May 2019

Key takeaways for businesses from the ACCC’s latest scam report

Cybercrime is more prevalent than ever in Australia, with a range of techniques used to extract information and money from victims. The Australian Competition and Consumer Commission (ACCC) recently released a report into cybercrime, with the 10th annual Targeting Scams report analysing scam trends and their impact on the business world. Small and medium-sized businesses (SMBs) need to be aware of these trends in order to stay vigilant, protect their data, and safeguard critical business resources.

Cybercriminals use a range of techniques in order to gain entry to secure systems and extract information. From false social media accounts and automated phone calls through to fraud and impersonation attempts, much of this activity is designed to disrupt critical business systems and extract valuable resources. While private individuals and large corporations are also affected by digital scams and hacking, SMBs are particularly vulnerable due to their combination of quick turnover and reduced security.

Modern businesses rely on computer networks and digital systems for every aspect of their operation, making them ideal targets for criminal activity. From communications and order processing through to marketing and payroll, scammers can affect how a business functions at every level. With technology changing and cybercriminals developing new techniques all the time, it’s important to stay educated about current scam trends and engage directly with security experts by outsourcing critical IT services.

Scam trends in 2018

According to the ACCC, using data reported to Scamwatch, the number and type of scams are growing in Australia. 177,516 scams were noted in 2018, which is a 10 percent increase from the 161,528 reports from 2017. The amount of money lost was the highest ever recorded at $107 million, an 18 percent jump from the $90.9 million recorded in 2017.

Not only are there more scams taking place, but they are also more successful. According to Scamwatch, 10.1 percent of reports included a financial loss in 2018, compared to 8.7 percent in 2017. Scammers have access to more sophisticated technology than ever before, which means you have to be aware, alert, and capable of dealing with an intrusion if it occurs.

Scamwatch is just one of many reporting mechanisms in Australia, and the true cost of online scams is much higher than these statistics would suggest. Scamwatch, ACORN and other federal and state-based government agencies received more than 378,000 reports over the year, with the combined total of $489.7 million being a more reliable loss estimate over a single 12-month period.

While the average financial loss reported to Scamwatch was slightly down from 2017 at $5,997, businesses often face more significant financial losses along with potential damage to their reputation. Identity theft and other criminal activity can cause ongoing problems, which is why it’s so important to protect yourself and get help when needed.

Scam trends in 2018 for Australian businesses

In 2018, there were 5,846 people who made a Scamwatch report on behalf of an Australian business. This was an 8 percent rise from the year before, with $7.2 million in financial losses reported. The biggest category of scams affecting businesses is known as email compromise scams. This scam category includes false billing scams, which mostly involve forged or false invoices and other documents sent to businesses in an attempt to extract funds.

These scams account for losses of $3.8 million in Scamwatch reports, with real losses estimated to be much higher at $60 million when combined with losses reported to ACORN. This type of scam typically involves the hacking of a mass email system used to send marketing emails or invoices to customers. If someone takes over this system, they can send false invoices with legitimate and known letterheads combined with false bank accounts. SMBs in Australia are also affected by investment scams, hacking, phishing, and classified scams among others.

What this means for Australian businesses

The increasing number of scams affecting businesses raises several questions about digital security and information management. While it’s important to deal with intrusions quickly when they happen, truly robust and professional security demands a more proactive approach. Scams target people of all ages and backgrounds, which means no one can afford to leave themselves unprotected.

Australian businesses have a number of challenges to overcome when it comes to cybersecurity, including those posed by staff turnover, staff education, and the need to manage multiple systems with a limited skill set. Training and awareness programs are a great first step, but it’s also important to be aware of your limitations and apply third-party security solutions when needed. Outsourcing IT services is a practical and cost-effective way to integrate security solutions into the fabric of new and existing IT systems.

Reported scams by Australian businesses

According to the ACCC report using data from Scamwatch, email correspondence scams were responsible for $3.8 million in losses to businesses. The vast majority of these losses, or $3.1 million, were related to false billing scams. Investment scams were second in terms of reported losses, at $2.2 million over the course of 2018. General hacking losses were recorded at $807,364, followed by phishing at $241,911, and classified scams at $211,127.

  • False billing scams were reported 1,819 times, of which 170 reports or 9.3 percent resulted in losses.
  • Investment scams were reported 59 times, of which 16 reports or 27.1 percent resulted in losses.
  • Hacking was reported 304 times, of which 34 reports or 7.9 percent resulted in losses.
  • Phishing was reported 637 times, of which 13 reports or 2 percent resulted in losses.
  • Classified scams were reported 153 times, of which 41 reports or 26.8 percent resulted in losses.

According to the ACCC report, nine in 10 businesses in Australia are small businesses, which means the bulk of all scam reports submitted were from organisations that classify as SMBs.

