Digital Business

ASBFEO backs banking industry pledge to head off scammers crippling small businesses

THE Australian Small Business and Family Enterprise Ombudsman (ASBFEO), Bruce Billson, has welcomed the significant commitment announced today by the banking industry to "better support small businesses to combat scams".

Mr Billson said a $100 million upgrade across the banking sector to confirm who money is being paid to by matching names with account numbers will particularly benefit small businesses who too often fall victim to the invoice substitution scam. 

“Nefarious cyber criminals can wreak havoc for a small business but sadly the number of scams and the size of the losses for small and family businesses is growing,” Mr Billson said.

“When a criminal impersonates your business, it not only costs you and your customers money but can damage your brand and lead to a loss of consumer trust and confidence and the ability to operate. Too often, it can be an enterprise-ending event for a small business.”

Scamwatch data shows small businesses lost $13.7 million to scams last year, a 95 percent increase compared with the previous year. The biggest contributor to these losses was payment redirection scams.

Mr Billson said small businesses had been particularly vulnerable to the invoice substitution scam – also called payment redirection scams or business email compromise – where cyber criminals get into their computer system and intercept emails to customers and insert different bank account details.

“A small business sends an invoice to somebody and the criminal changes the banking details," Mr Billson said. "When it lands in the customer's inbox, it looks legit and is a bill they were expecting so they pay it. The money goes to the criminal’s bank account and is quickly shifted, usually to crypto currency, and is gone.

“These jokers run off with the money, the customer has done their dough, and the small business hasn’t been paid," he said.

“ASBFEO has been highlighting the urgent need for a ‘confirmation of payee’ scheme to be introduced in Australia, noting similar programs operate in other countries offering a really practical safeguard. This ensures people can confirm they are transferring money to the person intended and that names are matched to BSB and account numbers.

“Today’s pledge by the banking industry to roll out a new confirmation of payee system will go a long way to stopping scammers being able to divert invoice payments by simply and silently changing a bank account number.”

Mr Billson noted the package of measures announced by the Australian Banking Association and the Customer Owned Banking Association will apply to commercial banks, customer owned banks, mutual banks, building societies and credit unions.

It will include more use of biometric checks and other controls to prevent scammers opening fraudulent bank accounts in other people’s names by using stolen information from driver’s licences, passports and other identity documents.

There will also be increased warnings and payment delays for suspicious transactions, limits on high-risk payment channels, which can include crypto platforms, and greater intelligence sharing across the banking sector using the Australian Financial Crimes Exchange.

However, Mr Billson said beating the scammers relied upon everyone being at their best by doing what they can to tackle the scourge of cyber crime and to “listen to our Spidey senses if something doesn’t seem right”.

“Business owners wouldn’t leave the door open with the light on at night when there's no one there, so they must take the right steps and safeguards in the digital world,” Mr Billson said.

“Telecommunication companies are trying to do their bit via what's called a ‘clean pipes’ initiative, where they cut off a lot of cyber threat traffic through the telecommunications infrastructure.

“And just last week the Australian Government announced two programs offering small businesses practical help to minimise the chance of falling victim to a cyber attack and to better prepare them to bounce back."

Mr Billson said next week is Scam Awareness Week and an ideal time for small business owners to take a few extra moments to check they have appropriate safeguards in place.

“Scamwatch says three in every four scam reports involve criminals pretending to be people we should trust,” Mr Billson said.

The new National Anti-Scam Centre said small business owners who feared they had fallen victim should contact the Report a Scam website ( and dedicated resources to combat scams can be found at

The Australian Cyber Security Centre, through the website, provides resources and guides for small businesses on how to manage information and secure their businesses, including a free Cyber Security Assessment Tool that can help identify the cyber security strengths of a business and learn how to improve cyber security:

The website also contains information on how to recover and small businesses can report cyber attack incidents through 1300 CYBER1.

The ASBFEO website includes simple steps and a checklist to better protect small businesses:

ASBFEO's website also has a video offering tips which can be viewed at:




Cybersecurity checklist for working remotely 

WHILE REMOTE WORK offers flexibility and new opportunities, it also presents cybersecurity challenges.

