Cyber security is everyone's business

Businesses are often encouraged to pay attention to milestones recognising important events. While Scams Awareness Week may not elicit as many social media posts as other calendar dates, it’s an important reminder for all Australian businesses to protect themselves online.

Click image to zoom Tap image to zoom

We’re seeing certain scams becoming more prevalent across the small to medium business sector including business email compromise, ransomware, distributed denial of service and supply chain compromise. Our data show the value of scams is also increasing, with a 56 per cent increase in losses for businesses in the 2022 financial year.

“One of the most important things businesses can do to protect themselves is to ensure their staff remain up to date on the ever-changing and increasingly sophisticated scams targeting SMEs.”

Governments globally have recognised the increasing risks and are introducing or amending existing regulations to better protect essential services. For example, following recent breaches, changes are being introduced to the Privacy Act via the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 in Australia.

The definition of essential services is also being expanded to include more industries, increasing regulatory pressure on many Australian businesses to comply with legislation and ensure they have strong processes for safely collecting and storing data to avoid potential financial penalties and reputational damage.  

One of the most important things businesses can do to protect themselves is to ensure their staff remain up to date on the ever-changing and increasingly sophisticated scams targeting SMEs. ANZ’s Cyber Security for Business guide provides an overview of the most prevalent scams targeting businesses and tactics businesses can employ to mitigate risks.

Business email compromise

Business email compromise (BEC) attacks, which use email to abuse trust in business processes resulting in fraud and impersonation, continue to rise. Australian Competition and Consumer Commission data show Australian businesses lost $227 million to payment redirection scams in 2021, a 77 per cent increase compared with a year earlier.

Scammers are becoming more targeted in their use of emails and using additional channels to deceive including SMS, instant messaging and social media.

Business can protect themselves by ensuring workers are aware of the warning signs which  include an unexpected change of bank details, urgency in payment requests and threats of serious consequences if payment isn't made.

It’s also important to implement verification processes for financial requests, for example a phone call or in-person or two-person verification. Check details such as a sender's domain spelling and compare it with previous correspondence. Businesses should also enable multi-factor authentication.

The importance of employee education is true for large corporates as well. Last month one of our bankers received what looked to be an email from a Victorian-based construction company requesting a $289,500 bank transfer. It was similar in tone and content to previous transfer requests received from the customer.

Due to our team’s understanding of BEC risks, our banker called the customer to confirm the transfer and was informed it was fraudulent. In this instance fraud was prevented due to the banker’s understanding of the risks and ways to mitigate them.



Ransomware is a type of malicious software (malware) that encrypts files to make them unusable. Payment is then demanded to regain access to files. The 2022 Verizon data breach investigations report found the number of ransomware attacks worldwide increased by 13 per cent during 2020–21. The Australian Cyber Security Centre (ACSC) cites ransomware as the most serious cybercrime threat to Australia due to the enormity of its financial and community impacts.

While ransomware attacks can be situation specific, some consistent ways businesses can manage the risks include regularly backing-up data and developing a response strategy in the event of ransomware attacks.

There is no guarantee a ransom payment will lead to data being recovered. Also, the data may be on-sold or the business may be the subject of another attack. Regularly testing ransomware response plans with business stakeholders and technology teams can help identify gaps so businesses can quickly respond in the event of an attack.

Distributed Denial of Service (DDoS)

Like ransomware attacks, DDoS is often used for extortion. A business is threatened with an attack against its website unless it makes a payment. Using services such as a Content Delivery Network (CDN) or a DDoS mitigation provider is an important control against this threat.

Any traffic directed at your online service goes through the CDN or DDoS mitigation provider first, allowing any attack traffic to be dealt with before it hits your infrastructure. A good start is engaging your existing internet service providers for options.

Supply chain compromise

Cyber criminals will look for the easiest ways to exploit a target. As a result, a direct attack on an organisation may not be the most attractive option. Smaller third parties are increasingly being compromised as a way of gaining access to larger corporations.

Supply chain compromise occurs when a fraudster accesses a vendor’s network and modifies its software. The fraudster uses it to access the networks of the vendor’s customers and to conduct malicious activities, creating potentially serious reputational impacts.

It will be increasingly important for businesses to give customers confidence they have the right practices in place to prevent supply chain compromise. Conducting periodic assessments across a supply chain can help ensure third parties improve security controls.

A business should also establish a clear cyber incident reporting and response requirements in the case of a security or information breach and build in visibility of key third party dependencies.

Isaac Rankin is Managing Director of Commercial & Private Banking at ANZ

The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.

editor's picks

10 May 2022

Small business: thwarting cyber threats

Paul Presland | General Manager of Small Business Banking, ANZ

Cyber security threats are growing rapidly. Education and resources for small businesses will help avoid financial loss.

12 Oct 2022

Cyber attacks: beware of the five stages

Garrett O’Hara | APAC Field CTO, Mimecast

The average lifecycle of a data breach is 287 days with many attacks going unnoticed for months before it’s too late.