Online banking fraud is among the top three cybercrimes being reported by individuals and businesses to law enforcement agencies via the Report Cyber service, data from the Australian Signals Directorate’s (ASD’s) latest Cyber Threat Report has revealed.

In line with data from the ASD’s 2021-22 report, online banking fraud represents around one-quarter of cybercrime reports made by individuals to law enforcement agencies, and remains the second most reported cybercrime – above online shopping and investment fraud, but below identity fraud.

For businesses, online banking fraud was the third most reported cybercrime, after email compromise and business email compromise.

Online banking fraud refers to cybercriminals gaining unauthorised access to an individual’s or a business’s banking accounts, leading to the theft of money, sensitive information or unauthorised transactions.

Overall, the ASD reported that it responded to more than 1,100 cybersecurity incidents from Australian entities over the 2022-23 financial year, requiring the digital security agency to step in to support an organisation’s recovery.

Separately, nearly 94,000 reports were made to law enforcement through ReportCyber, up 23 per cent on the previous financial year, and representing around one report every six minutes.

The financial services sector itself was the sixth highest cyber incident reporting sector, accounting for 4.7 per cent of, or more than 4,400, cyber incident reports. The list was topped by federal (31 per cent) and state and local governments (12.9 per cent).

Critical infrastructure under threat

Across FY 2022–23, the ASD responded to 143 cyber security incidents related to critical infrastructure, a category which includes financial services organisations, a more than 50 per cent jump on the total incidents reported in 2021–22.

These incidents were overwhelmingly the result of either compromised account or credentials, compromised networks or infrastructure, or denial of service (DoS) attacks.

The ASD itself had to tip off seven critical infrastructure providers of suspicious cyber activity, up from five notifications last year.

The number of severe breach incidents (rated C2, the second highest category out of six) affecting critical infrastructure entities or systems of national significance rose from two in FY 2021–22 to five in FY 2022–23. A C2 rating involves significant data breaches involving cybercriminals exfiltrating data from critical infrastructure for the purposes of financial gain.

The ASD responded to 127 extortion-related incidents, up eight per cent on the previous financial year: 118 of these incidents involved ransomware or other forms of restriction to systems, files or accounts.

Ransomware, recognised by the ASD as among the most “destructive cybercrime threat to Australians”, represents around 10 per cent of all incidents responded to by reporting entities.

Over 90 per cent of cybercrime incidents involved ransomware or other forms of restriction to systems, files or accounts.

Among the most common cybercriminal techniques include phishing, data-theft extortion, data theft and on-sale, business email compromise (BEC), and denial of service (DoS).

Over the last two financial years, the average self-reported cost of cybercrime to businesses has increased by 14 per cent each year.

The ASD also recorded 79 Denial of Service (DoS) and Distributed DoS cybersecurity incidents in 2022–23, more than doubled that in the previous financial year, with service availability partly or wholly denied for the victim in 62 of those incidents.

Business email compromise (BEC) – where cybercriminals compromise a genuine email account of a trusted sender or impersonate a trusted sender to solicit sensitive information, money or goods from business partners, customers or employees – was also recognised by the ASD as a key vector to conduct cybercrime.

In 2022–23, the total self-reported BEC losses to ReportCyber was almost $80 million.

More than 2,000 reports of BEC were made to law enforcement through ReportCyber which led to a financial loss. On average, the financial loss from each BEC incident was over $39,000.

An example of BEC cited by the ASD was a cybercriminal gaining access to the email account of a business and sending an invoice with new bank account details to a customer of that business.

The customer then pays the invoice using the fraudulent bank account details provided by the cybercriminal. A compromised business, it said, may only detect BEC once a customer has paid cybercriminals.

Threats from China, Russia increase

The ASD noted the increasing threat posed to critical infrastructure by state actors, including data theft and disruption of business.

“Globally, government and critical infrastructure networks were targeted by state cyber actors as part of ongoing information-gathering campaigns or disruption activities,” the ASD wrote, noting that “cyber operations are increasingly the preferred vector for state actors to conduct espionage and foreign interference.”

“In 2022–23, ASD joined international partners to call out Russia’s Federal Security Service’s use of ‘Snake’ malware for cyber espionage, and also highlighted activity associated with a People’s Republic of China state-sponsored cyber actor that used ‘living-off-the-land’ techniques to compromise critical infrastructure organisations.”

The ASD’s Critical Infrastructure Uplift Program (CI-UP), which works with local critical infrastructure suppliers to improve their resilience against cyberattacks and increase cybersecurity maturity, this year completed three uplifts covering six critical infrastructure assets.

At present, the ASD reports that three CI-UPs are currently in progress, with 20 CI-UP information packs sent to relevant entities.