The risk of cybercrime is high on the agenda of most organisations – in fact, cybercrime edged into the top 10 most severe risks over the next decade in this year's Global Risks Report by the World Economic Forum, now rated higher than the risk of geoeconomic confrontation.
But it’s a tough battle to stay ahead of the ever-inventive tactics and sophisticated tools used by bad actors.
In this Q+A, Westpac’s Head of Financial Crime Insights Ben Young, and Westpac Institutional Bank's Managing Director Client Engagement in Global Transaction Services Peta O’Brien, touch on some reasons for the financial scams boom, the evolving tactics gaining traction and tips on how to counter them.
What’s behind the jump in financial losses to cybercrime among Australian businesses?
Young: Scams went up across the board last year – the ACCC reported Australians lost more than AUD 3.1 billion to scams during 2022 – and that includes businesses. It’s frighteningly common to see single cases in which a business loses in the hundreds of thousands of dollars.
Scammers’ approaches are becoming more sophisticated as they adopt whatever new technology becomes available, and AI-driven bots are being widely used to proliferate the scale of activities.
O’Brien: It’s a volume game for criminals – they’ll bombard as many targets as possible expecting that a proportion will be successful – and the scale is growing.
Causing the highest losses to businesses last year were “business email compromise” scams. How have these evolved?
Young: A few different scams fall under this umbrella, and they keep evolving.
One is ‘spoofing’ or CEO impersonation, where an employee gets an email that looks like it's from their own CEO, CFO, or another senior manager, asking them to make a payment to a third party on behalf of the business and the employee feels compelled to act on it immediately.
Alternatively, an organisation’s payroll team may receive an email that looks like it's legitimately from an employee asking them to redirect their salary into a new account.
Bigger losses come from invoice fraud or false billing, where an expected invoice arrives by email that looks legitimate, but in fact the scammer has intercepted it and made small changes to the invoice – like editing the BSB and account number so payment will land in their own account. The reason these scams work is that the invoice is expected, looks legitimate and comes from the correct email address.
The scammer will often have compromised the organisation’s email system and so it will come from the “real” email making it harder to spot as a scam, although sometimes it’s from an email very similar to the real one.
What are the most common mistakes opening businesses up to these scams?
O’Brien: Scams are typically most successful in organisations with the weakest defences – including those that don’t have robust upfront due diligence on their supplier or payee details, and those with people who react to urgent messages for payments from senior executives. Scammers rely on urgency to have victims take action without checking.
Young: Not following a new-supplier call-back process is a common mistake. Another is that the business actually becomes the source of the email breach. You need to be aware of the scam, both as someone paying invoices as well as someone sending invoices, and make sure that your emails are not being compromised so you unwittingly become the source of fake invoices.
What other scam tactics should businesses be alert to?
Young: We’ve recently seen an explosion in phone number spoofing, where a scammer sends a text message or makes a call and the number displayed for the target looks like it’s from a trusted organisation. But we’re also seeing quite positive movement in response, with the Federal Government bringing in anti-SMS scam rules, and tasking the Australian Communications and Media Authority to help set up an SMS sender ID register as a blocking list to stop bad actors from impersonating trusted brands.
Remote access scams are also affecting businesses – the second-highest cause of financial losses – where employees are unwittingly convinced to give remote control of their computer to a scammer who then infiltrates business systems, including accessing corporate banking accounts.
O’Brien: Another big one relates to customer refunds, where a person buys a product or service, then a scammer impersonates them and asks the seller for a refund to a different account. One of the big tips here is to always refund to the account from whence they came – for example, if someone pays you with a credit card, refund them to that same credit card account.
BIN attacks are another one to watch, where a criminal will take the first numbers of a stolen credit card, known as the Bank Identification Number, and use AI to make small online transactions through a business's website as they test various number combinations for the last digits to see which ones work.
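The BIN-attack pattern described above leaves a recognisable trail in a merchant's payment-gateway logs: one source trying many card numbers that share a BIN, at trivial amounts, with most attempts declined. The following is an added illustration of how a merchant might detect that pattern; it is not Westpac's code or any gateway's product, and the log format, thresholds and all card numbers and IP addresses are constructed for the example.

```python
"""Card-testing (BIN attack) detector over a constructed authorisation log.

Added example: the record layout and thresholds are assumptions, not a
real gateway's format. Card numbers are masked the way gateways store
them (6-digit BIN + last 4) and are made up, as are the IP addresses.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # look-back window per (source IP, BIN)
MIN_DISTINCT_CARDS = 5           # distinct card numbers sharing one BIN
MAX_TEST_AMOUNT = 5.00           # card testing uses small "does it work?" amounts
MIN_DECLINE_RATIO = 0.6          # most guessed numbers are not live cards

# Constructed sample log: (timestamp, source IP, masked PAN, amount, result)
AUTH_LOG = [
    # One source cycling through the last digits of a 411111 BIN at $1.00
    ("2023-06-01T10:00:01", "203.0.113.7", "411111******0001", 1.00, "DECLINED"),
    ("2023-06-01T10:00:03", "203.0.113.7", "411111******0002", 1.00, "DECLINED"),
    ("2023-06-01T10:00:04", "203.0.113.7", "411111******0003", 1.00, "DECLINED"),
    ("2023-06-01T10:00:06", "203.0.113.7", "411111******0004", 1.00, "APPROVED"),
    ("2023-06-01T10:00:08", "203.0.113.7", "411111******0005", 1.00, "DECLINED"),
    ("2023-06-01T10:00:09", "203.0.113.7", "411111******0006", 1.00, "DECLINED"),
    # A genuine customer: one card, a normal basket, approved
    ("2023-06-01T10:02:00", "198.51.100.4", "521234******7788", 89.95, "APPROVED"),
    # A genuine customer retrying the same card after a typo: not a pattern
    ("2023-06-01T10:05:00", "198.51.100.9", "411111******4321", 24.00, "DECLINED"),
    ("2023-06-01T10:05:30", "198.51.100.9", "411111******4321", 24.00, "APPROVED"),
]


def parse(record):
    """Split one log record into (time, ip, bin, last4, amount, result)."""
    ts, ip, masked_pan, amount, result = record
    return datetime.fromisoformat(ts), ip, masked_pan[:6], masked_pan[-4:], amount, result


def detect_card_testing(log, window=WINDOW):
    """Return {(source_ip, bin): summary} for each source that, within `window`,
    tried many distinct card numbers sharing one BIN at small amounts with a
    high decline rate. The summary lists any approved last-4 so the merchant
    can void or refund the successful test authorisation."""
    by_source = defaultdict(list)
    for rec in log:
        ts, ip, bin_, last4, amount, result = parse(rec)
        by_source[(ip, bin_)].append((ts, last4, amount, result))

    alerts = {}
    for key, events in by_source.items():
        events.sort()
        # Slide a window forward from each event; alert on the first window that trips.
        for i, (start, *_) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            small = [e for e in in_window if e[2] <= MAX_TEST_AMOUNT]
            distinct = {e[1] for e in small}
            if len(distinct) < MIN_DISTINCT_CARDS:
                continue
            declines = sum(1 for e in small if e[3] == "DECLINED")
            ratio = declines / len(small)
            if ratio >= MIN_DECLINE_RATIO:
                alerts[key] = {
                    "attempts": len(small),
                    "distinct_cards": len(distinct),
                    "decline_ratio": round(ratio, 2),
                    "approved_last4": sorted(e[1] for e in small if e[3] == "APPROVED"),
                }
                break
    return alerts


if __name__ == "__main__":
    for (ip, bin_), summary in detect_card_testing(AUTH_LOG).items():
        print(f"card testing from {ip} on BIN {bin_}: {summary}")
```

Grouping on source IP alone is the simplest key; in practice the same logic is usually keyed on whatever the gateway can tie attempts together with (device fingerprint, session, merchant account), since attackers rotate addresses. The approved card in the alert is the one a merchant would void and report to the acquirer, rather than ship goods against.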
How else is artificial intelligence changing the dynamics?
Young: We’re starting to see more scams using ‘deepfake’ technology. A few years back, to create a fake video took quite expensive technology and sophisticated knowledge, but now they’re cheaper and much easier to produce, making it much more of a mass service for cybercriminals.
That means we’re seeing more videos impersonating prominent Australians who appear to be endorsing scam investment opportunities – this is by far the biggest scam type by dollar loss. Although investment scams tend to target individuals, we increasingly see people channelling funds from their business as well.
What can businesses do to protect themselves?
Young: Get your cyber protection up as much as you can, including switching on two-factor verification if you’re using a system like Microsoft Office 365.
Staff education is paramount – train your employees on the risks of email compromise and phishing, and on how not to react to urgent payment requests. Taking time to check thoroughly will be worth it.
Also move away from providing standard BSB and account numbers on invoices in favour of a PayID. Having a PayID is more secure because it allows a payer to verify the payee before a payment’s made.
O’Brien: Have robust supplier and payee governance processes upfront, including independent follow-up checks, and develop processes for how payments are requested and authorised within your business – email should not be one of these options.
Always verify the payment details on an invoice – to do so, don’t use the phone number given on an invoice, rather locate it independently such as on the business’ official website.
If you’re sending or receiving documents with sensitive information, use a secure method – rather than a PDF attachment – to reduce risk if your emails are hacked.
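The invoice-fraud pattern Young describes earlier (an expected invoice whose BSB and account number have been quietly altered) and the controls O'Brien lists here (vetted payee details, an independently sourced call-back number, never the one printed on the invoice, and a preference for PayID) can be expressed as a simple payment-release check. The following is an added illustration, not Westpac's code or a description of any bank's system; the supplier master record, field names, decisions and all banking details and phone numbers are constructed for the example.

```python
"""Payee-detail check for an incoming invoice against a vetted supplier master.

Added example with an assumed data model: a SupplierRecord is captured at
onboarding and confirmed by call-back, so it is the only trusted source of
BSB, account and contact number. Anything printed on an invoice is input to
be checked, never the thing we check against. All values are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SupplierRecord:
    name: str
    bsb: str
    account: str
    verified_phone: str          # sourced independently, e.g. from the supplier's own website
    pay_id: Optional[str] = None  # preferred when present: payer sees the registered name


@dataclass
class Invoice:
    supplier_name: str
    bsb: str
    account: str
    contact_phone: str           # whatever the invoice says; not used for verification
    amount: float


# Constructed master data (fictional BSB/account/phone/PayID).
SUPPLIER_MASTER: Dict[str, SupplierRecord] = {
    "acme-pty-ltd": SupplierRecord(
        name="Acme Pty Ltd", bsb="032-000", account="123456",
        verified_phone="+61 2 5550 0100", pay_id="accounts@acme.example",
    ),
}


def normalise_name(name: str) -> str:
    """Case- and whitespace-insensitive key for the supplier master."""
    return "-".join(name.lower().split())


def normalise_digits(value: str) -> str:
    """Compare BSB/account on digits only, so '032-000' equals '032000'."""
    return "".join(ch for ch in value if ch.isdigit())


def check_invoice(inv: Invoice, master=SUPPLIER_MASTER) -> Tuple[str, List[str]]:
    """Return (decision, reasons).

    PAY            details match the vetted record
    HOLD_CALLBACK  BSB or account differs; confirm on the *vetted* phone number
    REJECT_UNKNOWN supplier never onboarded; email alone cannot onboard them
    """
    rec = master.get(normalise_name(inv.supplier_name))
    if rec is None:
        return "REJECT_UNKNOWN", ["supplier not in vetted master; onboard with call-back first"]

    reasons = []
    if normalise_digits(inv.bsb) != normalise_digits(rec.bsb):
        reasons.append(f"BSB changed {rec.bsb} -> {inv.bsb}")
    if normalise_digits(inv.account) != normalise_digits(rec.account):
        reasons.append(f"account changed {rec.account} -> {inv.account}")
    if reasons:
        reasons.append(
            f"confirm with supplier on {rec.verified_phone}, "
            f"not the number printed on the invoice ({inv.contact_phone})"
        )
        return "HOLD_CALLBACK", reasons
    return "PAY", []


def preferred_method(rec: SupplierRecord):
    """Pay by PayID where the supplier has one, so the payer can confirm the
    registered name before releasing funds; otherwise fall back to BSB/account."""
    if rec.pay_id:
        return "PAYID", rec.pay_id
    return "BSB_ACCOUNT", (rec.bsb, rec.account)


if __name__ == "__main__":
    tampered = Invoice("ACME Pty Ltd", "032-000", "987654", "+61 2 5550 9999", 1200.00)
    print(check_invoice(tampered))
```

The decision table deliberately has no path where an email, or a phone number that arrived with the invoice, can change the stored payee details: a changed BSB or account always goes to HOLD_CALLBACK, and the call-back number comes from the record captured at onboarding.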
Is cross-industry coordination helping slow the criminals?
Young: There’s always more to do, but good inroads have been made in working on scam and fraud management initiatives collaboratively across all parts of the ecosystem – including banks, social media platforms, telcos, and cryptocurrency providers.
Australian banks are also doing a lot behind the scenes, such as Westpac’s Verify feature that flags if there might be a name mismatch during a payment; and the industry’s fraud reporting exchange which will speed up communication around recovery of funds.
In the recent Federal Budget, it was great to see the Government announcing an AUD 58 million injection to set up the National Anti-Scam Centre, which will lift coordination even further.
©2023 Westpac Institutional Bank is a division of Westpac Banking Corporation ABN 33 007 457 141, AFSL233714 (‘Westpac’). References to the “Westpac Group” are to Westpac and its subsidiaries and includes the directors, employees and representatives of Westpac and its subsidiaries.