Beware of EOFY scams and breaches: how Aussie businesses can stay safe

Over the past year, we’ve seen a multitude of phishing attempts impersonating government agencies, banks and well-known businesses. With the end of financial year approaching, we can anticipate seeing an increase in this type of scam. It’s a time when businesses can expect more contact from partners, banks and the Australian Taxation Office, and as such, their guard may be lowered.

According to YouGov research commissioned by the Commonwealth Bank, almost a third of respondents failed to spot a tax scam when multiple tax phishing scams were tested with Australians over the age of 18, with only 69% successfully identifying all of them. The research also showed around one in four Australians have been exposed to a tax-related scam.

We can expect scammers to be making more fake calls impersonating government employees. Robocalls will also be on the rise. Businesses should also be on their guard about receiving fake invoices or payment requests that will be used to commit financial fraud, targeting businesses during their busy end-of-the-year auditing periods. Additionally, for financial service firms and government agencies that are also busy during tax filing season, we’ve typically seen DDoS and ransomware attacks attempting to disrupt operations that are critical during the annual financial year to process both consumer and commercial tax activities.

Evolving attack tactics

Business email compromise is very common during tax season. Fraudsters impersonate financial executives requesting (fake) urgent transactions to be performed to meet tax requirements. Because everyone is rushing to meet accounting requirements in time, they may take less care with checking and verifying the authenticity of those requests.

What we’re also seeing are deep fake videos being used to conduct this kind of executive impersonation. Instead of an email request, scammers are creating fake videos for video conference calls, using generative artificial intelligence tools that spoof someone’s voice and appearance.

Human intelligence: the last line of defence

Cyber defences can only go so far. They simply can’t block every email and phone call. This means that the last line of defence is down to human intelligence and how people can safeguard themselves from being scammed.

Bear in mind that logos and content on a website can be replicated with near-perfect accuracy, so double-check the URL. In the US, we’ve seen fake US Postal Service sites get as much traffic as the genuine USPS domain.

Businesses need to ensure that their staff are well trained to handle suspected scams that are impacting customers, as well as not fall for scams themselves. They need to reconfirm activities like suspicious payment requests by calling the person to double-check it was genuine if needed.

It’s also helpful if organisations can establish some kind of check and control so it’s never just one person making the decision to authorise large financial transactions but requires a team of approvers instead. This helps to strengthen governance and oversight against frauds and scams as modern technologies that power deep fake videos and voice phishing have reached a point where it has become a major challenge for a human in trying to differentiate them.

Taking a page out of the zero trust cybersecurity approach, we should not always just trust but instead always verify the authenticity of the request and requestor.

Responding to scams

If the worst happens, or if you suspect that it has, speed will be of the essence.

Passwords should be quickly changed with multi-factor authentication set up, if not already. Devices should be scanned for malware, whether a computer, a mobile phone or tablet. Anti-malware software should also be installed and always updated. And lastly, monitor bank and government accounts for any suspicious logins or activity and report it as soon as it is seen. This is important because a scam may not take impact immediately after a breach, but days or weeks later.

Organisations affected by a breach or attack need to urgently activate their cyber incident response plans. These typically involve isolating impacted assets, such as a defaced website or compromised web application. The magnitude of the breach must also be assessed: what kind of data has been stolen? Is it external or internal data? In Australia there are also legal obligations to report Notifiable Data Breaches to affected individuals, partners and customers as well as to the Office of the Australian Information Commissioner.

Adopting the zero trust security approach, including implementing key technologies like micro-segmentation, can help mitigate a cyber attack and limit the damage. For example, micro-segmentation can isolate and contain breached systems from spreading the malware or ransomware to other systems on the network, substantially reducing the blast radius of the attack. We have also seen organisations benefit when implementing zero trust technologies like micro-segmentation to safeguard against digital supply chain attacks.

Lastly, we have observed how ransomware has become the new normal where every organisation in every sector is a potential target. Zero Trust Network Access (ZTNA) and micro-segmentation technologies play an effective part in enforcing zero trust policies at the north-south and east-west network traffic. ZTNA not only stops threats from being introduced into the network, micro-segmentation stops threats from moving laterally across the network.

Taking the necessary precautions, fostering a strong security posture, having good cyber hygiene and staying vigilant during this end of financial year period can help stave off potential scams or cyber attacks. Remaining vigilant during this period will be essential for all.

Image credit: iStock.com/ronniechua