Cyber safety: New insights for countering threats
To maximise their cyber safety, businesses must learn to “drive defensively” in the face of ever-mounting and evolving risks. Westpac experts highlighted critical actions to counter the most prevalent threats in a recent virtual forum.
By Cameron Cooper
The rising sophistication and frequency of cyber attacks are costing Australian businesses tens of billions of dollars a year.
Boards, CEOs and employees can take proven actions, however, to prevent or minimise the financial or reputational fallout from such incidents.
At a recent Westpac Institutional Bank virtual forum, titled Cyber Threats and Risk Resilience, two of the bank’s cybersecurity experts outlined the latest strategies to combat prevalent challenges such as business email compromise (BEC), whereby fraudsters use spoof emails to get victims to send funds to falsified accounts.
Westpac Head of Fraud Ben Young noted that small to mid-sized enterprises such as law firms, construction companies and property agencies are in scammers’ sights because they often process transactions involving significant financial outlays, or the transfer of valuable data. At the same time, they may not always be up to date on cyber-safety protocols.
“Most of these businesses have consumer-to-business payments, so while their accounts payable team may be aware of cyber risks, the average Joe is not – and if a client gets a scam email, they’ll take it on faith that it’s accurate,” Young says.
The forum follows the release of the Australian Cyber Security Centre’s Annual Cyber Threat Report 2020-21, which states that a cybercrime is being reported every eight minutes in Australia.
More than AUD 33 billion in financial losses were reported via the ACSC’s ReportCyber portal, with the top three problem areas being cybercrime involving fraud (about 23 per cent), shopping (about 17 per cent) and online banking (about 12 per cent).
During the reporting period, the ACSC issued 39 alerts and advisories to help combat urgent and critical threats. Nevertheless, most cybersecurity incidents it responded to in the 2020-21 financial-year period related to low-level malicious activity such as phishing and non-sensitive data loss.
To improve security, the ACSC advises measures such as being alert for phishing emails; understanding risks associated with social media and other online networks; and backing up important information to the cloud or an external hard drive.
Speaking at the forum, Simon Brown, Head of Cyber Strategy and Advice at Westpac, highlighted the challenges of ransomware and malware attacks that have increasingly tormented many businesses in recent times. Brown says simple errors such as employees clicking on unexpected attachments in emails and businesses operating unpatched systems can have debilitating impacts on an unprepared organisation.
“The call to action is for all of us to drive defensively. Don’t trust any system or any third party more than you need to in order to achieve your business goals,” he says.
To understand and improve their cyber resilience, Brown encourages organisations to consider five fundamental steps as a starting point:
- Understand the critical business processes and the technology your business relies on – for example, your general ledger, CRM software and email platforms. Then consider what those systems in turn depend on: if the business runs an internal corporate network, that includes the Active Directory (or similar) system that manages users’ accounts and passwords. Having this list of critical technology helps you focus your resilience efforts.
- Make sure you have backups of key technologies and data – ransomware attackers want to seize control of your critical technology and then try to extort the business for its return. “If you have great independent or off-site backups, it gives you more options in the case of an attack,” Brown says.
- Make things harder for attackers by requiring two-factor authentication to verify the identity of users – start by deploying this key control mechanism on everything that provides access from the internet, including virtual private networks and remote desktop access but also key cloud systems like Office 365 and Google Apps (including administrator accounts).
- Build a habit and a process around patching every system, every time there’s an update. That’s particularly important for anything internet-facing. Make sure you’ve got someone in your organisation receiving and responding to alerts from the ACSC.
- Get an independent assessment of your attack surface – an external expert can identify network weaknesses. “It’s difficult to maintain a complete inventory of all your technology, so getting an independent party to have a look is invaluable to understand your environment from an attacker’s perspective,” Brown says.
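The first step above is easy to state and hard to do well, because the systems that matter most are often the ones nobody lists: the identity provider that every business application authenticates against. The following is an added example, not Westpac’s code or process, that models a hypothetical small firm’s inventory as a dependency graph and walks it to find which systems would take down the most critical processes. The processes, systems and dependencies are constructed for illustration.

```python
# Added example: map critical business processes to the technology they
# depend on, then walk the dependency graph so that shared, indirect
# dependencies (an identity provider such as Active Directory) surface
# and can be prioritised for backups, MFA and patching.
# The inventory below is constructed for a hypothetical firm.
from collections import deque

# Direct dependencies: each key relies on the systems listed in its value.
DEPENDENCIES = {
    "invoice customers": ["general ledger", "email platform"],
    "manage client matters": ["crm", "document store"],
    "general ledger": ["active directory", "db server"],
    "crm": ["active directory", "db server"],
    "email platform": ["active directory"],
    "document store": ["active directory", "file server"],
    "active directory": ["domain controller vm"],
    "db server": [],
    "file server": [],
    "domain controller vm": [],
}

# The business processes the firm cannot operate without.
CRITICAL_PROCESSES = ["invoice customers", "manage client matters"]


def transitive_dependencies(node, graph):
    """Return every system `node` depends on, directly or indirectly."""
    seen, queue = set(), deque(graph.get(node, []))
    while queue:
        dep = queue.popleft()
        if dep in seen:
            continue
        seen.add(dep)
        queue.extend(graph.get(dep, []))
    return seen


def blast_radius(graph, processes):
    """Map each system to the critical processes that stop if it fails."""
    impact = {}
    for proc in processes:
        for dep in transitive_dependencies(proc, graph):
            impact.setdefault(dep, set()).add(proc)
    return impact


def prioritised_systems(graph, processes):
    """Systems ordered by how many critical processes they can take down."""
    impact = blast_radius(graph, processes)
    return sorted(impact, key=lambda s: (-len(impact[s]), s))


if __name__ == "__main__":
    impact = blast_radius(DEPENDENCIES, CRITICAL_PROCESSES)
    for system in prioritised_systems(DEPENDENCIES, CRITICAL_PROCESSES):
        procs = sorted(impact[system])
        print(f"{system:22s} affects {len(procs)} critical process(es): {procs}")
```

Run against this inventory, neither Active Directory nor the virtual machine it runs on appears in any business-level list, yet both sit at the top of the priority order because every critical process reaches them. That is the list to use when deciding what gets independent backups and tested restores first.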
The Westpac Institutional Bank forum highlighted the insidious nature of BEC, with Young pointing to three common crime types:
- CEO impersonation – the criminals pose as the CEO or a senior executive and send emails to request money transfers to a fraudster’s account.
- actual email compromise – where a cyber criminal hacks into emails of the business or a supplier to try to get a bogus payment processed.
- salary redirection – where the hacker pretends to be an employee and tries to change a BSB and account number in an effort to divert payments.
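CEO impersonation usually relies on one of two header tricks: a display name that matches an executive sitting on an outside address, or a sender domain one character away from the real one. The following is an added example, not code from the forum or from Westpac, that parses a raw message and reports those indicators along with a diverted Reply-To and payment language in the body. The organisation domain, executive list and the three messages are constructed for illustration.

```python
# Added example (not from the forum or from Westpac): triage inbound email
# for the header tricks behind CEO-impersonation BEC. The organisation,
# executive list and sample messages are constructed for illustration.
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example-law.com.au"                                 # hypothetical
EXECUTIVES = {"jane citizen": "jane.citizen@example-law.com.au"}  # hypothetical
PAYMENT_WORDS = re.compile(rb"\b(urgent|wire|transfer|bsb|account (number|details))\b", re.I)


def normalise_domain(domain):
    """Collapse common character substitutions so look-alikes compare equal."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", "")):
        d = d.replace(src, dst)
    return d


def is_lookalike(domain, our_domain=OUR_DOMAIN):
    """True when the domain is not ours but normalises to the same string."""
    return domain != our_domain and normalise_domain(domain) == normalise_domain(our_domain)


def triage(raw_message):
    """Return the BEC indicators found in one message (empty list if none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []

    # 1. Executive's name on an address that is not the executive's.
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and addr != exec_addr:
        findings.append(f"display name '{name}' matches an executive but sender is {addr}")
    # 2. Sender domain is a look-alike of our own.
    if is_lookalike(domain):
        findings.append(f"sender domain {domain} is a look-alike of {OUR_DOMAIN}")
    # 3. Replies silently routed somewhere else.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower().rpartition("@")[2] != domain:
        findings.append(f"Reply-To {reply_to} diverts replies to another domain")
    # 4. Body asks for money or a change of bank details.
    body = msg.get_payload(decode=True) or b""
    if PAYMENT_WORDS.search(body):
        findings.append("body asks for a payment or a change of bank details")
    return findings


# Constructed sample messages.
SPOOFED_NAME = """From: Jane Citizen <jane.citizen@gmail-mail.com>
Reply-To: Jane Citizen <ceo.urgent@outlook.example>
To: accounts@example-law.com.au
Subject: Quick favour

Please process an urgent wire transfer today. I'm in meetings, email only.
"""

LOOKALIKE_DOMAIN = """From: Jane Citizen <jane.citizen@examp1e-law.com.au>
To: accounts@example-law.com.au
Subject: New mobile

Could you call me on my new mobile? The old one is broken.
"""

LEGITIMATE = """From: Jane Citizen <jane.citizen@example-law.com.au>
To: accounts@example-law.com.au
Subject: Lunch

Lunch at 1?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed name", SPOOFED_NAME),
                       ("look-alike domain", LOOKALIKE_DOMAIN),
                       ("legitimate", LEGITIMATE)):
        print(label, "->", triage(raw) or "no indicators")
```

Note what this does not catch: the second crime type in the list, where the attacker is sending from the genuine mailbox of the business or its supplier. Every header check passes in that case, which is why the callback control described further down is still required before any payment details change.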
Forum attendees were advised to be careful with the information and data they share online, and to pay attention to privacy settings. Creating strong, unique passwords for online accounts is also crucial, along with avoiding using the same password for social media, email or banking account services.
In addition, Young urges vigilance across the business, for example where vendors, payroll processors, suppliers or customers request sudden changes to payment instructions.
He also suggests using callback practices to verify payment process changes via phone or outside of email to make sure you are still communicating with a legitimate business partner. “Callback on trusted numbers is the one thing you should do if you do nothing else,” he says.
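The detail that makes a callback worth anything is which number gets dialled: the one captured when the supplier was onboarded, never one offered in the email that asks for the change. The following is an added example, not Westpac’s process or code, of a two-step gate for supplier bank-detail changes in which nothing is written to the vendor master until an operator records a successful call to the number on file. The vendor record, the change request and the BSB format check are constructed for illustration; the six-digit BSB format is the standard Australian one.

```python
# Added example (not Westpac's): gate changes to a supplier's bank details
# behind a callback to the phone number already on file. Vendor data and
# the change request below are constructed for illustration.
import re
from dataclasses import dataclass, field
from typing import Optional

BSB_RE = re.compile(r"^\d{3}-?\d{3}$")  # Australian BSB: six digits, e.g. 032-000


@dataclass
class Vendor:
    name: str
    bsb: str
    account: str
    trusted_phone: str  # captured at onboarding and verified out-of-band


@dataclass
class ChangeRequest:
    vendor: str
    new_bsb: str
    new_account: str
    channel: str                          # e.g. "email"
    contact_phone: Optional[str] = None   # number offered in the request; never trusted


@dataclass
class Decision:
    status: str                           # "applied", "hold_for_callback", "rejected"
    callback_number: Optional[str] = None
    log: list = field(default_factory=list)


def request_change(req, vendors):
    """Step 1: validate the request and place it on hold pending a callback."""
    v = vendors.get(req.vendor.lower())
    if v is None:
        return Decision("rejected", log=["unknown vendor"])
    if not BSB_RE.match(req.new_bsb) or not req.new_account.isdigit():
        return Decision("rejected", log=["malformed BSB or account number"])
    if (req.new_bsb, req.new_account) == (v.bsb, v.account):
        return Decision("applied", log=["no change to bank details"])
    d = Decision("hold_for_callback", callback_number=v.trusted_phone)
    d.log.append(f"bank details changed via {req.channel}; callback required")
    if req.contact_phone and req.contact_phone != v.trusted_phone:
        # The attacker's number, if they supplied one, is deliberately ignored.
        d.log.append(f"ignored number {req.contact_phone} supplied in the request; "
                     f"calling number on file {v.trusted_phone}")
    return d


def record_callback(decision, req, vendors, operator, confirmed):
    """Step 2: an operator records the outcome of the call; only then is the change applied."""
    if decision.status != "hold_for_callback":
        return decision
    if not confirmed:
        decision.status = "rejected"
        decision.log.append(f"{operator}: vendor did not confirm on {decision.callback_number}")
        return decision
    v = vendors[req.vendor.lower()]
    v.bsb, v.account = req.new_bsb, req.new_account
    decision.status = "applied"
    decision.log.append(f"{operator}: change confirmed on {decision.callback_number}")
    return decision


if __name__ == "__main__":
    vendors = {"acme pty ltd": Vendor("ACME Pty Ltd", "032-000", "123456", "+61 2 9000 0000")}
    # Constructed request: the "new contact number" is the classic BEC tell.
    req = ChangeRequest("ACME Pty Ltd", "062-000", "987654", "email",
                        contact_phone="+61 400 000 000")
    d = request_change(req, vendors)
    d = record_callback(d, req, vendors, "ap-operator", confirmed=False)
    print(d.status, vendors["acme pty ltd"].bsb)
    for line in d.log:
        print("  ", line)
```

The two functions are deliberately separate so that the system, not the person reading the email, chooses the number, and so that the only path from “hold” to “applied” passes through a recorded human confirmation.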
Westpac on the front foot
To safeguard customers, Westpac has a team of fraud prevention experts who engage in around-the-clock surveillance of clients’ accounts. They monitor about 25 million transactions daily as they seek to quell threats related to areas such as payment cards, merchant transactions and customer onboarding.
An increasing area of attention within banks relates to identity takeover crimes. Westpac and other financial institutions have successfully used Document Verification Service (DVS) checks to tackle synthetic-identity cases – a type of fraud where a criminal combines real and fake information to create a new identity.
The ongoing focus will be on countering identity theft against existing and onboarding customers, using technology such as biometrics. “That’s the future for a lot of this onboarding and remote identification,” Young says.
At the same time, Westpac is urging businesses to educate their staff about cyber threats and to be vigilant. Young says it is important to quickly alert a bank if there is a suspicion that payments systems have been compromised, and to explicitly advise that a cyber fraud has occurred, rather than merely saying that a “mistaken payment” has been made.
“There is a separate protocol for mistaken payments and they’re not treated with the same level of urgency. And trust me, time is everything in this space,” he says.
Young believes many organisations have been too slow to embrace security measures such as PayID, an easy-to-remember identifier such as an ABN, mobile number or email address, that is linked to an eligible account.
Other measures such as penny credits and “waterproofing” of payments can also add additional layers of protection. The former involves depositing a small amount, even as low as 1c or 2c, into an account to quickly check its validity. The latter covers emails or SMSs that acknowledge changes or unusual activity on an account and ask users to confirm that any changes are valid.
“Waterproofing is pretty low-tech, but it can be quite effective in detecting some of those cases that you can’t detect yourself,” Young says.
To pay or not to pay?
In the Q&A section of the forum, one attendee asked the presenters to comment on what to do in the case of a ransomware attack.
Brown says the first action in such an instance should be to contact the ACSC to report that an attack has occurred. Containing the attack by turning off systems and enacting emergency responses with the assistance of internal IT teams or external specialists is often a valuable next step. Then the business should assess backups that are in place and consider the restoration of systems.
Organisations can make this easier by starting those assessments and making improvements now, before the attack. Ensuring that you’ve got great, independent backups in place and a runbook for how you would run your response to an incident are two key resilience improvements that you can start now.
For further information on how to avoid scams, visit . If your business identifies a potential Westpac themed scam, email firstname.lastname@example.org.
©2023 Westpac Institutional Bank is a division of Westpac Banking Corporation ABN 33 007 457 141, AFSL233714 (‘Westpac’). References to the “Westpac Group” are to Westpac and its subsidiaries and includes the directors, employees and representatives of Westpac and its subsidiaries.
Things you should know
We respect your privacy: You can view our privacy statement at Westpac.com.au. Each time someone visits our site, data is captured so that we can accurately evaluate the quality of our content and make improvements for you. We may at times use technology to capture data about you to help us to better understand you and your needs, including potentially for the purposes of assessing your individual reading habits and interests to allow us to provide suggestions regarding other reading material which may be suitable for you.
This information, unless specifically indicated otherwise, is under copyright of the Westpac Group. None of the material, nor its contents, nor any copy of it, may be altered in any way, transmitted to, copied or distributed to any other party without the prior written permission of the Westpac Group.
This information has been prepared by the Westpac Institutional Bank and is intended for information purposes only. It is not intended to reflect any recommendation or financial advice and investment decisions should not be based on it. This information does not constitute an offer, a solicitation of an offer, or an inducement to subscribe for, purchase or sell any financial instrument or to enter into a legally binding contract. To the extent that this information contains any general advice, it has been prepared without taking into account your objectives, financial situation or needs and before acting on it you should consider the appropriateness of the advice. Certain types of transactions, including those involving futures, options and high yield securities give rise to substantial risk and are not suitable for all investors. We recommend that you seek your own independent legal or financial advice before proceeding with any investment decision. This information may contain material provided by third parties. While such material is published with the necessary permission none of Westpac or its related entities accepts any responsibility for the accuracy or completeness of any such material. Although we have made every effort to ensure this information is free from error, none of Westpac or its related entities warrants the accuracy, adequacy or completeness of this information, or otherwise endorses it in any way. Except where contrary to law, Westpac Group intend by this notice to exclude liability for this information. This information is subject to change without notice and none of Westpac or its related entities is under any obligation to update this information or correct any inaccuracy which may become apparent at a later date. This information may contain or incorporate by reference forward-looking statements. 
The words “believe”, “anticipate”, “expect”, “intend”, “plan”, “predict”, “continue”, “assume”, “positioned”, “may”, “will”, “should”, “shall”, “risk” and other similar expressions that are predictions of or indicate future events and future trends identify forward-looking statements. These forward-looking statements include all matters that are not historical facts. Past performance is not a reliable indicator of future performance, nor are forecasts of future performance. Whilst every effort has been taken to ensure that the assumptions on which any forecasts are based are reasonable, the forecasts may be affected by incorrect assumptions or by known or unknown risks and uncertainties. The ultimate outcomes may differ substantially from any forecasts.
Conflicts of Interest: In the normal course of offering banking products and services to its clients, the Westpac Group may act in several capacities (including issuer, market maker, underwriter, distributor, swap counterparty and calculation agent) simultaneously with respect to a financial instrument, giving rise to potential conflicts of interest which may impact the performance of a financial instrument. The Westpac Group may at any time transact or hold a position (including hedging and trading positions) for its own account or the account of a client in any financial instrument which may impact the performance of that financial instrument.
Author(s) disclaimer and declaration: The author(s) confirms that no part of his/her compensation was, is, or will be, directly or indirectly, related to any views or (if applicable) recommendations expressed in this material. The author(s) also confirms that this material accurately reflects his/her personal views about the financial products, companies or issuers (if applicable) and is based on sources reasonably believed to be reliable and accurate.
Further important information regarding sustainability-related content: This material may contain statements relating to environmental, social and governance (ESG) topics. These are subject to known and unknown risks, and there are significant uncertainties, limitations, risks and assumptions in the metrics, modelling, data, scenarios, reporting and analysis on which the statements rely. In particular, these areas are rapidly evolving and maturing, and there are variations in approaches and common standards and practice, as well as uncertainty around future related policy and legislation. Some material may include information derived from publicly available sources that have not been independently verified. No representation or warranty is made as to the accuracy, completeness or reliability of the information. There is a risk that the analysis, estimates, judgements, assumptions, views, models, scenarios or projections used may turn out to be incorrect. These risks may cause actual outcomes to differ materially from those expressed or implied. The ESG-related statements in this material do not constitute advice, nor are they guarantees or predictions of future performance, and Westpac gives no representation, warranty or assurance (including as to the quality, accuracy or completeness of the statements). You should seek your own independent advice.
Additional country disclosures:
Australia: Westpac holds an Australian Financial Services Licence (No. 233714). You can access Westpac’s Financial Services Guide here or request a copy from your Westpac point of contact. To the extent that this information contains any general advice, it has been prepared without taking into account your objectives, financial situation or needs and before acting on it you should consider the appropriateness of the advice.
New Zealand: In New Zealand, Westpac Institutional Bank refers to the brand under which products and services are provided by either Westpac (NZ division) or Westpac New Zealand Limited (company number 1763882), the New Zealand incorporated subsidiary of Westpac ("WNZL"). Any product or service made available by WNZL does not represent an offer from Westpac or any of its subsidiaries (other than WNZL). Neither Westpac nor its other subsidiaries guarantee or otherwise support the performance of WNZL in respect of any such product. WNZL is not an authorised deposit-taking institution for the purposes of Australian prudential standards. The current disclosure statements for the New Zealand branch of Westpac and WNZL can be obtained at the internet address www.westpac.co.nz.
Singapore: This material has been prepared and issued for distribution in Singapore to institutional investors, accredited investors and expert investors (as defined in the applicable Singapore laws and regulations) only. Recipients of this material in Singapore should contact Westpac Singapore Branch in respect of any matters arising from, or in connection with, this material. Westpac Singapore Branch holds a wholesale banking licence and is subject to supervision by the Monetary Authority of Singapore.
U.S.: Westpac operates in the United States of America as a federally licensed branch, regulated by the Office of the Comptroller of the Currency. Westpac is also registered with the US Commodity Futures Trading Commission (“CFTC”) as a Swap Dealer, but is neither registered as, nor affiliated with, a Futures Commission Merchant registered with the US CFTC. The services and products referenced above are not insured by the Federal Deposit Insurance Corporation (“FDIC”). Westpac Capital Markets, LLC (‘WCM’), a wholly-owned subsidiary of Westpac, is a broker-dealer registered under the U.S. Securities Exchange Act of 1934 (‘the Exchange Act’) and member of the Financial Industry Regulatory Authority (‘FINRA’). This communication is provided for distribution to U.S. institutional investors in reliance on the exemption from registration provided by Rule 15a-6 under the Exchange Act and is not subject to all of the independence and disclosure standards applicable to debt research reports prepared for retail investors in the United States. WCM is the U.S. distributor of this communication and accepts responsibility for the contents of this communication. Transactions by U.S. customers of any securities referenced herein should be effected through WCM. All disclaimers set out with respect to Westpac apply equally to WCM. If you would like to speak to someone regarding any security mentioned herein, please contact WCM on +1 212 389 1269. Investing in any non-U.S. securities or related financial instruments mentioned in this communication may present certain risks. The securities of non-U.S. issuers may not be registered with, or be subject to the regulations of, the SEC in the United States. Information on such non-U.S. securities or related financial instruments may be limited. Non-U.S. companies may not be subject to audit and reporting standards and regulatory requirements comparable to those in effect in the United States.
The value of any investment or income from any securities or related derivative instruments denominated in a currency other than U.S. dollars is subject to exchange rate fluctuations that may have a positive or adverse effect on the value of or income from such securities or related derivative instruments.
The author of this communication is employed by Westpac and is not registered or qualified as a research analyst, representative, or associated person of WCM or any other U.S. broker-dealer under the rules of FINRA, any other U.S. self-regulatory organisation, or the laws, rules or regulations of any State. Unless otherwise specifically stated, the views expressed herein are solely those of the author and may differ from the information, views or analysis expressed by Westpac and/or its affiliates.
UK and EU: The London branch of Westpac is authorised in the United Kingdom by the Prudential Regulation Authority (PRA) and is subject to regulation by the Financial Conduct Authority (FCA) and limited regulation by the PRA (Financial Services Register number: 124586). The London branch of Westpac is registered at Companies House as a branch established in the United Kingdom (Branch No. BR000106). Details about the extent of the regulation of Westpac’s London branch by the PRA are available from us on request.
Westpac Europe GmbH (“WEG”) is authorised in Germany by the Federal Financial Supervision Authority (‘BaFin’) and subject to its regulation. WEG’s supervisory authorities are BaFin and the German Federal Bank (‘Deutsche Bundesbank’). WEG is registered with the commercial register (‘Handelsregister’) of the local court of Frankfurt am Main under registration number HRB 118483. In accordance with APRA’s Prudential Standard 222 ‘Association with Related Entities’, Westpac does not stand behind WEG other than as provided for in certain legal agreements (a risk transfer, sub-participation and collateral agreement) between Westpac and WEG and obligations of WEG do not represent liabilities of Westpac.
This communication is not intended for distribution to, or use by any person or entity in any jurisdiction or country where such distribution or use would be contrary to local law or regulation. This communication is not being made to or distributed to, and must not be passed on to, the general public in the United Kingdom. Rather, this communication is being made only to and is directed at (a) those persons falling within the definition of Investment Professionals (set out in Article 19(5) of the Financial Services and Markets Act 2000 (Financial Promotion) Order 2005 (the “Order”)); (b) those persons falling within the definition of high net worth companies, unincorporated associations etc. (set out in Article 49(2) of the Order); (c) other persons to whom it may lawfully be communicated in accordance with the Order or (d) any persons to whom it may otherwise lawfully be made (all such persons together being referred to as “relevant persons”). Any person who is not a relevant person should not act or rely on this communication or any of its contents. In the same way, the information contained in this communication is intended for “eligible counterparties” and “professional clients” as defined by the rules of the Financial Conduct Authority and is not intended for “retail clients”. Westpac expressly prohibits you from passing on the information in this communication to any third party.
This communication contains general commentary, research, and market colour. The communication does not constitute investment advice. The material may contain an ‘investment recommendation’ and/or ‘information recommending or suggesting an investment’, both as defined in Regulation (EU) No 596/2014 (including as applicable in the United Kingdom) (“MAR”). In accordance with the relevant provisions of MAR, reasonable care has been taken to ensure that the material has been objectively presented and that interests or conflicts of interest of the sender concerning the financial instruments to which that information relates have been disclosed.
Investment recommendations must be read alongside the specific disclosure which accompanies them and the general disclosure which can be found here. Such disclosure fulfils certain additional information requirements of MAR and associated delegated legislation and by accepting this communication you acknowledge that you are aware of the existence of such additional disclosure and its contents.
To the extent this communication comprises an investment recommendation it is classified as non-independent research. It has not been prepared in accordance with legal requirements designed to promote the independence of investment research and therefore constitutes a marketing communication. Further, this communication is not subject to any prohibition on dealing ahead of the dissemination of investment research.