This month in Cyber Insights we highlight payment redirection scams, latest breaches and tips for protecting your business from deepfake technology. Read full Cyber Insights here >>
Payment redirection scams cost Australian businesses $14 million
Australian businesses reported over $14 million in losses to Scamwatch due to payment redirection scams last year, and average losses so far in 2021 are more than five times higher compared to average losses in the same period last year.
Total losses are much higher as these scams are reported to a range of different organisations. In a payment redirection scam, also known as business email compromise scams, scammers impersonate a business or its employees via email and request that money, which usually is owed to the legitimate business, is sent to a fraudulent account.
“Payment redirection scams impact businesses across many industries, including real estate, construction, law, recruitment, and universities,” ACCC Deputy Chair Delia Rickard said. “Scammers tend to target new or junior employees, or even volunteers, as they are less likely to be familiar with their employer’s finance processes or the types of requests to expect from their supervisors.”
“We recommend organisations ensure their staff are well trained in the company’s payment processes and remain aware of payment redirection scams,” Ms Rickard said. Payment redirection scams can take several different forms. In some instances, scammers hack into a legitimate email account and pose as the business, by intercepting legitimate invoices and amending the bank details before releasing emails to the intended recipients. In one instance, a victim lost $16,500 in a single transaction after a scammer used a staff member’s email address to send an invoice to a customer with ‘updated bank details’, redirecting the payment to the scammer’s personal bank account.
Other times, payment redirection is done by spoofing, when scammers impersonate CEOs or other senior managers using a registered email address that is very similar to that of the genuine email address. The scammer will then request that staff transfer funds to them or make a payment to a third party on behalf of the business.
Latest Security Breaches
The Parliament of Western Australia
Western Australia’s parliamentary email network was infiltrated by suspected Chinese hackers in the fallout of the recent massive Microsoft Exchange incident. The intrusion was detected on 03/04 in the middle of the state election campaign and led to intervention from Australia’s cybersecurity watchdog. Email service was disrupted but an investigation by Western Australia’s Parliamentary Services Department concluded that no sensitive data was stolen in the attack.
In an especially audacious attack, hackers disrupted broadcast operations at Channel Nine, preventing the station from transmitting its popular Sunday morning news program, which runs from 7:00am to 1:00pm out of studios in Sydney as well as its 5pm evening news broadcast. The 6pm broadcast was facilitated by studios in Melbourne. The company acted quickly to restore operations.
Engaging with others through videos has become a standard part of our everyday lives. Whether you’re joining a video conference at work or watching your favourite celebrity on Instagram, videos are everywhere. However, can you really trust what you’re seeing? The rise of deepfake technology could make it difficult to know if what you are watching is real or fake.
What is Deepfake Technology?
Deepfake technology uses AI and machine learning to create realistic audio and video spoofs. These spoofs combine real footage of one person with the words or actions of another. While deepfake technology has been around for years, it is now easier to use and harder to recognize. For example, there are mobile apps that allow you to replace a celebrity’s face with your own to create surprisingly realistic videos.
How Could Cybercriminals Use This Technology?
There are a number of ways that the bad guys could use deepfake technology. One way cybercriminals are using this technology is to impersonate celebrities. Spoofing influential people could be used to spread false information designed to intentionally mislead you. This is a tactic known as disinformation. On a smaller scale, this technology could be used to impersonate executives in your organisation. Imagine receiving a phone call from your CEO asking you to send money or confidential information. However, it isn’t actually your CEO, but a cybercriminal spoofing their voice with deepfake technology!
What Can I Do to Stay Safe?
To stay safe from deepfake spoofs remember these tips:
- Always be suspicious of videos that contain shocking or controversial claims. This could be disinformation in action.
- Always check the source. For example, if you are watching a celebrity’s video on social media, make sure it was posted on their verified profile.
- Always verify before taking action. In the example of your CEO calling, you could ask to set up a meeting in person.