Companies could avoid payment diversion fraud, an increasingly common cyber-attack, using a guide being developed at Western’s School of Social Sciences.
Last year, Australian businesses reported more than $14 million in losses to payment diversion fraud via the Australian Competition and Consumer Commission’s Scamwatch; between January and March 2021, the average losses were more than five times higher than the same period last year.
A team led by Alana Maurushat has spent the last two years identifying the most frequent features of payment diversion fraud via anonymous surveys with affected companies. This is now being further explored through a quantitative study in which they hope to canvass more than 100 victims.
“A typical target could be a supermarket, and the regular payments it makes to a supplier,” explains Maurushat. “The supermarket will receive an email with features, such as previous correspondence, and a request for payment to an updated bank account.”
The amount requested will usually correspond with previous payments, Maurushat says — which suggests surveillance of a victim’s computer system via malware for six months or more. “Today’s scammers seem to be able to understand when payments are made, to whom payments are made, and the company’s payments processes.”
Need to know
- Digital surveillance enables cybercriminals to impersonate trusted suppliers.
- Verifying bank detail changes and training staff to spot phishing emails mitigates risk.
- Multi-factor authentication and quantum encryption could safeguard companies in future.
Ken Gamble, head of Sydney-based international cybercrime investigation company IFW Global, where Maurushat acts as an advisor, is sometimes called upon to help recover assets, as authorities are hampered by jurisdictional barriers.
Gamble says that it’s important stakeholders are aware of evolving patterns in cybercrime. “Alana’s research has been presented to law enforcement, regulators, corporates and the banking industry,” he points out. Payment diversion fraud is mostly handled by state authorities, adds Maurushat, but due to the global nature of the crime, she believes it would be better dealt with by the Australian Federal Police.
The guide, due to be released next year by Western, will include suggested protections such as verifying changes in bank details with suppliers. Maurushat says training staff to spot phishing emails and calls also helps reduce risk. In the future, Maurushat sees the use of multi-factor authentication, as well as advanced quantum encryption, as vital safeguards. But there’s little room for complacency. Her team has already come across one example of AI mimicking a person’s voice.
Maurushat’s research also found that victims who changed their payment processes invariably believe they are no longer vulnerable. “Cybercriminals are quicker to adapt than companies are to defend,” she says. “Being secure on email has not stopped companies being attacked again via text messages or calls.”
Meet the Academic | Professor Alana Maurushat
Alana Maurushat is Professor of Cybersecurity and Behaviour at Western Sydney University, where she holds a joint position in the School of Computers, Data and Mathematical Sciences, and in the School of Social Sciences. She is the Director of the world's first university-embedded live cyber incident response centre, where students provide free cyber incident response to vulnerable small enterprises, the Western Centre for Cybersecurity Aid and Community Engagement (Western CACE). She is currently researching payment diversion fraud and ransomware, behaviour and cognitive aspects of cybersecurity, cyber risk management, neuromorphic approaches to edge computing, crypto-tracing, and ethical hacking. She is the Cyber-Ambassador for the NSW Cybersecurity Node with AusCyber and sits as an expert reviewer in cybersecurity and big data with the Australian Research Council. She is Special Advisor for the cybercrime investigation company IFW Global, which investigates the people and organised syndicates behind cybercrime.
She lectures and researches in Cybersecurity, Cybercrime, Privacy and Security by Design, Cyber Risk Management, and Artificial Intelligence across the disciplines of law, criminology, business, political science and information communications technology. She has done consultancy work on cyber security, cryptocurrency, online drug markets, open data, data sharing, big data, technology and civil liberties for both the Australian and Canadian governments, industry and NGOs.
Alana has done media with 60 Minutes, the New York Times, Insight, ABC, and 730 Report, and is the author of many books and articles. Her cybersecurity behavioural research has recently been highlighted in the Wall Street Journal and will feature in the sequel to the award-winning international podcast, Hackable Me.
Alana sits on many cybersecurity and privacy risk advisory boards with government and industry, and spends her spare time with family and her spare minutes writing a new cybercrime comedy tv series.
Future-Makers is published for Western Sydney University by Nature Research Custom Media, part of Springer Nature.