Australia’s Big Four banks are locked in “asymmetrical warfare” against individuals, criminal syndicates, and nation-state actors, one bank’s head cyber investigator has warned while advising customer vigilance in a climate where “every bank is being attacked all the time”.

Those attacks are coming from a range of threat actors, Chris Sheehan, head of the National Australia Bank’s Group Investigations and Fraud business unit, told the ABC as he painted a worrying picture of a threat environment dominated by “sophisticated, ruthless, and resilient transnational organised crime groups”.

“They’re the ones that are driving 90 per cent of the scams that are hitting Australian victims,” Sheehan said, noting that NAB’s security team is also regularly parrying flurries of attacks from “threat actors of all different types”.

This included government-backed nation-state operators and ‘Larry the loser’ individuals “in the basement at home who [are] having a bit of a chop away on a laptop, and trying to steal money from people or hack into a system.”

“It’s asymmetrical warfare,” he said, “and it changes every day.

“And if it’s not us being attacked, our customers are being attacked in an effort to steal their information and their money.”

Sheehan’s comments come amidst an ever-intensifying war between bank cyber experts and cyber attackers that, NAB CEO Ross McEwan revealed in late 2022, was seeing 50 million attacks per month – and that was before the mainstream adoption of generative AI (genAI) technologies that have empowered attackers to increase the volume and sophistication of their scams.

After launching a range of new initiatives to bolster its cyber security and protect customers – including a bug bounty program, a crackdown on malicious insiders and a ban on clickable links in customer SMSs – NAB is claiming an early victory against scammers, announcing this month that scam losses decreased for the past two quarters.

NAB customers abandoned over $100 million in payments after the bank’s systems flagged transactions as possibly fraudulent, with NAB maintaining a near 400-strong contact centre to help customers concerned about frauds and scams.

“There are massive red flags” that can alert consumers that they are being scammed, Sheehan said – in particular, “if someone is applying pressure to you, that you’re going to miss out on something, or that you’re going to suffer a penalty if you don’t make that payment.”

Financial services sector fights to make cyber investments pay

NAB is far from the only bank dealing with the ongoing surge in cyber attacks: the latest statistics from the Office of the Australian Information Commissioner (OAIC) confirmed that financial services operators had notified it about 49 data breaches during the second half of 2023 alone, 33 of which were attributed to malicious or criminal attacks – including 14 ‘cyber incidents’ and 12 cases where social engineering or impersonation were used to trick employees or customers.

Many breaches happen outside of the control of bank security teams, with last year’s breach of law firm HWL Ebsworth found to have compromised masses of information about the customers of all Big Four banks.

Judo Bank was also caught up in the incident, while financial services giant Latitude’s breach last year had a significant blast radius.

And in April, tier-two bank Suncorp – whose acquisition by ANZ Bank was recently approved by regulators – also suffered a data breach that saw customer funds stolen.

Coming off of earlier Reserve Bank of Australia warnings about the “highly probable” impending breach of a bank’s cyber defences – and an APRA audit that last year highlighted “concerning gaps” in those defences – this level of compromise has brought regulators to the party, with government-backed war games and red-teaming testing bank defences and APRA last year introducing CPS230 resilience requirements to complement the CPS234 cyber security obligations in place since 2019.

Even as banks pull out all the stops to find new ways of stemming the flow of scams, however, Sheehan said customers should follow one simple rule: “Don’t hit send on the payment,” he said.

“Run a mile, seek advice from your bank, or talk to friends or relatives.

“But don’t hit send.”