21 May 2024
Annual tax reporting, quarterly business activity statements, contract renewals, budget updates and meetings with accountants and advisors - the frenzy of business activity around the end of the financial year (EOFY) requires a great effort from professionals and businesses.
But the period also presents abundant opportunities for cyber criminals to launch scams.
Busy professionals facing an influx of calls, messages and emails around EOFY are often under pressure to act on things quickly, potentially overlooking inconsistencies or unusual requests in correspondence. This creates the perfect environment for scammers to hijack communication and gain unauthorised entry to business networks and systems.
Ever-growing reliance on technology and digitised business processes, for all its convenience and efficiency, further increases the risk by expanding the digital ‘attack surface’ available to cyber criminals.
For most companies it's a question of when - not if - your organisation will experience a cyber attack.
In recent times, scammers have turned their attention to business email compromise (BEC), targeting transactions and payment systems because of the ease with which they can intercept business correspondence.
Many of these compromised emails appear to represent existing suppliers, customers and even professional advisors such as accountants or lawyers and request changes to account or payment details.
BEC is effective because it evokes a response or call to action without including infected links or attachments, which can be detected by antivirus software, spam filters and most observant recipients.
In 2022–23, total BEC losses reported to the Australian Cyber Security Centre (ACSC) were almost $80 million, with more than 2,000 reports made to law enforcement. On average, the financial loss from each BEC incident was more than $39,000.
BEC is one of the most common scam types targeting Australian businesses and can involve a range of email, instant message, SMS and social media tactics to exploit business processes and relationships to scam victims out of money or goods.
Some of the most common BEC scams include:
Scammers also know they don’t need to target businesses directly, and the impacts on businesses caught up in supply chain or third-party attacks can be just as debilitating.
Subcontractors and vendors in business supply chains present myriad opportunities for scammers looking to exploit legitimate business processes and relationships for financial gain.
Despite their best efforts to stay secure and protected against external threats, we often see business customers being caught out by BEC scams where criminals impersonate trusted business partners or long-term suppliers.
It doesn’t matter how robust an organisation’s security controls are: if the organisation isn’t properly checking and validating email requests from all internal and external parties, it can easily fall victim to a BEC scam.
There are a few simple steps businesses can take to improve their security defences, including building a human firewall and making an organisation-wide “PACT” around security. PACT means:
Pause before sharing your sensitive information or actioning a request:
Activate two or more layers of security:
Call out suspicious messages:
Turn on automatic software updates:
Employees can be a company’s most important defence in blocking cyber threats, so it’s important for people to be able to identify and act on cyber threats and stay vigilant in both work and home environments.
Cosi De Angelis is Head of Transaction Banking at ANZ
ANZ is committed to supporting customers to better understand security risks and help them defend against cyber threats. The ‘Simplifying Cyber for Business’ guide, available to commercial and private banking customers, refocuses cyber security at a business level and relates it back to customers in their everyday business operations. It is suitable for all levels of business customers and provides a range of tips to help detect and protect against key cyber threats.
The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.