Australia, like many other countries, has seen a worrying increase in phishing scams. According to the recent Annual Cyber Threat Report 2021-2022, the Australian Cyber Security Centre received over 76,000 cybercrime reports, which is a 13% increase over the previous financial year. With one cybercrime report being filed every seven minutes, it’s evident that the situation is simply getting out of hand. The average cost per cybercrime report has increased to more than $39,000 for small organisations, $88,000 for medium businesses, and over $62,000 for large businesses – that’s a14% rise on average.
Phishing attacks in Australia can take many different forms from emails, phone calls, text messages to even social media messages, and they can target individuals, businesses, and organisations. Cybercriminals are continually adapting their tactics, so it’s crucial to recognise these scams by staying informed, taking precautions, and employing security best practices. Here are some of the most common forms of phishing attempts reported in Australia:
Email Phishing
According to the most recent Proofpoint research, email phishing scams are a serious problem in Australia. These scams mostly target individuals, banking and financial institutions, government agencies, healthcare groups, and telecommunications businesses. In 2022, over 71,299 phishing scams were reported in Australia, with over 96% of phishing attempts arriving by email, another 3% via malicious websites, and only 1% via phone. Scammers send fraudulent emails impersonating reputable businesses or individuals in order to appear legitimate to gain recipients’ trust. During tax season in Australia, phishing attempts typically imitate the Australian Taxation Office (ATO), with the intention of acquiring personal and financial information or initiating fraudulent tax refund claims. Phishing emails frequently use social engineering techniques to trick recipients into taking immediate action. These approaches often involve creating a sense of urgency, panic, or interest in recipients in order to convince them to click on malicious links or provide critical information.
Spear Phishing
In spear phishing, scammers collect personal information about specific individuals or groups to make their phishing attempts appear more credible. They include customised details such as the recipient’s name, job title, or corporate information to boost their chances of looking legitimate. Every year, over 88% of businesses face spear phishing attempts, according to Norton statistics. According to Symantec’s 2019 Threat Report, spear phishing accounts for 65% of cyber-attacks and targets 22% of CEOs. For generating a sense of urgency, scammers act as CEOs, COOs, or CFOs and send fraudulent emails to employees asking for sensitive information or granting scammers access to certain platforms and accounts such as an ERP system, a Microsoft account, or a banking portal.
Business Email Compromise (BEC)
According to the Australian Competition and Consumer Commission (ACCC), businesses in Australia reported losses of more than $132 million in 2020 due to BEC scams. BEC attacks are designed to trick employees into transferring payments or providing sensitive information. The impact of BEC extends beyond financial losses, resulting in businesses reputational harm, lost data, and disrupted business operations. In 2022, Accounts Payable (AP) departments remain the most vulnerable to BEC scams. In 2023, with the introduction of AI tools, cybercriminals have the benefit of using AI tools for creating a clear and sophisticated email scam, so it’s vital to educate your AP team on how to spot email scams and how to respond to them.
Smishing Scam
Smishing is a type of phishing scam in which the message is delivered via SMS text message rather than email. Smishing SMS attempts to trick you into providing sensitive information such as credit card details and account passwords, or into granting access to your phone and/or computer. According to ACCC Scamwatch data, financial losses from SMS scams have climbed by 188% in 2022, rising from roughly $2.3 million to more than $6.5 million. SMS scams accounted for around 32% of all reported scams in 2022. The SMS could resemble a bank or government organisation, such as Centrelink or the Australian Tax Office, or it could resemble a communication from Australia Post concerning a package delivery. You may receive an SMS text that your account has expired or been locked due to suspicious activity, and you must provide personal information or click on a link to reactivate it by entering your personal information such as card numbers, NetBank client numbers, banking passwords, and NetCodes.
Vishing Attack
According to a Commonwealth Bank research, Australians receive 4.98 scam calls/emails/SMS/social media communications every week (or nearly one per day, or 258.96 messages per year). Vishing, also known as “voice phishing,” includes cybercriminals calling individuals and impersonating official entities such as financial institutions, government authorities, or technical support personnel. Scammers use deceptive tactics to trick victims into disclosing personal information, granting access to their accounts, or initiating financial transactions.
Malware-Based Phishing
According to the State of the Phish report, 83% of survey respondents reported at least one successful email-based phishing attempt in 2021, representing a 46% increase over 2020. Through emails or text messages, these scams trick people into downloading malware by giving them malicious attachments or links. The malware can compromise security, obtain data, or give the attacker unauthorised access once it has been activated on the victim’s device. These phishing attempts also make use of deceptive pop-up windows or warnings that indicate the user’s system needs to be updated immediately. By clicking on these prompts, you risk having malware put on your computer or mobile device.
Preventive Measures
Protecting businesses from phishing scams is crucial to safeguard sensitive information, maintain trust with customers, and preventing financial losses.
📚 Educate employees: Provide comprehensive training to help employees recognize suspicious emails, links, and attachments. Teach them to scrutinise sender addresses, identify grammatical errors, and avoid clicking on unfamiliar links.
🔐 Strong passwords and authentication: Encourage employees to create unique, strong passwords and regularly update them. Implement two-factor authentication (2FA) or multi-factor authentication (MFA) for added security.
🔎 Email filters and spam protection: Implement filters and mechanisms to reduce phishing emails in employees’ inboxes and block suspicious messages.
🛡️ Ongoing security awareness training: Conduct regular training sessions to reinforce best practices, inform employees about emerging phishing techniques, and keep security protocols up to date.
🚩 Cultivate a reporting culture: Foster an environment where employees feel comfortable reporting suspicious emails or incidents promptly. Establish clear reporting channels and investigate reported incidents promptly.
