Australia’s Cyber Threat Report Card: Cybercrime In The Age Of COVID-19

With the lockdowns, panics, businesses shutting up shop, and general uncertainty, 2020 has been a tough year for businesses. And amidst all this, it would be too easy for many to not spare a thought about ongoing cyber threats.

But as the Australian Cyber Security Centre (or ACSC) reports, cybercriminals haven’t just stayed as active as they were pre-COVID, but at some points become even bolder.

At the end of every financial year, the Australian Cyber Security Centre (or ACSC) releases its annual cyber threat report, and it was no different this year… and that’s what we’re talking about today.

As a business owner, it’s really easy to forget about your technology and data security at times like this. Keeping things afloat is the #1 priority for many of us. However, hackers and cybercriminals haven’t gone away, so it would be a mistake to ignore them.

In fact, the ACSC had a “bumper” year in terms of activity:


Cyber security incidents the ACSC responded to


Cybercrime reports made (or 1 every 10 mins)


Industry estimates of the annual financial fallout of cybercrime in the Australian economy

But these numbers don’t show details like the who or the how, so let’s take a closer look at the key findings...

A Different Kind of “COVID Surge”
In April, the ACSC released a threat update around coronavirus and the methods cybercriminals were using to exploit the situation (in particular, several phishing campaigns pretending to be from the Government had been detected).

These were some of the details from the ACSC:

  • At the time of the update, more than 95 cybercrime reports of Australians being scammed out of money or personal information from COVID-related scams
  • They had responded to 20 cyber security incidents that were disrupting coronavirus response services
  • Disabled over 150 malicious COVID-themed websites
  • ACCC’s ScamWatch had also received 1,100 reports around COVID-19 scams, with losses estimated around $130,000

The Numbers

The ACSC report is filled with data, so we’ve pulled out the cyber security incident statistics that matter the most.

Who Got Hit
  • The ACSC responded to 228 reported cyber security incidents on small organisations or sole traders
  • Medium-sized businesses and organisations reported 482 incidents during 2019-20 FY
  • State governments, supply chain organisations, and large businesses reported 729 cyber security incidents
How It Happened
  • 612 incidents involved malicious email attacks
  • 553 incidents compromised systems, where someone accessed or modified a network, account, DB or website without authorisation
  • 319 incidents were around system scanning, recon, or “brute force”

The Damage Done
  • There was only a single Category 1 incident—the highest severity as categorised by the ACSC—throughout the year, which was the sustained attacks on Australian government systems
  • 6 incidents were classified as Category 2
  • Most of the remaining 2,259 were assessed as Category 4 and 5 incidents, being largely cyber attacks such as targeted reconnaissance, phishing emails, and malicious software that hit larger organisations

Types Of Cybercrime
  • 23,841 (39.86%) of the reports were fraud-related, most often investment, shopping or romance scams
  • 19,467 (32.4%) were identity-related crimes
  • 13,309 (22.1%) related to cyber abuse, such as bullying or stalking

Where It Happened
  • Queensland was the unlucky “winner” in terms of most cybercrime reports made, with 14,630
  • Despite NSW having a million more people, Victoria actually had the second highest number of reports with 14,061
  • Unsurprisingly, the Northern Territory reported the least number of crimes with 463

The report also dove deeper into the primary threats identified by the ACSC, so let’s do the same...

The Threats

Phishing / Spearphishing

In late 2019, the ACSC were detecting over 4,500 malicious emails every day from the Emotet malware campaign, an email-based banking Trojan that targeted sensitive personal and financial information.

The most common cyber threat, phishing is popular for criminals and hackers for several reasons. Firstly, anyone can send an email to a list of thousands - it doesn’t require much skill or expense. Secondly, people have a natural curiosity which leads them to open emails, and often click on links. From that point, a person may be only one step away from divulging private details.

Of course, it’s easy enough to spot a poorly created phishing email, or one coming from an organisation you don’t even deal with. For example, we’ve been sent emails from the “Commonwealth Bank”… but we don’t hold any accounts with them. However, the increasing detail and care some agents use to construct legitimate-looking emails can make detection much harder, especially for lay-people.

