Fraud & Cyber Crime


Exposure overview

Cyber criminals use several fraudulent methods to steal money from a business, including Cyber Theft Loss (funds taken from the business's accounts without its knowledge) and Push Payment Loss (deceiving the business's customer into paying a fraudulent invoice).

However, the most prominent form is Social Engineering Loss, a type of cyber crime in which attackers use email to trick a business into transferring money. It typically works as follows:

  • Spoofing or Hacking: Attackers either spoof an email address to make it look like it’s coming from a trusted source or hack into a legitimate email account.
  • Phishing: They send emails that appear to be from a known source, such as a company executive, vendor, or partner, requesting urgent transfers of funds.

The emails often use social engineering tactics to create a sense of urgency or authority, making the recipient more likely to comply without verifying the request.
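The two header patterns behind the spoofing step described above are easy to check mechanically: a display name that impersonates a trusted person while the actual address sits on an unrelated domain, and a Reply-To that quietly redirects replies elsewhere. The following Python is an added illustration, not code from the original page or from any insurer; the names, domains and the two sample messages are constructed for the example.

```python
# Added example (not from the original page): flag header patterns typical of
# a spoofed business email compromise message. Names and domains are hypothetical.
from email import message_from_string
from email.utils import parseaddr

# Hypothetical list of people whose name attackers are likely to impersonate,
# keyed by the only address they legitimately send from.
TRUSTED = {"jane.smith@acme-corp.example": "Jane Smith"}


def check_headers(raw: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()

    # 1. Display name matches a trusted person, but the address is not theirs.
    for addr, name in TRUSTED.items():
        if from_name.strip().lower() == name.lower() and from_addr.lower() != addr:
            findings.append(f"display-name impersonation: '{from_name}' sent from {from_addr}")

    # 2. Reply-To points at a different domain than From, so replies leave the thread.
    if reply_addr:
        reply_domain = reply_addr.rsplit("@", 1)[-1].lower()
        if reply_domain != from_domain:
            findings.append(f"reply-to mismatch: From {from_domain} but Reply-To {reply_domain}")

    # 3. If the receiving mail server recorded authentication results, surface failures.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("dmarc", "spf", "dkim"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} failed")

    return findings


# Constructed sample: executive's name on a look-alike domain, replies diverted to webmail.
SPOOFED = """From: Jane Smith <jane.smith@acme-corp-mail.example>
Reply-To: ceo.office@freemail.example
To: accounts@acme-corp.example
Subject: Urgent wire transfer
Authentication-Results: mx.acme-corp.example; spf=fail smtp.mailfrom=acme-corp-mail.example; dmarc=fail header.from=acme-corp-mail.example

Please pay the attached invoice today.
"""

# Constructed sample: the same executive sending from her real address.
LEGIT = """From: Jane Smith <jane.smith@acme-corp.example>
To: accounts@acme-corp.example
Subject: Q3 budget

See attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, check_headers(raw) or ["no findings"])
```

A hit on any of these checks is not proof of fraud, but it is exactly the case where the verbal call-back on a number already held on file should be mandatory before any payment or bank-detail change is actioned.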

‘A while ago there was a spate of house deposits being re-routed so a single transaction can be very large.’

Hamish Krebs – Cyber CX

The Law

If the cyber-crime event also breached personal information, the Privacy Act may be applicable.

Fraud and cyber crime are addressed in various legislation, including the Australian Criminal Code Act 1995. However, it is challenging to catch cyber criminals because of the anonymous nature of the internet. Unfortunately, if an initial attack was successful, criminals often target the same victim again.


Scale of the problem

Over 87,400 cybercrime reports were made in FY2023-24, a decrease of 7% from the previous financial year but still an average of one report every six minutes. The top three cybercrimes reported by businesses were:

a) Business email compromise resulting in no financial loss: 20%
b) Business email compromise resulting in financial loss: 13%
c) Online banking fraud: 13%*

Social Engineering Loss continues to significantly impact businesses, with an average financial loss of over $55,000 for each confirmed incident. Based on its own claims data, Clyde & Co. puts the average Social Engineering Loss / funds transfer fraud at $135,000. The two averages come from different data sets (reports to government versus an insurer's claims), which accounts for the gap.

* Australian Government Annual Cyber Threat Report 2023-2024
* Clyde & Co., Under the Hood 2024

$55,000: average financial loss for each confirmed Social Engineering Loss incident.

33%: share of all cyber crimes reported in 2023-2024 that were business email compromise.

$300,000: lost in a single transaction in one Social Engineering Fraud Loss case in 2024.

11 days: average time the email hacks behind these losses went undetected, so victims often do not spot the loss immediately.

Exposure Mitigation

To mitigate the risk of fraud and cyber crime scenarios, organisations should consider implementing the following, in conjunction with their wider security programme and the advice of their IT security adviser:

  • Employee Training: Educate directors and employees about fraud and cyber crime, and the signs and tactics to be aware of.
  • Always verify payment requests: In particular, verbally confirm any change to bank account details by calling a phone number already held on file, never one supplied in the request itself.
  • Utilise Dual Authorisation: Above defined amounts, every money transfer should be authorised by at least two members of staff. Most Australian banks offer dual authorisation features for business accounts.
  • Implement MFA: Require MFA for any remote access, including the email accounts that attackers take over to send fraudulent payment requests.

Insurance Solution

Cover 1.l: Cyber Crime

All of the following:

i. Social Engineering Loss
ii. Push Payment Loss
iii. Cyber Theft Loss
iv. Cryptojacking Loss
v. Telephone Phreaking Loss