Cyber crime is evolving – is your business prepared?

In January 2024, multinational engineering firm Arup confirmed that a significant case of fraud had occurred in its Hong Kong office. A finance worker had attended a video call with people he believed to be the firm’s CFO and other members of staff, and agreed to send a total of HK$200 million — or roughly US$25 million — to bank accounts via 15 transactions.

The employee had received a phishing email addressed from the company’s UK office and, while he felt suspicious at its request for secret transactions, the subsequent video call allayed his concerns.

The people on the screen looked and sounded just like his colleagues, but in an alarming example of criminal sophistication, he had been duped by deepfakes created by artificial intelligence (AI).

The world has entered a golden age of scams. Data from research firm Cybersecurity Ventures shows that annual global cybercrime costs are expected to reach US$10.5 trillion in 2025, up from US$3 trillion in 2015.

Criminal tactics have become more sophisticated, with technologies like AI now used to send more phishing emails and text messages, or to produce deepfakes or voice clones. 

However, just as cyber scams are becoming more elaborate, defensive tactics are becoming more sophisticated and new innovations are emerging. In 2020, for example, cybersecurity patent applications peaked, with 453 being lodged at patent offices around the world.

And while cross-industry collaborations are seeking to build cyber resilience, advances in AI and cryptology are also fuelling new cybersecurity measures, pointing to how cyber scams may be fought in the future.

A game of cat and mouse

Shameela Gonzalez, financial services industry lead at cybersecurity company CyberCX, says an increasingly digital society has created a “playground for criminals”.

“We’re playing a constant game of cat and mouse,” she says. “Every time the good guys come up with strong prevention techniques, the criminals just have to get smarter and wiser as to how they circumnavigate them.”

Gonzalez notes that AI is proving valuable to scammers for tactics like voice cloning.

“Sometimes, scammers call and immediately manipulate you to transact, but more recently we have observed that they might just try to keep you on the line to take a voice recording,” she says. “They might not ask you to do a transaction, but your voice footprint is being fed into an engine to be manipulated and turned into a voice clip that they want.”

While AI is being used by scammers, it’s also feeding into crime-prevention techniques. Data from Precedence Research indicates that the AI-based cybersecurity solutions market is expected to grow from US$24.8 billion in 2024 to US$146.5 billion by 2034.

 

"I is planned to be the number one investment for most [small] businesses and, as a result, we think they should also look to improve their cybersecurity. As you adopt more advanced technology, the cybersecurity risks increase."

 

“Everything we do to detect irregular behaviour requires looking at large amounts of data and then building a logic that says, ‘If this looks suspicious, then alert it and make sure that something is done with it in triage’,” says Gonzalez.

“Enabling AI behind this allows you to look more efficiently across vast amounts of data and, more importantly, to generate new rules and algorithms that hunt for anomalous activity faster and more effectively.”

Mary Attard, cybersecurity lead at Accenture Australia and New Zealand, says AI is also stepping in to fill skill shortages in cybersecurity.

“It helps our defence teams protect against vulnerabilities a lot quicker, because we would need more people on the tools. The number of people that we have with the right capability and experience in markets like Australia and New Zealand hasn’t matched the rate at which security threats have grown.”

Cryptology and collaboration

Advances in cryptology are also changing the cybersecurity landscape. While evolving encryption standards dictate the safe flow of data in and out of organisations, Gonzalez notes that quantum computing may have an ability to break them. This may lead to the development of quantum-resistant technologies.

“We know that globally there is a race to develop and operationalise a quantum computer and eventually make it available to governments and large enterprises at scale,” she says. “Our greatest concern is simply to prepare for threat actors getting there faster. Internationally, regulators are already preparing for the development of post-quantum cryptography standards.”

Collective action and collaboration are also proving vital in building cyber resilience. In Australia, for example, the recently formed National Cyber Intel Partnership sees organisations like banks and telecommunications companies working together to block cyber threats and protect customers from scams.

