Social engineering and email compromise are on the rise

As businesses adopt increasingly advanced digital technology, the risks of doing business evolve. And while larger organisations have strengthened their cybersecurity systems and protocols, smaller firms become more vulnerable – cyber-criminals know their weak spots make them easier targets.

There are two types of businesses: those who have been hacked, and those that will be. The data paints a worrying picture. According to Scott Curley, Director - Professional Risks and Trade Credit, GSA Insurance Brokers, every 39 seconds, a hack occurs – with 43% of cyber-attacks targeting small and mid-sized businesses.

Many Australian small businesses don’t have cyber protection – or assume it’s already covered through their business insurance.

Curley said that’s a common myth. Professional indemnity, business and public liability insurance won’t cover things like cyber extortion, data loss through a hack, or third-party costs.

“We insure our office buildings, even though they have sprinklers and a back to base fire alarm. But 99% of your revenue might be generated online, and you don’t think to protect that aspect of your business,” he said.

The changing face of fraud

There are many different ways criminals are extracting money from businesses, from ATO (Australian Taxation Office) scams to fake documents and malware.

There has been a rise in fraudulent payment modification, and daily reports of email compromise. It’s important to verify any new payment instructions – if in doubt, call the sender on a number you already hold (not one supplied in the email) to verbally confirm the changes have come from them.

There are now over 200 million forms of malware and they could be entering your business inboxes daily.

Phishing is where you receive an email that appears to be from a trusted source, asking you to do something such as ‘click to verify your details’ or ‘download an attachment’. That attachment could contain malicious code which injects a new web page into your browser, and it might look like your bank’s online banking portal.

We are also seeing an increase in ransomware demands, especially in small and mid-sized businesses. You click on a link or attachment from a ‘trusted’ sender, and it launches code that encrypts your files or locks down your screens and servers so you simply can’t operate. Under pressure to keep the business running, many business owners pay the ransom, often requested in bitcoin.

Not all scams come through email. Social engineering, where hackers manipulate people for confidential information, can happen over the phone.

Don’t make a payment on impulse. Take a step back if someone phones making urgent demands.

An exponential effect on business bottom line

Fraud can cause significant damage. You could lose a month’s turnover, but there are also long-lasting damaging effects to reputation and staff morale.

With Australia’s new data breach laws now in place, any organisation with revenue exceeding $3 million must comply by ‘promptly notifying individuals at likely risk of serious harm’ of any breach in their personal data.

Otherwise, you could face fines of up to $2.1 million. And even when you do comply, there is the cost of notifying thousands of clients and containing any reputational damage.

Check your internal controls

Many businesses believe their third-party providers, such as cloud providers or web hosting platforms, are taking care of this issue. But the cloud is just as vulnerable as a data centre. Ensure you do some due diligence to make sure your provider is covered.

How do you protect yourself from the risk of cyber fraud?

First, it’s important to get your business systems and protocols in place. Get your systems checked by a reputable IT company to make sure there are no trojans, malware or viruses. Educate your team on what a phishing email looks like, any red flags to watch out for, and how to report an issue if they spot something.

All of this can also happen at home if staff work remotely, so make sure their home wi-fi is secure.

Outsource your cyber response

Most smaller businesses don’t have the skills to negotiate with hackers or set up a data breach response team. But if you have cyber insurance, your insurer will set up a panel of experts to mitigate the loss and take immediate action.

“The first six to 12 hours of response are critical,” said Curley. “If it’s a denial of service attack or ransomware, they’ll check how real the threat is and if necessary, pay the ransom.”

You can expect your cyber policy to also take care of the costs of credit card monitoring (if that data is lost) and crisis management, as well as potential third-party costs such as litigation, penalties, and notification costs.

It seems that cyber insurance is the one risk tool your business can’t afford to operate without. But given it’s a relatively new product in Australia, it’s worth getting a broker’s advice first.

Additional information

Unless stated otherwise, this information has been prepared by Macquarie Bank Limited ABN 46 008 583 542 AFSL and Australian Credit Licence 237502.

This information is provided for the use of licensed and accredited brokers and financial advisers only. In no circumstances is it to be used by a potential client for the purposes of making a decision about a financial product or class of products.