
The State of Cyber Fraud Defence

Cybercrime continues to rise around the globe and an organisation’s finance team is often the primary target. While companies try to protect themselves on top of their day-to-day work, cybercriminals have unlimited time and resources to keep trying to find the cracks. 

Foreword

A note from Mark Chazan, Chief Financial Officer, Eftsure

Finance leaders are in an unfair arms race. They’re under constant siege from cyber-criminals who – with unlimited time and vast resources – only need to be successful once, whereas organisations’ internal controls and defences need to stop every attempt, despite limited resources and time.

That’s why, in partnership with BrandHook, Eftsure sought to understand exactly how finance professionals are approaching this landscape and whether they’re equipped to fight a rising scourge.

We found reasons for optimism – but also some concerning vulnerabilities. Though 98% of Chief Financial Officers (CFOs) feel that cyber-crime is increasing globally, many respondents say they aren’t deploying critical anti-fraud controls and defensive measures. There’s also no clear authority for owning digital fraud prevention or reporting it if it does occur.

Fortunately, most professionals foresee anti-fraud investments and upgrades on the horizon. To make sure those investments pay off, leaders will need to bring accounting and cybersecurity approaches closer together under a unified cyber-crime strategy. Using collaborative approaches both inside and outside our organisations, we can make our business communities safer.

Executive summary

Despite bigger losses, bigger threats, and growing fears among finance professionals, financial process vulnerabilities and ambiguous ownership may be hampering organisations’ cyber-crime defences.

Almost all of these risks are even more pronounced in small business. However, many respondents say they’re already working with their IT and security teams to strengthen defences, and most anticipate increased investments in anti-fraud controls.

To maximise these efforts, finance leaders will likely need to communicate more explicit ownership over digital fraud prevention and drive a unified cyber-crime strategy.

1. Finance professionals see cyber-crime as a growing concern.

An overwhelming majority say they believe cyber-crime is increasing globally, while nearly half of respondents say their payment security concerns are more pronounced than last year.

More than half (60%) say they’re concerned about fraud going undetected in their business, while 10% say they’re aware of one or more fraud events actually occurring in their organisation within the past three years.

2. Most respondents say they have confidence in their anti-fraud controls despite process vulnerabilities.

In contrast to perceptions of growing threats, most (62%) say they have confidence in their current controls to protect against cyber-crime.

Yet sizeable portions of respondents say they’re not using critical anti-fraud measures, such as call-back controls (or verbal verifications).

3. There is a lack of clarity around who is responsible for digital fraud prevention.

When it comes to owning digital fraud defences, the most common response is uncertainty (28% are unsure). While CFOs are more likely to see themselves as responsible for digital fraud prevention, the lack of clear responsibility may be compounding organisations’ weaknesses. Similarly, there was no clear authority for reporting cyber scams, which could be contributing to underreporting and scattered data.

4. Few are leveraging a dedicated technology solution but most anticipate greater anti-fraud investments.

While only 17% say they’re using dedicated B2B payment security software, two-thirds of finance professionals expect to upgrade their existing controls and 54% expect bigger investments in anti-fraud controls.

About this report

Eftsure + BrandHook

This report was developed in partnership with BrandHook.

It was administered through an online survey (10-12 minutes) designed to gather insights from those working in finance departments and their views on cybersecurity and anti-fraud practices.

Eftsure is publishing this report to draw attention to ongoing challenges in payment security and to better understand businesses’ security posture against payment fraud.

See appendix for sample demographics.

Market sample: N=500 AU (All work in finance / accounting department) recruited via external panel partner. Participation was incentivised.

Eftsure database sample: N=65 recruited via email. Participation not incentivised.

1. The threat landscape

Finance professionals share well-rounded fears: cyber-crime really is on the rise.

Statistics showing finance professionals are growing increasingly aware and concerned about cyber-crime.

These perceptions and experiences are consistent with government data.

Cyber scams that target Australian and New Zealand businesses are indeed growing in both cost and frequency, as evidenced by the figures below.

$224M lost to payment redirection schemes in 2022 from Australian businesses, according to the ACCC.

73% increase in the reported number of business scams in Australia in the last year. The number of attacks is growing year-on-year.*

23% increase in NZ scam reports from Q4 2023, and a 66% increase in financial losses.* The number of scam reports is ticking upwards.

Instances of payment fraud appear to be underreported, and the lasting effects on a business are often underestimated.

Australia’s $224 million reported losses in 2022 only include incidents reported to Scamwatch, ReportCyber and the AFCX. Survey responses in Section 3: Ownership & responsibilities shed some light on the issue, with little consensus among finance professionals regarding where to report scams.

What is payment fraud and why is it a growing threat?

While many scams target individual consumers, payment fraud is the most common business-related scam, according to the ACCC’s Scamwatch.

Payment fraud – also known as invoice redirection fraud or business email compromise (BEC) – is a type of scam in which fraudsters manipulate or deceive individuals into redirecting legitimate payments to the wrong account.

It often involves the following elements:

Eftsure's four key components of payment fraud.

Like other types of cyber-crime, there are multi-faceted reasons behind the uptick in payment fraud.

Tech advances and power to steal identities

Scammers leverage technological advances to refine tactics and scale up. Generative artificial intelligence (AI) is playing an outsized role, with tools like ChatGPT quickly producing professional-sounding messages and deepfake technology making impersonation harder and harder to detect.

Larger attack surfaces

Hybrid working and geographically dispersed teams bring many benefits, but they also create a larger attack surface for cyber-criminals to target. As ways of working become more digital, legitimate organisations’ cyber vulnerabilities will grow in tandem.

Ability to transcend geography

The benefits of digital working go both ways: organised cyber-criminals can target organisations from anywhere in the world. Not only does this make it easier to target advanced economies, but it makes investigation and prosecution notoriously difficult.

A growing pool of ill-gotten data

As cyber-criminals continue to use data breaches to demand ransom payments from organisations, there’s a growing amount of stolen data available on the dark web for other cyber-criminals and scammers to weaponise.

2. Views of cyber-crime

Finance professionals see cyber-crime as a growing threat – but less so within their own organisations.

Concerns about cyber-crime and data breaches are massive, with a whopping 90% of respondents – especially CFOs – saying they feel cyber-crime is increasing globally. This majority softens once respondents are asked about confidence in their own organisation’s defences, though it’s still noteworthy that six in 10 are worried about undetected fraud.

98% of CFOs feel cyber-crime is increasing globally.

82% are very concerned about incidents like those at Medibank or Latitude.

Respondents also correctly identify threats like phishing and BECs as top threats, though there’s less awareness about emerging threats like AI-generated deepfakes.

60% agree/strongly agree with the statement “I am concerned about cyber-crime/fraud going undetected in my business”

62% agree/strongly agree with the statement “I have great confidence in the financial control systems we have in place to protect against cyber-crime/fraud”

CFOs say the number one perceived cyber threat is phishing emails

3. Ownership & responsibilities

There’s ambiguity around anti-cyber-crime responsibilities, both internally and externally.

Responses reveal a lack of clarity when it comes to who is responsible for digital fraud prevention in their organisations. While some see the responsibility as belonging to both the CFO and the Chief Technology Officer (CTO), more than a quarter (28%) say they don’t know who is chiefly responsible for digital fraud mitigation.

This ambiguity extends to external authorities. Of those who say they experienced and reported fraud, there is no clear single authority for reporting, with most reporting to their bank and a large minority of respondents saying they were unsure.

Survey results showing “unsure” as the most common answer on who is responsible for digital fraud prevention

Similarly, when asked “who in your company is chiefly responsible for accounting software integrity?” 27% of respondents said CFO while 23% said CTO.

We also asked survey respondents to identify where fraud is reported. Among those who experienced fraud in the last three years, the top five responses were:

  1. Our bank (51%)
  2. State/territory police (30%)
  3. Not sure (27%)
  4. Australian Cyber Security Centre (ACSC) (24%)
  5. Australian Securities and Investments Commission (ASIC) (19%)

Interestingly enough, although bank reports ranked highest, only 1 in 10 scam losses result in bank reimbursement. 

Banks are the first port of call for most respondents, but a variety of barriers can complicate banks’ support for scam victims.

Across three banks for whom data was available, ASIC found that banks provided reimbursement and/or compensation in roughly 11% of the cases where there was a scam loss.*

4. Defence: anti-fraud processes

Control procedures have key vulnerabilities, and there’s limited visibility into whether they’re being followed.

Despite more than half of respondents expressing confidence in their control procedures’ ability to prevent cyber-crime, many are not using critical controls. Fewer than half are using verbal verifications and one-third aren’t using segregation of duties procedures. Even among those using verbal verifications, many are skipping important steps such as sourcing the phone number from an independent third-party source.

While larger organisations tend to have less visibility into whether these procedures are being followed, smaller organisations are even more vulnerable in that they’re significantly less likely to use a broad range of critical anti-fraud controls.

CFOs reveal their current anti-fraud procedures


BECs and controls that counter them

In a business email compromise (BEC) attack, also called a payment redirection scheme, scammers use email to impersonate an employee, supplier or other trusted contact and manipulate an AP officer into paying a legitimate-looking invoice into an account the scammer controls.

This vulnerability is significant because banks do not reconcile the payee name on a transfer against the account and bank state branch (BSB) number: a payment to the right supplier name but the wrong account still goes through. Technical cybersecurity measures on their own are not a panacea either, because this type of payment fraud leverages:

  1. AP staff error, and/or
  2. The weaponisation of a different organisation’s email accounts or systems, which your IT or security team cannot control.

Protecting against this tactic requires two especially vital controls.

Segregation of duties, used by only 59%:

Segregating duties ensures that no single employee has total control over any process, mitigating an organisation’s risks of internal fraud, external fraud and human error.

Call-back controls, used by only 46%:

Also called verbal verifications, call-back controls involve calling and verbally confirming bank details with a supplier before authorising an EFT payment. Because the confirmation comes over a channel separate from the email that carried the request, this reduces fraud risk even if a malicious actor has breached a supplier’s email account or manipulated an invoice.

Since scammers can supply their own contact number on a fraudulent invoice or email, and can also intercept or spoof phone calls, there are a few ways to maximise this control’s efficacy. Fewer than half of respondents are using each of them:

  • 41% source the supplier’s phone number independently, rather than from the invoice or email
  • 38% initiate the call themselves via an outbound line, rather than accepting an inbound “confirmation” call
  • 37% ask open-ended questions during the call, rather than reading the new details out for the supplier to agree with
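To make these two controls concrete, the following is an added worked example for this report (it is not Eftsure’s software and is not taken from the survey). It models a supplier bank-detail change that cannot be approved by the person who entered it (segregation of duties) and cannot be applied without a recorded outbound call-back to an independently sourced number, then refuses to release a payment whose invoice details differ from the verified supplier record, since the bank will not do that name-to-account check. The supplier, staff names, phone numbers and bank details are constructed, and the set of accepted phone-number sources is an assumption.

```python
"""Segregation of duties + call-back verification for supplier bank-detail changes.

Added illustration, not Eftsure's product code. All supplier, staff and bank
details are constructed; INDEPENDENT_SOURCES is an assumed policy choice."""
from dataclasses import dataclass
from typing import Callable, Optional

# Where a phone number may legitimately come from for a call-back. A number
# printed on the invoice or in the email requesting the change is NOT trusted:
# whoever wrote that email also chose that number. (Assumed policy.)
INDEPENDENT_SOURCES = {"master_record", "signed_contract", "prior_verified_call"}


@dataclass
class SupplierRecord:
    name: str
    bsb: str
    account: str
    verified_phone: str  # number sourced independently of any invoice or email


@dataclass
class Callback:
    called_by: str
    number_dialled: str
    number_source: str       # one of INDEPENDENT_SOURCES, or e.g. "invoice"
    outbound: bool           # AP placed the call; an inbound "confirmation" does not count
    details_confirmed: bool  # supplier confirmed the new BSB/account in their own words


@dataclass
class ChangeRequest:
    supplier: str
    new_bsb: str
    new_account: str
    requested_by: str
    callback: Optional[Callback] = None


class ControlViolation(Exception):
    """A required anti-fraud control was not satisfied."""


def check_callback(master: SupplierRecord, req: ChangeRequest) -> None:
    """Reject the change unless a proper call-back to the known-good number is recorded."""
    cb = req.callback
    if cb is None:
        raise ControlViolation("no call-back recorded for bank-detail change")
    if cb.number_source not in INDEPENDENT_SOURCES:
        raise ControlViolation(f"number sourced from '{cb.number_source}', not an independent source")
    if cb.number_dialled != master.verified_phone:
        raise ControlViolation("number dialled does not match the verified number on file")
    if not cb.outbound:
        raise ControlViolation("verification must be an outbound call placed by AP")
    if not cb.details_confirmed:
        raise ControlViolation("supplier did not confirm the new bank details")


def approve_change(master: SupplierRecord, req: ChangeRequest, approver: str) -> SupplierRecord:
    """Apply a bank-detail change only if segregation of duties and call-back controls pass."""
    if req.supplier != master.name:
        raise ControlViolation("change request is for a different supplier")
    # Segregation of duties: the person who entered the request cannot approve it.
    if approver == req.requested_by:
        raise ControlViolation(f"segregation of duties: {approver} requested and approved the change")
    check_callback(master, req)
    # The verified phone number is kept; the email asking for the change never gets to replace it.
    return SupplierRecord(master.name, req.new_bsb, req.new_account, master.verified_phone)


def release_payment(master: SupplierRecord, invoice_bsb: str, invoice_account: str, amount: float) -> dict:
    """Banks don't match payee name to BSB/account, so AP must: pay only the verified record."""
    if (invoice_bsb, invoice_account) != (master.bsb, master.account):
        raise ControlViolation("invoice bank details differ from the verified supplier record")
    return {"payee": master.name, "bsb": master.bsb, "account": master.account, "amount": amount}


def violation(fn: Callable, *args) -> Optional[str]:
    """Run a control and return its violation message, or None if it passed."""
    try:
        fn(*args)
    except ControlViolation as exc:
        return str(exc)
    return None


# Constructed scenario: a BEC email asks AP to pay into a "new" account and
# helpfully supplies a phone number on which to "confirm" the change.
ACME = SupplierRecord("Acme Pty Ltd", "062-000", "12345678", "+61 2 9000 0000")
BEC_REQUEST = ChangeRequest("Acme Pty Ltd", "033-000", "99999999", "alice",
                            Callback("alice", "+61 4 0000 0000", "invoice", True, True))
# Same request, but the call-back went to the number on file and Acme said "we changed nothing".
CAUGHT_REQUEST = ChangeRequest("Acme Pty Ltd", "033-000", "99999999", "alice",
                               Callback("bob", ACME.verified_phone, "master_record", True, False))
# A genuine change, confirmed by Acme on the number already on file.
LEGIT_REQUEST = ChangeRequest("Acme Pty Ltd", "063-000", "87654321", "alice",
                              Callback("bob", ACME.verified_phone, "master_record", True, True))

if __name__ == "__main__":
    print(violation(approve_change, ACME, BEC_REQUEST, "alice"))     # segregation of duties
    print(violation(approve_change, ACME, BEC_REQUEST, "bob"))       # number came from the invoice
    print(violation(approve_change, ACME, CAUGHT_REQUEST, "bob"))    # supplier denied the change
    updated = approve_change(ACME, LEGIT_REQUEST, "bob")
    print(violation(release_payment, ACME, "063-000", "87654321", 15000.0))  # not yet on record
    print(release_payment(updated, "063-000", "87654321", 15000.0))
```

The order of checks matters in practice: the phone-number source is tested before the dialled number, so an AP officer who rang the number on the invoice gets told why that is wrong rather than just that the numbers differ, and the request the supplier denies on a genuine call-back is the one this control exists to catch.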

5. Defence: strategy & investments

Current anti-fraud strategies and solutions are mixed, but most professionals indicate plans to invest in uplift.

Finance professionals are using a variety of anti-fraud strategies, but only 17% are using dedicated B2B payment security software. Despite the gaps in existing control procedures, many respondents cite those controls as “sufficient” reason to forgo a dedicated payment protection solution.

These approaches leave room for improvement but, hearteningly, over half say they’re planning to make larger investments in anti-fraud controls and two-thirds plan to upgrade their controls within the next three years.

Survey results for CFOs current payment security technologies

Survey respondents said the top 3 barriers to using dedicated payment security software include:

  • 34% believe their existing controls are sufficient
  • 23% noted budget constraints
  • 22% stated it’s not a top priority compared to other security investments

However, 54% said they plan to invest in anti-fraud controls in the next 3 years.

Bigger risks for smaller businesses?

With fewer resources and smaller teams, emerging businesses are often stretched thin.

This can make them softer targets for cyber-criminals and fraudsters – especially since respondents from small organisations (2-19 employees) were the least likely to strongly anticipate investments or upgrades for current anti-fraud controls.


Conclusion

Although many finance professionals indicate positive steps – such as working closely with security teams or planning greater investments in anti-fraud measures – serious vulnerabilities remain.

Luckily, there are practical ways to build anti-fraud defences right now.

  1. Develop a unified cyber-crime strategy, driven by the CFO. Even if this is already part of an organisation’s anti-fraud approaches, most organisations will benefit from tighter alignment with cybersecurity strategies. This strategy should encompass people, processes and technology. 
  2. Incorporate key anti-fraud controls. Control procedures like segregation of duties and call-back controls are some of the best defences against scammers. Standardising and automating parts of these processes helps ensure that staff don’t cut corners, intentionally or unintentionally.
  3. Double-down on security hygiene. Implement multi-factor authentication (MFA) on all accounts whenever possible, starting with email, banking and accounting systems, since a compromised mailbox is the usual starting point for payment redirection. Ensure passwords are complex and never duplicated or shared. Regular staff training can keep your team alert and aware of security best practices. 
  4. Pressure-test existing controls. Fraudsters tend to be highly organised and aware of internal processes. Even if you already have existing controls in place, they need to be continuously pressure-tested to see how they stand up against evolving cyber threats.

Appendices

Panel sample demographics

AUSTRALIA (N=500)

We surveyed a total of n=59 AU and n=6 NZ Eftsure contacts, recruited without being incentivised.

We surveyed a total of n=500 AU respondents, externally recruited via BrandHook’s independent panel partner. Respondents were incentivised for their participation.

Respondents’ roles:

  • Accountants (28%)
  • Finance Manager (26%)
  • CFO (9%)
  • Financial Advisor (6%)
  • Auditor (5%)
  • Controller (4%)
  • AP Manager (5%)
  • Other (18%)

Company size:

  • 500+ (33%)
  • 200-500 (9%)
  • 50-199 (18%)
  • 20-49 (14%)
  • 5-19 (17%)
  • 2-4 (9%)

Region (Australia only):

  • QLD (16%)
  • NSW/ACT (36%)
  • VIC (27%)
  • TAS (2%)
  • SA (9%)
  • WA (10%)
  • NT (1%)

Gender:

  • Female (57%)
  • Male (43%)
