Scammers’ Australian windfall bodes poorly for cybersecurity’s human defences

Surging losses to online scammers are posing new dangers for Australian CISOs working to build effective security cultures, with scammers taking $851 million from Australians in 2020 and with several successful scams posing particular risks to corporate security.

The cybercrime that is so effective in people’s personal lives are also effective in breaching corporate security. The human factor and the company culture around it is perhaps the weakest defence at most organisations.

The costs of scams only keep increasing

Scammers extracted $7.2 million in computer takeover scams during the first half of 2021 alone, the Australian Competition and Consumer Commission (ACCC) ScamWatch service warned as it reported half-year figures showing Australians were continuing to be fleeced by a range of campaigns.

For example, the ACCC received almost 6,500 reports from Australians who had been called by scammers trying to convince them to download remote-access software—usually under the guise of fixing purported problems with the internet, NBN broadband, or banking services.

Scammers trick victims into installing remote-access software like AnyDesk or TeamViewer—giving them direct access to the victim’s system and letting them watch as the hapless victims are directed to log into online banking or other sensitive services.

“Remote access scams are one of the largest growing scam types in Australia,” ACCC deputy chair Delia Rickard said in announcing the new half-year figures, which represented a 184% increase over the same period last year. “Scammers take advantage of the digital world and the fear of fraud and cybercrime to access people’s devices and steal their money.”

Similar exploitation was reported from people who identify as culturally and linguistically diverse (CALD)—a broad category including non-English speakers, who accounted for one in every eight dollars lost to scammers—as well as Indigenous Australians and those with disabilities.

Those groups collectively lost $34 million to scammers during 2020, the ACCC noted, with Rickard warning that members of CALD and other minority groups “by virtue of their background, disadvantage, language skills, or disability may experience vulnerability and be more likely to fall for their tricks.”

Strengthening the human firewall

Scams may have caused $851 million in losses to Australian scam victims last year, but the implications of the losses are far more than financial.

Most of the scammed Australians are employees of some company, after all—and if they can be convinced to give complete strangers access to their systems, they represent a clear and present danger to those companies’ data, systems, and business continuity.

With the latest Notifiable Data Breach (NDB) statistics suggesting that 38% of security breaches reported by Australian companies during the second half of 2020 were due to human error—up 18% on the previous half-year—persistent exposure from human factors remains a significant risk vector that, unlike technical fixes such as the Essential Eight, does not always have a clear-cut solution.

With scammers continuing to use well-known brands for fraudulent activity—new Check Point Software Technologies figures suggest Microsoft-related fraud comprises 45% of all branded phishing attempts, with e-commerce-focused DHL (26%) and Amazon (11%) rounding out the top three—many people are still struggling to tell real prompts from malicious manipulation.

“We’re not talking about an insider threat, but a well-intentioned human factor who just didn’t do the right thing,” said Parkour Consulting managing director Emily Carr at the AISA Cyber Conference earlier this year. “The predominance of the human factor shows the importance of training, and making sure that our people are trained,” she said—adding that ”research shows that within 24 hours of competing a training course, people only remember 50% of what they learned—and by the end of the first month, only 10%.”

On average, that means attendees at a half-day cybersecurity training course might only remember 24 minutes of content a month later. “These courses take a lot of time to design and develop, and it takes a lot of time for people to complete them,” Carr said. “So you’re getting the most out of your investment when they’re only remembering 10% of it.”

Companies wanting to improve the security element of their organisational culture need to sit down and ask hard questions such as: Which parts of their culture are working to reinforce messages about security? Which aren’t? What could benefit from being changed? How might that change actually happen? How would an outsider perceive the company culture?

Given that ‘outsiders’ includes cybercriminals trying to compromise a company’s systems or processes, outside perceptions of company culture can be more important than many realise—since those perceptions will shape the way an outsider tries to penetrate security defences.

A company in which employees are well aware of scams and shut down fraudulent callers within seconds, for example, may soon be put in fraudsters’ ‘too hard’ basket—leading the cybercriminals to move on to easier pickings.

But if employees are seen to have little or no grasp of cybersecurity risks or privacy controls, they will be quickly flagged by fraudsters, who will—unless they are caught by Telstra antiscam defences that are blocking more than 13 million scam callers per month—keep calling, again and again.

A stressful company culture can predispose even careful employees to a breach, Carr said. “It’s important to think about what happens under stress. When we are in a crisis, when we are under pressure, we go back to our comfort zone. So while I might know the right thing to do, and I’ve taken the training and gone to the seminars and know the right behaviours—when I’ve had a really long day, under stress and under pressure, sometimes I go back to what’s easy and comfortable. And I don’t always show the right behaviours.”

To counter these human elements, she said, CISOs must take the time to evaluate their current culture and build “an actual, holistic picture” of the current and desired states. Decide what behaviours you want to celebrate, which to avoid, and what the consequences will be for breaches. “You want to make sure everyone knows what good looks like,” she said, “and sounds like and feels like. Make sure you’re systematically embedding it into the rewards process you have within your organisation—and considering how you deal with people who resist change. Decide if you’re serious enough about this to say that if someone is a top performer—but not living the right culture around risk and cybersecurity—would we hold them back from a promotion? Are we willing to be that tough on this?” The scammers hope you won’t.