All articles
Threat landscape · 3 Jul 2025 · 2 min read

The state of phishing in Australia: emerging tactics & trends

Phishing remains the top vector for initial compromise in Australia. Recent ACSC reports show a marked uptick in credential-harvesting campaigns that exploit major events: tax time, public holidays, even major sports fixtures. Understanding the evolving tactics is the key to shifting from reactive incident response to proactive risk awareness.

From mass email blasts to targeted spear-phishing

Attackers no longer rely solely on generic "click this invoice" lures. They combine open-source intelligence with AI-generated spear-phishing, crafting emails that reference recent board announcements or individual staff roles. Awareness programmes should use real, anonymised examples that show the personalisation markers: the company name in the greeting, time-of-day cues matching the local time zone.

Multi-channel phishing

SMS and voice calls amplify email phishing. Known as smishing and vishing, these use the same social-engineering playbook but often slip past email-centric defences. Teams need to know a link in an SMS can be weaponised just as easily as one in an inbox. Include simulated SMS tests in awareness campaigns to broaden readiness.

Phishing and cloud collaboration

Modern campaigns exploit cloud file-sharing: an attacker crafts a malicious document in OneDrive or SharePoint and sends a "shared" link. Those URLs often bypass traditional email filters. Training should remind users to hover over links, confirm the real domain, and report any unexpected cloud-sharing invitation, even from a known sender if the context feels off.

AI-augmented attacks

Generative AI lets attackers automate spear-phishing at scale, producing plausible email bodies, subject lines and follow-ups when the first lure fails. That raises the bar for awareness: staff need to ask not just "is this from HR?" but "did I actually request this document?" Emphasise the value of a quick verification call or Teams message to the supposed sender.

Building predictive defences

Technology blocks a high volume of phishing, but human awareness catches the ones that slip through. Build a culture where reporting a suspicious email is as routine as logging in. Track reporting rate and time-to-report, and reward high-reporting teams to reinforce the behaviour.

This is where layered email security and trained people meet: our work with Mimecast for threat protection and awareness, alongside identity controls that contain a credential even if a lure succeeds. A cyber health check shows where your weak points are.

Would your people catch a modern, AI-crafted lure?