25 March 2020

Unfortunately, world events like coronavirus present new opportunities for fraudsters to target the vulnerability of businesses, with email and phishing scams designed to steal personal and account information from your business and clients. As such, it’s more important than ever to remain vigilant. 

Here are some things to watch out for:

The changing face of fraud

Macquarie Group’s Jonathan Martin describes the many different ways criminals try to extract money from businesses – from phishing emails to malicious software including ransomware.   

He points to an increase in unauthorised payment modification, and more frequent reports of email compromise, particularly in times of social uncertainty. “It’s important to verify any new instructions – call the sender to check it’s really from them.”

There were over 230,000 new malware samples produced every day in 2019, with predictions to continue growing1.

Phishing and malware

“Phishing is where you receive an email that appears to be from a trusted source, asking you to do something such as ‘click to verify your details’ or ‘download an attachment’,” explained Jonathan. That attachment could contain malicious code which injects a new web page into your browser – it might look like your bank’s online banking portal, for example.

“We’re also seeing an increase in ransomware demands – especially in small and mid-sized businesses,” said Jonathan. “You click on a link or attachment from a ‘trusted’ sender, and it launches a code that encrypts your files or locks down your screens and servers so you simply can’t operate.”

Not all scams come through email. Social engineering, where hackers manipulate people for confidential information, can happen over the phone.

Phishing emails may feature a sense of urgency and expectation and can feel more genuine during times of global crisis or panic. Such emails will typically include requests for sensitive information or payment.

An exponential effect on business bottom line

“Fraud can cause significant damage. You could lose revenue, but there are also long-lasting damaging effects to reputation and morale,” Martin said.

With Australia’s new data breach laws now in place, any organisation with revenue exceeding $3 million must comply by ‘promptly notifying individuals at likely risk of serious harm’ of any breach in their personal data.

Otherwise, you could face fines of up to $2.1 million. Even when you do comply, there is the cost of notifying thousands of clients and mitigating any reputational damage.

Check your internal controls

Many businesses believe their third-party providers, such as cloud services or web hosting platforms, are taking care of this issue. But the cloud is just as vulnerable as a data centre. “We see increasingly reliance on third-party services,” said Martin. “Do some due diligence to make sure they’re covered.”

And then how do you protect yourself from the risk of cyber fraud?

First, it’s important to get your business systems and protocols in place. Get your systems checked by a reputable IT company to make sure there are no trojans, malware or viruses. Educate your team on what a phishing email looks like, any red flags to watch out for, and how to report an issue if they spot something.

“Staff can be particularly vulnerable to attacks when they work from home or remotely, so make sure they understand the importance of having access to secure, password-protected wi-fi,” noted Jonathan.

Outsource your cyber response

Most smaller businesses don’t have the skills to negotiate with hackers or set up a data breach response team. But if you have cyber insurance, your insurer will set up a panel of experts to mitigate the loss and take immediate action.

“They know the first six to 12 hours of response are critical,” said Curley.

You can expect your cyber policy to also take care of the costs of credit card monitoring (if that data is lost) and crisis management, as well as potential third party costs such as litigation, penalties, and notification costs. For more information, go to the Australian Cyber Security Centre website at https://www.cyber.gov.au/publications/small-business-cyber-security-guide.

Additional information

This material has been prepared by Macquarie Bank Limited ABN 46 008 583 542 AFSL & Australian Credit Licence 237502 ("Macquarie") without taking into account your personal objectives, financial situation or needs. Before acting on this general information, you must consider its appropriateness having regard to your own objectives, financial situation and needs. The information provided is not intended to replace or serve as a substitute for any accounting, tax or other professional advice, consultation or service.