As more organisations adopt remote and hybrid working practices, there is an increase in access to sensitive data from various locations. This has caused targeted attacks to rise, often exploiting human emotions through tactics like phishing, pretexting, and baiting.  

TeamViewer Asia-Pacific president, Sojung Lee, said, “Social engineering attackers have used these tactics for a long time. These tactics work because they prey on human nature, manipulating it to gain unauthorised access to confidential information. 

“Unfortunately, attacks are becoming more personalised and targeted, making it essential for every team to recognise these dangers and be prepared to fight against them.” 

Cybersecurity checklist for remote working 

Ms Lee said very few people were information technology (IT) experts and many may not know where to start. However, following the advice of a cybersecurity checklist can help companies keep safe from cyber threats, even when employees are working remotely. 

Check 1 — Education and awareness:  

  • Recognise targeted attacks: regularly train staff to identify spear phishing, whaling, and other targeted attacks that exploit personal information. 
  • Avoid unknown devices and baiting: educate employees not to plug unfamiliar devices like USBs into their systems. Highlight the risks of baiting, where malicious devices are left for workers to find.
  • Implement protocols against pretexting: establish protocols and code words to minimise risks from pretexters impersonating legitimate access holders, such as vendors or technical support. 
  • Encourage caution with personal information: warn against sharing personal details that could be used in spear phishing campaigns. 
  • Promote continuous education: emphasise that ongoing learning is the cornerstone of cybersecurity, especially in remote settings. 

Check 2 — Implement protocols and leverage technology: 

  • Use multi-factor authentication (MFA): employ MFA for connections and accounts for added security. 
  • Restrict USB port usage: control access to USB ports or use alternatives that remove the need for physical devices. 
  • Implement secure access features: use methods that ensure connection without passwords for stronger validation. 
  • Leverage certificates: company-wide certificates, paired with trusted services that allow their implementation, provide easy and highly secure access. 

Check 3 — Promote password best practices:

  • Encourage unique passwords: advocate for different passwords across various sites and services. 
  • Recommend trusted password managers: promote the use of reliable tools for secure password storage.
  • Cultivate good password hygiene: foster a culture that appreciates and practises secure password habits.

“In a world where remote access is integral to business, organisations need to take full responsibility and implement a strict zero-trust policy, limiting access to critical resources and confidential information with designated role management and conditional access capabilities,” Ms Lee said.

“Together with an educated workforce, organisations can build a resilient, multi-layered defence, mitigating the constant threat of security incidents.

“Having a cybersecurity checklist is more than just a set of guidelines, it’s an essential part of business strategy in the remote working era,” she said.

“By adhering to these principles and leveraging the right technological solutions, organisations can maintain integrity and resilience against the constantly evolving cyber threats. 

“It’s essential to always err on the side of caution and recognise that social engineering preys on human nature itself. Understanding this is the key to preventing companies from becoming the next victim of these time-tested strategies.”


Australian businesses strengthen cybersecurity, rattled by major organisational breaches

AUSTRALIAN enterprise leaders are steadily recognising and unearthing growing threats, assessing risks and changing strategies to better detect and respond to attacks, according to a new ISG Provider Lens report.

The recent series of damaging, high-profile data leaks in Australia has changed the way Australian organisations approach enterprise security and procure cybersecurity services, according to the new research published today by Information Services Group (ISG, Nasdaq: III), a global technology research and advisory firm with runs on the board in cybersecurity.

The 2023 ISG Provider Lens Cybersecurity Solutions and Services report for Australia has found the attacks revealed escalating threats and changed cybersecurity from solely an information technology (IT) issue to a closely monitored enterprise challenge.

“Australian companies recognise the business dangers of data leaks,” ISG Cybersecurity director for ANZ and Asia Pacific, Joyce Harkness said.

“Top management and boards are increasingly interested in cyber risk and the quantification of such risk, and are involved in decision-making about strategies, products and services.” 

The Australian Government has strengthened the country’s cybersecurity response by imposing the Notifiable Data Breaches (NDB) scheme, which requires organisations to report breaches, and working with the state of South Australia to establish the Australian Cyber Collaboration Centre, an incubator for new security solutions and initiatives.

