Navigating And Combatting Scams In Banking
Posted: Friday, Feb 07


Australia's banking sector is dedicated to protecting its customers from sophisticated criminal networks through the Scam-Safe Accord, a globally leading initiative designed to disrupt, detect, and respond to scam activity. This industry-wide commitment unites community-owned banks, building societies, credit unions, and commercial banks under a comprehensive framework of anti-scam measures to strengthen financial security.

Digital security is important for protecting both banks and their customers. If done correctly, it can significantly improve business brands and give customers confidence that their funds are safe.

Many financial institutions are targeted by cybercriminals due to the sensitive data they hold. Indeed, the January to June 2024 Notifiable Data Breaches report from the OAIC found that the finance sector is among the top five industries reporting the highest number of data breaches in the six month period.

The Australian Government's ScamWatch also recently reported that there were 249,440 scams during 2024, resulting in reported losses of $318,762,688.02, with investment scams making up 60 per cent of the total. Separately, the CBA is investing more than $800 million to help protect customers against fraud and cybercrime.

This highlights the need for collaboration among banks, financial institutions, and regulatory bodies to mitigate these risks. Securing information assets to be resilient against a broad spectrum of threats is a journey many Australian organisations find themselves on. A steady stream of data breach disclosures – and a desire not to join that list – is keeping them motivated to stay the course.

For banks and other financial entities, there's additional motivation in the form of regulation – Australian Prudential Regulation Authority (APRA) Prudential Standard CPS 234 – which aims to ensure their information security capabilities are proportionate to their risks.

However, the growing sophistication of cybercrime tactics is a major concern. Generative AI is one attack vector that enables nefarious players to create highly realistic phishing emails and social engineering scams, making them more difficult to detect. These AI-powered attacks exploit human vulnerabilities, often targeting employees or customers with personalised messages designed to trick them into revealing sensitive information.

Key areas in cybersecurity related to scams

The cyberthreats faced by banks and other financial institutions are many and varied. Some of the most significant include:

  • Credential theft: Stolen usernames and passwords continue to be a major vulnerability. Implementing password-less authentication protocols and two-factor authentication can significantly reduce this risk.
  • Identity theft: Identity theft occurs when a cybercriminal gains access to personal documents such as your passport, licence or birth certificate, or even a photo of one on your electronic device or in your emails, and uses them to steal your identity. This could allow them to withdraw money from accounts or apply for a new credit card or bank loans in your name.
  • Phishing and social engineering: These tactics, often powered by AI, remain the top threats facing organisations globally, including banks. Attackers exploit human error by impersonating legitimate institutions to gain access to confidential information.
  • Remote access scams: In this scam, a malicious actor gains access to a system or device from another location. This is often done by tricking clients into clicking a link or downloading software that gives them access.
  • Exploited application vulnerabilities: Banks are frequently targeted by hackers who seek to exploit weaknesses in software applications. With mobile applications deployed on customers’ devices, a strong methodology around the Secure Software Development Lifecycle, code obfuscation, tamper resistance and data protection is as important as keeping the software stack up to date.

Government and Industry Key Initiatives

It's encouraging to see the industry and government collaborating to address these issues. Some of the initiatives being undertaken include:

  • The Scam-Safe Accord, including payee verification technology: Several banks have announced the rollout of confirmation of payee technology to reduce scams, supported by a $100 million investment in a new system across all Australian banks, as part of the Scam-Safe Accord. Other focus areas of the Scam-Safe Accord include:
      • Biometric checks and other controls for new online accounts
      • Increased warnings, payment delays and security questions
      • Shared scams intelligence across the banking sector
      • Limits on high-risk payment channels
  • Scam indicator tool: Launched by Telstra and CBA in mid-2023, this pilot program helps detect phone scams. The tool enables CBA to identify if a customer is on a phone call while making a transaction, which is a potential indicator of a scam. This has significantly increased the bank’s ability to detect phone scams.
  • Payment prompts: The NAB introduced prompts in its digital banking platform to alert customers to potential red flags during transactions. These prompts have been highly effective, helping customers avoid over $50 million in payments to suspected scammers within eight months.
  • Bank actions on cryptocurrency exchanges: From mid-2023, major banks limited transactions to high-risk cryptocurrency exchanges, reducing scam payments and deterring criminals from operating in Australia.
  • The Scams Prevention Framework Bill, proposing a broader, ecosystem-based approach to tackling scams, is currently being reviewed by parliament.

A multifaceted approach to strengthening bank cybersecurity

Banks and financial services firms can implement various initiatives to strengthen their cybersecurity measures. A good example is the CBA NameCheck security tool, launched to help customers avoid potential false billing scams and payments.

One such approach is “deliberate friction,” which introduces additional checks and balances when customers make third-party payments. Financial institutions can:

  • Verify the destination account against recent scam complaints by linking to complaints management data
  • Hold payments for 24 hours when sending funds to new accounts, a safeguard that can be seamlessly implemented through customer journey design enabled by engagement banking platforms
  • Cross-check accounts with the ASIC register to identify potential scam accounts, aligning with the latest anti-scam initiatives
  • Utilise analytics to detect unusual payment patterns, such as irregular transaction sizes or frequencies often associated with romance scams.
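As an added illustration (not code from the article or from Backbase), the deliberate-friction rules above expressed as a single payment-screening check: a scam-complaint lookup on the destination, a 24-hour hold for a first payment to a new account, a confirmation-of-payee name comparison, an amount-anomaly check against recent history, and the phone-call signal from the scam indicator tool described earlier. All account numbers, names and history values are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Payment:
    customer: str              # paying customer's id
    payee_name: str            # recipient name as typed by the customer
    dest_acct: str             # destination "BSB/account" (hypothetical format)
    amount: float
    at: str                    # ISO-8601 timestamp of the transaction
    on_phone_call: bool = False  # signal like the Telstra/CBA scam indicator

# Constructed sample reference data (hypothetical accounts, not real ones)
SCAM_COMPLAINTS = {"062-000/12345678"}                 # accounts named in recent scam complaints
REGISTERED_NAMES = {"062-000/11112222": "Bob Jones",   # account-holder names for confirmation of payee
                    "062-000/99998888": "Carol White"}
KNOWN_PAYEES = {"alice": {"062-000/11112222"}}        # accounts each customer has paid before
HISTORY = {"alice": [120.0, 80.0, 150.0, 95.0]}       # recent payment amounts per customer

def _norm(name: str) -> str:
    # Case- and whitespace-insensitive comparison of payee names
    return " ".join(name.upper().split())

def assess(p: Payment) -> dict:
    """Decide how much friction to apply: block, hold (24h), warn, or allow."""
    if p.dest_acct in SCAM_COMPLAINTS:
        return {"decision": "block", "reasons": ["destination named in scam complaints"], "release_at": None}
    reasons = []
    if p.dest_acct not in KNOWN_PAYEES.get(p.customer, set()):
        reasons.append("first payment to this account")
    registered = REGISTERED_NAMES.get(p.dest_acct)
    if registered is None or _norm(registered) != _norm(p.payee_name):
        reasons.append("payee name does not match account holder")
    hist = HISTORY.get(p.customer, [])
    if hist and p.amount > 3 * sum(hist) / len(hist):
        reasons.append("amount far above customer's usual size")
    if p.on_phone_call:
        reasons.append("customer on a phone call during the transaction")
    if "first payment to this account" in reasons:
        # New payee: hold the payment for 24 hours before release
        release = datetime.fromisoformat(p.at) + timedelta(hours=24)
        return {"decision": "hold", "reasons": reasons, "release_at": release.isoformat()}
    if reasons:
        # Known payee but something looks off: show a payment prompt / warning
        return {"decision": "warn", "reasons": reasons, "release_at": None}
    return {"decision": "allow", "reasons": [], "release_at": None}
```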

By embedding these safeguards, banks can proactively mitigate fraud risks and enhance customer protection.

Additionally, banking institutions should look to boost security awareness among all staff and customers.

Regular training for employees and customers is essential in the fight against cybercrime and scams. Educating users on how to identify phishing attempts, protect their personal information, and report suspicious activity is paramount.

Training should be ongoing and adapted to reflect the latest threats. Banks can also leverage gamification techniques to make security awareness training more engaging and effective.

It is also important for security teams to take steps that minimise credential theft. Transitioning to password-less authentication methods, for example, significantly reduces the attack surface and protects against compromised credentials.

Engagement Banking platforms help banks combat scams by leveraging their extensive ecosystem and digital capabilities. They provide seamless access to a wide range of capabilities, including Know-Your-Customer (KYC), Anti-Money Laundering (AML), biometric verification, transaction monitoring, fraud detection, and compliance solutions, sourced from a curated network of local and global providers.

The cybersecurity landscape is constantly evolving, posing continuous challenges for banks against sophisticated cybercriminals. However, by adopting a comprehensive cybersecurity strategy that integrates multiple data sources and streams and enhances the digital experience, banks can significantly bolster their defences and protect their customers.

Jeremy Thomas
Jeremy Thomas is Regional Director at Backbase, a leading global provider of digital banking platforms, based in Sydney. He has over 16 years of experience in sales and consulting in the banking and financial services industry and works with financial services organisations to achieve their digital transformation goals, offering them innovative, agile, and customer-centric solutions.