Phishing in Australia: how attacks are evolving and what to do

Phishing remains the most common entry point for cyber attacks in Australia, but the tactics have moved well beyond the obvious email scam. Here is how the threat has evolved and what practical defences actually work.


Phishing attacks in Australia are not getting simpler. Where once a suspicious email with broken English and an urgent request was easy to spot, today's campaigns are polished, personalised, and increasingly hard to distinguish from legitimate correspondence. For Australian IT teams, understanding how phishing has changed is no longer optional background knowledge. It is a frontline operational requirement.

The modern phishing playbook

Classic phishing cast a wide net, relying on volume over precision. That model still exists, but it has been joined by far more targeted approaches. Spear phishing, where attackers research a specific individual or organisation before crafting a message, is now common across sectors from financial services to local government. Business email compromise (BEC) has become a particularly costly variant, with criminals impersonating executives or finance teams to redirect payments or extract sensitive data.

Smishing (SMS-based phishing) and vishing (voice call phishing) have also grown significantly. Australians continue to receive fake parcel notifications, ATO impersonation texts, and MyGov alerts at scale. The Australian Signals Directorate has consistently flagged phishing as the leading initial access vector in its annual cyber threat assessments, and 2026 has seen no let-up in that trend.

AI is changing the attacker's toolkit

Generative AI has lowered the barrier for sophisticated phishing campaigns dramatically. Attackers can now produce grammatically flawless, contextually relevant lures without the tell-tale errors that once made suspicious messages easier to flag. Deepfake audio is being used in vishing attacks to impersonate senior leaders, and AI-generated video has begun appearing in more advanced fraud attempts.

This shift has significant implications for awareness training. Programmes that teach staff to spot poor grammar or generic greetings need updating, because those markers no longer reliably identify a phishing attempt. The broader acceleration of AI adoption in Australian enterprises has created a parallel dynamic on the attacker side, where the same tools being adopted for productivity are being weaponised for deception.

Sectors under particular pressure

While no industry is immune, certain sectors face disproportionate targeting. Healthcare providers, superannuation funds, and government agencies have all appeared prominently in ACSC breach reports and OAIC notifiable data breach statistics. The superannuation sector in particular has attracted sustained credential-stuffing and phishing campaigns, with attackers seeking to access retirement savings directly.

Small and medium businesses are also firmly in the crosshairs. Attackers understand that SMEs often have less mature defences than large enterprises and may lack dedicated security staff. Supply chain phishing, where a smaller supplier is compromised to reach a larger target, means that even organisations with strong internal controls can be exposed through a trusted third party.

Technical controls that make a genuine difference

No single control eliminates phishing risk, but a layered approach significantly reduces both the likelihood of a successful attack and the damage if one gets through. The following measures are widely recommended and align with the ASD's Essential Eight framework:

  • Multi-factor authentication (MFA): Even when credentials are phished, MFA prevents immediate account takeover in most cases. Phishing-resistant MFA, such as FIDO2 passkeys or hardware tokens, is preferable to SMS-based codes, which can be intercepted.
  • Email authentication protocols: Deploying SPF, DKIM, and DMARC reduces the ability of attackers to spoof your domain. DMARC in reject mode is the target configuration, though many Australian organisations still operate in monitor mode.
  • DNS filtering and secure web gateways: Blocking known malicious domains at the network level prevents many phishing-linked redirects and malware downloads from completing.
  • Privileged access management: Limiting which accounts have elevated privileges reduces the blast radius when a phishing attack does succeed.
  • Endpoint detection and response (EDR): EDR tooling can identify and contain post-phishing malicious activity on an endpoint before it escalates.
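As an added illustration of the email authentication point above (example code written for this page, not from the article or any vendor), the following Python parses a domain's DMARC TXT record and flags the monitor-mode posture (p=none) the article says many organisations still run, against the reject target. The records are constructed samples for the placeholder domain example.com.au; no DNS lookup is performed, so it runs offline.

```python
# Added example: assess a DMARC TXT record for enforcement strength.
# Records below are constructed samples, not real domains' data.

def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt: str) -> dict:
    """Return the effective policy plus findings a defender would act on."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return {"policy": None, "enforcing": False, "findings": ["not a DMARC record"]}
    findings = []
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))        # share of failing mail the policy applies to
    except ValueError:
        pct = 100
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p for subdomains
    if policy == "none":
        findings.append("monitor mode: p=none does not act on spoofed mail; move to quarantine, then reject")
    elif pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if policy != "none" and sub_policy == "none":
        findings.append("sp=none: subdomains remain unprotected")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports will not be received")
    enforcing = policy == "reject" and pct == 100 and sub_policy == "reject"
    return {"policy": policy, "enforcing": enforcing, "findings": findings}

# Constructed sample records for the two postures the article contrasts.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"
TARGET_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@example.com.au; ruf=mailto:dmarc@example.com.au")

if __name__ == "__main__":
    for label, record in (("monitor", MONITOR_RECORD), ("target", TARGET_RECORD)):
        print(label, assess_dmarc(record))
```

In practice the record to assess is the TXT value at `_dmarc.<your-domain>`; the same function can be run over a list of owned domains to find those still in monitor mode.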

The human layer: awareness that actually sticks

Technical controls are essential, but humans remain both the primary target and, with the right preparation, a meaningful line of defence. Security awareness training has a poor reputation in some quarters, often because it is treated as a compliance checkbox rather than a genuine behavioural intervention. Programmes that run annual e-learning modules and call it done are not well suited to the current threat environment.

Effective awareness programmes run simulated phishing exercises regularly, measure click rates and reporting rates over time, and tailor content to the specific scenarios employees actually face. Crucially, they create a culture where reporting a suspicious message is encouraged and rewarded, not stigmatised. An employee who clicks a link and then reports it immediately is far less damaging than one who clicks and says nothing for fear of embarrassment.

Organisations covered by the Notifiable Data Breaches scheme also have a legal incentive to get this right. A phishing-driven breach that leads to unauthorised access of personal information may trigger mandatory reporting obligations under the Privacy Act. Understanding what organisations must do when a notifiable data breach occurs is important preparation, but preventing the breach in the first place is always preferable.

Incident response: when phishing gets through

Even well-prepared organisations will face successful phishing attempts. The quality of the response in the first hours matters enormously. Key steps include isolating affected accounts and endpoints quickly, resetting credentials across any systems the compromised account had access to, and preserving logs and artefacts for forensic investigation.

Organisations should also notify relevant stakeholders promptly. If personal data may have been accessed, the OAIC's notification timeline obligations under the NDB scheme apply. Industry regulators, such as APRA for financial institutions, may have additional incident reporting requirements that run in parallel.

Phishing is not a problem that gets solved once. Attackers adapt, tooling evolves, and the social engineering playbook is continuously refined. What works in 2026 may not be sufficient in two years' time. Treating phishing defence as an ongoing programme, rather than a one-time project, is the only posture that keeps pace with the threat.