More recently, the Federal Government unveiled the 2023-2030 Australian Cyber Security Strategy, aimed at making Australia one of the most cyber secure nations in the world by 2030. The government also appointed Australia’s first cyber security coordinator and began operationalising the Security of Critical Infrastructure Act 2018.

Plugging security capability gaps

Recent attacks revealed that even large Australian enterprises had cyber capability gaps, the report said.

Most had invested heavily in cybersecurity controls but focused only on preventing breaches and assumed all sensitive data was in offices. In reality, the ‘attack surface’ has expanded with the rise of remote work, digital engagement, an expanding supply chain and the internet of things (IoT).

Mistakes inside organisations and among IT provider partners, such as employees falling prey to phishing attacks or making configuration errors, are thought to have played a major role in recent leaks in Australia and elsewhere.

ISG reported that, as a result, Australian enterprises had “begun to assess their risk tolerance, evaluate current controls and take an ‘assume breach’ approach, recognising that not all breaches can be prevented and focusing on rapid detection and response”.

As they migrate to the cloud over the next few years, many Australian companies are expected to invest in cloud-based solutions, such as extended detection and response (XDR), the report said.

The report deduced that companies with multiple cybersecurity tools, “which often generate false positives that require manual intervention” will also need greater automation and interoperability to relieve the pressure on security operations centres (SOCs). The role of artificial intelligence (AI) is expected to grow exponentially, often to secure IoT assets.

“We expect strong growth in the Australian security market over the next five years,” ISG Provider Lens Research partner and global leader, Jan Erik Aase said.

“Enterprises and providers will be investing heavily in both new technologies and essential skills.”

Australian business tries to get it right

The report also explored other cybersecurity trends in Australia, including the increasing adoption of zero-trust frameworks and next-generation identity and access management (IAM) to maintain high-level security while enabling improved customer experience.

The 2023 ISG Provider Lens Cybersecurity Solutions and Services report for Australia evaluates the capabilities of 82 providers across six quadrants: identity and access management (IAM), extended detection and response (XDR), security service edge (SSE), technical security services, strategic security services, and managed security services (SOC).

The report named IBM as a leader in four quadrants. It names Accenture, CyberCX, Deloitte, DXC Technology, Fujitsu, NTT DATA, Telstra, Tesserent, Verizon Business and Wipro as Leaders in three quadrants each. Microsoft is named as a Leader in two quadrants.

Bitdefender, Broadcom, Cato Networks, CGI, Cisco, CrowdStrike, CyberArk, EY, Forcepoint, HCLTech, Infosys, Kasada, KPMG, Netskope, Okta, Palo Alto Networks, Ping Identity, PwC, SailPoint, Tech Mahindra, Unisys, Versa Networks, VMware and Zscaler are named as leaders in one quadrant each.

In addition, Kyndryl is named as a ‘rising star’ — a company with a “promising portfolio” and “high future potential” by ISG’s definition — in two quadrants. BeyondTrust, HPE (Aruba), Macquarie Telecom Group and SentinelOne are named as rising stars in one quadrant each.

The 2023 ISG Provider Lens Cybersecurity Solutions and Services report for Australia is available through



Why investing in reliable payment gateways is crucial for business success

By Ricky Blacker >>

AN ONLINE STORE’s primary purpose is to generate conversions. To succeed, the website must provide an efficient, secure and positive customer experience.

With digital wallets increasingly overtaking credit cards for online payments (Global Payments Report FIS), it is more important than ever for businesses to accommodate a range of payment methods and ensure they function smoothly.

Payment gateways are what make online payments possible, as they connect a business’s website to its merchant account, such as PayPal or Stripe. Depending on the merchant(s) selected, a business can accept payments in a range of currencies and leverage different plug-ins to tailor the checkout process based on business and customer preferences. 

It’s important to choose a strong, reliable payment gateway to protect the reputation and financial success of the business. An inefficient payment gateway, or worse, an error in the platform, can result in additional processing fees or even legal implications. 

Time spent rectifying technical issues may also increase website downtime, thereby impacting potential sales. Together, these can negatively affect the user experience and trust in the brand.

Trusted payment gateways make your customers ‘secure’ with you

If customers do not feel safe entering their payment details via your website, they are likely to seek and choose an alternative provider.

