eCommerceNews Australia - Technology news for digital commerce decision-makers

Exclusive: Yubico pushes for wider protection under Australia's scam bill

Mon, 31st Mar 2025

Australia's scam prevention laws are a strong start - but not enough, according to Yubico's Geoff Schomburgk.

The Asia-Pacific regional leader of the cybersecurity firm is calling for the Scam Prevention Framework Bill to extend beyond the banking, telco and digital platform sectors.

As it stands, the legislation focuses on regulated industries - but Schomburgk believes cybercriminals are already moving to exploit gaps.

"We think the scam prevention framework bill is a really good thing," he said.

"But we know that consumers have many parts of their digital online presence, and the bad actors know that too. Like water, they'll find the path of least resistance."

Schomburgk is advocating for the bill to be expanded to include more industries that handle sensitive data, such as utilities, healthcare, real estate, education and even online ticketing.

"Anyone with a username and password is a target for phishing attacks," he said.

"Your energy provider has your personal information. Your airline probably has your passport. Real estate agents want everything about you - and if they're not securing it, that's a risk."

The risk, according to Yubico, is not just the data itself, but how that data can be used to access more accounts - a cascading effect made worse by poor digital hygiene.

"Most people reuse their passwords," Schomburgk explained. "If your credentials are stolen from one place, it's very likely they'll work somewhere else."

Artificial intelligence is only making things worse, he warned.

Cybercriminals are leveraging generative AI to craft highly convincing phishing messages, voice impersonations and deepfake videos.

"There's phishing-as-a-service now," Schomburgk said. "The language is more natural, the attacks look legitimate, and that makes us more likely to be fooled."

Phishing remains the number one method attackers use to gain access, according to the latest report from the Australian Cyber Security Centre (ACSC). It found phishing was responsible for more than 80% of data breaches in the country.

"It's still the most dominant attack vector," Schomburgk added. "And it's not going away."

High-profile breaches in the last year underscore the point - from Medibank and Latitude to Ticketmaster and several Australian universities. While not all causes are public, many were rooted in compromised credentials.

"Attackers don't hack in anymore - they simply log in," Schomburgk said.

Yubico, known for its physical security keys and phishing-resistant multi-factor authentication (MFA), believes the solution lies in prevention. The company's technology aligns with the bill's goals - but tackles the problem at the front door.

"While the bill focuses on reporting and response, our technology is about prevention," he said.

"Let's stop the breaches from happening in the first place."

Schomburgk pointed to passkeys and passwordless logins as the future - and said they are not only more secure, but also more convenient for consumers.

"It's four times faster to log in and it's the most secure method of authentication today," he said. "The tech industry has got it right."

One of the most significant challenges in expanding the bill, he acknowledged, is regulation. Many of the sectors Yubico believes should be covered - like retail, education, or real estate - are not currently regulated in ways that support legislative enforcement.

"How can you enforce legislation if it's not regulated and monitored?" he asked. "But I think the bigger challenge is actually education. We need to raise awareness and help people take ownership of their own cyber hygiene."

Schomburgk believes the Australian Government has made meaningful progress, particularly with measures like the Essential Eight, changes to the Critical Infrastructure Act, and the adoption of phishing-resistant authentication for services like myGov.

"They've really stepped up their intensity around cybersecurity," he said.

"But our job is to keep the pressure on. You can't relax - the cybercriminals are always one step ahead."

Businesses outside the current scope of the bill can still act, he said, and should consider offering phishing-resistant MFA as part of their digital services.

"Think about protecting the front door," he advised. "MFA is one of the Essential Eight, and it's probably the simplest and most effective measure to implement."

He highlighted the US as a standout example of positive momentum, where phishing-resistant authentication was mandated across government agencies. That move created a trickle-down effect across the private sector and ultimately reached consumers.

"That top-down mandate has had a positive effect," he said.

Asked what surprises him most about the state of security among Australian businesses, Schomburgk said he wasn't shocked - but disappointed.

"There's a complacency across sectors," he said. "Any form of MFA is better than none - but not all MFA is created equal. Some older methods can still be phished. If the bad guys have moved on, your security can't stand still."

He sees it as part of Yubico's role - and the broader industry's - to spread that message and support government efforts.

"It's about doing the right thing, not just looking after self-interest," he said.

Education is key, Schomburgk added, and so is changing the perception that new security measures are a burden.

"People say their users aren't tech-savvy enough," he said. "But if you offered free Taylor Swift tickets, they'd figure it out. It's not about smarts - it's about motivation and managing change."

Ultimately, he said, Australia has an opportunity to be a global leader - but it will take continued focus, expansion, and collaboration between government and industry.

"Let's stop 80% of the problems at the beginning," he said. "That's the mission."