to a phishing attack while jetlagged, resulting in the theft of approximately 16,000 records from his blog subscribers. The scammers sent a convincing email disguised as a notice from Mailchimp claiming his account had been flagged for spam. Sometimes expertise is no match for jetlag, but Hunt responded admirably, disclosing the breach just 34 minutes later.
Is AI finally taking cybercriminals’ jobs? Well, no, not really – but it might be making cybercriminals’ work even easier by helping them create autonomous phishing armies, which isn’t exactly comforting.
Symantec recently demonstrated how AI agents can automate phishing attacks by tasking OpenAI’s Operator with targeting someone in their organisation. Although initially refusing on ethical grounds, the AI complied when researchers claimed authorisation, exposing a significant vulnerability. Operator successfully located its target using public data, deduced a private email address, created a PowerShell script, and sent a reasonably convincing phishing email.