Stop the cash first: what law enforcement says about reporting fraud

Stop the cash first: what law enforcement says about reporting fraud

In an episode of CFO Magazine's Lunchtime Live, Detective Superintendent Matt Craft, Commander of the NSW Police Cybercrime Squad, joined Eftsure's Chief Revenue Officer, Sam Rahmanian, to walk Australia's finance leaders through what the police actually see when fraud hits a business. Craft will also be speaking at On the Defense, Eftsure's annual summit, in Sydney on 19 November.

The headline he opened with: most cybercrime is under-reported, and the cost of that reporting gap is paid in cash finance teams could have got back.

The brand problem the police are still trying to solve

Most cybercrime targeting Australian businesses is financially motivated. The NSW Cybercrime Squad puts the figure at around 70%. The rest is retaliation or espionage in roughly equal measure. Yet when a fraud incident hits, the police are rarely the first call.

"If you have your car stolen or your house broken into, the very first thing people think about is contacting the police. But uniquely with cybercrime, that's not the mindset."

Detective Superintendent Matt Craft, NSW Police Cybercrime Squad

A lot of this is brand awareness. Australia has dedicated cybercrime squads inside every state and territory police force, and a national coordination point in the form of the Joint Policing Cybercrime Coordination Centre (JPC3), run out of the AFP. Most finance leaders haven't met the people running them.

The 24-hour window

This is the most expensive piece of the gap. The NSW Cybercrime Squad runs a national business email compromise response called Operation Dolos out of the JPC3, alongside the AFP and the banks. When a BEC incident gets reported quickly, the first move isn't to take statements. It's to stop the cash.

"Because of the way the banking system is now, the first hop will always be an Australian bank account. We're becoming very adept at applying the financial kill chain and stopping the cash. If it's reported 24 to 48 hours after it's happened, there's a good chance we'll be able to get that."

Detective Superintendent Matt Craft, NSW Police Cybercrime Squad

The figure he gave: close to $500 million has now been returned to victims through Operation Dolos. The qualifier: the speed of reporting is the variable that decides whether a business sees that money again. After 48 hours, the funds have usually moved offshore, and recovery becomes considerably harder.

The two-step process Craft put in front of finance leaders. Call the bank first, then report through ReportCyber. ReportCyber is 24/7, accepts reports from any jurisdiction in Australia, and routes straight to the appropriate state cybercrime squad.

The three threats keeping the squad busy

Craft pointed to three threat patterns he wants finance leaders to plan against.

Business email compromise is still the most common, and it remains the easiest to influence through staff education and process discipline. Recent changes to BSB and account verification at the banks have helped, but the human path is still the easiest one for fraudsters to walk down.

Rahmanian pointed out the path is also a lot more deliberate than most finance teams assume. "Fraudsters use the same tools we do," he said. "They have customer relationship management tools, teams of finance and HR professionals, and the latest in AI." They build target lists the same way sales teams build prospect lists: by industry, by macro conditions, by signs of internal pressure. Then they pick the moment. A small invoice with updated bank details, on a Friday at 4:50pm, going into a long weekend, against a payroll run, with school holidays in the background. That sequence isn't coincidence.

Ransomware is the one Craft's team treats as "not if, but when". Sitting back and hoping it doesn't happen isn't a plan. Every board, in his view, should have approved decisions on the ransom question (paying, not paying, and how a payment would be made if it came to it) before an incident lands, and should have rehearsed the response.

The trusted insider is the threat that has grown fastest in the last three years. Unauthorised access to data, exfiltration of sensitive files, retaliation by an employee facing termination: all of it is a crime under the NSW Crimes Act, and all of it is showing up in the squad's caseload more often. The control isn't surveillance. It's the basics: permission hierarchies, USB policy, and clear escalation rules from onboarding day one.

Where the controls are still weakest

Rahmanian's view on the prevention side hit a related point. Most finance teams overestimate their controls because the checks are isolated. A confirmation-of-payee check at onboarding is good. A confirmation-of-payee check that runs once and never again is a false sense of security.

"The technology moves at a pace that changes every two weeks. Most of us can't even keep up."

Sam Rahmanian, Chief Revenue Officer, Eftsure

That's the gap fraudsters work in. They wait for someone to leave, for a new AP staffer to start, for a vendor record to need updating. The right control isn't a single gate. It's continuous, connected, and re-tested at every point of change.

His suggestion to the office of the CFO is to borrow the cyber team's playbook and build a red team of its own. Pressure-test the process during the exact windows fraudsters target: new hire week, a controller on leave, a long weekend. The point is to find the cracks before someone else does.

People, then process, then tools

Asked where the weight should sit between people, process, and technology, Craft was direct.

"People, number one. Everything else needs to complement the people. They're your best asset. They'll identify things."

Detective Superintendent Matt Craft, NSW Police Cybercrime Squad

The case study he shared was an attempted $2 million business email compromise that an early-career employee stopped because the CFO had repeatedly told her team what he would never instruct over email. The instruction in front of her broke one of those rules. She flagged it. The payment didn't move.

Rahmanian agreed people sit at the top of the stack, with one important addition. "If you draw three circles, people, process, and tools, it's the middle bit where they overlap that makes the strongest organisations." Process without people doesn't get executed. Tools without process don't have anything to enforce. People without tools and process are carrying weight they shouldn't have to.

Rahmanian's own example landed hardest. A few months after Eftsure merged with a European business, he received a WhatsApp message from the CEO of the acquired business, asking him to take a call from a French lawyer about a confidential acquisition target. The lawyer wanted an NDA signed. Rahmanian recognised the pattern. But every detail had been researched, every signal calibrated, and the pressure to keep it confidential was textbook. Even with the right training and the right instincts, the attack came close. That's what AI-enabled fraud looks like in 2026.

Before the next incident lands

The single most useful thing a finance team can do this week is make sure it has a documented response to questions like:

  • Who calls the bank?
  • Who calls the police?
  • Who interrupts the CFO in a board meeting?
  • Who has the authority to escalate without waiting for permission?

If those answers aren't written down yet, we've built something you can use. Download the Eftsure post-fraud incident checklist and walk through it with your team before you need it.

Where the rest of this conversation is happening

The webinar was an opening on a much bigger conversation finance leaders need to have: with peers, with law enforcement, and with the cyber and banking ecosystem behind them.

That conversation continues at On the Defense, Eftsure's flagship summit, on 19 November in Sydney. Detective Superintendent Matt Craft will be there, alongside senior representatives from organisations like CyberCX, Huntress, and Mastercard. One day, one mission: giving finance leaders trust and control across the entire business ecosystem.

Register for On the Defense

Banner for On The Defense Summit in November 2026 in Sydney

Author

Shanna Davis

Published

6 Jul 2026

Reading Time

7 minutes

security-image

The New Security Standard for Business Payments

security-image
security-image