
Cyber conversations: Don’t be alarmed, be alert


“We have layers of controls to help detect these sorts of compromises but we often talk about people as being one of our most important controls.” Lynwen Connick, Chief Information Security Officer, ANZ.

In this podcast series, Cyber conversations, ANZ’s Chief Information Security Officer Lynwen Connick chats to leaders about cyber security to help people understand their role in staying safe and to recognise that security is everyone's business.


To open the series ANZ Chief Executive Officer Shayne Elliott shares his recent brush with a business email compromise (BEC) scam and the important role we all have in keeping our employees, our customers, our community and ourselves protected. 


From bank vaults to guards, and now cyber, security has been and will continue to be a fundamental part of a bank’s operations. Not only is it a critically important area for the bank but also for customers and the community more broadly.


The cyber landscape is constantly changing. Cyber threats are emerging and evolving at a rapid pace along with the sophistication of the perpetrators.


As a bank, we invest heavily in cyber security; however, it cannot be managed solely by a security team. Success requires a shared responsibility across the organisation - and indeed the community.


We all have a role to play; cyber threats can happen to anyone at any time – even CEOs.


Andrew Cornell, Managing Editor of bluenotes, chats with Lynwen Connick and Shayne Elliott about their recent experience with business email compromise and advice for keeping the community safe.


What is business email compromise (BEC)?


There has been a significant increase in the number of BEC scams in recent times. A publication released by the Australian Cyber Security Centre (ACSC) shows total losses for the 2020–21 financial year were approximately $81.45 million (AUD), an increase of nearly 15 per cent from the previous financial year. Average loss per successful BEC transaction also increased by 54 per cent.


Business email compromise is when someone receives an email that appears to be a legitimate business email. Often it will be very cleverly crafted to look like it has come from someone you know - often an executive or senior member within an organisation.


Different to some of the other malicious emails we see that ask us to click on a link, these sophisticated, professional, very realistic looking emails will ask you to do something - like make a payment or provide data - making it much harder to detect automatically.


Often there's a sense of urgency. If you receive an email from the CEO of a company, it’s common to automatically jump into response mode, thinking ‘I need to action this and can’t question it – it’s from the CEO’.


But if you receive an email like this, take a minute to pause and ask yourself ‘would the CEO really ask me to do this?’


‘Would they really ask me to make an urgent payment?’ It's about actually calling it out, saying ‘that doesn't look quite right’.


Make a PACT

We use an acronym at ANZ to help people remember the simple things they can do - PACT. Make a pact to do the right thing:


  • Pause (P) before you take the action that a CEO scam or fake BEC email tells you to take. Think about what the email is really asking you to do.

  • Activate (A) two-factor authentication. If for some reason you have given your password away or it's been compromised in some way, you have a second factor. That means people can't log in as you.

  • Call (C) it out - be aware of current scams. If an email, call or SMS seems unusual, check it through official contact points or report it.

  • Turn (T) on automatic updates, because if you're running the latest version of software, you're much less likely to get these compromised emails or be subject to other sorts of malicious activity.


Don’t be alarmed, be alert


There are several processes in place to help tackle cybercrime. Our automated systems detect and block around 17 million scam messages every month; however, if some do get through, we want to ensure people recognise something suspicious and are empowered and educated on how to respond.


We work with a range of partners who help us understand the threat, including government organisations. We receive lots of really good reporting on what's currently happening so we can tune our technical responses and controls.


We have layers of controls to help detect these sorts of compromises - but we often talk about people as being one of our most important controls.



For many people, the cyber world can be a scary place; something that seems high tech, sophisticated and quite overwhelming.


However, speaking with Shayne, we see it’s about deploying basic hygiene habits to protect yourself, just as we protect ourselves by locking the doors of our homes, wearing safety belts in our cars and not leaving our credit cards lying around.


“We don't want people to be scared but we need people to be alert and be cautious,” Shayne says.


“You don't need to be a cyber security expert to do this. It is implementing basic hygiene habits to protect yourself, asking the right questions, pausing, thinking things through, and doing that little bit of due diligence.”