In contrast, adopting trusted payment gateways ensures that the final stage of the purchase is easy, which can avoid last minute change of mind, increase the customer’s basket size and encourage repeat purchases.

Once installed, the payment gateways do need to be kept updated and operating at optimal level. This maintenance may seem tedious and complicated but it is crucial for success.

Fortunately, choosing a quality website hosting platform can make this process much easier. For example, WP Engine works seamlessly with WooCommerce, one of the most powerful and flexible platforms to transform websites into online stores, to enable easy integration.

By selecting a managed WooCommerce hosting service, businesses can also outsource website management, ensuring site speed optimisation, automatic updates and free Secure Sockets Layer (SSL) certificates are maintained as necessary. This means businesses get time back to focus on their product and service offerings.

Success is all about trust

Recognised and trusted payment processing gateways are highly beneficial in gaining consumer trust. When customers see a trusted brand logo such as Stripe, they instantly have peace of mind that any payment details they input will be handled securely.

Choosing a website hosting platform that integrates deeply with one or more trusted payment gateways can accelerate and simplify payment gateway set up.

For example, WP Engine’s new Stripe Connect integration includes Stripe in the WooCommerce store building and management process, so there’s no need to seek out or pay for add-ons — it’s preconfigured to just work.

This new offering also makes Stripe integrations more secure, as businesses can connect to an existing Stripe account without using API keys and credentials.

A good payment gateway needs strong website infrastructure to support it. A slow website that lacks a robust security infrastructure can increase the risk of website crashes and data leaks.

Long loading times may also deter customers from completing their purchase or result in payment processes timing out.

In the best case, this can impact brand reputation. In the worst case, this may lead to incorrect or duplicate payments, resulting in customer frustration.

Therefore, businesses should ensure they constantly optimise their website for speed and ensure they adhere to basic cyber hygiene principles, such as ensuring plug-ins are updated.

Consider managed web hosting

For businesses who want to make efficient use of time and resources, working with a managed web hosting platform or agency can greatly alleviate workloads and pressure.

For example, WP Engine leverages automated plug-in and WordPress updates to ensure vulnerabilities are repaired as soon as possible.

Reliable payment gateways are a key factor to increase business sales and overall success. Not only do they affect sales and conversions, they also impact consumer trust and brand reputation.

By choosing reliable payment gateways and working with a web hosting platform that enables easy integration and management, businesses can succeed online while having more time and resources to focus on what they do best.


About the author    

Ricky Blacker is a senior sales engineer and WordPress ‘evangelist’ at WP Engine, a Brisbane-headquartered company that has developed into one of the world’s leading managed WordPress platforms and hosting services. WP Engine has been voted the number one WordPress platform globally in 2023.


Cold hard realities of cyberattacks, ransomware

By Leon Gettler, Talking Business >>

THE METHODS for dealing with cyberattacks and ransomware have been around for a relatively long time, technologically.

But according to global network protection company Tenable, the problem remains that a lot of companies have not ‘got the basics down’.

Scott McKinnel, the Australia and New Zealand regional manager for Tenable, said a Tenable survey conducted by Forrester revealed that 92 percent of organisations said 70 percent of their business had been impacted by cybercriminal activity resulting in significant business loss. He also outlined how cyberattacks and ransomware had become increasingly profitable for cyber criminals.

Mr McKinnel said, a couple of years ago, the modus operandi of cyber criminals had been to target individuals.

“What it’s evolved to now is ransomware and clearly they’ve been able to monetize it and find a great financial venture for them,” Mr McKinnel told Talking Business.

“The way they do that is two-fold. One is to move away from targeting individuals and targeting organisations that have critical infrastructure … which clearly has a larger impact, not just financially, it brings things to a fall.”

Governments step up legislative support

Mr McKinnel said governments were now moving to legislate to protect vulnerable sectors.

There used to be four such sectors. Now there are 11 sectors centred around critical infrastructure. Among the critical 11 sectors are utilities, financials, water, electricity, food supply, hospitals and health care.

“That’s come about because of awareness of how reliant we are on multiple sectors and supply chains – the fundamental existence in our society,” he said.

“If these organisations and services are to halt, it’s a major impact to society. That’s the new vector that cybercriminals are targeting.”

