Scams targeting businesses

Australian businesses are a common target for a range of scams, from the simple to the highly targeted and sophisticated.

In 2016 Australian businesses lost more than $3.8 million to scams. This figure is just the tip of the iceberg: it reflects only the scams reported to the Australian Competition and Consumer Commission.

Adversaries use advanced social engineering techniques to target staff members and enhance the legitimacy of scam attempts. They have also been known to research organisations and individuals on social media and through publicly available industry information such as annual reports, shareholder updates and media releases.

Socially engineered approaches can be so sophisticated that it can be impossible to distinguish them from legitimate communications. Robust technical controls are becoming increasingly important to protect networks from this kind of malicious cyber activity.

Case study: Wire fraud

Wire fraud is a pervasive threat to Australian businesses, and it cost one business more than US$500,000.

The adversary sent a spoofed email, purporting to be from the Chief Executive Officer (who was travelling at the time), requesting a large payment from the financial controller. A second email, purporting to be from the Chief Operating Officer, was then sent to the financial controller. This email contained a false email trail approving the CEO’s request for payment. Not realising the request was fraudulent, the business made two payments to the cybercriminal, one for over US$200,000 and one for almost US$300,000. Both payments were made to bank accounts in overseas jurisdictions.

How to protect your business from scams

As with all risks, the best way to protect your business is a multi-layered approach that includes technical controls, staff awareness, robust internal processes, and active monitoring of systems and networks and of cyber security trends and threats.

CERT Australia works with other government partners to deal with scams, and recommends that you: