Australian businesses are a common target for a range of scams, from the simple to highly targeted and sophisticated.
In 2016 Australian businesses lost more than $3.8 million to scams. This figure is only the tip of the iceberg, as it covers only the scams reported to the Australian Competition and Consumer Commission.
Adversaries use advanced social engineering techniques to target staff members and enhance the legitimacy of scam attempts. They have also been known to research organisations and individuals on social media and through publicly available industry information such as annual reports, shareholder updates and media releases.
Socially engineered approaches can be so sophisticated that they are impossible to distinguish from legitimate communications. Robust technical controls are therefore increasingly important for protecting networks from this kind of malicious cyber activity.
Case study: Wire fraud
Wire fraud is a pervasive threat to Australian businesses and cost one business more than US$500,000.
The adversary sent a spoofed email, purporting to be from the Chief Executive Officer (who was travelling at the time), requesting a large payment from the financial controller. A second email, purporting to be from the Chief Operating Officer, was then sent to the financial controller. This email contained a false email trail approving the CEO’s request for payment. Not realising the request was fraudulent, the business made two payments to the cybercriminal, one for over US$200,000 and one for almost US$300,000. Both payments were made to bank accounts in overseas jurisdictions.
How to protect your business from scams
As with all risks, the best way to protect your business is a multi-layered approach combining technical controls, staff awareness, robust internal processes, and active monitoring of your systems and networks as well as of cyber security trends and threats.
CERT Australia works with other government partners to deal with scams, and recommends that you:
- Educate employees at all levels about identifying and managing suspicious emails, including link safety, confirming legitimacy and notifying information security staff. Further information on the types of scams is available on the SCAMwatch website.
- Ensure your company’s cyber security mitigation strategies are up to date. The Australian Signals Directorate has some helpful resources.
- Ensure you have processes in place to check and confirm financial instructions, so that wire fraud and false billing attempts do not succeed.
- Report any scams to the Australian Cybercrime Online Reporting Network, Australian Competition and Consumer Commission, or the Australian Communications and Media Authority.
- Sign up to the Stay Smart Online Alerts services for the latest cyber news.
- Contact IDCARE for support and advice on identity crime concerns.
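As an illustration of the kind of technical control the case study and the advice on identifying suspicious emails call for, the following added example (not part of the original advisory, and not CERT Australia's code) flags messages that carry common business email compromise indicators: an executive's display name on an unexpected address, a lookalike sender domain, a Reply-To routed elsewhere, and payment or urgency language. The company domain, executive list and both sample messages are constructed.

```python
# Added example (not from the advisory): flag emails carrying indicators of the
# spoofed-executive payment request described in the case study.
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com.au"                              # constructed
EXECUTIVES = {"jane citizen": "jane.citizen@example.com.au"}  # constructed
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|payment|invoice|urgent)\b", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw: str) -> list[str]:
    """Return the BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))
    from_domain, reply_domain = (a.rpartition("@")[2].lower() for a in (from_addr, reply_addr))
    findings = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and from_addr.lower() != expected:        # CEO's name, someone else's mailbox
        findings.append("executive display name on an unexpected address")
    if from_domain != COMPANY_DOMAIN and edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike sender domain")
    if reply_domain != from_domain:                        # replies routed elsewhere
        findings.append("Reply-To domain differs from From domain")
    if PAYMENT_WORDS.search(msg.get("Subject", "") + " " + (msg.get_payload() or "")):
        findings.append("payment or urgency language")
    return findings

# Constructed messages: a spoofed "CEO" payment request and a genuine internal note.
SPOOFED = """From: Jane Citizen <jane.citizen@examp1e.com.au>
Reply-To: ceo.office@mail-relay.example
Subject: Urgent wire transfer while I am travelling

Please process the attached invoice today and confirm by reply."""
GENUINE = """From: Jane Citizen <jane.citizen@example.com.au>
Subject: Board minutes

Minutes from last week attached."""
```

A hit on any indicator is a cue to verify the instruction out of band, not proof of fraud; the spoofed sample trips all four, the genuine one none.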