The State of Cyber Fraud Defence
Cybercrime continues to rise around the globe and an organisation's finance team is often the primary target. While companies try to protect themselves on top of their day-to-day work, cybercriminals have unlimited time and resources to keep trying to find the cracks.
Foreword
A note from Mark Chazan, Chief Financial Officer, Eftsure
Finance leaders are in an unfair arms race. They’re under constant siege from cybercriminals who – with unlimited time and vast resources – only need to be successful once, whereas organisations’ internal controls and defences need to stop every attempt, despite limited resources and time.
That’s why, in partnership with BrandHook, Eftsure sought to understand exactly how finance professionals are approaching this landscape and whether they’re equipped to fight a rising scourge.
We found reasons for optimism – but also some concerning vulnerabilities. Though 98% of Chief Financial Officers (CFOs) feel that cybercrime is increasing globally, many respondents say they aren’t deploying critical anti-fraud controls and defensive measures. There’s also no clear authority for owning digital fraud prevention or reporting it if it does occur.
Fortunately, most professionals foresee anti-fraud investments and upgrades on the horizon. To make sure those investments pay off, leaders will need to bring accounting and cybersecurity approaches closer together under a unified cyber-crime strategy. Using collaborative approaches both inside and outside our organisations, we can make our business communities safer.
Executive summary
Despite bigger losses, bigger threats, and growing fears among finance professionals, financial process vulnerabilities and ambiguous ownership may be hampering organisations’ cyber-crime defences.
Almost all of these risks are even more pronounced in small business. However, many respondents say they’re already working with their IT and security teams to strengthen defences, and most anticipate increased investments in anti-fraud controls.
To maximise these efforts, finance leaders will likely need to communicate more explicit ownership over digital fraud prevention and drive a unified cyber-crime strategy.
1. Finance professionals see cyber-crime as a growing concern.
An overwhelming majority believe cyber-crime is increasing globally, while nearly half say their payment security concerns are more pronounced than last year. More than half (60%) are concerned about fraud going undetected, and 10% report fraud events occurring within the past three years.
2. Confidence in anti-fraud controls despite vulnerabilities.
While 62% express confidence in their current controls, many are not using critical anti-fraud measures, such as call-back controls or verbal verifications.
3. Lack of clarity around digital fraud prevention ownership.
Uncertainty (28%) is the most common response when asked who owns digital fraud defences, suggesting responsibility is unclear within many organisations.
4. Few leveraging dedicated tech solutions but expecting greater investment.
Only 17% are using dedicated B2B payment security software, but most expect increased investments and control upgrades in the coming years.
About this report
Eftsure + BrandHook
This report was developed in partnership with BrandHook.
The research was conducted via an online survey targeting finance professionals regarding cybersecurity and anti-fraud practices.
Market sample: N=500 AU (all working in finance/accounting), recruited via an external panel partner, incentivised participation.
Eftsure database sample: N=65 recruited via email, without incentives.
1. The threat landscape
Finance professionals share well-founded fears: cyber-crime really is on the rise

These perceptions are supported by government data:
- $224M lost by Australian businesses to payment redirection schemes in 2022, according to the ACCC.
- 73% increase in reported business scams in Australia over the past year.
- 23% increase in New Zealand scam reports in Q4 2023, with financial losses rising by 66% (CERT NZ).
Instances of payment fraud appear to be underreported, contributing to underestimated business impacts.
What is payment fraud and why is it a growing threat?
Payment fraud—also known as invoice redirection fraud or business email compromise (BEC)—occurs when scammers trick organisations into making legitimate payments into fraudulent accounts.

Key contributing factors include:
- Advances in tech (e.g., AI-generated content, deepfakes)
- Larger attack surfaces due to hybrid working models
- Global accessibility for cybercriminals
- Increased availability of stolen data from breaches
2. Views of cyber-crime
Finance professionals see cyber-crime as a growing threat – but less so within their own organisations
90% of finance professionals believe cybercrime is rising globally, with 82% expressing concern about major breaches such as the Medibank or Latitude events.
Key statistics:
- 98% of CFOs feel cybercrime is increasing globally.
- 60% are concerned about undetected cyber-fraud within their businesses.
- 62% have confidence in their internal control systems.

3. Ownership and responsibilities
There’s ambiguity around anti-cyber-crime responsibilities
Responsibility for digital fraud prevention is often unclear. While some respondents cite CFOs and CTOs, a large proportion are unsure.

Top authorities reported for fraud incidents:
- Bank (51%)
- State/territory police (30%)
- Not sure (27%)
- Australian Cyber Security Centre (24%)
- ASIC (19%)
Note: Only 11% of scam losses are reimbursed by banks (ASIC).
4. Defence: anti-fraud processes
Control procedures have key vulnerabilities
Less than half of respondents use verbal verifications, and many do not use segregation of duties. Visibility into control compliance remains limited, especially for smaller businesses.

5. Defence: strategy and investments
Current strategies are mixed but investments are expected to rise
Although fewer than half are using dedicated technology solutions, over half of finance professionals plan to upgrade anti-fraud controls in the next three years.

Top barriers to adopting payment security tech:
- 34% believe existing controls are sufficient
- 23% cite budget constraints
- 22% cite prioritisation of other security investments
Bigger risks for smaller businesses?
Small businesses often have fewer resources, making them more vulnerable. Respondents from companies with 2–19 employees were least likely to anticipate anti-fraud investments.

Conclusion
While progress is evident, vulnerabilities remain
Practical ways to strengthen anti-fraud defences now:
- Develop a unified cyber-crime strategy led by the CFO.
- Incorporate key anti-fraud controls like segregation of duties and call-back verification.
- Enhance security hygiene via MFA, strong passwords, and training.
- Continuously pressure-test existing controls to adapt to evolving threats.
Panel sample demographics
Australia sample (N=500)
- Accountants (28%)
- Finance managers (26%)
- CFOs (9%)
- Financial advisors (6%)
- Auditors (5%)
- Controllers (4%)
- AP managers (5%)
- Other (18%)
Company size:
- 500+ employees (33%)
- 200–500 employees (9%)
- 50–199 employees (18%)
- 20–49 employees (14%)
- 5–19 employees (17%)
- 2–4 employees (9%)
Region:
- QLD (16%)
- NSW/ACT (36%)
- VIC (27%)
- TAS (2%)
- SA (9%)
- WA (10%)
- NT (1%)
Gender: 57% female, 43% male.
