Phishing Attacks Are Getting Smarter. Here's What to Watch For


Remember when phishing emails were obvious? Bad grammar, ridiculous stories, requests from royalty you’d never heard of?

Those days are gone.

The phishing emails landing in Australian inboxes now are polished, personalised, and increasingly difficult to spot. I’ve seen examples that fooled experienced IT professionals. And if they can be fooled, so can anyone in your business.

How Phishing Has Changed

AI-generated content. Attackers are using large language models to write grammatically perfect, contextually appropriate emails. No more spelling mistakes or awkward phrasing to tip you off.

Localisation. Phishing campaigns targeting Australia now reference real Australian companies, use Australian English spelling, and even mention local events. I’ve seen phishing emails referencing specific ATO deadlines and Australia Post tracking numbers.

Multi-channel attacks. It’s not just email anymore. Attackers are using SMS (smishing), voice calls (vishing), and even LinkedIn messages. Sometimes they’ll combine channels - an email followed by a “verification” phone call.

Deepfakes in video calls. This one’s emerging but terrifying. Attackers can now create convincing video deepfakes for quick calls. Imagine receiving a video call from your “CEO” asking for an urgent transfer.

The Most Common Phishing Tactics in Australia Right Now

Based on what I’m seeing with clients and in ACSC reports:

1. Fake Microsoft 365 login pages. Your staff receive an email about a shared document, an expired password, or a full mailbox. They click the link, see what looks exactly like the Microsoft login page, and enter their credentials. Except it’s not Microsoft - it’s a clone that sends those credentials straight to the attacker.

2. Invoice fraud. An email appears to come from a supplier, asking you to update their bank details for future payments. The address looks right at a glance: a look-alike domain one letter off from the real one, or the supplier’s name bolted onto an unrelated domain. Sometimes it is the supplier’s genuine mailbox, compromised earlier, so the address is perfect. You update your records, and the next payment goes to the attacker.

3. ATO impersonation. Tax time brings a flood of fake ATO emails warning about refunds, audits, or required updates. The stress of anything tax-related makes people click without thinking.

4. Courier notification scams. “Your package couldn’t be delivered. Click here to reschedule.” With so much online shopping, these feel completely normal. The link leads to malware or credential theft.

5. Internal impersonation. Attackers compromise one email account in your organisation, then use it to send requests to others. “Hey, can you quickly send me the updated customer list?” It’s from a colleague’s real email address, so why would you suspect it?

What to Tell Your Team

Training alone won’t stop phishing. But training can reduce the success rate and increase the speed of reporting. Here’s what I tell teams:

Check before you click. Hover over links (press and hold on a phone) to see where they actually go, and read the hostname from the end: the last two or three labels (the part like example.com.au) say who owns the site, not a familiar name earlier in the address. Look for slight misspellings in domain names. When in doubt, don’t click: open a browser and navigate to the site yourself.

Be suspicious of urgency. Phishers want you to act fast before you think. Any email demanding immediate action (“Your account will be closed in 2 hours”) should trigger suspicion, not panic.

Verify through another channel. If an email asks you to do something sensitive - transfer money, share data, change credentials - verify it through another method. Call the person using a number you already have, not one in the email.

Look at the actual email address. Not the display name, the actual address. And look carefully: the word “microsoft” appearing somewhere in an address does not make it Microsoft. A domain that merely contains the brand as a subdomain, or differs from the real one by a single letter, belongs to the attacker.
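The two checks above (where a link really goes, and which domain the sender actually uses) are mechanical enough to automate in a gateway or a triage script. The block below is an added example, not code from the original article: it parses a raw message, pulls every link out of the HTML body, and flags a display name or link text that names a brand while the registrable domain belongs to someone else. The brand-to-domain table, the two sample messages and the domain names in them are constructed for the example, and the registrable-domain helper is a deliberate approximation of the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brand aliases (lower-case tokens) and the registrable domains allowed to use them.
# Constructed for this example; maintain a curated list in production.
BRANDS = {
    "Microsoft": ({"microsoft", "office365"}, {"microsoft.com", "microsoftonline.com", "office.com"}),
    "ATO": ({"ato", "taxation"}, {"ato.gov.au"}),
    "Australia Post": ({"auspost"}, {"auspost.com.au"}),
}

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Owner-controlled part of a hostname: the last two labels, or three under
    two-level country suffixes such as .com.au / .gov.au.  An approximation
    assumed for this example; production code should use the Public Suffix List."""
    labels = (host or "").lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in {"com", "gov", "net", "org", "edu"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def brand_mismatches(text, domain):
    """Brands named in `text` whose legitimate domains do not include `domain`."""
    tokens = set(re.findall(r"[a-z0-9]+", text.lower()))
    return [name for name, (aliases, domains) in BRANDS.items()
            if tokens & aliases and domain not in domains]

def html_body(msg):
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            return part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    return ""

def analyse(raw_message):
    """Return human-readable findings for one RFC 5322 message; [] means nothing odd."""
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    # Display name and mailbox name may both carry the brand; only the
    # registrable domain says who controls the sending address.
    for brand in brand_mismatches(display + " " + addr, sender_domain):
        findings.append(f"sender claims {brand} but mail comes from {sender_domain}")
    extractor = LinkExtractor()
    extractor.feed(html_body(msg))
    for href, text in extractor.links:
        href_host = urlparse(href).hostname or ""
        href_domain = registrable_domain(href_host)
        # Visible link text that is itself a URL, but for a different site.
        shown = urlparse(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and registrable_domain(shown) != href_domain:
            findings.append(f"link text shows {shown} but points to {href_host}")
        for brand in brand_mismatches(text + " " + href_host, href_domain):
            findings.append(f"link mentions {brand} but points to {href_domain}")
    return findings

# Constructed samples: a look-alike Microsoft 365 lure and a benign notice.
PHISH_SAMPLE = """\
From: "Microsoft 365 Team" <noreply@microsoft.account-verify.net>
Subject: Your mailbox is almost full
Content-Type: text/html; charset="utf-8"

<p>Your mailbox has reached its limit. Sign in within 2 hours to avoid suspension.</p>
<p><a href="https://microsoft.account-verify.net/login">https://login.microsoftonline.com</a></p>
"""
LEGIT_SAMPLE = """\
From: "Microsoft account team" <noreply@microsoft.com>
Subject: Sign-in from a new device
Content-Type: text/html; charset="utf-8"

<p>Review this activity: <a href="https://login.microsoftonline.com/">Sign in</a></p>
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, analyse(sample) or "no findings")
```

The lure produces three findings (brand in the sender with a foreign domain, link text that names one host while the href goes to another, and the brand in the link itself) and the benign notice produces none. The same token-and-domain comparison works for a supplier list in place of the brand table.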

When in doubt, report it. Make it easy for staff to flag suspicious emails without feeling stupid. The more reports you get, the faster you can respond to campaigns targeting your business.

Technical Defences That Actually Help

Training is important but it’s not enough. You need technical controls too:

Email filtering. Microsoft 365 and Google Workspace have built-in phishing protection. Make sure it’s actually enabled and configured properly: the defaults are permissive, so check that anti-phishing, impersonation and spoof protection are switched on and applied to every user, not just to the accounts the preset covers. Consider adding additional filtering like Mimecast or Proofpoint for high-risk businesses.

DMARC, DKIM, and SPF. These email authentication protocols make it harder for attackers to send mail that claims to come from your exact domain. They’re free to implement and should be mandatory for every business. Two caveats: DMARC does nothing until the policy is p=quarantine or p=reject (p=none is a monitoring stage on the way there, not a destination), and none of the three stops mail from a look-alike domain or from a genuine account an attacker has compromised.
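Publishing the records is easy; publishing records that actually enforce something is where businesses usually stop short. The block below is an added example, not part of the original article: it checks the text of an SPF record and a DMARC record for the weaknesses that matter (a permissive all mechanism, too many DNS lookups, p=none, partial pct, no reporting address) and shows a weak pair beside a corrected pair. The records themselves are constructed for an assumed domain, example.com.au; the Microsoft 365 include and the tag names are the standard ones.

```python
import re

# Mechanisms and modifiers that cost a DNS lookup; SPF caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(record):
    """Return a list of weaknesses in one SPF TXT record ([] means it looks sound)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    issues, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # no qualifier means pass
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            issues.append("ptr mechanism is deprecated, slow and unreliable")
        if name == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        issues.append("no 'all' term: unlisted hosts get a neutral result, so SPF decides nothing")
    elif all_qualifier in ("+", "?"):
        issues.append(f"'{all_qualifier}all' lets any host on the internet send as this domain")
    elif all_qualifier == "~":
        issues.append("'~all' is softfail: fine under an enforcing DMARC policy, otherwise many receivers deliver anyway")
    if lookups > 10:
        issues.append(f"{lookups} lookup terms exceed the limit of 10; receivers return permerror and ignore the record")
    return issues

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(record):
    """Return a list of weaknesses in one DMARC TXT record (published at _dmarc.<domain>)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: must start with v=DMARC1"]
    issues, policy = [], tags.get("p")
    if policy is None:
        issues.append("missing required p= tag; receivers ignore the record")
    elif policy == "none":
        issues.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine sends spoofed mail to junk rather than rejecting it")
    if policy != "none" and tags.get("sp", policy) == "none":
        issues.append("sp=none leaves every subdomain open to spoofing")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        issues.append(f"pct={pct}: the policy is applied to only part of the failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: you receive no aggregate reports and cannot see who spoofs you")
    return issues

# Constructed records for example.com.au: the weak pair, then the corrected pair.
WEAK_SPF = "v=spf1 a mx include:spf.protection.outlook.com +all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_SPF = "v=spf1 include:spf.protection.outlook.com -all"
GOOD_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com.au; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, record, check in (("weak SPF", WEAK_SPF, check_spf), ("weak DMARC", WEAK_DMARC, check_dmarc),
                                 ("good SPF", GOOD_SPF, check_spf), ("good DMARC", GOOD_DMARC, check_dmarc)):
        print(label, check(record) or "ok")
```

To run it against a live domain, fetch the records first (`dig +short TXT example.com.au` and `dig +short TXT _dmarc.example.com.au`) and pass the strings in. The checker reads the record text only; it does not follow include chains, so the lookup count is a floor, and DKIM is not covered because its correctness depends on the selector and key your provider publishes, not on a record you write by hand.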

Link protection. Some email security tools can rewrite links to check them at click time, catching malicious sites that weren’t detected when the email arrived.

Multi-factor authentication. If someone’s password is phished, MFA stops an attacker who has only the password. It is not absolute: adversary-in-the-middle phishing kits proxy the real login page, relay the MFA prompt and capture the signed-in session cookie, and push-notification fatigue attacks talk users into approving a prompt they did not start. Use phishing-resistant methods (FIDO2 security keys or passkeys) for admins and finance staff, and treat MFA as your safety net, not a guarantee.

Web filtering. Block known malicious sites at the network level. If someone does click a bad link, the connection gets stopped before damage is done.

Running Phishing Simulations

Controversial take: I think phishing simulations are useful, but not for the reasons most people think.

The point isn’t to catch people and punish them. That just creates fear and reduces reporting. The point is to:

  1. Measure your baseline. How many people click? You can’t improve what you don’t measure.
  2. Provide teachable moments. Someone who just clicked a simulated phish is very receptive to training about what they missed.
  3. Test your detection and response. Do people report the simulations? How quickly do you get alerts?

If you run simulations, be ethical about it. Don’t use emotionally manipulative lures (fake layoff notices, fake health scares). Don’t name and shame individuals. Focus on improvement, not punishment.

When Someone Does Click

Despite everything, someone will eventually click. What happens next matters more than the click itself.

Don’t panic, don’t punish. You want people to report immediately, not hide the incident out of fear.

Assume the worst. Treat any credential submission to a suspicious site as a compromised account. Reset the password, revoke active sessions and tokens (a password reset alone does not always end a session the attacker already holds), and review recent sign-ins.

Check for lateral movement. Did the attacker use the compromised account to send further phishing emails? Did they access shared resources? Also look for what attackers leave behind to keep access: new inbox rules that forward mail externally or delete it, mailbox forwarding, newly registered MFA methods, and third-party apps granted access to the account.

Learn from it. What made this particular phish successful? Can you add detection rules for similar attempts?
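The checks above (sign-in review, further phishing sent from the account, and the persistence attackers leave behind) are worth scripting so they run the same way every time, on every account the first one emailed. The block below is an added example, not the article’s own procedure: it walks a list of simplified audit events and reports a sign-in from outside the account’s usual country, an inbox rule that forwards or hides mail, and a burst of outbound messages. The event schema, the account names and addresses, and the thresholds are all constructed for the example; real Microsoft 365 or Google Workspace audit exports use different field names and need mapping into this shape first.

```python
from datetime import datetime, timedelta

# Constructed, simplified audit events.  Real Microsoft 365 / Google Workspace
# exports use different field names; map them into this shape before triage.
EVENTS = [
    {"time": "2024-06-03T09:02:11Z", "user": "jane@example.com.au", "op": "Login",
     "ip": "203.0.113.10", "country": "AU"},
    {"time": "2024-06-03T09:15:40Z", "user": "jane@example.com.au", "op": "Login",
     "ip": "198.51.100.7", "country": "US"},
    {"time": "2024-06-03T09:16:02Z", "user": "jane@example.com.au", "op": "InboxRuleCreated",
     "rule": {"name": ".", "forward_to": "jane.backup@mailbox-archive.example",
              "delete": True, "subject_contains": ["invoice", "payment", "password"]}},
    {"time": "2024-06-03T09:04:00Z", "user": "bob@example.com.au", "op": "Login",
     "ip": "203.0.113.11", "country": "AU"},
    {"time": "2024-06-03T09:30:00Z", "user": "bob@example.com.au", "op": "MessageSent", "recipients": 2},
] + [
    # Six messages in under three minutes, five recipients each: the lure being
    # re-sent to Jane's contacts from her own mailbox.
    {"time": f"2024-06-03T{clock}Z", "user": "jane@example.com.au", "op": "MessageSent", "recipients": 5}
    for clock in ("09:20:00", "09:20:30", "09:21:00", "09:21:30", "09:22:00", "09:22:30")
]

HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "deleted items", "junk email", "archive"}
HOT_WORDS = {"invoice", "payment", "bank", "remittance", "password", "mfa", "verification"}

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")

def rule_red_flags(rule, internal_domain):
    """Reasons a newly created inbox rule looks like attacker persistence."""
    flags = []
    target = rule.get("forward_to", "")
    if target and not target.lower().endswith("@" + internal_domain):
        flags.append(f"forwards to external address {target}")
    if rule.get("delete") or rule.get("move_to", "").lower() in HIDING_FOLDERS:
        flags.append("hides matching mail (delete, or move to a folder nobody reads)")
    if HOT_WORDS & {w.lower() for w in rule.get("subject_contains", [])}:
        flags.append("filters on finance or credential keywords")
    if len(rule.get("name", "").strip()) <= 2:
        flags.append("near-empty rule name")
    return flags

def triage(events, user, internal_domain, home_country, window=timedelta(minutes=10), burst=20):
    """Post-click checks for one account.  Returns findings; [] means none of the
    three patterns (new-country sign-in, inbox-rule persistence, outbound burst)."""
    findings, sends = [], []
    for ev in sorted((e for e in events if e["user"] == user), key=lambda e: e["time"]):
        if ev["op"] == "Login" and ev.get("country") != home_country:
            findings.append(f"{ev['time']} sign-in from {ev['ip']} ({ev['country']}), not {home_country}")
        elif ev["op"] == "InboxRuleCreated":
            flags = rule_red_flags(ev["rule"], internal_domain)
            if flags:
                findings.append(f"{ev['time']} inbox rule {ev['rule'].get('name')!r}: " + "; ".join(flags))
        elif ev["op"] == "MessageSent":
            sends.append((parse_time(ev["time"]), ev["recipients"]))
    # Sliding window over outbound mail: how many recipients in any `window`-long span.
    for start, _ in sends:
        total = sum(n for t, n in sends if start <= t < start + window)
        if total >= burst:
            findings.append(f"{start.isoformat()} {total} recipients mailed within {window}; outbound burst")
            break
    return findings

if __name__ == "__main__":
    for who in ("jane@example.com.au", "bob@example.com.au"):
        print(who, triage(EVENTS, who, "example.com.au", "AU") or "clean")
```

The home-country and burst thresholds are starting points, not verdicts: a travelling salesperson trips the first, a newsletter send trips the second, which is why the output is a list of things to look at rather than an automatic lockout. The inbox-rule check is the one with the fewest benign hits; a rule named with a single dot that forwards externally and deletes the original is almost never legitimate.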

Phishing isn’t going away. If anything, it’s getting worse as AI makes it easier to generate convincing content at scale. But with the right combination of awareness, training, and technical controls, you can make your business a harder target.

And in security, being a harder target than the business next door is often all it takes.