Every eight minutes – that’s how often a cyber crime is reported to the Australian Cyber Security Centre at the moment.
Cyber crime incidents have evolved over the last few years to take advantage of transforming communication technologies, consumer behaviours and working arrangements. It’s clear we will need more trained cyber security experts to respond to these threats.
But to really understand how common cyber security incidents are in Australia, we need to think about what happens in those eight minutes.
How many people received an SMS, email or phone call that attempted to get them to hand over personal details or money? How many business networks or devices were accessed by unauthorised users? How many accounts were inadvertently exposed to cyber criminals without the account-holders even knowing that their information was available online?
While one cyber crime report is made in Australia every eight minutes, we know that cyber crime is under-reported, so we can confidently assume that there are actually many more cyber threats.
Let’s take a closer look at the frequency of cyber crime in Australia, the severity of attacks and the kinds of crime that are most common.
Is cyber crime increasing in Australia?
Yes, cyber crime is increasing in Australia. The Australian Cyber Security Centre (ACSC) issued its second annual report in 2021 and the numbers are most definitely on the rise.
Last year the ACSC’s ReportCyber line was receiving one report of cyber crime every 10 minutes – this year they’re receiving one every eight minutes. What that means is that in the year up to 1 July 2020 there were 59,806 reports of cyber crime and in the year up to 1 July 2021 there were 67,500 – an increase of 13 per cent.
Awareness of cyber crime and the resources to fight it have also risen. Calls to the ACSC’s cyber security advice line 1300 CYBER1 have increased 310 per cent.
The ACSC puts some of this increase down to the emergence of cyber crime commercialisation such as ransomware-as-a-service (RaaS). Cyber criminals are becoming more professional in their operations and offering RaaS services through the dark web.
DarkSide and REvil are cyber crime groups who have sold their services to carry out ransomware attacks on behalf of other hackers. They also offer training in how to combine distributed denial-of-service (DDoS) and ransomware attacks for greater impact on victims.
You might remember DarkSide’s name from the Colonial Pipeline incident in the United States, while REvil hit the global meat processing company JBS in 2021.
What are the most common types of cyber crime in Australia?
The ACSC reports that fraud-related cyber crime – where criminals use computers or online services to commit fraud – accounted for nearly 23 per cent of cyber crime reports between 2020 and 2021. Online shopping scams are the second most commonly reported cyber crime at 17 per cent, followed by online banking scams at 12 per cent. The remaining 48 per cent of cyber crime is spread fairly evenly between identity theft, business email compromise, investment, selling, bulk extortion and romance scams.
The ACSC’s 2019-20 report identified malicious emails, such as phishing, as the greatest cyber crime threat. In the following year it appears that SMS has become a more popular tool for cyber criminals seeking to part people from their money.
The Australian Competition and Consumer Commission’s (ACCC) ScamWatch website reports that the dollar value of losses to SMS scams almost doubled from just over $3 million last year to around $8.6 million this year. It’s a trend that’s being observed in the US and the UK as well.
The reason for the rise in SMS cyber crime, particularly in Australia, appears to be down to the lack of protections on SMS from phone companies. Compare that with email services, most of which now have some pretty decent spam filters built in.
As evolving organisms, cyber criminals put the greatest effort into the areas that offer the most rewards. With minimal spam protection, decreasing costs and access to sophisticated technology that generates spoof numbers, SMS scams are hard to stop.
Hackers have also noticed how many of us are waiting for online shopping deliveries, which often send tracking updates via SMS. That’s why it’s so common to receive a scam SMS purporting to be from a delivery service like Australia Post or DHL, whether you have a delivery on the way or not.
Most of these SMS cyber crimes fall into the largest type of cyber crime in Australia – fraud. In fact, almost a quarter of all reported cyber crimes involve a fraudster dishonestly gaining a benefit by deception.
How much money do Australians lose due to cyber crime?
Self-reported losses from cyber crime came to an eye-watering $33 billion in the 2020-21 financial year.
The Australian Competition and Consumer Commission (ACCC) revealed that almost 170,000 Australians reported $143 million lost to scams in the 2019-20 financial year. By combining that figure with additional data from government agencies and the big four banks, the ACCC raised that financial loss figure to $634 million.
With some rough maths, we can see that over $30 billion of the self-reported losses from cyber crime come from business rather than individuals. However, there’s one problem with all of these figures – financial losses from scams and cyber crime are both under-reported.
According to the ABC, some businesses don’t report when they’ve experienced a cyber attack, or paid a ransom, because it might harm their reputation. What that means is we don’t have an accurate picture of the quantity or frequency of cyber attacks – or the amount of money being paid.
Of course, ransoms are only part of the cost of cyber crime. Even when they are unsuccessful, cyber crimes have a financial impact on businesses through downtime, data loss and damage to critical infrastructure. A cyber security incident can be especially devastating for small businesses.
Has the COVID-19 pandemic increased cyber crime?
One of the greatest impacts of the COVID-19 pandemic was the overnight shift to working and learning from home, and doing almost everything online. In the ACSC’s words, “this dependence has increased the attack surface and generated more opportunities for malicious cyber actors to exploit vulnerable targets in Australia.”
Many employees logged into their workplaces through virtual private networks (VPNs), which could expose those workplace networks to personal devices, such as printers, that have loose security settings or run out-of-date software. As a result, the attack surface of the business is likely to have increased.
The COVID-19 pandemic also gave cyber criminals more ways to exploit social engineering to get people to click on an unsafe link. One example was the ‘Flubot’, which was a text message about COVID-19 test results with a link to a voicemail that downloaded malware. Another SMS scam asked for payment to release test results.
Meanwhile, some people fell victim to cyber criminals without even doing a thing.
The Federal Government's early release superannuation scheme, which gave individuals access to their retirement savings for support if they’d lost work due to the pandemic, was a target for hackers. It was a program managed through the MyGov website.
It turns out that it was possible to create a second MyGov account for an individual, which cyber criminals did, using stolen identification data.
Some unlucky victims lost up to $10,000 each without any clue that the money was gone before the system was shut down for two days and security tightened to end the fraud.
"I was lucky I could see my superannuation balance in my banking app," Daniel Bunten told the ABC.
"But I can't imagine many 23-year-olds, like me, checking their superannuation balance."
How can Australians protect themselves from cyber attacks?
The resources for Australians to protect themselves from cyber attacks are increasing, but cyber security will only be achieved when all businesses, organisations and individuals adopt cyber safe behaviours.
One of the top tips for preventing cyber attacks is to update software and operating systems on all devices. Often those updates include patches for vulnerabilities that can be exploited by cyber criminals.
Use a password manager to create a strong, unique password for every digital account. You’ll only have to remember one password (for the password manager) and if your data is breached, then cyber criminals won’t have the key to your entire online world.
Implement multi-factor authentication (MFA) wherever possible to add another layer of security to your online accounts. MFA can be a code sent to your phone, or generated by an app, or a physical USB key.
Encrypt and back up your data with the 3-2-1 rule – three copies of your data, on at least two different mediums, with one located offsite. In the event of a ransomware attack, you’ll have multiple options to get back up without handing money over to cyber criminals.
Australian businesses, organisations and even individuals should develop a cyber security strategy and always keep cyber safety front of mind.
Join the fight against cyber crime with a Master of Cyber Security from ECU Online.