In Singapore, the Home Team Science and Technology Agency (HTX), a statutory board formed under the Ministry of Home Affairs, is developing innovative technologies like the Online Cybersquat Hunter (OCH), which scans up to two million websites each day and flags the most suspicious for further review.

Gonzalez says collaboration will be essential to fighting cyber scams in the future.

“Industries or companies trying to fight the fight individually is not reflective of how the threat actors out there are operating,” she says. “If the threat actors are collaborating, what’s stopping industries from doing it? This should not be a competitive-advantage race.”

People as ultimate crime fighters

CPA Australia’s Asia-Pacific Small Business Survey 2024–25 shows that 40 per cent of small businesses lost time and/or money due to a cyber attack in 2024, and 41 per cent expect to be attacked this year. More than 50 per cent reviewed their cybersecurity in the past six months and over two-thirds have used cybersecurity measures in the past 12 months.

Azfar Asa’ad, senior advisor, business, investment and international at CPA Australia, says AI adoption among survey respondents is also expected to increase throughout the year, driving a great need for cybersecurity.

“AI is planned to be the number one investment for most businesses and, as a result, we think they should also look to improve their cybersecurity. As you adopt more advanced technology, the cybersecurity risks increase.”

While technologies like AI are elevating cybersecurity, they also present limitations. For example, while the “good guys” need to apply guardrails around AI, the “bad guys” do not.

“We have compliance obligations — it’s not an untethered ‘switch it on and just let it do its thing’ approach, and that’s where we have to be a little bit more constrained about its use,” says Gonzalez, adding that people within an organisation can pose the greatest cybersecurity weakness and strength.

 

"Sometimes, scammers call and immediately manipulate you to transact, but more recently we have observed that they might just try to keep you on the line to take a voice recording."

 

Tyler Wise FCPA, director of forensic accounting and digital forensics firm Cyberwise, says businesses can’t afford to ignore cyber threats.

“The cybersecurity greatest hits are things like multifactor authentication and strong passwords, but we are also encouraging our clients to think about their data storage,” he says.

“How much data do you really need to keep? For example, if a staff member or a client leaves your business, have you offboarded them entirely so that they’re no longer part of your records? Also, restrict the types of devices that can be used in your business.

I’m a big advocate for not using your own devices at work, because you can’t control what’s going on in them, so make sure you have an awareness of everything that is touching your network and has access to your data.”

Attard advises that organisations view cybersecurity as a “business-wide risk”.

“It’s not purely the IT team’s responsibility,” she says. “Cybersecurity threats are not going to go away. They will continue to evolve as we continue to develop and adopt new technology.

“It’s vital that we consider what’s coming next and how we can adapt our security measures and always remain vigilant.”

Cyber risks are financial risks, so Tyler Wise FCPA, director of forensic accounting and digital forensics firm Cyberwise, suggests making cybersecurity part of everyday client conversations. Check that clients are aware of the latest scams, that they're protecting their devices and know how to respond to a security incident.

“Let your clients know how you will and won’t communicate with them, how the ATO will or won’t communicate with them, and stress the importance of not sharing their myGov credentials,” says Wise.

“Accountants don’t need to be cybersecurity experts, but you can still talk about the basics with your clients, like not clicking on links that look unusual and letting them know about the scams that are doing the rounds,” he says. “Having open conversations with your clients about the risks is a really good defence mechanism.”

Shameela Gonzalez, financial services industry lead at cybersecurity company CyberCX, suggests speaking to your clients about unusual bank transactions.

“Banks have invested a lot in terms of proactive fraud capability, but seeing as criminals are constantly advancing their techniques, those who remain closer to their financials can pick up on something suspicious and act as quickly as possible.”

Cybersecurity checklist

What steps can businesses take to protect themselves from cybercrime?

The Australian Cyber Security Centre has a checklist for small businesses. Key areas of focus on are securing accounts, protecting devices and information, and preparing staff for a cyber incident.