Scammers chasing lucrative corporate accounts

Scammers are increasingly looking beyond the savings accounts of individual victims and instead targeting their employers, investing months at a time to develop elaborate scams costing businesses as much as $US2.9bn ($4.65bn) per year.

Scammers are spending months on elaborate corporate scams as they seek to access corporate accounts. Picture: iStock

Cyber criminals have found that the results were often worth the extra time spent crafting these scams and have begun to use AI to imitate emails from corporate partners, vendors and sometimes even managers within a company.

In 2023, $US2.9bn was fleeced from corporations in elaborate scams that cost the average business victim $US137,000, according to new data from Abnormal Security.

Business email compromises (BEC) have grown 7 per cent year-on-year in Australia, slightly more than the global average. They are part of a growing trend of “advanced” email threat tactics, which are up 22 per cent, according to Abnormal Security.

The cyber security vendor, which works with Microsoft 365 and Google Workspace as well as popular services including Workday, ServiceNow, Zoom and Slack, has described Australia as a “hotbed” for attacks, largely due to its use of English, the strength of the dollar and the “easygoing” nature of Australian workers.

Tim Bentley, the company’s Asia-Pacific and Japan vice-president, said in some instances, workers had been in conversation with scammers for months before the attack took place.

In one case, a Queensland law firm was targeted.

“(A property developer who had gone into liquidation) had been compromised, which gave the actor information around who their bank was, who their accounting firm was, who their legal firm was,” he said.

The scammer then created websites to mimic the bank and the accounting firm and created a thread of emails between the three, eventually looping the law firm into the email chain. “These sorts of things are so well thought out and convincing, and audacious at the same time, that they can’t be left up to the human recipient to decide on whether to take action or not,” Mr Bentley said. “If you do that, there’s a very high chance of making a simple error that costs a huge amount of money.”

Artificially created threads that looked real were now a common tactic for scammers and often involved a “principles of authority” approach, a method where scammers make email chains appear as if someone with more authority than the victim had already questioned the action and approved it, Mr Bentley said.

Phishing attacks have increased over the past 12 months, spiking 37 per cent in Japan and Singapore and 30 per cent in Australia and New Zealand. Globally, there are now around 600 phishing attempts for every 1000 email addresses.

Daniel Greengarten, chief executive of cyber security outlet Orro, said BEC-style scammers often targeted smaller businesses that might not have the resources or time to train staff with cybersecurity skills.

“It ultimately exposes a key weakness in defences – the employees themselves. These types of cyber attacks target business processes rather than email systems and rely on human error and our natural sense to help to succeed,” he said.

“What this means for many small businesses is an inefficient use of resources to address these breaches and highlights why training and awareness is critical.”

BlackBerry secure communications vice-president David Wiseman said espionage and AI-powered misinformation campaigns were “significant causes for concern” in 2025.

“Recent reports of Chinese espionage groups allegedly targeting the cellphones of President Donald Trump, Senator JD Vance and Democrat staffers is one of many such examples this year of adversarial activity targeting the fabric of democracy globally,” he said.

BlackBerry had also noticed that telecommunications networks were increasingly being targeted by cyber criminals who were looking to disrupt supply chains, he said. Messaging apps were also under threat.

Identity spoofing is also on the rise, in part thanks to generative AI, including deepfakes, which allowed criminals to create realistic content, impersonating victims.

“Real-time information, metadata and access to sovereign networks could enable miscreants to tailor their attacks based on the call you just made, making their impersonations harder to detect,” Mr Wiseman said.

Joseph Lam, Reporter

Joseph Lam is a technology and property reporter at The Australian. He joined the national daily in 2019 after he cut his teeth as a freelancer across publications in Australia, Hong Kong and Thailand.

Original URL: https://www.theaustralian.com.au/business/technology/scammers-chasing-lucrative-corporate-accounts/news-story/4c4e5f6cf4398ce7fd9507b036a251ab