Online banking fraud remains among the top cybercrimes reported by Australians, representing around one in seven cybercrime incidents reported to the Australian Signals Directorate (ASD) last financial year.

Online banking fraud was the third-most reported cybercrime by individuals, and the second-most reported by businesses over the FY2023-24 period.

The data, outlined in the ASD’s latest annual cyber update, catalogued more than 87,400 instances of commercial cybercrime last financial year, representing one report lodged with the agency every six minutes.

Financial and insurance services organisations were among the top reporters of cybercrime over the period, representing around one in 12 reporting entities to the ASD’s ReportCyber service.

Business email compromise (BEC) and fraud were also among the top self-reported cybercrimes, while ransomware and data theft extortion were recognised by the ASD as “pervasive and costly [threats]”.

In FY2023-24, Australians reported losses of nearly $84 million as a result of BEC, with 1,400 victims reporting a financial loss.

Averaged out, the financial loss from each confirmed BEC incident was more than $55,000.

BEC involves the use of email to trick someone into sending money or revealing confidential information about a company.

Ransomware made up 11 per cent of all incidents responded to by the ASD, an increase of three per cent on the previous year.

Small businesses reported the biggest increase in financial losses to cybercrime, upwards of eight per cent over the previous year, with incidents costing an average of $49,600.

Bigger businesses, however, saw an overall drop in losses from reported cyber incidents.

Medium-sized businesses recorded a 35 per cent fall in the average cost of reported incidents, down to $62,800, while the cost to large businesses declined 11 per cent to $63,600.

Overall, the number of self-reported business cybercrimes fell by seven per cent. However, these losses remain significant, with the ASD observing the “persistent and disruptive threat” of cybercrime to businesses, particularly with the emergence of new technologies.

“Cybercriminals are adapting to capitalise on new opportunities, such as artificial intelligence, which reduces the level of sophistication needed for cybercriminals to operate.”

The ASD added: “Cybercriminals may leverage AI-enhanced social engineering, as it is accessible to low-capability actors and can be used to circumvent network defences.

“Cybercriminals may also use AI to create new methods of social engineering attacks, such as imitating a target’s voice based on an audio sample.

“Using AI in social engineering attacks means cybercriminals can maximise their success rates with little additional effort, increasing the potential for network compromise and the overall threat posed.”

Critical infrastructure under threat

The ASD responded to more than 1,100 cyber security incidents over the FY23-24 period following a surge in calls (totalling 36,700) to the Australian Cyber Security Hotline – up 12 per cent on the previous year.

This, the agency said, highlighted “the continued exploitation of Australian systems and ongoing threat to our critical networks”.

Critical infrastructure, which includes financial services entities, made up 11 per cent of all cyber security incidents over the FY23-24 period. The ASD notified critical infrastructure organisations more than 90 times of potential malicious cyber activity.

“Critical infrastructure networks are an attractive target due to the sensitive data they hold and the widespread disruption that a cyber security incident can cause on those networks,” the ASD wrote.

The three most common activity types leading to critical infrastructure-related incidents were:

• phishing (23 per cent)
• exploitation of a public-facing application (21 per cent)
• brute-force activity (15 per cent).

The ASD also proved proactive in its prevention efforts, notifying entities more than 930 times of potential malicious activity on their networks.