The State of Phishing in Australia: Emerging Tactics & Trends

Phishing remains the top vector for initial compromise in Australia. Recent reports from the ACSC (Australian Cyber Security Centre) show a marked uptick in credential-harvesting campaigns timed to major events—tax time, public holidays and even major sports fixtures. Understanding how the tactics are evolving is what lets an organisation shift from reactive incident response to proactive risk awareness.



From Mass Email Blasts to Targeted Spear-Phishing

Attackers no longer rely solely on generic “click this invoice” lures. They now combine open-source intelligence with AI-generated spear-phishing, crafting emails that reference recent board announcements or individual staff roles. Awareness programmes must use real-life examples: share anonymised email snapshots and point out the personalisation markers—company name in the greeting, a sender whose title matches the org chart, send times that match the local time zone. The lesson is that personalisation is no longer a sign of legitimacy.



Multi-Channel Phishing

SMS and voice calls amplify email phishing. Known as “smishing” and “vishing,” these methods use the same social-engineering playbook but often escape email-centric defences such as mail gateways and link rewriting. Security teams need to raise awareness that links in SMS can be weaponised just as easily, and that a phone client offers no hover preview and usually shows a shortened URL that hides the real domain. Include simulated SMS tests in awareness campaigns to broaden staff readiness.



Phishing and Cloud Collaboration

Modern campaigns exploit cloud-based file-sharing: an attacker crafts a malicious document in OneDrive or SharePoint and sends a “shared” link. Because the link points at a legitimate Microsoft domain, reputation-based email filters often let it through; the malicious payload is the hosted document itself, or a second link inside it. Lookalike domains that merely contain “sharepoint” or “onedrive” are the other common variant. Awareness training should remind users to hover over links, confirm the actual domain behind the link text and report any unexpected cloud-sharing invitations—even from known senders if the context seems off.
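The “hover and check the real domain” advice can be turned into a mechanical check. The script below is an added example, not code from the article: it extracts every link from an email body, compares the real host against the visible link text and against a hypothetical allowlist of the tenant's own sharing hosts, and flags lookalike hosts that embed a trusted brand name. The sample email and the allowlist are constructed for illustration. Note what it cannot catch: a link that really does point at a trusted tenant but hosts a malicious document still passes, which is exactly why unexpected sharing invitations should be reported regardless.

```python
"""Added example: flag suspicious sharing links in an email body.

The sample HTML and the TRUSTED_SUFFIXES allowlist are constructed for
illustration; they are not from any real campaign or tenant.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts on which legitimate sharing links are expected.
TRUSTED_SUFFIXES = ("sharepoint.com", "onedrive.live.com", "1drv.ms")

# Constructed phishing email: one genuine link, one lookalike, one short link.
SAMPLE_EMAIL = """
<p>Hi team, the Q3 board pack is ready.</p>
<a href="https://contoso-my.sharepoint.com/:w:/g/personal/doc">Open board pack</a>
<a href="https://sharepoint.com.login-verify.example/doc">https://contoso-my.sharepoint.com/board</a>
<a href="https://1drv.ms/w/s!abc">Shared via OneDrive</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Real hostname of a URL, lower-cased; '' if there is none."""
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    """True only for the allowlisted host itself or a subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def assess_link(href, text):
    """Return the reasons a link is suspicious; an empty list means none found."""
    reasons = []
    host = host_of(href)
    scheme = urlparse(href).scheme.lower()
    if scheme not in ("https", "http"):
        reasons.append(f"unexpected scheme {scheme!r}")
    if not is_trusted(host):
        reasons.append(f"host {host!r} is not a trusted sharing host")
        # Lookalike: a trusted brand embedded in an untrusted host,
        # e.g. sharepoint.com.login-verify.example
        for s in TRUSTED_SUFFIXES:
            brand = s.split(".")[0]
            if brand in host:
                reasons.append(f"host embeds brand {brand!r} but is not the real domain")
                break
    # Visible text that looks like a URL but points somewhere else.
    m = re.search(r"https?://\S+", text)
    if m and host_of(m.group(0)) != host:
        reasons.append(f"visible URL {host_of(m.group(0))!r} differs from real host {host!r}")
    return reasons


def scan_email(html):
    """Map each href in the email to its list of suspicion reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    return {href: assess_link(href, text) for href, text in parser.links}


if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", reasons or "ok")
```

Run against the constructed email, the first and third links come back clean and the second is flagged three times: untrusted host, brand embedded in the host, and visible URL not matching the real one.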



AI-Augmented Attacks

Generative AI tools let attackers automate spear-phishing at scale. They can generate plausible email bodies, subject lines and even follow-ups when initial lures fail, in fluent English with none of the spelling and grammar tells staff were once taught to look for. This raises the stakes for awareness: staff need to ask not just “is the email from HR?” but “did I request this document?” Emphasise the value of a quick verification call or Teams message to the purported sender, over a channel other than the one the request arrived on; replying to the email only reaches the attacker.



Building Predictive Defences

While technology blocks a high volume of phishing attempts, human awareness catches the ones that slip through. Encourage a culture where reporting suspicious emails is as routine as logging in. Track metrics such as “reporting rate” (the share of recipients of a lure who report it) and “time to report” (how long after delivery the first report reaches the security team), since these show how quickly staff escalate potential threats and how early the SOC can start containment. Reward high-reporting teams to reinforce positive behaviours.
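An added example of computing those metrics from a simulated-phishing exercise, written for this page rather than taken from any product or the article: the event log, team names and timestamps below are constructed, and the event names (“sent”, “clicked”, “reported”) are an assumed format. Per team it reports the click rate, the reporting rate, the median minutes to report, and the minutes until the first report, which is the figure that matters most to the SOC.

```python
"""Added example: per-team phishing metrics from a constructed campaign log.

Events are (user, team, event, ISO timestamp); event names are an assumption
of this example. One simulated lure was sent to each user.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample data for a single simulated campaign.
EVENTS = [
    ("alice", "finance", "sent", "2024-06-03T09:00:00"),
    ("alice", "finance", "reported", "2024-06-03T09:04:00"),
    ("bob", "finance", "sent", "2024-06-03T09:00:00"),
    ("bob", "finance", "clicked", "2024-06-03T09:10:00"),
    ("bob", "finance", "reported", "2024-06-03T09:40:00"),
    ("carol", "sales", "sent", "2024-06-03T09:00:00"),
    ("carol", "sales", "clicked", "2024-06-03T09:02:00"),
    ("dave", "sales", "sent", "2024-06-03T09:00:00"),
    ("erin", "sales", "sent", "2024-06-03T09:00:00"),
    ("erin", "sales", "reported", "2024-06-03T11:00:00"),
]


def team_metrics(events):
    """Per team: recipients, click rate, reporting rate, median and first time to report."""
    sent, clicked, reported, team_of = {}, set(), {}, {}
    for user, team, ev, ts in events:
        t = datetime.fromisoformat(ts)
        team_of[user] = team
        if ev == "sent":
            sent[user] = t
        elif ev == "clicked":
            clicked.add(user)
        elif ev == "reported":
            # Keep the earliest report per user; later duplicates do not matter.
            reported[user] = min(t, reported.get(user, t))

    per_team = defaultdict(lambda: {"recipients": 0, "clicked": 0, "reported": 0, "minutes": []})
    for user, t0 in sent.items():
        m = per_team[team_of[user]]
        m["recipients"] += 1
        if user in clicked:
            m["clicked"] += 1
        if user in reported:
            m["reported"] += 1
            m["minutes"].append((reported[user] - t0).total_seconds() / 60)

    out = {}
    for team, m in per_team.items():
        out[team] = {
            "recipients": m["recipients"],
            "click_rate": m["clicked"] / m["recipients"],
            "reporting_rate": m["reported"] / m["recipients"],
            "median_minutes_to_report": median(m["minutes"]) if m["minutes"] else None,
            "first_report_minutes": min(m["minutes"]) if m["minutes"] else None,
        }
    return out


if __name__ == "__main__":
    for team, m in sorted(team_metrics(EVENTS).items()):
        print(team, m)
```

On the constructed data, finance reports at 100% with a first report four minutes after delivery, while sales reports at a third of recipients and the SOC would not hear about the lure for two hours. Note that a user who clicked and then reported (bob) still counts as a report: a late report is far more useful than none, which is why reporting rate is tracked alongside click rate rather than instead of it.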
