One business lost $500,000 in a single transaction after its email system was hacked in what is becoming a growing cybersecurity threat in Australia.
Security firm CyberCX highlighted the issue in its incident response report on Monday, warning that business email compromise attacks had become the leading security issue in Australia and New Zealand and the threats were becoming more sophisticated.
The report also found data extortion attacks were on the rise and more companies were refusing to pay criminal ransoms to regain access to their data after it had been stolen.
The findings come as the federal government considers changes to strengthen cybersecurity laws and just weeks after public consultations into the changes closed.
The CyberCX Digital Forensics and Incident Response report analysed more than 100 significant incidents from 2023 and found business email compromise attacks had become the leading cyber threat, with cases rising by 37 per cent last year.
The attacks, which invade business systems using a phishing email, can get around some multi-factor authentication systems, the report warned, and had become the "silent scourge of the industry, affecting everyone from small to large organisations".
CyberCX digital forensics and incident response executive director Hamish Krebs told AAP that email-based attacks were popular with financially motivated attackers as they could use them to redirect payments.
"If you can re-route an invoice, you can definitely steal $100,000," he said.
"A while ago there was a spate of house deposits being re-routed so a single transaction can be very large... and it doesn't come with all the implications of ransomware in terms of getting government and law enforcement attention."
Mr Krebs said once compromised, hackers could use email account access to modify real documents, compromise other business accounts, and hide fraudulent invoices they had sent from the account holder.
In one case, $500,000 was lost in a single transaction, he said, and the losses were not often immediately spotted by victims, with the email hacks going undetected for more than 11 days on average.
"If you imagine an accounts receivable or an accounts payable mailbox in a business, there could be lots of payments going past," he said.
"It's not necessarily going to an offshore account that looks suspicious – it's going to a mule account in Australia or New Zealand that looks plausible."
The CyberCX report also found cases of data extortion alone tripled last year, while cases of ransomware deployed by itself fell.
The number of companies that paid criminal ransoms halved last year, it found, and 53 per cent of firms who refused to pay did not see their data leaked or published.
Mr Krebs said Medibank's actions played a role in the trend after it declined to pay a ransom to criminals to protect customers' stolen heath data in October 2022.
"It changed the landscape because that data was incredibly sensitive – the most sensitive information you could possibly hold about someone – and they didn't pay," he said.
"They did a really good job of setting a bar that allows everyone the space to think about it a little bit differently."
The findings come as the federal government considers making changes to the cybersecurity provisions in the Critical Infrastructure Act as part of its 2030 strategy.
