When a suspicious-looking email seeking payment for an invoice arrives at Brisbane’s Centenary Hire, staff know to ignore it rather than clicking on the link.
“Anything asking for payment, if it looks even a little bit dodgy, our first line of defence is just to ignore it because if it’s real, well, they’ll contact us another way,” says Matt Gordon, the managing director of the family-owned equipment hire business.
Other times, staff ask each other if they’re expecting an email and make sure that every purchase the business makes has an order number attached, which is needed to make a payment.
While the company hasn’t fallen victim to any scams, they are wise to be cautious: businesses lost almost $4.7 million, or an average $11,000, to scammers in 2017, up 23 per cent, according to The Australian Competition and Consumer Commission, with small businesses with fewer than 20 staff the most likely to be targeted.
But estimates vary and others put losses far higher.
Sam Crowther, founder and chief executive of cybersecurity company Kasada, says cybercrime is a growing problem for businesses and a lot of hackers are using automated tools downloaded from the internet, greatly increasing the chances a business will be attacked. “It means that they can hit a much larger number of businesses than they previously could at once because now, all of a sudden, the code does the work for them,” he says.
Phishing – where cyber criminals trick people into revealing confidential information – remains a problem and an emerging threat is social engineering.
This is where hackers first gain access to company information such as staff and customer names, emails and phone numbers, then use these to trick people into paying money.
For instance, they might send a fake email that looks as if it has come from a supplier that tells the accounts payable department their bank account details have changed, resulting in the invoice being paid into the scammers’ account.
Another scam involves a fake email coming from the chief executive telling an accounts person to urgently pay a large invoice to a bank account. Believing they are carrying out the orders of the CEO, the money is immediately transferred to the scammers’ account.
“It’s almost like phishing,” says Westpac Group digital security director Nigel Sanderson, adding that it’s effective because of the instinct to follow urgent instructions coupled with a natural hesitation to confirm if the legitimacy of the request with the CEO.
“When someone receives a phishing email, what the criminals are looking to do is elicit a quick emotional response to make you do something probably in hindsight that you wouldn’t normally do.”
According to the ACCC, false billing scams made up the bulk of reports to the regulator last year. “Scammers don’t discriminate…it can be very devastating to a business’s bottom line,” ACCC deputy chair Michael Schaper said last week.
Sanderson warns that businesses should be particularly vigilant as they prepare for the end of the financial year, as cybercriminals use the financial housekeeping time to send out social engineering lures, such as an email purporting to be seeking urgent tax information.
But he adds one of the more prolific lures in the past 12 months has been fake notices from the Australian Securities and Investments Commission requesting recipients to read an important message or click a link to renew their business name.
As for social engineering, Sanderson says it is growing because the security of online banking has improved significantly, therefore cybercriminals have begun targeting individuals such as company employees to make the fraudulent payments.
“The best and first line of defence is the initial human interaction,” he says.
Westpac asks customers that when they receive a request to make an urgent payment or change the destination account for a payment that they call that person and verify it verbally, says Sanderson.
While having conversations with other staff members about a suspicious email is a good practice, Sanderson adds that staff also need to be educated not to click on or open attachments they are not expecting or from unknown email senders. Malicious software (malware) is often hidden in links or attachments in emails seemingly from a reputable business or associate and can siphon off company data to be used in social engineering.
Sanderson also suggests businesses use token one-time passwords when making payments. A stand-alone token issues the passwords and they are only valid for 60 seconds, which means even if a hacker stole the one-time-password, they would have virtually no opportunity to use it.
Given the evolving risks, some banks offer various services, such as Westpac offering IBM Trusteer Rapport – specialised security software that targets the location and removal of financial-based malware – available free to customers.
Sanderson says his five tips for small businesses to avoid scams and protect themselves online are:
Be on the lookout for business scams – verbally confirm all emails and calls claiming to be from a supplier or someone in your company, before performing any account changes or urgent payment requests.
Ensure you have a multi-step review process for your online payments - set up multiple users to approve/authorise payments, and ensure your users are set up with multi-factor authentication (such as Westpac Protect™ SecurID® token or SMS Code), to provide an extra layer of protection.
Ensure your approvers review payee details before authorising and submitting payments and files, to ensure your payments reach the intended payee account.
Regularly verify the payee account details in your payee lists, or payment files/templates, to ensure your entries are current and that any changes have been validated.
Recommend your staff sign up to scam alert services – Scamwatch.gov.au or staysmartonline.gov.au provide alerts to advise when large scam campaigns are targeting Australians.