Phishing is responsible for more than 90% of data breaches globally, and it remains the most common initial access method in Australian cybercrime incidents. Yet it is also one of the most preventable threats, provided you have the right combination of technical controls and staff awareness in place.
This guide covers how phishing works in 2026, the specific attack types most commonly targeting Australian businesses, and the layered controls that reduce your exposure to an acceptable level.
What Is Phishing?
Phishing is a social engineering attack in which an attacker impersonates a trusted entity (your bank, your IT team, a supplier, the ATO) to trick a recipient into taking an action that compromises security. That action is usually one of three things:
- Clicking a link that leads to a fake login page (credential harvesting)
- Opening a malicious attachment that installs malware or ransomware
- Completing a fraudulent financial transaction, such as redirecting a payment to an attacker-controlled account
What has changed significantly in recent years is the quality and personalisation of phishing attempts. AI-generated emails are now grammatically perfect, use the correct company branding, and reference real individuals and relationships. The era of "spotting phishing by looking for bad spelling" is effectively over.
The Main Types of Phishing Targeting Australian Businesses
Business Email Compromise (BEC)
BEC is the highest-value phishing variant and the one Australian businesses lose the most money to. An attacker either compromises a legitimate email account or creates a convincing lookalike domain, then uses it to impersonate a senior executive or trusted supplier to redirect a payment. The Australian Competition & Consumer Commission (ACCC) reported $79 million in BEC losses in 2023, and that figure only captures reported incidents.
Credential Phishing
The attacker sends an email that appears to come from Microsoft, Google, or your IT provider, directing the recipient to a fake login page designed to capture their username and password. Once those credentials are stolen, the attacker has legitimate access to your email, files, and any other systems using the same password. This is the most common entry point for ransomware attacks.
Spear Phishing
A targeted attack on a specific individual or organisation. The attacker researches the target using LinkedIn, company websites, and social media to create a highly personalised message, referencing real colleagues, projects, or recent events. Spear phishing messages have significantly higher click rates than generic attacks.
Smishing & Vishing
Phishing via SMS (smishing) and phone calls (vishing) has increased sharply, with attackers impersonating the ATO, banks, and NBN providers. These are often used in combination with email phishing: for example, a follow-up call from an "IT support technician" asking you to confirm a code sent to your phone.
The Technical Controls That Stop Phishing
No single control eliminates phishing risk. The effective approach is layered: multiple controls that each reduce the probability of a successful attack.
1. Multi-Factor Authentication (MFA)
MFA is the single most effective technical control against credential phishing. Even if an attacker successfully captures a password via a phishing page, MFA prevents them from using those credentials to access your systems. Enable MFA on every system that supports it: email, VPN, cloud applications, and any remote access tool. If you can only implement one control immediately, make it this one.
2. Email Authentication: SPF, DKIM, and DMARC
These three email standards work together to verify that emails claiming to come from your domain are genuinely sent by you, and to block or quarantine those that aren't.
| Standard | What It Does |
|---|---|
| SPF (Sender Policy Framework) | Publishes a list of mail servers authorised to send email on behalf of your domain |
| DKIM (DomainKeys Identified Mail) | Adds a cryptographic signature to outgoing emails, allowing recipients to verify the message hasn't been tampered with |
| DMARC (Domain-based Message Authentication, Reporting and Conformance) | Tells receiving mail servers what to do with emails that fail SPF and DKIM checks: quarantine, reject, or report |
DMARC enforcement at p=reject prevents attackers from spoofing your domain to target your clients or supply chain, a particularly damaging attack vector. Many Australian businesses have SPF configured but no DMARC policy, leaving their domain open to impersonation.
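As an added example (not code from the original article), the following Python script parses SPF and DMARC TXT records and reports the gaps this section describes, such as a domain with SPF configured but a DMARC policy of p=none. The records, the domain and the report address are constructed placeholders; in practice you would fetch the real TXT records over DNS.

```python
# Added example (not from the original article): parse the SPF and DMARC TXT
# records a domain publishes and report whether they actually enforce.
# Records are constructed inline so this runs offline; in practice fetch the
# TXT records for yourdomain and _dmarc.yourdomain with a DNS library.

def parse_spf(record: str) -> dict:
    """Return the mechanisms and the qualifier on the 'all' mechanism."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return {"valid": False, "mechanisms": [], "all": None}
    all_qualifier = None
    for term in parts[1:]:
        if term.lstrip("+-~?").lower() == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"  # '+' is the default
    return {"valid": True, "mechanisms": parts[1:], "all": all_qualifier}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(spf_record: str, dmarc_record: str) -> list:
    """Return findings a defender should act on; an empty list means enforcing."""
    findings = []
    spf = parse_spf(spf_record)
    if not spf["valid"]:
        findings.append("SPF: no valid v=spf1 record published")
    elif spf["all"] in (None, "+", "?"):
        findings.append("SPF: unauthorised senders are not failed (end with -all or ~all)")
    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "").lower()
    if dmarc.get("v", "").upper() != "DMARC1" or not policy:
        findings.append("DMARC: no policy published; the domain can be spoofed freely")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; move to p=quarantine or p=reject")
    if dmarc.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={dmarc['pct']} leaves part of the mail stream unenforced")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings

# Constructed records showing the common 'SPF configured but DMARC not enforcing' gap.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
GOOD_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com.au"
```

Running `assess(WEAK_SPF, WEAK_DMARC)` returns the two DMARC findings, while the GOOD pair returns an empty list.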
3. Advanced Email Filtering
Microsoft 365 Defender and Google Workspace include advanced threat protection that scans links at click time (not just at delivery), detonates attachments in a sandbox, and detects impersonation attempts. These features need to be explicitly enabled; they are not always on by default at every licence tier.
4. DNS Filtering
A DNS filtering service blocks access to known malicious domains at the network level, before a connection is established. Even if a user clicks a phishing link, DNS filtering can prevent the device from reaching the malicious site. Solutions such as Cisco Umbrella, Cloudflare Gateway, and similar services are available at low per-user cost and are straightforward to deploy.
5. Endpoint Detection & Response (EDR)
If a phishing email delivers a malicious attachment that executes on a device, EDR provides the detection and containment capability to limit the damage. Modern EDR solutions detect behavioural anomalies that signature-based antivirus would miss, including fileless malware delivered via phishing documents.
The Human Layer: Security Awareness Training
Technical controls reduce the probability of phishing succeeding, but they don't eliminate it. The human layer, staff who can recognise and correctly respond to suspicious messages, is the essential complement to technical defences. One well-trained employee who reports a phishing email before clicking can prevent an incident that would otherwise cost tens of thousands of dollars.
Effective security awareness training is not a one-hour annual e-learning module. The evidence is clear that training which changes behaviour consists of:
- Simulated phishing campaigns: regular, realistic phishing simulations sent to your staff. Employees who click receive immediate, context-specific education rather than punishment
- Short, frequent training: 5 to 10 minute modules delivered monthly, covering current attack techniques rather than generic cybersecurity concepts
- Clear reporting mechanisms: staff need to know exactly how to report a suspicious email and feel safe doing so without fear of reprisal
- Regular communication: when a new phishing technique is circulating (ATO impersonation, fake Microsoft alerts), inform your team immediately with concrete examples
Specific Controls for Business Email Compromise
BEC deserves specific attention because the losses can be catastrophic and the attack often bypasses technical email filters: the email comes from a legitimate account or a convincing lookalike domain.
- Verbal verification for payment changes: establish a firm policy that any request to change bank account details, redirect a payment, or process an urgent transfer must be verbally confirmed by phone with the known party, using a number you already have on record (not one provided in the email)
- Dual authorisation for large transfers: require two approvers for any payment above a defined threshold, using separate authentication
- Monitor for lookalike domains: services that alert you when a domain similar to yours is registered, a common precursor to a BEC campaign targeting your clients
- Restricted sender rules: email filtering rules that flag external emails with display names matching your internal executives or common supplier names
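As an added example that is not part of the original article, this Python check implements the lookalike-domain and restricted-sender controls above, and goes slightly beyond them by also flagging a Reply-To domain that differs from the sender domain. The internal domain, executive names and sample headers are constructed assumptions, and the two-edit threshold is a heuristic that needs tuning for short domain labels.

```python
# Added example (not from the original article): inbound-mail flagging that
# implements the "restricted sender rules" and "lookalike domain" controls
# above, plus a Reply-To mismatch check. Domain and names are constructed.
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com.au"           # assumption: your real mail domain
EXECUTIVES = {"jane citizen", "john smith"}  # assumption: display names to protect

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as examp1e or exarnple."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str) -> bool:
    """True for a domain that is not ours but is within two edits of our first label."""
    if not domain or domain == INTERNAL_DOMAIN:
        return False
    ours = INTERNAL_DOMAIN.split(".")[0]
    return levenshtein(domain.split(".")[0], ours) <= 2

def check_message(headers: dict) -> list:
    """Return reasons to hold the message for review; an empty list means clean."""
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    if domain != INTERNAL_DOMAIN and name.strip().lower() in EXECUTIVES:
        reasons.append(f"external sender using executive display name '{name}'")
    if is_lookalike(domain):
        reasons.append(f"sender domain '{domain}' looks like {INTERNAL_DOMAIN}")
    reply_domain = parseaddr(headers.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != domain:
        reasons.append(f"Reply-To domain '{reply_domain}' differs from sender domain")
    return reasons

# Constructed sample headers: one legitimate internal message and three BEC patterns.
SAMPLES = [
    {"From": "Jane Citizen <jane.citizen@example.com.au>"},
    {"From": "Jane Citizen <jane.ceo.urgent@gmail.com>"},
    {"From": "Accounts <accounts@examp1e.com.au>"},
    {"From": "Acme Billing <billing@acme.example>", "Reply-To": "billing@acme-pay.example"},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["From"], "->", check_message(msg) or ["clean"])
```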
Want to know how phishing-resistant your business actually is? We offer simulated phishing assessments that give you a baseline and a clear improvement roadmap, without any technical disruption to your operations.
A Practical Phishing Protection Checklist
Use this as a starting point for a conversation with your IT team or provider:
- MFA enabled on Microsoft 365 / Google Workspace for all users
- MFA enabled on VPN and any remote access tools
- SPF, DKIM, and DMARC configured on all business domains, with DMARC at p=quarantine or p=reject
- Microsoft Defender for Office 365 (Plan 1 minimum) or equivalent enabled and configured
- DNS filtering deployed across all devices
- EDR solution deployed on all endpoints
- Simulated phishing program running at least quarterly
- Payment change verification policy documented and communicated to finance staff
- Suspicious email reporting process clearly communicated to all staff
The Bottom Line
Phishing is not going away, and the attacks are becoming more sophisticated every year. But the controls that stop phishing are well-understood, accessible to businesses of any size, and, when implemented correctly, genuinely effective. The combination of MFA, email authentication, advanced filtering, and regular staff training reduces your risk to a fraction of what it would be with no controls in place.
The key is implementing these controls proactively, before an incident, rather than reactively after one. The cost of prevention is a small fraction of the cost of recovery.