Businesses must account for EOFY scams

Annual tax reporting, quarterly business activity statements, contract renewals, budget updates and meetings with accountants and advisors - the frenzy of business activity around the end of the financial year (EOFY) requires a great effort from professionals and businesses.


But the period also presents abundant opportunities for cyber criminals to launch scams.


Busy professionals facing an influx of calls, messages and emails around EOFY are often under pressure to act on things quickly, potentially overlooking inconsistencies or unusual requests in correspondence. This creates the perfect environment for scammers to hijack communication and gain unauthorised entry to business networks and systems.

Ever-growing reliance on technology and digitised business processes brings convenience and efficiency, but it also expands the digital ‘attack surface’ available to cyber criminals and so further increases the risk.

For most companies it's a question of when - not if - your organisation will experience a cyber attack.

In recent times, scammers have turned their attention to business email compromise (BEC), targeting transactions and payment systems because of the ease with which they can intercept business correspondence.

Many of these compromised emails appear to represent existing suppliers, customers and even professional advisors such as accountants or lawyers and request changes to account or payment details.

BEC is effective at evoking a response or call to action without including infected links or attachments, which antivirus software, spam filters and the most observant recipients can detect.

In 2022–23, total BEC losses reported to the Australian Cyber Security Centre (ACSC) were almost $80 million, with more than 2,000 reports made to law enforcement. On average, the financial loss from each BEC incident was more than $39,000.

BEC is one of the most common scam types targeting Australian businesses and can involve a range of email, instant message, SMS and social media tactics to exploit business processes and relationships to scam victims out of money or goods.

Some of the most common BEC scams include:

  • Impersonation scams - scammers masquerade as lawyers, executives or even Australian Tax Office representatives, requesting changes to payment or account details.
  • Invoice scams - fake or altered invoices for goods and services are delivered on behalf of trusted suppliers, exploiting the busy accounting period.
  • Finance scams - official-looking correspondence regarding bank accounts, fees and fines, transactions, renewals, the Australian Securities and Investments Commission or myGov notifications.

Scammers also know they don’t need to target businesses directly and the impacts on businesses caught up in supply chain or third-party attacks can be just as debilitating.

Subcontractors and vendors in business supply chains present myriad opportunities for scammers looking to exploit legitimate business processes and relationships for financial gain.

Despite their best efforts to stay secure and protected against external threats, we often see business customers being caught out by BEC scams where criminals impersonate trusted business partners or long-term suppliers.

It doesn’t matter how robust an organisation’s security controls are, if they aren’t properly checking and validating email requests from all internal and external parties, they can easily fall victim to a BEC scam.

There are a few simple steps businesses can take to improve their security defences, including building a human firewall and making an organisation-wide “PACT” around security. PACT means:

Pause before sharing your sensitive information or actioning a request:

  • Does your organisation have an information classification approach?
  • Do employees understand what can be shared with whom and through which channels?
  • Before making a payment, take steps to ensure that the request is genuine. Be particularly careful when asked to make payment to an account you haven’t used before.

Activate two or more layers of security:

  • Turn on multifactor authentication (MFA) for important tools like remote access systems and resources including cloud services.
  • Control access to systems and information.
  • Apply checks and validation processes to accounts payable functions.
  • Apply a Virtual Private Network (VPN) to create an encrypted network connection.

Call out suspicious messages:

  • Staff need an easy way to report concerns so they can respond quickly to events.
  • Make sure employees know what to do if their device is lost or stolen or they experience a cyber or information security incident.
  • Consider reporting scams to Scamwatch to help the National Anti-Scam Centre disrupt scams, monitor trends and warn others about new and emerging scams.

Turn on automatic software updates:

  • Ensure your systems and applications, including VPNs and firewalls, are up to date with the most recent security patches, including devices staff use under a Bring Your Own Device (BYOD) arrangement.
  • Whitelist software – ensure staff only use approved software and applications.
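The "Pause" and "Activate" steps above come down to one control in practice: a payment request is checked against what the business already knows about the supplier, and anything that does not match is held for out-of-band verification using contact details on file rather than those in the message. The following is an added example of such an accounts-payable screening step, not code from ANZ or from the guide mentioned in this article. The supplier master file, the sample requests, the lookalike-domain threshold and the function and field names are all constructed for the illustration.

```python
"""
Added example (not ANZ's code or part of the original article): screen an
incoming payment request against a supplier master record before anyone acts
on it. Constructed data throughout; nothing here refers to a real supplier.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed supplier master file: what the business already holds on record.
# The phone number on file is the only channel used for call-back verification;
# a number supplied in the email itself is never used for that purpose.
SUPPLIERS = {
    "acme-stationery": {
        "email_domain": "acme-stationery.com.au",
        "bsb": "062-000",
        "account": "12345678",
        "phone_on_file": "+61 2 5550 0000",
    },
    "brightlegal": {
        "email_domain": "brightlegal.com.au",
        "bsb": "033-000",
        "account": "87654321",
        "phone_on_file": "+61 3 5550 0001",
    },
}


@dataclass
class PaymentRequest:
    """A request as it arrives at accounts payable (hypothetical structure)."""
    supplier_id: str
    sender_email: str
    bsb: str
    account: str
    amount: float
    is_new_payee: bool = False


@dataclass
class Decision:
    """hold=True means: do not pay until verified via `verify_via`."""
    hold: bool
    reasons: list = field(default_factory=list)
    verify_via: Optional[str] = None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, known: str, max_distance: int = 2) -> bool:
    """True when `domain` is not `known` but differs from it by only a few characters."""
    return domain != known and edit_distance(domain, known) <= max_distance


def screen_request(req: PaymentRequest, suppliers: dict = SUPPLIERS) -> Decision:
    """Compare the request with the master record and decide whether to hold it."""
    decision = Decision(hold=False)
    record = suppliers.get(req.supplier_id)
    if record is None:
        decision.hold = True
        decision.reasons.append("supplier not in master file; onboard and verify before paying")
        return decision

    decision.verify_via = record["phone_on_file"]

    # 1. Sender domain: exact match, lookalike (typo-squat), or unrelated.
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    known = record["email_domain"]
    if sender_domain != known:
        decision.hold = True
        if lookalike(sender_domain, known):
            decision.reasons.append(f"sender domain {sender_domain!r} is a lookalike of {known!r}")
        else:
            decision.reasons.append(f"sender domain {sender_domain!r} does not match {known!r} on file")

    # 2. Bank details: the classic BEC signal is a "new account" for an old supplier.
    if (req.bsb, req.account) != (record["bsb"], record["account"]):
        decision.hold = True
        decision.reasons.append("bank details differ from the supplier master record")

    # 3. First payment to a payee always gets a call-back, even if everything matches.
    if req.is_new_payee:
        decision.hold = True
        decision.reasons.append("first payment to this payee")

    return decision


if __name__ == "__main__":
    # Constructed samples: one genuine request and one that changes the account
    # details from a typo-squatted domain.
    samples = [
        PaymentRequest("acme-stationery", "accounts@acme-stationery.com.au", "062-000", "12345678", 1200.0),
        PaymentRequest("acme-stationery", "accounts@acme-stationary.com.au", "062-000", "99999999", 1200.0),
    ]
    for s in samples:
        d = screen_request(s)
        status = "HOLD" if d.hold else "OK"
        print(f"{status:4} {s.sender_email} -> {'; '.join(d.reasons) or 'matches record'}"
              + (f" (verify on {d.verify_via})" if d.hold and d.verify_via else ""))
```

The point of the design is that the decision never trusts the message: the comparison domain, account and call-back number all come from the master record, so a request that changes any of them is held regardless of how plausible the email reads.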

Employees can be a company’s most important defence in blocking cyber threats, so it’s important that people are able to identify and act on cyber threats and stay vigilant in both work and home environments.

Cosi De Angelis is Head of Transaction Banking at ANZ

ANZ is committed to supporting customers to better understand security risks and help them defend against cyber threats. The ‘Simplifying Cyber for Business’ guide, available to commercial and private banking customers, refocuses cyber security at a business level and relates it back to customers in their everyday business operations. It is suitable for all levels of business customers and provides a range of tips to help detect and protect against key cyber threats.

The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.