  • Micro businesses with 0-4 staff members reported 1,826 scams and $1,920,514 in losses, with 206 reports or 11.3 percent involving actual financial losses.
  • Small businesses with 5-19 staff members reported 1,574 scams and $2,595,172 in losses, with 143 reports or 9.1 percent involving actual financial losses.
  • Medium businesses with 20-199 staff members reported 835 scams and $1,827,673 in losses, with 79 reports or 9.5 percent involving actual financial losses.
  • Large businesses with over 200 staff members reported 311 scams and $645,325 in losses, with 27 reports or 8.7 percent involving actual financial losses.

Challenges for SMBs

SMBs have to face a number of challenges that don’t affect private individuals or large corporations. While some wealthy individuals are targeted directly in hacking attempts, private citizens often control their finances tightly and don’t have access to ongoing liquidity.

Individuals can be targeted directly through social media and email applications, but don’t have the visibility or complex digital presence required for some hacking methods. On the other hand, while large corporations have a complex Internet presence and access to a large pool of funds, they’re also more likely to have implemented robust security measures, often through their own security department.

SMBs often lie in the middle ground, being visible enough for hackers to target but not large enough to have their own digital security team. In order to mitigate risk and stay secure in today’s digital world, SMBs need to engage directly with independent experts by outsourcing critical security and IT services.

False billing scams

According to Scamwatch data, losses due to false billing scams increased by 97 percent in 2018 to $5.5 million. A large proportion of these scams, or $3.8 million, were carried out on businesses, the vast majority of whom were SMBs. Most of these losses, or $3.1 million, can be attributed to business email compromise scams. According to more accurate data using combined reports from ACCC and ACORN, email compromise scams accounted for $60 million in business losses in 2018.

In a typical scenario, businesses are contacted by compromised third parties who send invoices through email asking for payment. These scams can be simple or highly complex, with cybercriminals gaining access to single contractors, email lists, or entire IT systems. Sometimes all scammers need is a single business name, which they use to trawl the Internet and find out details about financial officers, payroll officers, and accountants.

Once a scammer has access to an organisation’s email system, they can impersonate the chief financial officer to ask for a transfer of funds or send a fraudulent invoice with their own bank account. In a less typical third scenario, the scammer may pretend to be an employee using email and ask to change their bank account information. In all cases, it’s important to be aware of unusual payment requests or changed account details.

Outsourcing your IT services is a great way to manage the threat of false billing scams and other security issues. While recognising the threat is a great first step, third-party solutions are the best way to cope with staff and software changes. Intrusions often happen after an upgrade or when a new system is put in place, which is why it’s important to integrate and adapt your security services as changes are made.

A managed IT solution can look at your system with fresh eyes and set up robust security measures based on multi-factor authentication and data alignment. By setting up specific channels and authorisation standards for all communications, managed IT services, like those provided by Productiv, can help you avoid false billing and other email correspondence scams.

Investment scams

Other than false billing, investment scams represent the biggest source of financial loss from cybercrime for Australian businesses. When combined with data from ACORN and WA Scamnet, investment scams exceeded $86 million in 2018. While this figure represents individual people as well as businesses, SMBs are often the targets of large and complex investment scams. Phone-based cold-calling is the most common way for scammers to attract victims, with business and trading forums acting as two other potential entry points.

Investment scams can and do include a wide range of assets and equities, including foreign exchange, binary options, company shares, cryptocurrencies, and initial investment opportunities for new business ventures. Awareness and education are key, so do your homework before entering into any kind of financial agreement. Always remember, if it sounds too good to be true, it probably is.

Working with a professional IT service is the best way to safeguard yourself against investment scams and other unwanted intrusions into your internal and external communications systems. From data loss and system outage scenarios through to penetration testing, outsourcing your IT services is the best way to ensure safety and control.

Actionable tips and immediate solutions

There are lots of things you can do immediately to mitigate risk and protect your business from harm. While migrating to the cloud or outsourcing your IT services can be a great long-term solution, being aware of current scams and remaining alert at all times will give you a great head start.

  • Subscribing to ScamRadar is a great way to stay ahead of the curve by keeping yourself informed of current threats.
  • Make every effort to know who you’re dealing with. Ask tough questions and do research if needed.
  • Never open suspicious pop-ups or documents, especially from unknown third parties.
  • Keep important business documents safe and secure at all times, both online and offline.
  • Review security and privacy settings on business webpages, blogs, and social media accounts.
  • Be aware of unusual payment requests or alterations to account information.
  • Engage with a professional IT services team for the best security solution.

Long-term solutions through education, engagement, and outsourcing

Computers and digital networks continue to change the face of modern business. More business processes and systems are migrating online, and more internal networks are being developed to streamline business operations. While the evolution of business systems is mostly a good thing, Australian businesses also face a growing number of threats.

From false billing and investment scams through to hacking, phishing, and data loss, the risks facing your information are more numerous than ever before. Staying safe in this brave new world requires a multi-pronged approach, with employees needing to educate themselves about potential threats, develop methods of engagement with relevant people and systems, and outsource critical services to a third-party provider.

Outsourcing IT services is a great way to streamline your security operations, secure your business assets, and manage the growing threat of cybercrime in Australia. To learn more about keeping safe from scams and other such activity, get in touch with the Productiv team today.