Small business: thwarting cyber threats

The rapid uptake of technology, which offers new and exciting avenues for customer engagement, reach and market opportunities, makes this a pivotal time for small and medium businesses.

With 69 per cent of businesses reporting the use of information technology, the increasing digitisation and indeed reliance on technology brings great opportunity. But the risks from this must be managed. At ANZ, we see first-hand the impact of these risks being realised as cyber security incidents unfold for individuals and businesses of all sizes.

In Australia alone, ANZ estimates potential customer losses to scams are 37 per cent higher than this time last year. In fact, the Australian Government reports individuals and businesses have lost more than $A167,187,343 to cyber scams in 2022 – so far. This figure is expected to increase as the year goes on, with record scam losses reported in Australia in 2021, an increase of 84 per cent from 2020. Similarly, small businesses made more reports to the Australian Cyber Security Centre in 2020 and medium businesses experienced the highest rate of financial losses.

With time pressures increasing, owners and operators of small businesses may feel they don’t have the resources to dedicate to cyber security. However, there are a number of simple measures small businesses can introduce to help prevent cyber security incidents.

The Australian Cyber Security Centre (ACSC) and ANZ have collaborated to produce the Small Business Cyber Security Guide, specifically designed for small businesses to understand, take action and increase their cyber security resilience.

The guide is a great way for smaller businesses to start to understand the cyber security basics and steps to better protect themselves from cyber security threats. In fact, the Small Business Cyber Security Guide may have already helped to prevent a cyber security attack against one ANZ customer.

Managing a cyber attack

The secretary of an ANZ customer received an email from a well-known file sharing service requesting they log in to their Office 365 account.

This was a sophisticated attack and involved a number of techniques to defraud the ANZ customer, including malicious phishing emails and credential theft through a fraudulent log-in page.

The email directed users to what appeared to be a legitimate login page. This wasn’t an uncommon request given the organisation's use of this software to share files. The secretary entered their business login credentials.

This led to both the secretary’s email account and the account of their manager being compromised due to them having shared access. The attacker proceeded to create mail rules to hide legitimate correspondence from one of the company's clients.

The attacker monitored the mailbox activity and when the secretary was sent a legitimate email from their manager requesting they call a client to confirm bank details, the attacker sent another email pretending to be the manager, claiming they had received the bank details during a separate conversation and requested payment. Consequently, a large sum of money was transferred to the fraudulent account details provided by the attacker.

The ANZ customer notified their banker as soon as they became aware of the incident and the banker was able to call the receiving bank and report the account as fraudulent. Thanks to quick reporting and response, ANZ was able to retrieve the majority of the transferred funds through the intermediary bank, which were then returned to the customer.

Although a good outcome was achieved in this instance, money lost to scams is not always retrievable. In this case, speed of response helped the recovery efforts.

This customer had been targeted by phishing emails previously and was wary of cyber security threats; however, they didn’t expect something so sophisticated and tailored. This experience served as a stark reminder that nothing should be taken at face value and every communication should go through rigorous validation.

How to protect yourself

It’s important to check the legitimacy of emails before clicking on links or attachments, particularly before sharing sensitive information like login details. Providing regular training to employees can help increase awareness. There are free resources available for organisations to use on the ACSC website.

Everyone – both businesses and individuals – should enable multi-factor authentication (MFA) where available to protect access to systems such as Office 365. Refer to the Small Business Cyber Security Guide for more information.

Don’t forget to act fast and get help as soon as a cyber incident is suspected. Contact your bank straight away if there is monetary involvement.

After an incident, conduct a full investigation to assess the impact of the attack and apply lessons learned, such as checking the mailbox rules of all employees for signs of modification post-attack.
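
The post-incident mailbox rule check, as an added example (not code from ANZ, the ACSC or the guide): it flags rules that delete, hide or externally forward mail, the behaviour seen in the case above. It assumes the rules have been exported as records whose field names are modelled on Exchange Online's `Get-InboxRule` output, with addresses in plain SMTP form; the folder list, keyword list and sample records are constructed.

```python
# Field names modelled on Exchange Online Get-InboxRule output (an assumption
# about the export format); all records below are constructed sample data.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}
PAYMENT_WORDS = {"invoice", "payment", "bank", "remittance", "account"}

def as_list(value):
    """Normalise a missing, scalar or list field to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def review_rule(rule, internal_domains):
    """Return the reasons a rule needs human review (empty list if none)."""
    reasons = []
    folder = (rule.get("MoveToFolder") or "").strip().lower()
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail")
    if folder in HIDING_FOLDERS:
        reasons.append("moves mail to rarely read folder: " + folder)
    for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in as_list(rule.get(field)):
            if addr.rsplit("@", 1)[-1].lower() not in internal_domains:
                reasons.append(field + " external address: " + addr)
    if not reasons:
        return []  # no hiding or diverting action, so nothing to report
    if rule.get("MarkAsRead"):  # context that raises priority
        reasons.append("marks mail as read")
    if as_list(rule.get("From")):
        reasons.append("targets specific senders")
    words = as_list(rule.get("SubjectContainsWords")) + as_list(rule.get("BodyContainsWords"))
    if any(p in w.lower() for w in words for p in PAYMENT_WORDS):
        reasons.append("matches payment-related keywords")
    if len((rule.get("Name") or "").strip()) <= 2:
        reasons.append("near-empty rule name")
    return reasons

def triage(rules, internal_domains):
    """Map (mailbox, rule name) to review reasons for every flagged rule."""
    results = {(r["Mailbox"], r["Name"]): review_rule(r, internal_domains) for r in rules}
    return {key: reasons for key, reasons in results.items() if reasons}

SAMPLE_RULES = [  # constructed records, not taken from the incident
    {"Mailbox": "secretary@example.com", "Name": ".", "From": ["accounts@client.example"],
     "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    {"Mailbox": "secretary@example.com", "Name": "Newsletters",
     "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Reading"},
    {"Mailbox": "manager@example.com", "Name": "fwd", "ForwardTo": ["drop@mail.invalid"],
     "SubjectContainsWords": ["invoice", "payment"]},
]
```

Calling `triage(SAMPLE_RULES, {"example.com"})` reports the "." and "fwd" rules and leaves the ordinary newsletter rule alone; flagged rules are leads for a person to confirm with the mailbox owner, not proof of compromise.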

ANZ is committed to supporting customers to better understand security risks to help them defend against cyber threats. The Small Business Cyber Security Guide is just one way we are helping small business customers to improve their cyber security resilience.

Simple actions can make a big difference.

Paul Presland is General Manager for Small Business Banking at ANZ

The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.
