Australian businesses are facing increasing threats from scammers each year, and the financial impact can be significant. For medium-sized enterprises, the average cost of a targeted business scam has skyrocketed to nearly $100,000, with an incident reported nationwide roughly every six minutes.¹
Many businesses invest heavily in spam filters, two-factor authentication and firewalls, but the reality of modern scammers means it’s our own behavioural and psychological patterns that could leave us most exposed to threats. For many businesses, the biggest vulnerability is not just technology, but how staff respond to urgent messages that appear to come from someone in authority.
Data from the Australian Signals Directorate (ASD) reveals that business email compromise (BEC) that resulted in financial loss makes up 15 per cent of the top reported cyber attacks.
When it comes to helping better protect your business, here are some ways to start.
Always verify urgent payment
Picture this: an employee receives an email late on a Friday afternoon from a senior member of the team urging them to swiftly authorise a pay cycle that hasn’t gone through. The employee, wanting to complete the request in a timely manner, lands exactly where the scammers want them – flustered, rushed and keen to close the task to fulfill a request from their boss.
Urgency is one of the most powerful tactics in a scammer's toolkit. According to ACCC’s Scamwatch, creating a sense of immediacy activates our natural 'fight or flight' response, meaning individuals are far less likely to think through the validity of a request in favour of getting it done quickly.
To assist in combating this type of scam, businesses can implement a strict, no-exceptions verbal verification process for all financial transactions. Rather than relying on any details provided in an email or text, establish a protocol that requires staff to verbally confirm financial instructions through a trusted, known phone number.
For businesses that want to make changes in this space, consider two baseline rules:
- Independent callbacks: Never use the contact details or links provided within an unexpected invoice or incoming email. Always dial the supplier using a verified phone number stored internally.
- Dual signoffs: Establish a clear process where any change to vendor banking details, or any payment above a certain amount, requires a secondary verbal confirmation by another team member.
Destigmatise the 'near miss' in business security
If urgency is a scammer’s favourite tool, blame is easily their second. A particular danger area for businesses is the reaction from co-workers or management when a staff member either falls for a scam or experiences a near miss. Blame, embarrassment and staying silent may increase the risk of a scam succeeding – and prolong the time required to remedy damage done.
When leaders make it clear to their teams that reporting an error is viewed as a massive win for the business's security, rather than something to be punished, this usually means team members are more likely to quickly report a misstep. This then allows IT and security teams to step in at the right moment and help manage the issue.
Ultimately, a culture that rewards transparency encourages other team members to not only learn from their colleagues' experiences but actively manage their security habits as well.
Build scam awareness through regular practice
Another way to help normalise a culture of scam safety is through frequent scam awareness training. If approached thoughtfully, broad scams training can help prepare employees for a range of different threats.
In line with the Australian Signals Directorate (ASD) guidelines, the focus should be on building critical thinking and practical experience rather than creating compliance traps. When simulations mimic everyday Australian business hurdles - like unexpected changes to vendor banking details, IT support alerts, or executive impersonation attempts - they can help boost capability without introducing a culture of resentment or fear.
These kinds of simulations are often most effective in organisations that already have strong security awareness programs in place. Also keep in mind that if these exercises are run in a deceptive way or used to catch employees out, they have the potential to have a negative impact on the transparency you're trying to build within the business.