Scams Awareness Week
This week has seen the 2021 version of Scams Awareness Week take place. The week is an initiative from the Australian Competition and Consumer Commission (ACCC) to build knowledge and understanding within the Australian public about scams.
Raising awareness about scams is crucial to preventing them: the best way to stop a scam is to make sure the individual being targeted recognises it as a scam from the start.
Scams, however, do not only impact individuals. Businesses are also susceptible to falling prey to scammers and other fraudulent or malicious activities. These malicious activities towards businesses can be perpetrated by insider threats (i.e. employees), opportunist suppliers or customers, organised crime or even, in certain circumstances, state actors.
The impact of scams in 2020
The ACCC, in its 2020 report on scams activity, found that the combined financial losses from scams in 2020 amounted to $851 million. This figure represents losses from scams reported to Scamwatch, the Australian Cyber Security Centre (ACSC), the Australian Securities and Investments Commission, other government agencies and financial institutions. 216,087 reports of scams, totalling $176 million in losses, were made to Scamwatch alone in 2020.
Statistics from the ACCC 2020 report
According to the ACCC, in 2020, the top three scams were Investment Scams ($328 million), Romance Scams ($131 million) and Business Email Compromise (BEC) ($128 million). In addition, considering the spread of scams by age groups, 35 – 44-year-olds accounted for just under 20% of reported scams and 16% of losses from scams reported to Scamwatch. The age group bracket of 25 – 34 accounted for the highest number of reports of scams in 2020 (19.9%) and the age group bracket of 65 plus accounted for the biggest percentage of losses (23.9%).
In terms of the types of scams, the following were the most common types of scams perpetrated against individuals:
- COVID-19 scams
- Government impersonation scams
- Superannuation scams
- ‘Puppy’ (or other pet) scams
- Vehicle sale scams
- Bushfire scams
- Romance baiting
- Celebrity endorsement scams
Impact to businesses
According to the ACCC, scam losses reported by businesses in 2020 increased by 260% from the 2018 figures, although this percentage is inflated by a single scam loss of $8 million reported in 2020. The most common types of scams against businesses are false billing and phishing scams. In addition, Scamwatch received approximately 1,300 reports of BEC scams in 2020.
ACSC Annual Cyber Threat Report 2020 – 2021
On 15 September 2021, the ACSC released its annual report on cyber threats. Unsurprisingly, the COVID-19 pandemic was a major influence on the types and extent of cyber threats recorded by the ACSC. Over the 2020 – 2021 financial year, the ACSC received over 67,500 cybercrime reports, which constituted an increase of 13% from the previous year.
The ACSC identified the following key threats and trends:
- Exploitation of the pandemic through an increase in spear-phishing emails relating to COVID-19 information and services (i.e. information about vaccinations or grants).
- A quarter of all incidents reported to the ACSC related to disruption of essential services or critical infrastructure.
- There was a 15% increase in ransomware cybercrime reports in the 2020 – 2021 financial year. The sectors targeted were wide-ranging and included professional, scientific and technical organisations as well as health and social services.
- BEC was identified as a continued threat to government and businesses alike. The ACSC reports that in the 2020 – 2021 financial year, the average loss per successful BEC was $50,600. This increase in average loss is associated with criminals being more sophisticated and organised.
Other key statistics from the report include that the self-reported losses from cybercrime totalled more than $33 billion for the financial year and that there was an average of four malicious cyber activities a day relating or connected to the COVID-19 pandemic.
What does this mean for businesses?
The statistics from the various agencies make it clear that the threat of scams and other cybercrimes is ever-present and on the rise. Businesses should not think that such scams and crimes are limited to individuals who fall foul of traditional scams such as investment and romance scams (to name a few).
The report from the ACSC highlights that ransomware and BEC are not only on the rise but are becoming more sophisticated and can be potentially crippling for a business. Further, critical infrastructure continues to be targeted by state and other malicious actors.
Businesses need to constantly review their protective security frameworks to ensure that they are up-to-date and suitable for the business needs and the current threat landscape. Importantly, businesses must realise that these security frameworks need to address not only cyber-attacks from third-party malicious actors but insider threats as well. This means that businesses need to implement adequate physical, as well as cyber, security practices so that the business is properly and holistically protected from threats and attacks.
The other key component of a security framework involves the business educating its staff and contractors on the:
- key threats faced by the business; and
- steps that the business is taking to prevent and protect its key data and people.
Elements of a protective security framework
Core Integrity’s Integrity Lifecycle™ methodology provides a good baseline for businesses to build out (or review) their protective security framework.
This lifecycle covers the following key elements:
- PREVENT – Taking proactive steps to ensure that issues of all sorts are prevented from occurring through training, risk assessments and other processes.
- DETECT – Implementing the right processes for the business model to detect issues as early as possible if they do occur to minimise their impact.
- RESPOND – Unfortunately, sometimes things do go wrong, and if they do, the business needs to make sure it has internal subject matter experts or an external partner on hand to help it respond the right way, the first time.
- OPTIMISE – A strong business is one that learns from its mistakes. Periodically reviewing the physical and cyber security risks and incidents helps the business optimise its processes to safeguard against attacks happening again.