Hackers dial up data extortion, email attacks

One business lost $500,000 in a single transaction after its email system was hacked in what is becoming a growing cybersecurity threat in Australia.

Security firm CyberCX highlighted the issue in its incident response report on Monday, warning that business email compromise attacks had become the leading security issue in Australia and New Zealand and the threats were becoming more sophisticated.

The report also found data extortion attacks were on the rise and more companies were refusing to pay criminal ransoms to regain access to their data after it had been stolen.

The findings come as the federal government considers changes to strengthen cybersecurity laws and just weeks after public consultations into the changes closed.

The CyberCX Digital Forensics and Incident Response report analysed more than 100 significant incidents from 2023 and found business email compromise attacks had become the leading cyber threat, with cases rising by 37 per cent last year.

The attacks, which invade business systems using a phishing email, can get around some multi-factor authentication systems, the report warned, and had become the "silent scourge of the industry, affecting everyone from small to large organisations".

CyberCX digital forensics and incident response executive director Hamish Krebs told AAP that email-based attacks were popular with financially motivated attackers as they could use them to redirect payments.

"If you can re-route an invoice, you can definitely steal $100,000," he said.

"A while ago there was a spate of house deposits being re-routed so a single transaction can be very large... and it doesn't come with all the implications of ransomware in terms of getting government and law enforcement attention."

Mr Krebs said once compromised, hackers could use email account access to modify real documents, compromise other business accounts, and hide fraudulent invoices they had sent from the account holder.

In one case, $500,000 was lost in a single transaction, he said, and the losses were not often immediately spotted by victims, with the email hacks going undetected for more than 11 days on average.

"If you imagine an accounts receivable or an accounts payable mailbox in a business, there could be lots of payments going past," he said.

"It's not necessarily going to an offshore account that looks suspicious – it's going to a mule account in Australia or New Zealand that looks plausible."

The CyberCX report also found cases of data extortion alone tripled last year, while cases of ransomware deployed by itself fell.

The number of companies that paid criminal ransoms halved last year, it found, and 53 per cent of firms who refused to pay did not see their data leaked or published.

Mr Krebs said Medibank's actions played a role in the trend after it declined to pay a ransom to criminals to protect customers' stolen heath data in October 2022.

"It changed the landscape because that data was incredibly sensitive – the most sensitive information you could possibly hold about someone – and they didn't pay," he said.

"They did a really good job of setting a bar that allows everyone the space to think about it a little bit differently."

The findings come as the federal government considers making changes to the cybersecurity provisions in the Critical Infrastructure Act as part of its 2030 strategy.

License this article

What is AAPNews?

For the first time, Australian Associated Press is delivering news straight to the consumer.

No ads. No spin. News straight-up.

Not only do you get to enjoy high-quality news delivered straight to your desktop or device, you do so in the knowledge you are supporting media diversity in Australia.

AAP Is Australia’s only independent newswire service, free from political and commercial influence, producing fact-based public interest journalism across a range of topics including politics, courts, sport, finance and entertainment.

What is AAPNews?
The Morning Wire

Wake up to AAPNews’ morning news bulletin delivered straight to your inbox or mobile device, bringing you up to speed with all that has happened overnight at home and abroad, as well as setting you up what the day has in store.

AAPNews Morning Wire
AAPNews Breaking News
Breaking News

Be the first to know when major breaking news happens.

Notifications will be sent to your device whenever a big story breaks, ensuring you are never in the dark when the talking points happen.

Focused Content

Enjoy the best of AAP’s specialised Topics in Focus. AAP has reporters dedicated to bringing you hard news and feature content across a range of specialised topics including Environment, Agriculture, Future Economies, Arts and Refugee Issues.

AAPNews Focussed Content
Subscription Plans

Choose the plan that best fits your needs. AAPNews offers two basic subscriptions, all billed monthly.

Once you sign up, you will have seven days to test out the service before being billed.

AAPNews Full Access Plan
Full Access
  • Enjoy all that AAPNews has to offer
  • Access to breaking news notifications and bulletins
  • Includes access to all AAPNews’ specialised topics
Join Now
AAPNews Student Access Plan
Student Access
  • Gain access via a verified student email account
  • Enjoy all the benefits of the ‘Full Access’ plan at a reduced rate
  • Subscription renews each month
Join Now
AAPNews Annual Access Plan
Annual Access
  • All the benefits of the 'Full Access' subscription at a discounted rate
  • Subscription automatically renews after 12 months
Join Now

AAPNews also offers enterprise deals for businesses so you can provide an AAPNews account for your team, organisation or customers. Click here to contact AAP to sign-up your business today.

Download the app
Download AAPNews on the App StoreDownload AAPNews on the Google Play Store