The Australian businesses fighting payments fraud

The rise of digital payments technology has sped up the process of paying and getting paid for businesses across the globe - and it's also boosted the number of ways they can get fleeced.

One in two businesses say they have been the victim of economic crime or fraud in the past, according to a PriceWaterHouseCoopers survey published in June of more than 7,000 organisations across the globe.

Director of CyberRisk Wayne Tufek lifts the lid on small business systems to find where they're vulnerable to attack from hackers and scammers.

Photo: Darrian Traynor

The perpetrators of these crimes range from senior managers to unscrupulous customers and cyber criminals who develop sophisticated schemes to redirect customer’s cash, the report says.

Meanwhile, businesses are scrambling to work out how to protect themselves from scams and hacks - and a cohort of Australian startups are hoping to lend a helping hand.

Smaller operators vulnerable

Co-director of Melbourne startup CyberRisk, Wayne Tufek, says smaller operators in particular are vulnerable to a range of attacks, and most of the losses come back to not having the basics in place.

He says even more sophisticated scams, including those where a third party impersonates a supplier  to direct payments into fraudulent accounts, start with one breach of a system.

“One case is where the attacker has got into the email system and they’re intercepting all the emails and picking which ones they’re going to fiddle with,” Tufek says.

CyberRisk, which Tufek co-founded with Leong Wang, turns over more than $1 million and has found a niche helping small companies test their cybersecurity credentials through services like its Cyberrisk Sensor, which tests company’s systems and gives them a cyber strength score.

Tufek says in general, the results of these tests reveal vulnerabilities that can be easily fixed - things like having no outbound internet controls, meaning staff can download anything, or not having bought the right antivirus package for their systems.

“And things like multifactor authentication are not complicated - it’s relatively easy to activate.”

Multi-factor authentication, where systems are set up so they require another level of information beyond a password to access, is something bigger firms like accounting platform Xero are also pushing.

Xero is pushing its small business customers to sign up to two-factor authentication before it becomes compulsory for all users of its accounting software from the end of the year.

“This simple step significantly reduces the risk of unauthorised access to accounts by someone hacking your password, and acts like a deadbolt on the door,” Xero Australia managing director Trent Innes says.

Lack of change

However, as threats in the digital payments space continue to emerge, many operators haven’t caught up, believes co-founder of EFTsure, Ian Mirels.

“Internal controls in business haven’t changed that much in 20 years,” he says.

Mirels and co-founders Mike Kontorovich and Mark Chazan launched their payments security business in 2014.

EFTsure co-founders Mike Kontorovich, Ian Mirels and Mark Chazan.

Photo: Supplied.

The company’s ‘Know Your Payee’ technology sits over a company’s banking platform. When a business inputs payment information, the platform draws on a range of data sources to verify that payee and raises an alarm if it looks like the payment is going to the wrong person.

EFTsure launched to address the problem that Australian banks don’t take the full data picture, including the name of a payee, when processing transactions.

The approach fights the rise of “business email compromises”, where scammers infiltrate emails or invoices and change BSB and account numbers so that funds are misdirected.

“We use a multitude of verification techniques,” Mirels says.

The business, which is forecasting $5 million turnover this year, aims to stop incorrect payments by warning businesses the minute they enter payment details.

“We’re focused on the unique way we’re verifying info, at the point of payment - so before the payment gets released," Mirels says.

It’s not just malicious hackers than can hurt a business - customers can also pose a threat.

Risk from customers

ASX-listed fintech ISignThis provides a “Paydentity” service to businesses to verify their customer’s identities when they are on-boarded, including for sectors that need to know who they are dealing with under anti-money laundering regulations.

Chief executive John Karantzis says it’s also critical that businesses selling high-value items know who they’re dealing with, to prevent customer fraud and ensure delivery of expensive goods.

“Even retail merchants that don’t have a regulatory requirement to verify you, they want to be sure of your identity,” he says.

Australia’s IT security consulting space is worth $4 billion annually, according to Ibisworld. Karantzis says while it seems like there’s been a growth in Australian businesses fighting cyber security and fraud across the board, these challenges are not new to businesses.

“From the very first day credit cards were accepted on the internet, this has been a problem,” he says.

Follow MySmallBusiness on Twitter, Facebook and LinkedIn.

Most Viewed in Business