Scams Awareness Week

Scams Awareness Week highlights the scale of scam harm in Australia and the rise of cybercrime affecting individuals and businesses. It draws on ACCC and ACSC reporting to show why organisations should review protective security frameworks, educate staff and contractors, and address both cyber and insider threats.

Scams Awareness Week is taking place this week. The week is an initiative from the Australian Competition and Consumer Commission (ACCC) to build knowledge and understanding within the Australian public about scams.

Raising awareness about scams is crucial to prevent them from taking place because, quite logically, the best way to prevent a scam from taking place is to make sure the individual who is the subject of the scam is aware that it is a scam from the start.

Scams, however, do not only impact individuals. Businesses are also susceptible to falling prey to scammers and other fraudulent or malicious activities. These malicious activities towards businesses can be perpetrated by insider threats, that is employees, opportunist suppliers or customers, organised crime or even in certain circumstances, state actors.

Key takeaways

• Scams affect both individuals and businesses.
• ACCC and ACSC reporting shows scam and cybercrime harm remains significant.
• Businesses face threats from insider actors, suppliers, customers, organised crime and state actors.
• Protective security frameworks should address cyber, physical and insider threats together.
• Training staff and contractors is part of an effective response.

The Impact of Scams in 2020

The ACCC, in its 2020 report, found that the combined financial losses from scams in 2020 amounted to $851 million. This figure represents losses from scams reported to Scamwatch, the Australian Cyber Security Centre (ACSC), the Australian Securities and Investments Commission, other government agencies and financial institutions. 216,087 reports of scams, totalling $176 million in losses, were reported to Scamwatch alone in 2020.

Statistics From the ACCC 2020 Report

According to the ACCC, in 2020, the top three scams were Investment Scams ($328 million), Romance Scams ($131 million) and Business Email Compromise (BEC) ($128 million). In addition, considering the spread of scams by age groups, 35 - 44-year-olds accounted for just under 20% of reported scams and 16% of losses from scams reported to Scamwatch. The age group bracket of 25 - 34 accounted for the highest number of reports of scams in 2020 (19.9%) and the age group bracket of 65 plus accounted for the biggest percentage of losses (23.9%).

In terms of the types of scams, the following were the most common types of scams perpetrated against individuals:

• COVID-19 scams
• Government impersonation scams
• Superannuation scams
• "Puppy" or other pet scams
• Vehicle sale scams
• Bushfire scams
• Romance baiting
• Celebrity endorsement scams

Impact to Businesses

According to the ACCC, scam losses reported by businesses in 2020 have increased by 260% from the 2018 figures, although this percentage is inflated by a single scam loss of $8 million reported in 2020. The most common type of scams against businesses are false billing and phishing scams. In addition, Scamwatch received approximately 1,300 reports of BEC scams in 2020.

ACSC Annual Cyber Threat Report 2020-2021

On 15 September 2021, the ACSC released its Annual Cyber Threat Report 2020-2021. Unsurprisingly, the COVID-19 pandemic was a major influence on the types and extent of cyber threats recorded by the ACSC. Over the 2020-2021 financial year, the ACSC received over 67,500 cybercrime reports which constituted an increase of 13% from the previous year.

The ACSC identified the following key threats and trends:

1. Exploitation of the pandemic by an increase in spear-phishing emails relating to COVID-19 information and services, such as information about vaccinations or grants.
2. A quarter of all incidents reported to the ACSC related to disruption of essential services or critical infrastructure.
3. There was a 15% increase in ransomware cybercrime reports in the 2020-2021 financial year. The sectors targeted were wide-ranging and included professional, scientific and technical organisations as well as health and social services.
4. The impact of BEC was identified as a continued threat to both government and businesses alike. The ACSC reports that in the 2020-2021 financial year, the average loss per successful BEC was $50,600. This increase in average loss is associated with criminals being more sophisticated and organised.

Other key statistics from the report include that the self-reported losses from cybercrime totalled more than $33 billion for the financial year and there was an average of four malicious cyber activities a day relating to, or connected to, the COVID-19 pandemic.

What Does This Mean for Businesses?

The statistics from the various agencies make it clear that the threat of scams and other cybercrimes is on the rise and an ever-present threat. Businesses should not think that such scams and crimes are limited to individuals who fall foul of traditional scams such as investment and romance scams, to name a few.

The report from the ACSC highlights that ransomware and BEC are not only on the rise but are becoming more sophisticated and can be potentially crippling for a business. Further, critical infrastructure continues to be targeted by state and other malicious actors.

Businesses need to ensure that they are constantly reviewing their protective security frameworks to ensure that such frameworks are up to date and suitable for the business needs and current threat landscape. Importantly, it is crucial that businesses realise that these security frameworks need to address not only cyber-attacks from third-party malicious actors but insider threats as well. This means that businesses need to implement adequate physical, as well as cyber, security practices to ensure the business is properly and holistically protected from threats and attacks.

The other key component of a security framework involves the business educating its staff and contractors on the:

• key threats faced by the business; and
• steps that the business is taking to prevent and protect its key data and people.

Elements of a Protective Security Framework

Core Integrity's Integrity Lifecycle methodology provides a good baseline for businesses to build out, or review, their protective security framework:

This lifecycle covers the following key elements:

• PREVENT - Taking proactive steps to ensure that issues of all sorts are prevented from occurring through training, risk assessments and other processes.
• DETECT - Implementing the right processes for the business model to detect issues as early as possible if they do occur to minimise their impact.
• RESPOND - Unfortunately, sometimes things do go wrong, and if they do, the business needs to make sure it has internal subject matter experts or an external partner on hand that helps it respond the right way, the first time.
• OPTIMISE - A strong business is one that learns from its mistakes. Periodically reviewing the physical and cyber security risks and incidents assists in ensuring that the business optimises its processes to safeguard from attacks from happening again.

FAQ

Why is Scams Awareness Week important?

It helps build public understanding of scams and reminds businesses that scams and cybercrime are not just consumer issues. Raising awareness is one of the most effective ways to reduce harm.

What do the ACCC and ACSC reports show?

They show that scam losses and cybercrime reporting remain significant, with business email compromise, ransomware and phishing all continuing to affect organisations and individuals.

What should businesses do next?

They should review protective security frameworks, address cyber, physical and insider threats together, and educate staff and contractors about the threats they face and the steps being taken to protect key data and people.