Social engineering and email compromise are on the rise

As businesses adopt increasingly advanced digital technology, the risks of doing business evolve. And while larger organisations have strengthened their cybersecurity systems and protocols, smaller firms become more vulnerable – cyber-criminals know their weak spots make them easier targets.

There are two types of businesses: those that have been hacked, and those that will be. The data paints a worrying picture. According to Scott Curley, Director - Professional Risks and Trade Credit, GSA Insurance Brokers, every 39 seconds, a hack occurs – with 43% of cyber-attacks targeting small and mid-sized businesses.

Many Australian small businesses don’t have cyber protection – or assume it’s already covered through their business insurance.

Curley said that’s a common myth. Professional indemnity, business and public liability insurance won’t cover things like cyber extortion, data loss through a hack, or third-party costs.

“We insure our office buildings, even though they have sprinklers and a back to base fire alarm. But 99% of your revenue might be generated online, and you don’t think to protect that aspect of your business,” he said.

The changing face of fraud

There are so many different ways criminals are extracting money from businesses, from ATO scams to fake documents and malware.

There has been a rise in fraudulent payment modification, and daily reports of email compromise. It’s important to verify any new instructions – if in doubt, call the sender to verbally confirm the changes have come from them.

There are now over 200 million forms of malware and they could be entering your business inboxes daily.

Phishing is where you receive an email that appears to be from a trusted source, asking you to do something such as ‘click to verify your details’ or ‘download an attachment’. That attachment could contain malicious code which injects a new web page into your browser, and it might look like your bank’s online banking portal.

We are also seeing an increase in ransomware demands, especially in small and mid-sized businesses. You click on a link or attachment from a ‘trusted’ sender, and it launches code that encrypts your files or locks down your screens and servers so you simply can’t operate. With pressure to keep the business running, many business owners pay the ransom, often requested in bitcoin.

Not all scams come through email. Social engineering, where hackers manipulate people into revealing confidential information, can happen over the phone.

Don’t make a payment on impulse. Take a step back if someone phones making urgent demands. 

Check your internal controls

Many businesses believe their third-party providers, such as cloud providers or web hosting platforms, are taking care of this issue. But the cloud is just as vulnerable as a data centre. Ensure you do some due diligence to make sure your provider is covered.

How do you protect yourself from the risk of cyber fraud?

First, it’s important to get your business systems and protocols in place. Get your systems checked by a reputable IT company to make sure there are no trojans, malware or viruses. Educate your team on what a phishing email looks like, any red flags to watch out for, and how to report an issue if they spot something.

All this can also happen at home if your team works remotely, so make sure their home wi-fi is secure.

Outsource your cyber response

Most smaller businesses don’t have the skills to negotiate with hackers or set up a data breach response team. But if you have cyber insurance, your insurer will set up a panel of experts to mitigate the loss and take immediate action.

“The first six to 12 hours of response are critical,” said Curley. “If it’s a denial of service attack or ransomware, they’ll check how real the threat is and if necessary, pay the ransom.”

You can expect your cyber policy to also take care of the costs of credit card monitoring (if that data is lost) and crisis management, as well as potential third party costs such as litigation, penalties, and notification costs.

It seems that cyber insurance is the one risk tool your business can’t afford to operate without. But given it’s a relatively new product in Australia, it’s worth getting a broker’s advice first.

Additional information

This information is provided for the use of licensed and accredited brokers and financial advisers only. In no circumstances is it to be used by a potential client for the purposes of making a decision about a financial product or class of products. This information does not take into account any person’s objectives, financial situation or needs. Before making any financial investment decision or a decision about whether to acquire or continue to hold any products mentioned on this page, a person should obtain and review the offer documents relating to that product and also seek independent financial, legal and taxation advice.

Unless stated otherwise, this information has been prepared by Macquarie Bank Limited ABN 46 008 583 542 AFSL and Australian Credit Licence 237502 (MBL).