Mr McKinnel said businesses now needed a plan or process to deal with a cyberattack which could result in them ceasing operations, costing them millions of dollars every day.

“Most of these exploits these cyber criminals use have been out for ages and are easy to fix and remediate,” he said.

“The ability of organisations to put in controls and multi-factor authentication has been around for years so it’s not like these are super sophisticated attacks. People just get caught in the wild because they haven’t done the basic hygiene properly.”

Boards consider true risks of cyberattacks

Mr McKinnel said boards and tech people were clearly aware that cyber security was now a major risk.

“Where we see issues is between the technical practitioners who understand what needs to be done, and the very highest echelon of commercial people and directors that know something needs to be done – and often there’s this mish-mash in the middle of communication,” he said.

Mr McKinnel said this came down to organisations having plans that set out who was responsible for mitigating risk and triaging and allocating.

“There is this swirling mess right now because historically people have seen it as a technical issue … and their only task was doing what they can,” he said.

“What people could probably do is have a clear understanding of the lines of communication and setting up a framework, a governance policy, having an awareness throughout the organisation that this is a business risk now, not an IT issue or IT risk, and treating it as you would with occupational safety and health or other major elements of risk for a business.”


Hear the complete interview and catch up with other topical business news on Leon Gettler’s Talking Business podcast, released every Friday at



AiiMs recommends buyers keep both eyes wide open online

By Leon Gettler, Talking Business >>

THERE IS SO MUCH Australians can do to protect themselves from online scammers and hackers. However, according to Janty Ayoub, founder and CEO of the AiiMs Group, people are not doing it.

“The first thing is that ‘buyer beware’ is the first thing that comes in at my end,” Mr Ayoub told Talking Business.

“If something doesn’t look right, don’t do it. Nothing is free in this life and when we’re purchasing online and put into a different data base and we don’t know where our data goes – and where our details go – and next minute we’re given an offer or deal like a free iPhone for paying $2 for a delivery, it just doesn’t make sense.

“So obviously that’s phishing for your information and phishing for your credit card details. You have to only purchase from trusted sites.”

Identifying trusted sites

Mr Ayoub said there were a few methods that helped users identify trusted sites. 

He said every site had a padlock near the company’s name.

“That padlock identifies whether it’s a secure site or not,” Mr Ayoub said.

“If the padlock is open, it’s a sign that it’s an unsecure site so it’s not verified. When the padlock is closed, it’s a sign that the site has been verified.”

Mr Ayoub said the AiiMs group always told clients to read the reviews of websites, of companies and their offerings. This is all part of the process of due diligence.

“Type in the company’s name in Google and read what they’re about before you make that purchase,” he said.

“If they’ve had no reviews, then there is something wrong. If they’ve had five reviews and they’re all good, then that will increase your trust signals.”

He said it was also important that people checked the terms and conditions of the product and service the company is offering.

Mr Ayoub said this was something that most Australians did not do.

“Unfortunately [about] 82 percent of online buyers don’t read the terms and conditions,” he said. “They’re more interested in knowing price, delivery, how fast something can come and the terms and conditions are among the smallest read pages on a site pre-purchase.”

He said terms and conditions were also governed by Common Law, so there were some consumer protections, but there were still problems.

“Again, it’s buyer beware. You are always told to read the Ts and Cs,” he said.

Check the URL itself

Mr Ayoub said another thing people could do to protect themselves from scammers was to check the URL of the site. With that information, people can do Google searches and see whether the company is a legitimate business, he said.

He said it was vital that the URL had a padlock on it.

“If the padlock is open, then it’s not a trusted site,” Mr Ayoub said.

“That business hasn’t applied the right principles of security online.”

He said “not being savvy” was no longer an excuse for people not to take precautions.

“Online has come a very long way at helping anyone of any language and of any tech background to make a purchase and view a product online,” Mr Ayoub said.

“Across the whole world, we’re seeing a very big rise in hackers and scam artists playing on the vulnerability of people not being tech savvy.

“By not being tech savvy, you don’t understand – when you click a link or are asked to click on something – that the technology being used is there to basically extract all of your personal information. It could be from your bank account, it could be from your driver’s licence.”


Hear the complete interview and catch up with other topical business news on Leon Gettler’s Talking Business podcast, released every Friday at

