The pandemic has accelerated the digitisation of Australian businesses: organisations have moved their entire staff to remote working, said goodbye to paper printouts and embraced video conferencing tools. With this increased reliance on remote work and digital technology comes a greater risk of exposure to cyber fraud.
Australians lost $77 million to scams in the first six months of 2020 alone as fraudsters took advantage of COVID-19, businesses lacking proper IT security, social isolation and millions of employees working from home. That is $19 million more than in the same period of 2019.
As the pandemic continues to change our day-to-day lives, we have seen organisations of all sizes, across a wide range of industries, experience increased rates of both internal and external fraud. In one instance, we even saw an Australian organisation experience at least one false billing scam attempt per week on a shared finance email account.
Small businesses are especially at risk: they often have inadequate cyber and information security controls, few or no internal controls, no segregation of duties in the finance function, and little employee training and awareness. According to CSO Australia, small businesses lost 42% more to business email compromise (BEC) scams in the first half of 2019 than in the same period of 2018. This is only the tip of the iceberg, as many scams and information security breaches go unnoticed or unreported. We expect these figures to jump considerably when reporting is compiled in early 2021.
Current high-risk scams target businesses with sophisticated phishing emails that purport to come from a legitimate entity. The email asks the recipient to follow a link to reset a password, open an online file or track a postal shipment. These are easy entry points: the criminal's objective is to gain access to the employee's email account, watch the employee's behaviour and strike at a moment of vulnerability.
Business email compromise scams rely heavily on human error achieved through social engineering and targeted phishing. We often see fraudsters intercept legitimate invoices and change the payment details so that funds are redirected to accounts they control. Unsuspecting employees, and businesses with unsophisticated internal controls, are unaware that their system has been compromised or that the cyber criminals are 'living' in their inbox.
Once a scammer has access to one account within an organisation, the risk that the rest of the organisation's network will be compromised increases. The criminal can then assume multiple identities within the organisation to perpetrate sophisticated fraud.
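The invoice-redirection fraud described above is usually caught, when it is caught at all, by a simple control: before a payment is released, the bank details and sender on the invoice are compared with what the vendor register already holds, and any difference is verified out of band. The following is an added illustration of that control and is not code from the original post or from Corethix; the vendor names, email domains, BSBs and account numbers are constructed sample data, and a tampered invoice from a lookalike domain is included to show the check firing.

```python
# Added example (not from the original post): a pre-payment control that flags
# invoices whose bank details or sender domain differ from the vendor register.
# Vendor names, domains, BSBs and account numbers below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorRecord:
    """What the business already knows about a supplier (the vendor master)."""
    name: str
    email_domain: str   # domain the supplier's accounts team normally writes from
    bsb: str            # Australian bank-state-branch code, e.g. "062-000"
    account: str


@dataclass(frozen=True)
class Invoice:
    """Fields extracted from an incoming invoice email."""
    vendor_name: str
    sender_email: str
    bsb: str
    account: str
    amount: float


def _normalise_bsb(bsb: str) -> str:
    """Strip the separators people type into BSBs so "062-000" equals "062000"."""
    return bsb.replace("-", "").replace(" ", "")


def check_invoice(invoice: Invoice, register: dict[str, VendorRecord]) -> list[str]:
    """Return the reasons this invoice must be held for manual verification.

    An empty list means the invoice matches the register on every field this
    check knows about; it does not prove the invoice is genuine.
    """
    flags: list[str] = []
    vendor = register.get(invoice.vendor_name.strip().lower())
    if vendor is None:
        flags.append(f"unknown vendor {invoice.vendor_name!r}: onboard through the vendor process first")
        return flags

    # A lookalike domain (extra hyphen, swapped letters) is a classic BEC tell.
    sender_domain = invoice.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain.lower():
        flags.append(f"sender domain {sender_domain!r} differs from registered {vendor.email_domain!r}")

    # Any change to payment details is verified by phone on the number already
    # on file, never by replying to the email that carried the invoice.
    if _normalise_bsb(invoice.bsb) != _normalise_bsb(vendor.bsb) or invoice.account != vendor.account:
        flags.append("bank details differ from the vendor register: confirm by phone on the number "
                     "already on file, never via the invoice email thread")
    return flags


# Constructed sample data: one known supplier, a genuine invoice, and a tampered
# copy in which the fraudster swapped the account details and mails from a lookalike domain.
SAMPLE_REGISTER = {
    "acme stationery": VendorRecord("Acme Stationery", "acmestationery.example", "062-000", "12345678"),
}
GENUINE_INVOICE = Invoice("Acme Stationery", "accounts@acmestationery.example", "062000", "12345678", 4200.00)
TAMPERED_INVOICE = Invoice("Acme Stationery", "accounts@acme-stationery.example", "063-999", "87654321", 4200.00)


if __name__ == "__main__":
    for inv in (GENUINE_INVOICE, TAMPERED_INVOICE):
        flags = check_invoice(inv, SAMPLE_REGISTER)
        print(inv.sender_email, "->", "route for approval" if not flags else flags)
```

The point of returning reasons rather than a yes/no is that the person doing the verification call needs to know which field changed; the control only works if the phone number used comes from the existing register and not from the suspicious invoice.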
We have seen a sharp increase in small to medium enterprises being targeted in this fashion. While the first port of call for an affected business is usually its internal or external IT provider, such providers often lack the skills to conduct a thorough forensic investigation and get to the bottom of the issue.
Regardless of size or industry, no business is safe from cyber fraud. We have worked with clients ranging from two-employee businesses that have lost hundreds of thousands of dollars to government departments exposed to sophisticated scams.
Business email compromise and other cyber fraud events can have serious consequences for businesses and their employees, and can damage your brand and reputation. To protect against integrity risks, businesses need effective policies and procedures and must ensure that employees understand and adhere to them. Often, policies are out of date, difficult for employees to access, or have never been attested to by employees to confirm their understanding, which leaves the business more vulnerable. Too often, a business realises it needs an effective integrity risk program only after it has experienced an integrity risk issue.
When it comes to the constantly evolving world of fraud and cyber risks to your business, the key is to be on the front foot.
At Corethix, we have developed an online, fully integrated software platform that allows businesses to quickly and easily create a centralised, one-stop integrity risk program. The Corethix platform includes up-to-date policy templates, pre-configured policy surveys and incident reporting tools, so businesses can create policies and configure surveys, registers and incident reporting functions while giving employees a single, user-friendly online point of access.
If your business experiences a cyber fraud event, take a moment to get the right advice about how your organisation will respond. Engage an experienced forensic investigation team who will coordinate your response and work closely with your internal or external IT team.
Thank you to Guest Author Dylan Bohnen