When 92% of Australian organisations suffered successful phishing attacks in 2024, it became clear that traditional awareness training isn't keeping pace with cybercriminal innovation. The days of obvious spelling mistakes and foreign prince scams are long gone. Today's phishing emails are sophisticated, personalised, and increasingly difficult to spot. Australian businesses lost $84 million to these attacks last year, with small and medium enterprises bearing the brunt of increasingly clever tactics. If your team is still looking for the old red flags, they're missing the new ones entirely.
When Artificial Intelligence Becomes Your Enemy
Artificial intelligence has fundamentally changed the phishing landscape. Since ChatGPT's introduction in 2022, phishing attacks have surged by a staggering 4,151%. Australia was the eighth most targeted country in 2024, facing over 30 million phishing attempts. Attackers used AI to create highly realistic emails targeting specific business departments like IT, human resources, finance, and payroll.
The most concerning development is AI deepfake technology. In early 2024, a multinational corporation fell victim to a sophisticated scam involving AI-generated voice cloning during a video conference. Employees believed they were speaking with their CEO, who instructed them to transfer substantial funds. The voice was indistinguishable from their actual executive, complete with familiar speech patterns and insider knowledge.
AI-powered chatbots require no technical knowledge to operate, allowing cybercriminals to generate convincing emails with perfect grammar, appropriate tone, and personalised details that would have taken hours to research manually.
The red flags have evolved accordingly. Instead of looking for poor English or generic greetings, your team should be suspicious of unusually perfect communication, especially when combined with urgent requests or unusual communication methods. When someone you know suddenly starts using video calls or messaging apps they've never used before, particularly for financial requests, it's time to verify through established channels.
The $84 Million Problem: Business Email Compromise Gets an Upgrade
Business Email Compromise has become the most financially devastating cyber threat facing Australian companies. In the 2023-24 financial year, reported BEC losses totalled almost $84 million, with over 1,400 incidents averaging $55,000 in damages per attack. Queensland businesses were particularly hard hit, accounting for 434 of the confirmed reports.
Traditional BEC attacks involved criminals impersonating executives to request urgent wire transfers. Today's attacks are far more sophisticated. Vendor Email Compromise, which increased by 66% in the first half of 2024, involves attackers compromising supplier email accounts or creating convincing impersonations to redirect legitimate payments to fraudulent accounts.
Modern BEC operations involve months of preparation, with criminals studying email patterns and business processes before making their move. They research business relationships extensively, understanding payment cycles and communication patterns. Some attackers wait weeks after compromising vendor accounts, monitoring correspondence to identify the perfect moment to strike with fraudulent banking detail changes.
Warning signs include any communication involving payment changes, especially when delivered via email rather than through your usual vendor management processes. Urgent language, pressure to act quickly, and requests to keep transactions confidential are particularly concerning when they deviate from established business relationships.
The Phone Call That Follows the Email
Modern phishing campaigns have evolved beyond single-channel attacks. Cybercriminals now orchestrate sophisticated "blended threats" that combine multiple communication methods to appear legitimate.
A typical multi-channel attack begins with a phishing email designed to gather initial information or plant seeds of doubt. This is followed by a phone call from someone claiming to represent the same organisation, building on the email's narrative. The caller might reference the earlier email, ask for verification of details, or guide the victim toward a malicious website or app download.
These attacks exploit our natural tendency to trust consistent information from multiple sources. When someone calls to follow up on an email you received, it feels legitimate. Attackers also leverage popular business communication platforms like Microsoft Teams, Slack, and SMS to add credibility to their schemes.
Australian businesses should establish clear verification protocols that work across all communication channels. If someone contacts you via email, phone, and messaging about the same issue, don't assume consistency equals legitimacy. Instead, verify the request through independently established contact methods, such as calling the organisation's main number or checking their official website.
The Sneaky QR Code Trick That's Fooling Email Filters
One of the most innovative phishing techniques discovered in 2024 is the CorruptQR campaign. This sophisticated attack delivers Microsoft Office documents with intentionally corrupted headers that bypass email security filters. When recipients try to open these documents, they receive an error message prompting them to restore the readable content.
Users believe they're being helpful by fixing a broken document. When they click to restore the content, the file reconstructs itself and displays a QR code, often branded to look like a legitimate security verification or login prompt. Scanning this code leads victims to a convincing phishing website designed to steal corporate credentials and session tokens.
This attack exploits our problem-solving instincts and desire to help colleagues. The QR code element adds perceived legitimacy, as many businesses now use QR codes for legitimate security purposes.
Defence requires suspicion of documents requiring restoration, especially when they originate from unexpected sources. Before scanning any QR code, verify the sender through established contact methods and consider whether the request aligns with normal business processes.
When Everyone's Pretending to Be Someone Else
Impersonation has become the backbone of modern phishing, appearing in 89% of attacks recorded in 2024. Adobe emerged as the most impersonated brand globally, while DHL topped the list for delivery service impersonations. However, internal impersonations pose the greatest risk for Australian SMEs, with human resources departments frequently targeted because HR communications naturally involve personal information requests and urgent deadlines. New employees are especially vulnerable, typically facing sophisticated impersonation attacks within just three weeks of starting their roles.
The research phase of these attacks has become remarkably thorough. Cybercriminals study LinkedIn profiles, company websites, and social media to craft convincing personas. They understand reporting structures, current projects, and communication styles, enabling them to send emails that feel authentic even to security-conscious recipients.
Your Team Is Your Best Defence
The sophistication of modern phishing attacks means technology alone cannot protect your business. Building an effective human firewall requires moving beyond traditional awareness training. Your team needs to understand these evolving tactics and develop healthy scepticism around digital communications.
Establish clear verification procedures for financial requests, regardless of apparent urgency or seniority of the requester. Create a workplace culture where questioning suspicious communications is encouraged rather than seen as obstructive.
Consider implementing Essential 8 compliance measures and comprehensive cybersecurity training that addresses both technical vulnerabilities and human factors. In 2025, cybersecurity awareness isn't just the IT department's responsibility—it's everyone's job to protect your business from these increasingly sophisticated threats.
