Social Engineering: How Phishing Attacks Slip Past Your Tech Stack
Tags: social-engineering, phishing, cybersecurity, incident-response, australian-businesses

Claudio W. | 15 April 2026 | 7 min read

Every firewall has a gap. Every antivirus has a blind spot. And more often than not, that gap isn't in the code—it's in the person reading the email.

Social engineering remains the most effective attack vector for cybercriminals targeting Australian businesses. It's not about breaking through your security; it's about convincing your people to open the door willingly.

The Numbers Don't Lie

Consider these statistics from the ACSC Annual Cyber Threat Report:

  • 43% of cyber incidents in Australia involve social engineering or phishing
  • The average business receives 3.4 phishing emails per day
  • 82% of data breaches involve a human element—clicking links, downloading attachments, or revealing credentials

The attackers know this. They've shifted from trying to exploit code to trying to exploit people. Because people are predictable, trusting, and busy.

Why Tech Alone Can't Stop Phishing

Your email gateway catches malicious emails. Your endpoint protection blocks malicious files. Your firewall prevents unauthorized connections. That's good—but it's not enough.

Here's why: a perfectly crafted phishing email can:

  • Come from a legitimate, compromised email account
  • Contain no malware—just a convincing lie
  • Bypass all technical controls by appearing normal
  • Sit in your inbox for hours before someone clicks

The email itself isn't the problem. The decision someone makes to click it is.

The Anatomy of a Phishing Attack

Most phishing campaigns follow a recognisable pattern:

1. Reconnaissance: Attackers gather information from LinkedIn, Facebook, company websites, and data breaches. They know your CEO's name, your supplier's invoice format, and the internal terminology your team uses.

2. Spoofing or Compromise: They either forge the sender address (display name spoofing) or compromise a legitimate account through prior credential leaks. Both approaches fool most users who don't check headers.

3. Credibility Building: The email references real events, uses correct terminology, and creates urgency. "Invoice overdue," "Urgent: verify your password," "Action required: your subscription will expire."

4. The Hook: A link leads to a convincing fake login page. An attachment contains a malicious document that asks the user to enable macros. A phone number connects to a convincing "IT support" agent.

5. Exploitation: Once credentials or access are obtained, attackers move laterally, escalate privileges, and exfiltrate data—often over days or weeks before detection.

Common Phishing Tactics Targeting Australian Businesses

Business Email Compromise (BEC)

BEC attacks impersonate executives, finance teams, or vendors to request wire transfers or sensitive data. Unlike classic phishing, BEC often involves no malicious links—just a request from a trusted-looking sender.

A CFO receives an email from what appears to be the CEO: "Can you approve this payment urgently? I'll explain later."

These attacks work because they exploit authority, urgency, and discretion.

Invoice Scams

Attackers compromise vendor email accounts or create convincing fake invoices. The formatting matches the real vendor. The bank details are slightly different. The amount is close to expected.

Accounts payable teams are particularly vulnerable—they process many invoices quickly and trust vendor communications.

Credential Harvesting

Fake Microsoft 365, Google Workspace, or Australian bank login pages are hosted on compromised websites or lookalike domains. Users enter credentials, which attackers capture and use immediately.

Spear Phishing

Unlike mass phishing, spear phishing targets specific individuals with personalised content. The attacker knows your name, your role, your projects. These attacks are harder to detect and more damaging when successful.

The Human Firewall: Your Best Defence

Technical controls reduce the volume of phishing emails that reach users. But ultimately, your people are both your biggest vulnerability and your last line of defence.

Build a Security-Aware Culture

Start with awareness, not blame. People who fear punishment for mistakes will hide them. People who understand the stakes will help you catch them.

Make security part of daily conversations. Discuss real incidents (even hypothetical ones) in team meetings. Share what phishing attempts you've seen. Make it normal to question unusual requests.

Celebrate the catch, not the click. When someone reports a suspicious email, acknowledge it. When someone catches a fraudulent invoice, thank them. Positive reinforcement builds the behaviour you want.

Practical Tips for Your Team

Train your people to:

Pause before clicking. Ask: "Was I expecting this email? Does this request make sense? Would this person normally contact me this way?"

Check the sender's actual email address. Display names can be spoofed. Hover over the address to see the real domain.

Verify unusual requests through a different channel. If the "CEO" asks for an urgent wire transfer, call them. If a vendor changes their bank details, call them.

Report suspicious emails immediately. Use the reporting function in your email client. Forward them to your IT team. Better to report a false positive than miss a real attack.

Never enter credentials from an email link. Go directly to the service by typing the address in your browser or using your saved bookmark.
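As an added example (not code from the original post), the Python script below applies the "check the sender's actual email address" advice mechanically: it separates the display name from the real address and flags display-name spoofing and lookalike domains against a list of trusted domains. The trusted domains and the sample headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Domains the organisation and its known vendors really send from (constructed sample set).
TRUSTED_DOMAINS = {"example.com.au", "supplier-example.com"}

# Character swaps commonly seen in lookalike domains; both sides are normalised before comparing.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def _normalise(domain: str) -> str:
    return domain.lower().replace("rn", "m").translate(_HOMOGLYPHS)

def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def check_from_header(from_header: str) -> list:
    """Return the reasons a From header looks suspicious; an empty list means none were found."""
    display_name, address = parseaddr(from_header)
    actual_domain = _domain(address)
    if not actual_domain:
        return ["From header could not be parsed into an address"]
    reasons = []
    # 1. Display name carries an email address whose domain differs from the real sender domain.
    embedded = re.search(r"[\w.+-]+@[\w.-]+\.\w+", display_name)
    if embedded and _domain(embedded.group()) != actual_domain:
        reasons.append(f"display name shows {_domain(embedded.group())} but mail is from {actual_domain}")
    if actual_domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            # 2. Real sender domain is a lookalike of a trusted domain (rn/m, 0/o, 1/l swaps).
            if _normalise(actual_domain) == _normalise(trusted):
                reasons.append(f"{actual_domain} is a lookalike of trusted domain {trusted}")
            # 3. Display name name-drops a trusted organisation while the address is external.
            label = trusted.split(".")[0]
            if label in display_name.lower():
                reasons.append(f"display name mentions '{label}' but mail is from {actual_domain}")
    return reasons

if __name__ == "__main__":
    # Constructed sample headers, not taken from any real mailbox.
    samples = [
        "Jane Chen <jane.chen@example.com.au>",
        '"jane.chen@example.com.au" <reply@freemail.example>',
        "Example Accounts Payable <accounts@exarnple.com.au>",
        '"IT Support" <helpdesk@examp1e.com.au>',
    ]
    for header in samples:
        print(header, "->", check_from_header(header) or ["ok"])
```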

Reducing the Attack Surface

Beyond training, consider these technical and procedural controls:

| Control | Purpose |
| --- | --- |
| Multi-Factor Authentication (MFA) | Makes credential theft insufficient for account access |
| Email authentication (SPF, DKIM, DMARC) | Prevents email spoofing from your domain |
| URL inspection tools | Show the actual destination before clicking |
| Least privilege access | Limits damage if credentials are compromised |
| Regular backup testing | Ensures recovery if ransomware arrives via phishing |

Incident Response: When Someone Clicks

Despite best efforts, someone will eventually click. What you do next matters enormously.

  1. Isolate the affected device from the network
  2. Reset the compromised account's password
  3. Enable MFA if not already active
  4. Preserve evidence—don't power off the device

  1. Scope the incident—what data could have been accessed?
  2. Check for lateral movement—did the attacker access other systems?
  3. Review email rules—did the attacker set up forwarding?
  4. Notify relevant stakeholders

  1. Engage your incident response plan
  2. Consider whether regulatory notification is required
  3. Assess if law enforcement should be involved
  4. Document lessons learned
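One way to script the "review email rules" step above, as an added example that is not part of the original post: the rule dictionary format, the hiding-folder list, the keyword list and the sample rules are all constructed assumptions for illustration, not a real mail platform's schema or export.

```python
ORG_DOMAIN = "example.com.au"  # assumption: the organisation's own mail domain

# Folders attackers commonly use to hide diverted mail from the mailbox owner (assumed list).
HIDING_FOLDERS = {"rss feeds", "deleted items", "junk email", "archive", "conversation history"}
# Words that suggest a rule is intercepting replies about the attacker's activity (assumed list).
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "password", "bank", "hacked", "phishing", "suspicious", "remittance"}

def review_rule(rule: dict) -> list:
    """Return findings for one inbox rule; an empty list means nothing looked suspicious."""
    findings = []
    actions = rule.get("actions", {})
    # Forwarding to any address outside the organisation is the classic BEC persistence trick.
    for target in actions.get("forward_to", []):
        if not target.lower().endswith("@" + ORG_DOMAIN):
            findings.append(f"forwards to external address {target}")
    if actions.get("delete"):
        findings.append("deletes matching messages")
    folder = actions.get("move_to", "")
    if folder.lower() in HIDING_FOLDERS:
        findings.append(f"moves matching messages to '{folder}'")
    # Keyword triggers alone are normal (users file invoices); only report them alongside hiding or forwarding.
    matched = [kw for kw in SUSPICIOUS_KEYWORDS if any(kw in c.lower() for c in rule.get("conditions", []))]
    if matched and findings:
        findings.append(f"triggers on keywords {sorted(matched)}")
    # Attacker-created rules are often given blank or punctuation-only names so they are easy to overlook.
    if rule.get("name", "").strip() in ("", ".", ",", "..."):
        findings.append("near-empty rule name")
    return findings

def review_mailbox(rules: list) -> dict:
    """Return {rule_name: findings} for every rule that produced at least one finding."""
    return {r.get("name", ""): f for r in rules if (f := review_rule(r))}

# Constructed sample rules: one benign, two of the kind seen after a credential compromise.
SAMPLE_RULES = [
    {"name": "Project newsletters", "conditions": ["subject contains newsletter"],
     "actions": {"move_to": "Newsletters"}},
    {"name": ".", "conditions": ["subject contains invoice", "subject contains payment"],
     "actions": {"move_to": "RSS Feeds", "mark_read": True}},
    {"name": "Backup", "conditions": ["all messages"],
     "actions": {"forward_to": ["archive.example@freemail.example"], "delete": True}},
]

if __name__ == "__main__":
    for name, findings in review_mailbox(SAMPLE_RULES).items():
        print(f"rule {name!r}: " + "; ".join(findings))
```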

Measuring Your Phishing Risk

How do you know if your awareness training is working?

Phishing simulations test your team's vulnerability ethically. Send realistic phishing emails and track who clicks, who reports, and who ignores. Measure improvement over time.

Click rates should decrease with effective training. A rate above 20% indicates significant risk. Below 5% suggests good awareness.

Report rates should increase with confidence. If no one reports suspicious emails, people either aren't receiving them or aren't comfortable speaking up.

Incident data tells you what's actually getting through. If phishing is leading to ransomware, your detection and response capabilities need improvement.

The Path Forward

Phishing won't disappear. Attackers will continue to exploit human trust because it works. But you can make it significantly harder for them.

The goal isn't perfection—it's raising the cost of attack so that your organisation becomes less attractive than alternatives. Layer your defences: technical controls reduce the volume, processes catch what slips through, and trained people become your best early warning system.

Invest in awareness training. Test it. Measure it. Improve it.

Because in the end, the firewall that matters most is the one between your people and their worst impulses.

---

Need help assessing your organisation's phishing vulnerability? [Contact us](/) for a security assessment.
