How to protect your small business from scammers

Australian businesses reported cyber-crime losses of more than $33 billion last financial year. That's one cyber attack every eight minutes, according to the Australian Cyber Security Centre (ACSC). Yet most small businesses are grossly ill-prepared to defend themselves against cyber crooks.

Business Australia confirms a high level of awareness of cyber risks but low readiness to do much about it.

"Research shows that business owners are aware of cyber crime, but they are just not prepared - 90% of attacks are still successful due to human error," says Phil Parisis, general manager, products at the ACSC.

"We often hear from businesses that 'I'm just a small law firm, a building company, why would anybody target me?'

"The reality is the cyber criminals don't necessarily target you. Mostly you become an accidental victim of a large, broad-scale phishing attack. Then all it takes is one employee to make a mistake and it triggers an interest in your business."

As a SME owner myself, I know small businesses have many competing priorities such as providing quality customer service, speedier and more agile processes, cashflow management, recruitment  and staff retention - all of which often need to be managed with limited resources.

Murray Goldschmidt, executive director of cyber capability, education, and training at CyberCX, agrees that small businesses typically face competing priorities. Nonetheless, he cautions that "by the time a cyber event has occurred and alarm bells start ringing, considerable damage may already have been done to the business".

Exploitation during COVID

According to the ACSC, scammers were quick to exploit the pandemic, during which many small businesses launched or expanded their online activities.

"Spear-phishing emails" were regularly associated with COVID-related topics, encouraging recipients to enter personal credentials to access information or services. A variety of scams continue to target the small business community.

Spear-phishing (also called whaling) scams are often sophisticated, using company-specific details the criminals have accessed elsewhere.

They typically involve sending a personalised email to a group of employees or a business owner. The subject is usually a fake "critical" business matter, perhaps a legal subpoena or a customer complaint. The common thread is that it creates a sense of urgency.

The email may seem to be from a trustworthy source, such as the employer or other employees within the organisation. But on closer inspection (such as hovering a mouse over the email address), it becomes clear that the source is far from authentic.

Attacks are increasing

Malware is pitched at getting business owners to install software that allows scammers to access files and track activity. The ACSC reports that ransomware, a form of malware that blocks access to your computer or files, now poses one of the greatest threats to Australian organisations.

Ransom demands can range from thousands to millions of dollars. The catch, according to the Australian Competition and Consumer Commission's Scamwatch website, is that paying up won't guarantee your computer is unlocked.

The Cyber Security Centre recorded a 15% increase in reported ransomware cyber crime in 2020-21. It's an uptick that reflects increased appetite among criminals to extort money from particularly vulnerable and critical elements of society.

It also highlights their growing ability to access "dark web" tools and services that improve their capabilities.

Ransomware has disrupted a variety of sectors, including professional, scientific and technical organisations and those in healthcare and social assistance.

If you think you have provided account details or other confidential business information to a scammer, contact your bank or financial institution immediately.

Extra funds for SMEs

The latest federal budget has acknowledged the threat of cyber crime through the introduction of the Technology Investment Boost.

It allows more than 3.6 million small businesses with annual turnover below $50 million to claim a bonus 20% tax deduction for spending on IT, including installing cybersecurity systems, up to $100,000 annually.

CyberCX has developed the "Cyber123 for SMEs" program, backed by federal government funding, to assist small- and medium-sized businesses to improve their cyber resilience.

The program includes on-demand online training, DIY guides and templates, and expert-led workshops. Cyber123 is free to a limited number of small businesses that sign up for the pilot program.

Get stories like this in our newsletters.