“We have no future because our present is too volatile. We have only risk management. The spinning of the given moment’s scenarios. Pattern recognition.”
— William Gibson, “Pattern Recognition”
Remember, you’re the target
Some timely reminders
If you’re an AFS Licensee, you’ll no doubt already appreciate that s912A(1)(a) of the Corporations Act requires you to ensure that the financial services covered by your licence are provided efficiently, honestly, and fairly.
In addition, ASIC requires Licensees to ensure that records are kept for 7 years after the day the personal advice was provided to the client. These records must be accessible to, and able to be produced by, the Licensee throughout that period.
In these challenging times, your licence is under attack from two non-regulatory threats: fraud and data theft.
Managing fraud and securing your valuable client data goes to the heart of your licensee obligations. History shows that with every crisis, we see a spike in fraud and cybercrime.
Not a day goes by without an authentic-looking email arriving that is really masking malware, phishing for information or harvesting our credentials.
The headlines are prolific in reporting these types of crimes.
It’s an appropriate time to discuss these issues, share insights and help you manage these existential threats.
When a crisis occurs, fraud follows.
In a recent article, the Global Banking and Finance Review highlighted that fraud in times of crisis is usually driven by need rather than greed.
It’s a conclusion well supported by data.
After the last financial crisis in 2008, the UK’s Office for National Statistics (ONS) found that fraud offences increased by 21% in the two years after the GFC.
As anyone who has tried internet dating knows, fraud is perhaps more common than you might imagine.
In fact, the Australian Institute of Criminology estimates that 1 in 4 Australians have been a victim of identity fraud at some point in their lives.
According to the ACIC, the main categories of fraud in Australia include:
- superannuation fraud,
- serious and organised investment fraud,
- mass-marketed fraud,
- revenue and taxation fraud,
- financial market fraud,
- card fraud, and
- identity fraud.
The more sophisticated licensees typically have anti-fraud and corruption procedures in place, including documented fraud procedures, codes of conduct, employee training and a whistle-blower hotline.
But, regardless of the nature, scale and complexity of your business, you need to be alert to these risks.
So, what are some of the red flags?
- employees who work unusually long hours;
- employees who are unusually inquisitive about the company’s payment system;
- staff who avoid having others assist or relieve them, or who resign or leave suddenly;
- employees who process an unusually large number of transactions;
- lifestyle changes;
- a history of debts;
- recreational or frequent gambling;
- a spike in complaints;
- increased invoice volume or multiple payments.
Effective fraud and corruption management (like any effective review methodology) needs to be risk-based.
As a Licensee you need to understand what your risks are and where those risks lie and deploy your limited resources to those higher risk areas.
A typical high-risk area is third-party partners and individuals who may be committing fraud against your clients.
Some useful tips discussed in the Global Banking and Finance Review article include:
- Prepare for the worst: update, communicate and test your fraud response plan
- Make your employees aware of the increased threat (including cyber)
- Encourage whistle-blowers to step forward
- Do not ignore your sixth sense
- Do not make emotional or hasty decisions
- Keep an open mind
- Discuss the issue with as few people as possible
- Plan a course of action
The Australian Federal Police provide some practical guidance and recommend:
- Develop clear policies
- Provide strong consistent supervision of employees
- Regularly review and monitor transactions
- Establish strong audit procedures
- Maintain security of information
- Establish strong human resource management procedures
In addition, the Attorney General’s Office also provides some guidelines that you may find useful.
Privacy and Data Security
“I’m out of ideas on what to do
If it can happen to me, it can happen to you”
— The Chats, “Identity Theft”
Just like fraud risk, privacy and data security requires more attention in challenging environments.
The Australian Cyber Security Centre (ACSC) has seen a significant increase over the past few months in reports of COVID-19-themed phishing scams, using all sorts of lures to trick people into handing over personal details.
Since the pandemic’s outbreak, the Government’s Scamwatch has received over 3,060 coronavirus-themed scam reports with over $1,371,000 in reported losses.
The Australian Criminal Intelligence Commission (ACIC) suggests Australia is an attractive target for serious and organised crime syndicates because of the nation’s relative wealth and its high use of technology, social media, online banking and government services.
While regulators and legislators have leapt into action to ease the compliance burden, we haven’t seen any similar concessions made in relation to data and data security. However, we have seen a staggering increase in cyber-attacks.
Whatever the size of your business, the law requires you to implement appropriate technical and organisational measures to protect and secure data.
The ACSC conducted a survey of small to medium businesses (SMBs) in Australia and found that:
- Only 3% of sole traders outsource their cyber security, compared to 35% of businesses with 5-19 employees
- One in five small businesses that use Windows have an operating system that stopped receiving security updates in January 2020
- Nearly half of SMBs spend less than $500 annually on cyber security, which suggests that many SMBs take a DIY approach
- 62% had experienced a cyber incident
- Incidents are more common among businesses with five or more employees, affecting around three quarters of small (5-19 employees) and medium (20-199 employees) businesses
- Over half of the sole traders and micro businesses surveyed had experienced a cyber incident
Cybercrime and cyber-threats
There are two forms of cybercrime:
- Crimes where computers or other information and communications technologies are an integral part of the offence (e.g. online fraud)
- Crimes directed at computers or other technologies (e.g. hacking)
According to the ACSC the most common cyber threats to small to medium businesses include:
Malware – malicious software, including viruses, spyware, trojans and worms. Its purpose is to disrupt, damage or deceive, and to facilitate theft, pranks, espionage and other serious crimes. Credential-harvesting malware captures a user’s credentials as they log on to a website, and does so covertly, so the user is unaware their credentials are being stolen. This type of malware is usually delivered by email with a malicious attachment.
Phishing – scam messages designed to trick recipients out of money and data. They arrive by email, SMS, instant messaging and social media.
Ransomware – malware that encrypts or locks your computer and files and demands a ransom to restore them. Paying does not guarantee recovery, which is why the offline backup described under What to do matters.
What to do
- Your operating system is the most important piece of software on your computer, so make sure you regularly update, back up and maintain it.
- Stay up to date with software updates: they improve online security and protection and add features and efficiencies. Turn on auto-updates, especially for operating systems, install updates as soon as possible, and use anti-virus software that updates itself automatically.
- A backup is a digital copy of your business’ most important information. Disconnect and remove your backup storage device after each backup so that it is not affected during a cyber incident, and periodically test that you can actually restore from it.
Multi-Factor Authentication (MFA)
- Multi-factor authentication only grants access if the user successfully presents two or more pieces of evidence (factors) to the authentication mechanism. It typically requires a combination of something the user knows (a PIN, password or secret question), something the user physically possesses (e.g. a card or token) and something the user inherently is (e.g. a fingerprint or retina). Two factors of the same kind, such as a password plus a secret question, do not count as multi-factor.
People and Procedures
- Access control: consider a process to regulate who can access what within your business’ computing environment.
- Passphrases: use a phrase or sentence, not a single word, as your password. Did you know that “password123” is one of the most commonly used passwords on the planet?
- Employee training: teach your staff how to recognise, avoid, report, remove and recover from cyber-attacks.
Think before you click
- Be cautious of requests for money, especially urgent and overdue messages
- Be wary about bank account changes
- Do not open attachments unless you can verify they come from a reliable source
- Be cautious about requests to check or confirm login details
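The four cues in the list above can be turned into a first-pass triage that runs over inbound mail before a person ever sees it. What follows is an added example, not code from the original page: it parses a raw message with Python’s standard `email` library, flags a Reply-To that points at a different domain from the sender, a display name that impersonates another domain, the wording patterns the list warns about (urgent or overdue payment, changed bank details, requests to confirm logins) and attachment types that commonly carry macros or executables. The two sample messages, their addresses and domains are constructed for this example, and the regexes are illustrative rather than a vendor rule set.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Wording cues drawn from the "Think before you click" list; constructed patterns.
CUES = {
    "urgent or overdue payment request": re.compile(
        r"\b(urgent|overdue|immediately|final notice)\b.*\b(pay|payment|invoice|transfer)\b", re.I | re.S),
    "bank account change": re.compile(
        r"\b(new|updated|changed)\b.{0,40}\b(bank|account|bsb)\b", re.I | re.S),
    "request to confirm login details": re.compile(
        r"\b(confirm|verify|validate)\b.{0,40}\b(login|password|credentials|account details)\b", re.I | re.S),
}
# Attachment types that commonly carry executables or macros.
RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".bat", ".lnk", ".iso", ".docm", ".xlsm", ".html", ".zip")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message: str) -> List[str]:
    """Return human-readable red flags found in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    flags: List[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        flags.append(f"Reply-To domain {_domain(reply_addr)!r} differs from From domain {_domain(from_addr)!r}")
    # Display name that itself looks like an address at another domain (classic spoof).
    if "@" in from_name and _domain(from_name) != _domain(from_addr):
        flags.append(f"display name {from_name!r} impersonates another domain")

    text_parts = [msg.get("Subject", "")]
    attachments = []
    for part in msg.walk():  # yields the message itself for single-part mail
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text_parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    text = "\n".join(text_parts)

    for label, pattern in CUES.items():
        if pattern.search(text):
            flags.append(label)
    for filename in attachments:
        if filename.lower().endswith(RISKY_EXT):
            flags.append(f"risky attachment: {filename}")
    return flags


# Constructed sample: a typical invoice-fraud lure (hypothetical domains).
PHISH_EMAIL = """\
From: "Accounts - Acme Bank" <accounts@acme-bank-secure.example>
Reply-To: billing@mail-relay.example
To: adviser@licensee.example
Subject: URGENT: overdue invoice - updated bank details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi, this invoice is overdue. Please make payment immediately to our new bank account (BSB 000-000).
Also confirm your login details at the link below to avoid suspension.

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.docm"

AAAA
--b1--
"""

# Constructed sample: an ordinary client message that should raise nothing.
BENIGN_EMAIL = """\
From: "Jane Smith" <jane@client.example>
To: adviser@licensee.example
Subject: Meeting next week
Content-Type: text/plain; charset="utf-8"

Hi, can we move our review meeting to Thursday at 10am? Thanks, Jane
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, triage(raw))
```

Treat the output as a prompt for a human check, not a verdict: a genuine supplier can legitimately change bank details, so the right response to a “bank account change” flag is to phone the supplier on a number you already hold, not to block or trust the email on its own.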
If you are under attack
Report all cybercrime activity to the Australian Criminal Intelligence Commission (ACIC) and through the ReportCyber website. The website also provides advice on how to protect yourself online and frequently asked questions covering cybercrime trends.