For years, the standard advice given to Australian businesses about phishing was reassuringly simple: train your staff to look for spelling mistakes, suspicious sender addresses, and awkward phrasing. That advice worked well enough when phishing emails were written by non-native speakers working at volume. In 2026, that advice is dangerously out of date, and continuing to rely on it is leaving your business exposed in ways most business owners have not yet fully confronted.
The reason for this shift is artificial intelligence, and specifically the way attackers are now using large language models to craft phishing messages that are grammatically perfect, contextually plausible, and in many cases eerily personalised. The old tells are gone. The new attacks are sophisticated enough to fool experienced professionals who have completed cybersecurity awareness training multiple times, and Australian businesses are seeing the consequences directly in their incident reports and insurance claims.
Business email compromise scams increased by 15 percent in the past year across Australia, with some campaigns now bypassing multi-factor authentication entirely. For any business relying on professional managed cybersecurity services to keep pace with this evolution, understanding what has changed and what a meaningful response looks like is not optional.
What AI Has Changed About Phishing Attacks
The core problem with traditional phishing detection was always that it relied on humans identifying signals inconsistent with legitimate communication. Poor grammar was one signal. Generic greetings like “Dear Customer” were another. Urgency that felt out of proportion to the situation was a third. Trained staff could catch these patterns with reasonable reliability because the patterns were consistent.
AI-generated phishing emails eliminate most of those signals by default. A language model can produce fluent, well-structured prose in Australian English, calibrated to the apparent context of the communication, in seconds and at virtually no cost to the attacker. What previously required a skilled human writer can now be generated at scale with minimal effort and no meaningful skill barrier.
Beyond the language itself, attackers are now using AI to conduct reconnaissance on targets before sending anything. Publicly available information from LinkedIn profiles, company websites, news articles, and social media gives AI systems enough context to personalise messages in ways that would have been impractical to achieve manually at any meaningful scale. A phishing email that references a recipient’s actual job title, their manager’s name, a recent company announcement, or an ongoing project does not read like a mass-market scam. It reads like a legitimate internal communication from someone who knows the business.
This category of attack is now described as spear phishing at scale, and it represents a qualitative change in the threat environment rather than simply a quantitative one. It is not more phishing. It is fundamentally more convincing phishing, delivered to more precisely selected targets, with a higher probability of success per attempt.
Why Business Email Compromise Is the Highest Priority Threat
Of all the attack types that benefit from AI-assisted phishing, business email compromise deserves particular attention because the financial consequences are direct, immediate, and largely unrecoverable once the fraud has occurred. Business email compromise refers to attacks where the goal is not malware installation or data theft in the traditional sense, but financial fraud achieved by manipulating legitimate business processes.
The most common form involves an attacker compromising or impersonating an email account involved in financial transactions, then intervening at a moment when payment instructions are being communicated. The attacker redirects a payment by changing account details, and by the time the fraud is discovered, the funds have moved through multiple accounts in ways that make recovery extremely difficult.
What makes these attacks particularly effective is that they exploit trust rather than technology vulnerabilities. The email typically looks legitimate because it comes from a real account or a convincingly spoofed one, references real context from an actual business relationship, and arrives at a moment when the recipient is busy and operating under time pressure. AI makes all of these elements easier to execute at higher quality and significantly lower cost than was possible even two years ago.
Australian businesses in professional services, legal, real estate, and finance are disproportionately targeted because the transaction values are high and the email workflows are predictable. A law firm settlement, a property transaction, or an invoice from a trusted supplier represents a high-value target that justifies the effort of a personalised attack.
The Limitations of Awareness Training as a Primary Control
None of this means that cybersecurity awareness training is worthless. Educating staff about the categories of attacks they face and the general patterns to watch for remains a valuable component of any security programme. The problem is when organisations treat awareness training as their primary defence rather than one layer in a much deeper strategy.
The research on human error in cybersecurity is consistent and sobering: even well-trained, attentive people make mistakes, particularly under time pressure and when dealing with high volumes of email. The conditions that make phishing attacks most effective (urgency, familiarity, and plausibility) are exactly the conditions most likely to cause a well-trained person to make an error in judgement at the critical moment. Building a security posture that depends on every staff member making the right call every time is not a security posture. It is an assumption that will eventually be tested and found wanting.
What awareness training does usefully is raise the threshold at which staff will pause and verify, and create an organisational culture where questioning suspicious requests is normalised rather than seen as obstructive. Those outcomes are genuinely worth pursuing. They are just not sufficient on their own when the attacks are this sophisticated and this personalised.
What a Meaningful Technical Response Looks Like
Defending against AI-assisted phishing requires layered technical controls that reduce the probability of a successful attack at multiple points in the attack chain, rather than relying on any single control to catch everything. The approach that characterises mature managed cybersecurity services today is defence in depth, where each layer compensates for the inevitable gaps in the layers above and below it.
Email authentication protocols are the first layer that most Australian businesses need to strengthen. SPF and DKIM records, together with a DMARC policy that is properly configured and set to enforcement rather than monitoring, make it significantly harder for attackers to spoof your domain or your suppliers’ domains. Many Australian businesses have their DMARC policy set to monitoring mode, which means they collect reports about spoofing attempts but do not actually block spoofed emails from reaching recipients. Reviewing the policy and moving to enforcement is a relatively straightforward step with material risk reduction.
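The monitoring-versus-enforcement distinction lives in the tags of the domain’s DMARC TXT record, so the audit can be automated. The following is an added example, not code from Otto IT or from the original article; the sample records are constructed, and the `example.com.au` addresses are placeholders.

```python
# Added example: classify a DMARC TXT record as monitoring-only or enforcing.
# Assumes the record text has already been fetched (e.g. from the _dmarc.<domain> TXT lookup).
ENFORCING = {"quarantine", "reject"}

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs, with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part and "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_dmarc(record: str) -> dict:
    """Return the effective mode (monitoring / partial / enforcement) and the gaps found."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"mode": "invalid", "policy": None, "pct": None,
                "findings": ["missing or wrong v=DMARC1 tag"]}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        # p=none is monitoring mode: failures are reported, the mail is still delivered
        findings.append(f"p={policy or 'missing'}: spoofed mail is reported but still delivered")
    pct = int(tags.get("pct", "100"))  # share of failing mail the policy is applied to
    if policy in ENFORCING and pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    # sp= governs subdomains; when absent it inherits p=, so only an explicit weaker value is a gap
    sub = tags.get("sp", policy).lower()
    if policy in ENFORCING and sub not in ENFORCING:
        findings.append(f"sp={sub}: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    if policy in ENFORCING and pct == 100 and sub in ENFORCING:
        mode = "enforcement"
    elif policy in ENFORCING:
        mode = "partial"
    else:
        mode = "monitoring"
    return {"mode": mode, "policy": policy, "pct": pct, "findings": findings}

# Constructed sample records (placeholder domain), not real DNS data.
SAMPLE_RECORDS = {
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au",
    "partial":    "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@example.com.au",
    "enforcing":  "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com.au",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(name, audit_dmarc(rec))
```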
Advanced email filtering that uses behavioural analysis and machine learning to assess message risk, rather than relying purely on known-bad signatures, is a second layer that catches a broader category of novel attacks. The filtering needs to be tuned to your organisation’s communication patterns so that anomalies are detectable against a baseline of normal behaviour.
Multi-factor authentication on email accounts and financial systems remains a critical control, but the increase in BEC attacks successfully bypassing MFA is a reminder that MFA alone is not a complete defence. Phishing-resistant MFA using hardware security keys or passkeys offers substantially stronger protection than SMS codes or standard authenticator app codes, which can be intercepted through real-time phishing proxy attacks.
Payment verification processes that require out-of-band confirmation for any change to payment details are one of the most effective controls against business email compromise specifically. If your organisation’s process allows payment details to be changed via email alone without a separate phone verification to a known number, that process is vulnerable regardless of the quality of your other technical controls.
The Role of 24/7 Monitoring in Catching What Gets Through
Even with strong technical controls and well-trained staff, some phishing attempts will succeed over time. The measure of a mature security posture is not whether attacks succeed, since some inevitably will, but how quickly they are detected and contained before significant damage occurs.
This is where continuous monitoring becomes a critical differentiator between businesses with genuine security resilience and those with only the appearance of it. Professional managed cybersecurity services with 24/7 Security Operations Centre coverage provide real-time visibility into account activity, enabling rapid detection of the behavioural indicators that typically follow a successful phishing attack: unusual login locations, email forwarding rules being created, large data transfers, or changes to account settings.
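The indicators listed above can be expressed as detection logic over account audit events, with several indicators on one account escalated to a likely account takeover. This is an added example, not Otto IT’s SOC tooling; the event field names, the internal domain, the download threshold and the events themselves are constructed assumptions, not any vendor’s schema.

```python
# Added example: post-phishing account-compromise indicators over constructed audit events.
from collections import defaultdict

INTERNAL_DOMAIN = "example.com.au"        # assumed organisation domain (placeholder)
DOWNLOAD_THRESHOLD = 1_000_000_000        # bytes; assumed baseline, tune per organisation

# Constructed sample events; field names are assumptions, not a real platform's schema.
EVENTS = [
    {"user": "alice@example.com.au", "action": "login", "country": "AU"},
    {"user": "alice@example.com.au", "action": "login", "country": "AU"},
    {"user": "alice@example.com.au", "action": "login", "country": "NG"},
    {"user": "alice@example.com.au", "action": "inbox_rule_created", "forward_to": "a.lice@gmail.com"},
    {"user": "alice@example.com.au", "action": "mail_download", "bytes": 2_500_000_000},
    {"user": "bob@example.com.au", "action": "login", "country": "AU"},
    {"user": "bob@example.com.au", "action": "inbox_rule_created", "forward_to": "archive@example.com.au"},
]

def detect(events, baseline_countries=None):
    """Return (severity, user, reason) alerts; a user with two or more indicators is escalated."""
    seen = defaultdict(set)                      # countries each user has logged in from
    for user, countries in (baseline_countries or {}).items():
        seen[user] |= set(countries)
    alerts = []
    for e in events:
        user = e["user"]
        if e["action"] == "login":
            # first sighting seeds the baseline; later logins from elsewhere are flagged
            if seen[user] and e["country"] not in seen[user]:
                alerts.append(("medium", user, f"login from new country {e['country']}"))
            seen[user].add(e["country"])
        elif e["action"] == "inbox_rule_created":
            dest_domain = e["forward_to"].rsplit("@", 1)[-1].lower()
            if dest_domain != INTERNAL_DOMAIN:
                alerts.append(("high", user, f"forwarding rule to external address {e['forward_to']}"))
        elif e["action"] == "mail_download" and e["bytes"] > DOWNLOAD_THRESHOLD:
            alerts.append(("medium", user, f"bulk mail download of {e['bytes']} bytes"))
    # correlation: several independent indicators on one account is the takeover pattern
    per_user = defaultdict(int)
    for _, user, _ in alerts:
        per_user[user] += 1
    for user, count in per_user.items():
        if count >= 2:
            alerts.append(("critical", user, f"{count} indicators: likely account takeover"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```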
Early detection of these indicators can mean the difference between a contained incident and a significant financial or reputational loss. Otto IT’s SOC resolved 97 percent of cyber incidents within 30 minutes in 2025, which reflects the operational value of having dedicated, continuous monitoring rather than relying on staff to notice something is wrong and escalate it through a normal helpdesk process during business hours.
What Your Business Should Do Right Now
If your current approach to phishing defence is primarily awareness training and standard email filtering, there are concrete steps worth taking immediately regardless of your broader security posture review. Begin with an audit of your email authentication configuration to confirm DMARC is in enforcement mode. Review your payment change processes to ensure they include out-of-band verification. Assess whether your current MFA deployment uses phishing-resistant methods for your highest-risk accounts and systems.
If you are uncertain where to start or want an independent assessment of your current exposure level, a security assessment from a qualified managed IT support provider will give you a clear baseline. Understanding your actual risk level is a necessary precondition for making sound decisions about where to invest in additional controls.
The threat environment has changed materially in the past 24 months, and the organisational response needs to match that change. Businesses that continue to treat phishing as primarily a training problem rather than a technical security problem are operating with a gap that attackers are actively and systematically exploiting.
To learn more about how Otto IT approaches managed cybersecurity services for Australian businesses, visit our managed cybersecurity page or get in touch through our contact page.