That said, while phishing is often done through email, it can also be executed over other channels. SMS, social media message, phone call, or instant message (such as WhatsApp) are all avenues a phishing campaign could be launched through.

A phishing email is typically sent out to thousands of accounts in a generic form and without any targeting. Spearphishing is more sophisticated. They’re designed to hit a certain set of recipients, and the message created is the result of identifying high-value individuals or organisations and then researching them carefully, via reports, shareholder updates, and social media networks.


While phishing is the most common form of cybercrime, the ACSC sees ransomware as the highest threat, as it requires almost no technical expertise, costs practically nothing to run, and can seriously damage organisations and cripple core functions.

Poke around the dark web and you’ll find no shortage of tools and techniques that can make you an “insta-hacker”. More dangerously, organised crime groups are beginning to use these tools as a secondary income stream, which has led to ransomware becoming a major threat to organisations. So how does it work?

It’s really quite simple. Attackers look to install ransomware on an individual or organisation’s system. To do this, they might use a phishing campaign or trojan. Once installed, the ransomware simply encrypts the files and folders of the system, rendering it effectively useless. The attackers then demand a ransom to supply the keys to decrypt the information.

 The costs of the downtime, data recovery, and strengthening security as a result of a ransomware attack can be huge, regardless of whether the target pays the ransom or not. Ironically, organisations who pay the ransom can often become the target for repeated attacks, as they now have the “reputation” of paying up

Email Compromise

While email compromise may use the same main vector as phishing, this is a specific attack on an individual or organisation with the aim of defrauding the target for financial gain (instead of collecting private information like phishing).

In one sense, business email compromise is the opposite of phishing, though both have a criminal intent. While phishing targets hundreds or even thousands, email compromise targets are made against one particular individual or business. Phishing may appear as sloppy, generic emails, where email compromise is a surgical strike to illegally defrauding the victim.

 Typically, email compromise attacks aim to persuade someone in a business to wire payment to a seemingly legitimate account that’s actually the attacker’s. This might be done by:

Posing as a manager or CEO and asking an employee to transfer money

Pretending to be a supplier and sending a fake invoice

Hacking an employee’s account and using that to request invoice payments

The ACSC report outlines one incident where a financial employee in an Australian consulting firm was emailed by her boss (from his personal email account) and asked to urgently pay a supplier. As her manager was currently in Malaysia, she made the payment of $240,000 and sent him a screenshot of the transaction. It wasn’t until he returned that he discovered his email account had been compromised and the money had gone to the hacker’s account.

Vulnerability Exploitation

Software from popular virtual networking company Citrix was found to have a vulnerability late in 2019. While quickly fixed, the ACSC saw numerous “adversaries” attempting to exploit the vulnerability to compromise networks.

When we think of hackers sitting in darkened rooms, this is what popular media often portrays them to be doing: scanning networks or systems to find a “back door” and get access inside. Once they’re in, they deploy malicious software to start collecting sensitive data, launch ransomware, or execute some other illegal activity.

Of course, criminals can’t just “hack” their way into any system. Typically, they need a vulnerability to exploit, and in the age of so much technology, there are plenty around. Whether it’s unpatched software, a misconfigured device, a network port that’s left open, or unchanged admin credentials for a database, there are literally dozens of ways someone can potentially gain access to a business’ network.

In a year where our attention’s been elsewhere, the cyber threat has remained as a constant menace. The ACSC’s numbers back it up: cybercriminals and hackers are still thriving, even in the “Age of Corona”.

By now you might be thinking: what can I do about security, especially when I’ve got plenty of other priorities to deal with?

We’ll be exploring each of those threats in more detail with upcoming posts, and giving you specific details on how to combat each in kind. But to start with, download our free 14 Ways To Protect Yourself From A Cyber Attack cheat sheet, which will help you shore up your security in the meantime.