A calculated guess would say that 80-90% of businesses that have fallen victim to scams or fraud thought that their controls were up to scratch prior to the event. Looking back, they can likely see gaps that put them at risk. Hindsight is 20/20.
This is not a criticism – simply a warning that no organisation, no matter their size or their controls, is exempt from scams and fraud.
Due to the increasing volume and variation of scams and fraud targeting individuals and businesses across Australia, Satori ran a webinar to gain insight into the biggest risks, how we can implement better controls, and how we can better protect businesses, customers, and employees from these risks.
We spoke to a leading expert in financial fraud and scams, James Roberts, to get an inside look at what’s going on and how it’s being stopped. James currently oversees the Commonwealth Bank’s strategic approach to the prevention, detection and response to external fraud and scams.
Here, we recap our discussion with James about current scam trends, how they’re impacting business, how risk can be tackled, and the role AI is playing in perpetrating and detecting scams and fraud.
The current fraud and scam trends
Over the last 20 years working in financial scam and fraud investigation, James has seen firsthand how scams have changed and developed. Lately, there has been a huge growth in scams targeting affluent, English-speaking countries—predominantly the UK, US, New Zealand, and Australia.
Looking at recent ACCC data, scams in Australia have gone up over the last three years by 100%, 100% and 80% respectively.
Some of the most common and concerning scams right now include:
- Business email compromise (BEC): this is where a scammer intercepts a business email such as a supplier invoice or instruction to pay and amends the banking details to divert the payment to their own account.
- Phishing scams – these are the ones we’ve all seen and probably get every single day. Emails and SMS asking us to click links to pay fines, tolls, or collect deliveries.
- Investment scams – these are less common, but more profitable for scammers. These scams lure people into fake investment opportunities.
- Cryptocurrency scams – this is a huge issue right now. Not just the stealing of cryptocurrency but using it to launder and quickly move stolen funds offshore.
- Card not present fraud is particularly common in retail markets and peaks after mass data breaches release card details onto the black market (like we saw last year with Medibank and Optus).
- Remote access scams – scammers impersonate insurance or bank employees to gain remote access to personal devices and accounts.
One silver lining that exists is that while scam volumes are up, values have gone down. Major organisations (like banks) and governments are focusing attention on preventing or intercepting large volume frauds, to reduce the financial impact on targets.
How are scams impacting corporate business environments?
Scams and fraud are becoming increasingly common in Australian businesses. Unfortunately, these can often be high-value frauds that result in high financial losses.
James gave an example of one of the simpler but more common and effective scams for businesses, where your suppliers are the ones who are compromised, but your business pays the price. Fraudulent emails are sent updating account and/or payment details, which your Accounts teams then update.
Because most businesses have 30-day payment terms, scammers have plenty of time to move the money before anyone realises invoices were paid into the wrong account.
This is just one example.
Frauds and scams like this one hit a lot of small and medium businesses that cannot sustain that type of financial impact. Even for larger businesses, replacing lost net profit means selling a disproportionate amount of product.
Not to be forgotten, there is also the emotional and mental damage caused to the person or people in the business who feel responsible for the mistake.
Data breaches continue to be the key concern
Polling the webinar attendees, it was overwhelmingly clear that data breaches are still front of mind for many business and finance leaders. And there’s a good reason for it.
Data breaches happen constantly, but we hear about only the highly publicised ones. Retail and e-commerce platforms are some of the most highly targeted businesses, but it can happen to any business in any industry.
Even with the best cyber security controls in place, the fact is, our data is out there – both in government and private sector databases. The best thing to do is to have your base model be Zero Trust and assume that, at some point, your data will be compromised.
Taking a horizontal approach to scam and fraud protection
The promising news is that the Australian government is leaning in more to try and regulate and protect businesses and individuals from scams and fraud. The intervention of governments is a positive move, as it will lift protections country-wide and not rely on individual industries to implement equal protections.
As James puts it, we need the entire team to be uplifted. If you rely solely on the goalkeeper, a ball will eventually get through – no matter how good they are.
From his work with the National Anti-Scam Centre, James has seen success in bringing together industries that historically have not worked well together to collectively fight the impact of scams, giving some hope for the future.
From what he’s seen through his work at the Commonwealth Bank, James says there’s probably only been a 20% growth in scams this year, and it’s the first year we’ve seen some reversal. He predicts that by the end of the financial year, customer losses will be half of what they were last year. There’s hope, but a lot of caution is still needed.
Three immediate ways businesses can mitigate risks
While it brings some comfort to know that governments and major organisations like banks are working hard to implement better protections and regulations, James shared three ways businesses can mitigate their risks internally:
- Implement monitoring controls: You want to ensure that any changes to payments, account details, suppliers, etc. are always double-checked to ensure they’re legitimate. Monitoring software (like Satori’s adoption of CBA’s NameCheck technology) can continuously monitor and flag any potential discrepancies.
- Implement multifactor authentication (MFA): You never know where scammers are coming from. It could be through business accounts, employee accounts or even customer accounts. MFA provides an extra layer of protection.
- Focus on employee awareness: Ensuring your employees are aware of risks and are behaving in ways that support your cyber security controls is essential. Employee training is one of the simplest yet most effective ways to protect your data.
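As an added illustration of the first control (this is not code from Satori, CBA or the webinar), the example below checks a payment run against the vendor master and its change log, and holds any payment whose bank details do not match the record on file or were changed without a call-back to the supplier. The data, field names and the two rules are constructed assumptions.

```python
import re

def normalise(account):
    """Keep digits only so '064-222 7777' and '0642227777' compare equal."""
    return re.sub(r"\D", "", account)

# Constructed sample data; all field names are hypothetical.
MASTER = {"V001": "733-100 99998888", "V002": "063-111 55556666",
          "V003": "064-222 77770000"}
CHANGES = [  # bank-detail change requests applied to the vendor master
    {"vendor": "V001", "new": "733-100 99998888", "source": "email",
     "callback_verified": False},
    {"vendor": "V002", "new": "063-111 55556666", "source": "supplier portal",
     "callback_verified": True},
]
PAYMENTS = [
    {"id": "P1", "vendor": "V001", "account": "733-100 99998888"},
    {"id": "P2", "vendor": "V002", "account": "063-111 55556666"},
    {"id": "P3", "vendor": "V003", "account": "012-345 00001111"},
    {"id": "P4", "vendor": "V003", "account": "064222 77770000"},
]

def review_payment_run(payments, master, changes):
    """Return {payment id: [reasons]} for payments to hold for manual review."""
    unverified = {(c["vendor"], normalise(c["new"])): c["source"]
                  for c in changes if not c["callback_verified"]}
    held = {}
    for p in payments:
        account = normalise(p["account"])
        reasons = []
        # Rule 1: the invoice's payee account is not the one on file.
        if normalise(master.get(p["vendor"], "")) != account:
            reasons.append("payee account differs from vendor master")
        # Rule 2: the account on file came from an unverified change request.
        source = unverified.get((p["vendor"], account))
        if source is not None:
            reasons.append(f"details changed via {source} without call-back")
        if reasons:
            held[p["id"]] = reasons
    return held

if __name__ == "__main__":
    for pid, reasons in review_payment_run(PAYMENTS, MASTER, CHANGES).items():
        print(pid, "HOLD:", "; ".join(reasons))
```

P1 is held even though it matches the vendor master, because the master record itself was updated from an email that nobody verified, which is the supplier-compromise case described earlier.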
Do we need to be worried about AI?
We can’t talk about scams without talking about AI. And just like in every other application, there is good and bad.
Deep fake impersonation scams are starting to pop up. These scams involve manipulating video and audio of a real person and using their image and/or voice to scam an individual or a business.
They are not overly popular at the moment – the quality of the ‘deep fakes’ being created by AI is still lacking. And there are currently much easier and quicker ways to create scams. But as technology and AI continue to improve and other scams start becoming less successful, we could see more AI-based scams like deep fakes popping up. One specific example highlighted by James resulted in a £20m loss to a business in Hong Kong.
On the other hand, AI is also being used to help prevent scams.
CBA has invested in a soft learning machine learning company that is deploying collections of machine learning models on top of the existing fraud system to sharpen decision-making.
The CBA fraud system detects an event every 30 to 70 milliseconds – an almost impossible amount of data to process. The goal is to improve the real-time performance of these machine-learning models to unlock the next generation of fraud prevention.
Right now, it’s a race between scammers and scam prevention teams to unlock AI’s benefits first.
What we’ve learnt (and what to do with it)
The discussion with James was insightful, cautionary, and hopeful. We learned that scams and fraud are a constant threat and that we are right to be concerned about them and their impact on our businesses.
We learnt that the work of governments, banks and other major organisations is moving in the right direction, and we are potentially seeing a downturn in scams and their financial impacts.
Finally, we learnt the importance of internal controls and being aware that there will always be gaps and you might just be the next data breach victim. But knowing this can help you better protect your business.
If you’re looking to implement better risk controls, gain better visibility over gaps and risks, and achieve early identification of potential frauds, we invite you to explore the Satori bank account verification capability or get in touch to chat to us about your specific needs.