AI-Powered Phishing Attacks Are Getting Scary Good in 2026 — How SMBs Can Fight Back
Remember when phishing emails were obvious? Bad grammar, Nigerian princes, dodgy sender addresses that were clearly not from your bank. Those days are gone.
In 2026, AI-generated phishing attacks have reached a level of sophistication that’s catching out even security-aware employees. And for Australian SMBs without dedicated security teams, this represents a serious and growing threat.
Let’s talk about what’s actually changed, how these attacks work, and what you can realistically do about it.
What’s Different About AI-Powered Phishing
Traditional phishing was a numbers game. Attackers blasted out millions of poorly written emails, hoping a tiny percentage would click. The success rate was low — maybe 1-3% — but volume made up for it.
AI has fundamentally changed the economics. Modern phishing campaigns use large language models to generate emails that are:
Grammatically perfect. No more spelling errors or awkward phrasing. The emails read like they were written by a native English speaker — because effectively, they were.
Contextually aware. Attackers scrape LinkedIn, company websites, and social media to build detailed profiles. The email doesn’t just pretend to be from “your bank.” It pretends to be from your specific supplier, referencing a real invoice number, using the correct contact name, and matching the formatting of previous legitimate emails.
Emotionally targeted. AI tools can analyse communication patterns and craft messages that trigger the right emotional response. Urgency for finance teams (“payment overdue, immediate action required”). Authority for junior staff (“request from the CEO”). Curiosity for everyone else (“documents shared with you”).
The Australian Signals Directorate flagged AI-enhanced social engineering as a top threat in their most recent advisory, noting that successful phishing rates have increased by approximately 60% in sectors where AI-crafted emails are being used.
Real Examples From Australian Businesses
Here’s a scenario that played out at a Melbourne accounting firm in January 2026. The office manager received an email that appeared to be from their biggest client. It referenced a real project name, used the client’s actual email signature format, and asked for a payment to be redirected to a new bank account “due to an internal banking change.”
The email passed through their spam filter without issue. The language was flawless. The sender address was one character different from the real address — a lowercase “l” replaced with a “1” in the domain name.
The office manager, who had completed security awareness training six months earlier, processed the payment. $47,000. Gone.
Another case: a Brisbane construction company received emails that appeared to be from their project management platform, complete with accurate branding and a link to what looked like a login page. Three employees entered their credentials before anyone realised the domain was fake. The attackers used those credentials to access real project documents and launch further targeted attacks on the company’s subcontractors.
These aren’t careless people. They’re busy professionals dealing with hundreds of emails per day, and the attacks were genuinely convincing.
Voice and Video Phishing Is Here Too
It’s not just email anymore. AI voice cloning technology can now produce convincing replicas of a person’s voice from just a few minutes of sample audio — easily obtained from a conference recording, podcast appearance, or YouTube video.
Australian businesses have already reported incidents of AI-generated voice calls purporting to be from company directors, requesting urgent wire transfers. The calls are brief, authoritative, and hard to distinguish from the real thing over a phone line.
Deepfake video is still relatively rare in targeted phishing, but it’s coming. The quality of real-time video generation has improved dramatically, and it won’t be long before a convincing video call is within reach of average cybercriminals, not just nation-state actors.
What SMBs Can Actually Do
I’m not going to tell you to “stay vigilant” — that’s useless advice when the attacks are specifically designed to defeat vigilance. Instead, here are concrete, implementable defences:
Technical Controls
Email authentication (DMARC, DKIM, SPF). If you haven’t configured these for your domain, do it today. They won’t stop all phishing, but they prevent attackers from spoofing your exact domain. The Australian Cyber Security Centre has step-by-step guides.
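One practical check to run after setting these up, added here as an example rather than anything from the article or the ACSC guides: having SPF and DMARC records is not the same as having them enforce anything. A DMARC policy of p=none only reports spoofing, and an SPF record ending in ?all or with no all term at all lets any server send as your domain. The script below grades records you have already fetched (for example with `dig TXT yourdomain.com.au` and `dig TXT _dmarc.yourdomain.com.au`); every record in it is a constructed sample, and the thresholds it applies (the 10-lookup SPF limit, pct, rua) are the ones the RFCs define. It cannot check DKIM signing, which has to be verified on the outbound mail server, and none of this protects against lookalike domains, only against mail that claims to be from your exact domain.

```python
"""Grade a domain's SPF and DMARC records for enforcement strength.

Added example, not code from the original article. It takes TXT records
you have already fetched and reports whether they actually tell receiving
mail servers to reject mail spoofing your domain. All records below are
constructed samples, not real DNS data.
"""

# Constructed sample records: one weak and one enforcing of each kind.
SPF_WEAK = "v=spf1 include:_spf.example.net ?all"
SPF_STRONG = "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all"
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"
DMARC_STRONG = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                "rua=mailto:dmarc@example.com.au")

# Mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return {'all': qualifier-or-None, 'lookups': n}, or None if not SPF."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        return None
    all_qualifier, lookups = None, 0
    for term in tokens[1:]:
        qualifier = "+"                      # implicit qualifier is "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("=", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups}


def parse_dmarc(record):
    """Return the tag=value pairs as a dict, or None if not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def grade_spf(record):
    """Return (level, findings); level is enforcing/softfail/permissive/missing."""
    spf = parse_spf(record)
    if spf is None:
        return "missing", ["no valid SPF record"]
    findings = []
    if spf["lookups"] > 10:
        findings.append("more than 10 DNS lookups: receivers treat the record as permerror")
    if spf["all"] == "-":
        level = "enforcing"
    elif spf["all"] == "~":
        level = "softfail"
        findings.append("~all only marks spoofed mail as suspicious; use -all")
    else:
        level = "permissive"
        findings.append("no -all or ~all: any server may send as this domain")
    return level, findings


def grade_dmarc(record):
    """Return (policy, findings); policy is reject/quarantine/none/missing."""
    tags = parse_dmarc(record)
    if tags is None:
        return "missing", ["no valid DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    pct_text = tags.get("pct", "100")
    pct = int(pct_text) if pct_text.isdigit() else 100
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    elif pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the {policy} policy")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see reports of spoofing attempts")
    return policy, findings


if __name__ == "__main__":
    for label, rec, grader in [("SPF weak", SPF_WEAK, grade_spf),
                               ("SPF strong", SPF_STRONG, grade_spf),
                               ("DMARC weak", DMARC_WEAK, grade_dmarc),
                               ("DMARC strong", DMARC_STRONG, grade_dmarc)]:
        level, findings = grader(rec)
        print(f"{label}: {level}" + "".join(f"\n  - {f}" for f in findings))
```

Run it against your own records and aim for an SPF level of "enforcing" and a DMARC policy of "reject" with no findings; "none" and "permissive" mean the records exist but will not stop anyone.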
Advanced email filtering. Basic spam filters aren’t enough anymore. Tools like Microsoft Defender for Office 365, Abnormal Security, or Proofpoint use AI themselves to detect AI-generated phishing. Fight fire with fire.
Multi-factor authentication (MFA) on everything. Even if credentials get phished, MFA stops attackers from using them. Use app-based MFA (Microsoft Authenticator, Google Authenticator), not SMS. SMS-based MFA is increasingly vulnerable to SIM-swapping attacks.
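To show why an app-based code is different from an SMS code, here is what the authenticator app actually computes and how a server should check it. This is an added example, not code from the article or from any of the products named above; it implements the standard HOTP (RFC 4226) and TOTP (RFC 6238) scheme those apps use. The secret is the RFC 6238 test-vector key, not a real one. The point to notice is that the secret is shared once at enrolment (the QR code) and then never leaves the phone or the server: nothing crosses the phone network, so there is nothing for a SIM-swap to intercept. The verifier also refuses to accept a counter it has already accepted, so a code that was phished in real time cannot be replayed within its 30-second window.

```python
"""What an authenticator app computes, and how a server should check it.

Added example, not code from the original article. HOTP (RFC 4226) and
TOTP (RFC 6238) with HMAC-SHA1, the scheme behind Microsoft Authenticator
and Google Authenticator codes. SECRET is the RFC 6238 test-vector key,
not a real one; in production it comes from the enrolment QR code and is
stored only on the phone and the server.
"""
import base64
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"          # RFC 6238 test key (SHA-1 vectors)
STEP = 30                                  # seconds per code
DIGITS = 6


def decode_base32_secret(text):
    """Turn the secret from an otpauth:// URI into bytes (padding restored)."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=STEP, digits=DIGITS):
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def verify(secret, submitted, at_time, last_counter=-1, window=1,
           step=STEP, digits=DIGITS):
    """Return the time-step counter the code matched, or None.

    Accepts +/- `window` steps of clock drift, compares in constant time,
    and refuses any counter at or below `last_counter` so a phished or
    shoulder-surfed code cannot be replayed inside its 30-second life.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    base = int(at_time) // step
    for counter in range(base - window, base + window + 1):
        if counter < 0 or counter <= last_counter:
            continue                       # already used (or before epoch)
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SECRET, now)
    print("code now:", code, "-> accepted at counter", verify(SECRET, code, now))
    print("same code again:", verify(SECRET, code, now, last_counter=now // STEP))
```

The server stores the counter returned by `verify` as `last_counter` for that user; the second print shows the same code being rejected once it has been used.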
Domain monitoring. Use a service that alerts you when someone registers a domain similar to yours. If your domain is “smithplumbing.com.au,” you want to know immediately when someone registers “smithplurnbing.com.au.”
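The two lookalikes on this page, “smithplurnbing” with rn standing in for m and the lowercase l swapped for a 1 in the accounting-firm case, are exactly what a monitoring feed has to catch. The script below is an added example, not code from the article or from any monitoring product: it takes a list of candidate domains (constructed here; in practice they would come from a domain-monitoring service, certificate-transparency logs or your mail gateway's sender log) and classifies each one against your own domain by folding confusable characters, measuring edit distance and checking for a swapped suffix. The short suffix list is an assumed stand-in for the real public suffix list.

```python
"""Flag newly registered domains that look like yours.

Added example, not code from the original article. CANDIDATES is a
constructed feed; SUFFIXES is a deliberately small stand-in for the
public suffix list.
"""
import unicodedata

OUR_DOMAINS = ["smithplumbing.com.au"]          # the article's example domain

# Constructed candidates, as a monitoring feed might deliver them.
CANDIDATES = [
    "mail.smithplumbing.com.au",    # our own subdomain
    "smithplurnbing.com.au",        # rn -> m, the article's example
    "smithp1umbing.com.au",         # 1 -> l, as in the accounting-firm case
    "smithplumbing.com",            # same name, different suffix
    "smithpumbing.com.au",          # dropped letter
    "smithplumbing-invoices.com",   # brand embedded in a longer name
    "brisbaneconstruction.com.au",  # unrelated
]

# Stand-in for the public suffix list; two-level .au suffixes first.
SUFFIXES = (".com.au", ".net.au", ".org.au", ".com", ".net", ".org")

# Character sequences and single characters that render alike in common fonts.
CONFUSABLE_SEQUENCES = [("rn", "m"), ("vv", "w"), ("cl", "d")]
CONFUSABLE_CHARS = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def normalise(label):
    """Collapse visually confusable spellings to one canonical ASCII form."""
    text = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for seq, replacement in CONFUSABLE_SEQUENCES:
        text = text.replace(seq, replacement)
    return text.translate(CONFUSABLE_CHARS)


def edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1,
                               previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def split_domain(domain):
    """Return (registrable label, suffix) using the SUFFIXES stand-in."""
    domain = domain.lower().rstrip(".")
    for suffix in SUFFIXES:
        if domain.endswith(suffix):
            return domain[:-len(suffix)].split(".")[-1], suffix
    head, _, tail = domain.rpartition(".")
    return head.split(".")[-1], "." + tail


def classify(candidate, own=OUR_DOMAINS):
    """Return own / suffix-swap / homoglyph / typosquat / brand-embedded / unrelated."""
    candidate = candidate.lower().rstrip(".")
    if any(candidate == mine or candidate.endswith("." + mine) for mine in own):
        return "own"
    c_label, c_suffix = split_domain(candidate)
    verdict = "unrelated"
    for mine in own:
        m_label, m_suffix = split_domain(mine)
        if c_label == m_label and c_suffix != m_suffix:
            return "suffix-swap"
        if normalise(c_label) == normalise(m_label):
            return "homoglyph"
        if edit_distance(c_label, m_label) <= 2:
            return "typosquat"
        if m_label in c_label:
            verdict = "brand-embedded"
    return verdict


def scan(candidates=CANDIDATES, own=OUR_DOMAINS):
    """Map each candidate that deserves attention to its verdict."""
    results = {}
    for domain in candidates:
        verdict = classify(domain, own)
        if verdict not in ("own", "unrelated"):
            results[domain] = verdict
    return results


if __name__ == "__main__":
    for domain, verdict in scan().items():
        print(f"{verdict:15} {domain}")
```

Anything that comes back as homoglyph, suffix-swap or typosquat is worth a takedown request and a block rule on the mail gateway the same day; brand-embedded names need a human look, since "smithplumbing-invoices.com" could be a phishing staging domain or a partner's legitimate site.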
Process Controls
Payment verification procedures. Any change to banking details must be verified through a separate communication channel. Someone emails asking you to change payment details? Pick up the phone and call them on a number you already have on file — not a number from the email.
Internal reporting culture. Make it easy and safe for staff to report suspicious emails. No blame, no embarrassment. The faster a phishing email gets reported, the faster you can warn everyone else.
Regular simulated phishing tests. These aren’t about catching people out. They’re about building muscle memory. When staff regularly encounter simulated phishing, they develop better instincts for real attacks. Specialists in this space can help set up programs that test and train simultaneously.
Human Controls
Slow down financial processes. The most effective phishing exploits urgency. Building deliberate friction into financial approvals — requiring dual authorisation for any payment over $5,000, for instance — gives people time to think rather than react.
Verify unusual requests. If the CEO emails asking for an urgent wire transfer, call the CEO. If a supplier emails with new banking details, call the supplier. Every time. No exceptions.
The Uncomfortable Truth
Here’s what nobody wants to hear: you can’t completely prevent phishing from succeeding. With AI generating near-perfect attacks at scale, some will get through your technical defences, and some will fool your people. The question isn’t whether it’ll happen — it’s whether you can minimise the damage when it does.
That means having an incident response plan. Knowing who to call. Having cyber insurance. Running regular backups. Monitoring for unusual account activity.
Moving Forward
AI phishing is an arms race, and right now, the attackers have the advantage. They’re using the same AI tools that the rest of us use for productivity, except they’re using them to craft increasingly convincing deceptions.
The response has to be layered: technical controls to catch what you can, process controls to slow down the attacks that get through, and human awareness that accepts the threat is real without creating paralysing fear.
No single measure will protect you. All of them together significantly reduce your risk. And in the current threat environment, significantly reducing risk is the best any SMB can hope for.