“Dear Esteemed One, I am Prince Ahmed Zumar from the royal family of Nigeria. I have a proposition that may be of interest to you, greatly. My late father the King left behind a fortune…”
Ah, fond memories of the “Nigerian Prince” who generously promised unimaginable riches in exchange for just a small transaction fee. If only today’s hacker attempts were so wonderfully transparent. But armed with a little help from generative AI, today’s Nigerian Prince now speaks perfect English (and French… and Italian) and can craft highly targeted messages ingeniously tailored to specific profiles – with not a wayward apostrophe in sight.
Unfortunately, our Prince also now comes cleverly disguised as a CEO, supplier or fellow employee, and is devastatingly effective at running scams that cost Australian businesses millions of dollars every year. And it’s no longer a straightforward plea for money either. Thanks to AI, we now have an abundance of deceptively authentic-looking content being used to ‘legitimise’ requests, like corporate websites, landing pages, social media accounts and LinkedIn profiles, complete with AI-generated profile photos.
But technology alone isn’t to blame. In fact, according to Brian Hay, renowned Cyber Security expert and winner of McAfee’s international award for Cybercrime Fighter of the Year, up to 95% of all breaches are caused by people. He says that “96% – 99% of cyberattacks are directed at the person – not the network – why? Because we are the soft target – the vulnerability!”
Scams essentially succeed when someone, somewhere, feels compelled to click a link or open an attachment, handing over credentials or running a payload that gives attackers their first foothold and sets the rest of the attack in motion.
How big is the problem really?
Optus, Medibank Private, Latitude Financial, Woolworths, Pizza Hut and Dymocks are just some of the big businesses that reported significant cyber incidents between July 2022 and June 2023. In the first half of 2023 alone there were 23 data breaches, affecting more than 11 million Australians.
But despite the media storm, it was small businesses (0-19 employees) – which account for 97.3% of all Australian businesses – that bore the brunt of 92.6% of business cyberattacks.
The Australian government’s 2023 Cybercrime report found that 22% of small businesses were impacted by cybercrime in 2022 – which, according to the latest Targeting Scams report, equated to $13.7 million in losses – a 95% increase on the previous year. Across the total Australian business community, there was a 73% increase in losses, totalling $23.2 million.
And with 47% of Australians saying they would close their account or stop using a product or service provided by an organisation that experienced a breach, the impact could be catastrophic for the businesses involved.
Worryingly, the 2023 Cybercrime report also stated that most cybercrime went unreported, meaning official statistics significantly underestimate the size of the issue.
So how big is the problem? It’s big… and it’s getting bigger.
What does business cybercrime look like?
The 2023 Cybercrime report identified the biggest contributor as the payment redirection scam, also known as business email compromise (BEC). In a BEC attack the criminal impersonates or takes over a trusted email account (a supplier, a colleague, the CEO) and uses it to redirect a payment or extract information, typically with phishing messages that look like legitimate communications and compel their target to download a file, provide information, click a link or update the bank details on an invoice. The single most effective control is low-tech: verify any change of bank details by calling the supplier on a number you already hold, never one taken from the email.
It’s no coincidence that a 1,265% increase in phishing emails has been reported since the launch of ChatGPT. Criminal-marketed AI tools like WormGPT and FraudGPT, which can write believable phishing lures and generate fake websites to support those campaigns, are also frighteningly adept at supporting criminal cyber activity.
Just think… if you received an email from a colleague or associate – correct sender address, correct email signature, company links in place and usual tone of voice – instructing you to review a relevant document… would you think twice about clicking on it?
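The red flags an accounts-payable mailbox can check for mechanically are few but effective: a Reply-To that drags the conversation to a different domain, a sender domain one keystroke away from a real supplier, a failed DMARC verdict from your own mail gateway, and wording that asks for payment to new bank details. The following script is an added example (it is not from the article or any of the experts quoted); the supplier domain in TRUSTED_DOMAINS, the addresses and both sample messages are constructed for illustration.

```python
"""Screen inbound mail for payment-redirection (BEC) red flags.

Added example, not from the original article. The trusted domain, the
addresses and the two sample messages below are constructed for illustration.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical supplier list; a real deployment would load this from the
# accounts-payable vendor master.
TRUSTED_DOMAINS = {"acme-supplies.example"}

# Wording that typically accompanies a fraudulent change of bank details.
BANK_CHANGE_RE = re.compile(
    r"\b(new|updated|changed|change of)\b.{0,60}\b(bank|account|bsb|banking)\b",
    re.IGNORECASE | re.DOTALL,
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot look-alike domains such as acme-suppl1es."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_findings(raw_message: str) -> list[str]:
    """Return a sorted list of red-flag codes for one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = set()

    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = domain_of(from_addr)

    # 1. A Reply-To on another domain pulls the thread into a mailbox the
    #    attacker controls while the visible sender still looks right.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.add("REPLY_TO_MISMATCH")

    # 2. Look-alike domain: within two edits of a real supplier, but not it.
    for trusted in TRUSTED_DOMAINS:
        if from_domain != trusted and levenshtein(from_domain, trusted) <= 2:
            findings.add("LOOKALIKE_DOMAIN")

    # 3. The receiving gateway's DMARC verdict, if it recorded one.
    auth = str(msg.get("Authentication-Results", ""))
    if re.search(r"\bdmarc=fail\b", auth, re.IGNORECASE):
        findings.add("DMARC_FAIL")

    # 4. The body asks for payment to go to new bank details.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if BANK_CHANGE_RE.search(body):
        findings.add("BANK_DETAIL_CHANGE")

    return sorted(findings)


# Constructed sample 1: genuine invoice from the real supplier.
LEGIT_MAIL = """\
From: Accounts <ap@acme-supplies.example>
To: payables@smallbiz.example
Subject: Invoice 4471
Authentication-Results: mx.smallbiz.example; dmarc=pass header.from=acme-supplies.example
Content-Type: text/plain; charset="utf-8"

Hi, please find invoice 4471 attached, payable to our usual account. Thanks.
"""

# Constructed sample 2: look-alike domain, Reply-To on a free mailbox,
# DMARC failure and a request to pay into new bank details.
FRAUD_MAIL = """\
From: Accounts <ap@acme-suppl1es.example>
Reply-To: ap.acme.supplies@webmail.example
To: payables@smallbiz.example
Subject: Invoice 4471 - updated banking details
Authentication-Results: mx.smallbiz.example; dmarc=fail header.from=acme-suppl1es.example
Content-Type: text/plain; charset="utf-8"

Hi, we have changed our bank account. Please remit invoice 4471 to BSB 000-000,
account 12345678 and confirm once paid.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT_MAIL), ("fraud", FRAUD_MAIL)):
        print(name, bec_findings(raw) or ["no findings"])
```

Run it and the genuine invoice produces no findings while the fraudulent one trips all four checks. Treat the output as a reason to pick up the phone, not as a verdict: a well-run BEC campaign that has actually taken over the supplier’s mailbox will pass the domain and DMARC checks, which is why out-of-band verification of any bank-detail change remains the control that matters.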
In an even scarier turn of events, ex-hacker turned leading cyber security expert Bastien Treptel revealed in a recent ABC interview that you don’t even need to click on a malicious email or file now. He says, “If you use Outlook as a browser, or even Gmail, it’s got the option to automatically download pictures, if you turn that on, you’re at risk.” Frightening. Automatically fetching remote images confirms to the sender that your address is live and the message was opened, which is valuable reconnaissance for a targeted campaign, and it has your mail client pull content from a server the attacker controls. Both Outlook and Gmail let you turn automatic image loading off, and it is worth doing.
What can you do?
In response to growing concerns around cyber security, the Australian government has just announced an $18 million package as part of its new 2023–2030 Australian Cyber Security Strategy to help small and medium businesses prepare for and respond to cyber-attacks. The first phase of the rollout (between 2023 and 2025) will give businesses access to free cyber security ‘health checks’, supported by tailored guidance on improving their cyber security and dealing with cyber-attacks if they arise.
In the meantime, here are three relatively simple actions you can take to secure your devices and IT infrastructure, and strengthen your ‘human firewall’ against attack.
1. Employee training and culture
Cyber Intelligence Strategic Advisor Katherine Mansted believes that “Training and testing staff to ensure that cyber security remains an organisation-wide priority is critical to ensuring that gaps in your cyber defence are avoided, and to increase the likelihood that attacks are detected and disrupted.”
Conducting regular cyber security training sessions for all employees, and teaching them about the latest threats, phishing tactics and safe practices online, will help them understand their role in avoiding and reporting malicious activity. Try mixing it up with a combination of phishing simulations, online and face-to-face training, and consider bringing in a cyber security speaker – with expert knowledge and experience, they can really help transform behaviours and inspire a more security-conscious culture.
And that security-conscious culture, where everyone feels responsible for safeguarding sensitive data, is critical. As Cybersecurity expert and Shark Tank star Robert Herjavec says, “To establish a secure environment, it is crucial for employees to embrace a cyber security culture and prioritise security on a daily basis. This will help minimise the vulnerability caused by human error, which is often the weakest link in cyber security.”
2. Beef up your security
With remote work now commonplace, it’s more important than ever to add an extra layer of security to make it more difficult for hackers to gain access.
Enforce the use of long, unique passwords and multi-factor authentication (MFA) wherever possible, and prefer app- or hardware-based MFA over SMS codes, which are easier to intercept and to phish. Provide guidelines and tools for securing home networks. Encrypted Wi-Fi networks and Virtual Private Networks (VPNs) should be mandatory for accessing company resources remotely. Also, limit access to sensitive data and systems to only those employees who require them for their roles, and regularly review those user permissions to help prevent unauthorised access.
3. Update and back-up
Cybercriminals often exploit vulnerabilities in outdated software. So when your computer tells you it’s time to shut down so it can install updates, don’t click ‘ignore’! By ensuring all software, including operating systems, applications, firewalls and antivirus programs are regularly updated with the latest security patches, you’ll have the best chance of holding hackers at bay.
But if those hackers do get through? You’ll want to be able to recover your data without significant losses. So make sure you establish regular data backups, keep at least one copy offline or otherwise isolated so that ransomware can’t encrypt it along with everything else, and test that you can actually restore from it. Have a recovery plan in place. You’ll also want an incident response plan, outlining steps to take in the event of a cyber-attack, including who to contact, how to contain the breach and the steps for recovery.
And if your business has been targeted, don’t forget to report it to Scamwatch or the Australian Cyber Security Centre (ACSC). You can also contact the ACSC via email or through its hotline on 1300 CYBER1 (1300 292 371) for advice and assistance.
Former FBI Director Robert Mueller once famously said, “There are only two types of companies: those that have been hacked, and those that will be.” Whether your business is big or small, the evolution of the ‘Nigerian Prince’ has upped the ante when it comes to cybercrime – it’s no longer a question of if, but when. And while securing your IT infrastructure is critical to keeping those cyber crooks out of your systems, it’s even more important to strengthen the weakest link in your security chain – and that’s your staff. If you can train those who connect it to protect it, that Nigerian Prince may just have to find a new kingdom to conquer!
We have the most knowledgeable and captivating cyber security speakers in the business, including Jess Modini, Brian Hay, Robert Herjavec, Katherine Mansted, Matthew Miller, Susan McLean, Robert Potter, Bastien Treptel and David Leaney, ready to share their wisdom with your team and help your business stay cyber secure. If you’d like us to connect you, simply get in touch with us for a chat!