AI-Powered Phishing Is Getting Scary Good - Here's What SMBs Need to Know


The phishing email looked perfect. Correct branding, no spelling errors, even the CFO’s usual sign-off. A Melbourne accounting firm nearly transferred $47,000 before someone thought to call and verify. The attacker had used AI to craft a message that mimicked months of legitimate correspondence.

This isn’t science fiction. It’s happening right now, and Australian small businesses are squarely in the crosshairs.

Why AI Changes Everything

Traditional phishing was easy to spot. Bad grammar, urgent demands, links that didn’t quite match. We trained our teams to look for these red flags, and it worked—most of the time.

AI has thrown that playbook out the window.

Modern language models can now generate perfectly written emails in any style, tone, or language. They can analyze your company’s communication patterns from publicly available data (LinkedIn posts, website content, even customer reviews) and create messages that sound exactly like your CEO, your supplier, or your IT department.

The Australian Cyber Security Centre has flagged AI-enhanced phishing as one of the fastest-growing threats to SMBs in 2026. Their latest threat report shows a 340% increase in sophisticated spear-phishing attempts targeting businesses with fewer than 50 employees.

It’s Not Just Email Anymore

Here’s where it gets worse: voice deepfakes.

A Sydney construction company lost $89,000 last month when their accounts manager received what she thought was a phone call from the owner. The voice was perfect—same accent, same speech patterns, same background office noise. The “owner” explained he was in a meeting and needed an urgent wire transfer to secure materials for a delayed project.

The call was AI-generated. The real owner was on a golf course.

These voice cloning tools only need a few seconds of audio to work. If your business owner has ever spoken at an event, appeared in a video, or even left a voicemail, there’s probably enough audio online for an attacker to create a convincing deepfake.

Real Attack Patterns We’re Seeing

AI-powered phishing attacks targeting Australian SMBs typically follow these patterns:

Invoice fraud: Attackers study your regular suppliers through publicly visible invoices or payment patterns, then send perfectly formatted invoices with slightly altered bank details. The AI ensures the language, formatting, and timing all match your normal business rhythm.

CEO fraud with context: Instead of generic “I need iTunes cards” scams, attackers now reference actual projects, use company jargon, and time their attacks for when executives are known to be traveling or in meetings (information gleaned from LinkedIn or company social media).

HR credential harvesting: Fake password reset emails or “update your payroll details” messages that perfectly mimic your actual HR software’s communications. The AI generates unique variations for each employee, making mass detection harder.

What Actually Works (No Magic Bullets)

The good news? AI-powered phishing is still phishing. The fundamental defense strategies work—they just need to be tighter.

Verification protocols that can’t be bypassed: Implement a mandatory callback policy for any financial request over a set threshold (say, $5,000). Use a known number, not one provided in the email or call. Yes, it’s inconvenient. That’s the point.

Multi-person approval for changes: Bank details, payment instructions, or credential resets should require two people to sign off. Attackers typically target one person at a time.

Technical controls: DMARC, SPF, and DKIM email authentication won’t stop all AI phishing, but they’ll block attackers from sending mail that appears to come from your own domain (a lookalike domain is a separate problem). If you don’t have these configured, you’re making it too easy.
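As an added example (not from the article), here is a small Python checker that grades the SPF and DMARC records a domain publishes and flags the settings that still leave it open to direct spoofing, such as `+all` in SPF or `p=none` in DMARC. The sample records are constructed for illustration; in practice you would feed it the TXT records fetched for your domain and its `_dmarc` subdomain.

```python
"""Grade published SPF and DMARC records for the weak settings that leave a
domain open to direct spoofing. Added example, not from the article; the
sample records below are constructed, not taken from any real domain."""
import re

# Constructed sample TXT records, as they would appear in DNS.
WEAK_SPF = "v=spf1 include:_spf.example-mail.test +all"
GOOD_SPF = "v=spf1 include:_spf.example-mail.test -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
GOOD_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.test"

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict (tag names are case-insensitive)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def grade_spf(record):
    """The 'all' mechanism decides the fate of senders not listed in the record:
    +all or ?all permit anyone, ~all only softfails, -all rejects."""
    if not record.lower().startswith("v=spf1"):
        return ["no SPF record"]
    match = re.search(r"(?:^|\s)([-+~?]?)all(?:\s|$)", record)
    if match is None:  # a redirect= modifier is not handled here
        return ["SPF has no 'all' mechanism: unlisted senders are not rejected"]
    qualifier = match.group(1) or "+"  # a bare 'all' means '+all'
    if qualifier in "+?":
        return [f"SPF ends with '{qualifier}all': anyone may send as this domain"]
    if qualifier == "~":
        return ["SPF uses '~all' (softfail): spoofed mail may still be delivered"]
    return []

def grade_dmarc(record):
    """Only p=quarantine or p=reject makes receivers act on SPF/DKIM failures."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("DMARC p=none: failures are only reported, never blocked")
    elif int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC pct={tags['pct']}: only part of the failing mail is acted on")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: you never see who is spoofing you")
    return findings
```

Fetch the real records with `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`, then pass each record string to the matching function; an empty list means no weak setting was found.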

Regular testing: Run phishing simulations using AI-generated content. If your team can spot a generic phishing test but fails against AI-crafted attempts, you haven’t actually tested your defenses.

The Human Factor Still Matters

Here’s what I tell clients: AI makes perfect emails, but it doesn’t make perfect situations.

Train your team to question the scenario, not just the message. Does this request make sense? Why the urgency? Why this method? If your supplier has always sent invoices on the 15th and suddenly there’s an urgent payment needed on the 3rd, that’s worth a phone call.

Create a culture where verification isn’t seen as distrust. The best defense I’ve seen was at a Brisbane law firm where the managing partner publicly praised a junior admin for calling to verify what turned out to be a legitimate request. That one action set the tone: checking is professional, not paranoid.

This Will Get Worse Before It Gets Better

I won’t sugarcoat it—AI-powered phishing is only going to become more sophisticated. We’re already seeing multimodal attacks that combine fake emails, follow-up calls, and even fake video meetings.

But Australian SMBs aren’t helpless. The businesses that get breached are typically the ones that assume “it won’t happen to us” or rely solely on technology to solve what’s fundamentally a process and culture problem.

If you take away one thing: slow down the transaction. Every successful AI phishing attack I’ve analyzed this year succeeded because someone felt rushed. The urgency was fake. The loss was real.

The ACSC offers free resources specifically designed for small businesses at their website. Start there. Implement verification protocols today, not after your first $50,000 loss.

Because the attackers aren’t waiting, and their tools are getting better every single day.