Advice for brokers, customers on fighting costly threat
Australian businesses lost almost $100 million to email compromise scams last financial year and the danger is growing. Brokers can assist their clients by staying on top of cybercrime and scams and educating them on the simple steps they can take to protect their business.
The financial fallout from cybercrime continues to rise at an alarming rate. Australian businesses lost $98m to email compromise last financial year, according to the Australian Cyber Security Centre (ACSC). Business email compromise is a form of phishing that impersonates trusted contacts to gain access to information or finances.
The latest research from the Australian Competition and Consumer Commission (ACCC) reveals that Australians lost 76% more to scams in 2022 than 2021, with losses reported to Scamwatch totalling $569m.
“Impersonation scams and other cyber-crimes are growing at a rapid rate,” says Erica Hardinge, Product Area Lead Staff & Customer Security Education for ANZ.
“At ANZ, our customer protection team has reported a 104% increase in scams [so far] in 2023 compared to the year prior, and across the industry reports of cyber events continue to increase.”
Business email compromise (BEC) scams pose a particular challenge for business, but there are simple steps people can take to protect themselves and their business, says Hardinge.
“BEC scams tend to target high-value transactions, and the availability of personal information on the internet means that details about individuals or businesses are both easy to find and used to create convincing or compelling stories.
“This is why [criminals that use BEC scams] are so successful. It’s because they have the ability to establish a sense of trust, authority or personal relevance with the potential victim.”
Hardinge says that criminals will investigate who a victim works for and what important relationships might be exploited. They might impersonate an executive, or target communications by impersonating an important business partner or adviser, such as a legal representative or broker.
Recognising a business email compromise scam
BEC scams come in many guises, but all involve a criminal infiltrating a legitimate conversation or impersonating a known and trusted contact to have payments redirected to the criminal’s own account.
These scams are similar to bank impersonation scams, which are also on the rise. In this case, the criminal assumes the identity of a person from a bank or financial institution to request access to business accounts or for funds to be transferred to “safe accounts”.
Often, they exploit the victim’s trust in the bank and their concern for security by claiming that a transaction is suspicious or that an account has been compromised.
The scale of loss per business can be significant
The impacts of a cyber-related incident can be disastrous for any business, says ANZ General Manager Transaction Banking & Asset Finance Solutions Cosi De Angelis.
“The reputational impacts of losing your customers’ data, [as well as any financial losses] can have devastating consequences,” De Angelis says.
He says most incidents occur when a victim is busy and not concentrating 100% on an interaction, leaving them more vulnerable to a criminal and easily caught out.
“We had one business customer who received a call from someone they believed to be from ANZ, who told them that there was a problem with their fortnightly salaries to their staff,” says De Angelis.
“The criminal convinced the customer to provide their passwords so they could ‘fix the issue’. Once granted access to the business accounts, the criminal went into the salary file and changed all the account numbers. The business lost over $300,000.”
De Angelis encourages customers to stop, hang up and check the origin of the call before acting on requests such as this one. These simple steps could prevent situations like this in the future.
Defending business against criminals
Towards the end of the financial year, criminals increase their activities to take advantage of the influx of communications that businesses typically experience from May to June.
Avoiding cybercrime and scams comes down to being ready to pause and verify all requests – particularly those for personal information or involving payments, says Hardinge.
“Especially at this time of year, criminals target businesses,” she says. “They know our minds are elsewhere. They know we might be willing to skip steps in a process to make deadlines, or that we’re under increased pressure to get budgets in on time. They try to capitalise on that.”
Hardinge emphasises it’s critical for business owners and employees to keep basic scam precautions front of mind.
“Pause before you share sensitive information. Pause before you click on that link. Use other communication channels to verify that it truly is the ATO, your bank or other trusted organisation contacting you. And manually navigate to banking websites and log in yourself, [that’s all] really, really important.”
Hardinge suggests businesses use two-factor authentication to protect business accounts and information, and to also segregate duties so more than one person is necessary to authorise a transaction.
Anecdotally, De Angelis says he “doesn’t see anywhere near the level of cyber incidents in businesses where two-person payment processes and two-factor authentication is set up”. The majority of scams succeed where there is only one person authorising payments.
Criminals are an ever-evolving threat
De Angelis says it’s important not to underestimate criminals, who he describes as intelligent and adaptable and able to pivot quickly.
Hardinge notes that this, plus the fact they work in organisations (albeit underground, criminal ones) means they innovate at considerable speed.
“They’re able to buy technology kits or employ the right people with the right skills to make their activities really impactful,” she says. “They’re able to change quickly. Across the industry, banks, telcos and government work together continuously to implement new ways of protecting against scams, but people also play a critical role.”
How you can help your customers protect against scams
“I’d encourage brokers to speak with their customers about never sharing banking information or identity documents without first being absolutely certain that they’re providing it to the legitimate organisation and that that organisation truly needs it,” says Hardinge.
She also suggests that individuals begin calling out suspicious requests via email, phone, text message, or social media, and sharing them with family, friends and colleagues so others can hear about new scams – keeping it front of mind.
“Thirdly, I strongly suggest using tools and processes to help protect your finances, like two-factor authentication, secure payment options like PayID, BPAY, secure file exchange options like Document Exchange and clear processes to validate any changes to banking or payment requests.”
Brokers may find that because customers have great trust in them, customers might approach them first if they believe they have been scammed. De Angelis says that in this event it is essential that the broker advise the client to call their bank immediately and report the incident.
“The sooner your client calls their bank, the sooner the bank can commence potential recovery procedures with the other banks,” he says. “They can also establish if the customer can still access their banking platforms and services, and perhaps reset everything for the customer.”
De Angelis says that it is also important to report the incident to the ACSC, which will report the incident to the police if necessary.
Both the ACSC and ANZ provide advice to customers at no charge and have a wealth of information on their websites for businesses seeking advice on protecting against cybercrime and scams.
Criminals are constantly changing their techniques, so it’s important to educate yourself on the most common types of scams. That way, you’ll know what to look out for. Use the following resources to stay up to date.
- Learn about the different types of scams, how to protect yourself from them and sign up for alerts from Scamwatch and the Australian Cyber Security Centre.
- ANZ has lots of information you can use to educate yourself.
- Download the ACCC’s Little Black Book of Scams.
This article is brought to you by ANZ
This is general information. ANZ is not giving advice or recommendations, and we haven’t taken into account your customers’ needs, financial circumstances or objectives. You and your clients should carefully consider which ANZ products are appropriate for them. Terms and conditions, fees and charges, and credit approval and eligibility criteria apply to ANZ products.