AI Phishing Is 3× More Effective, Here's How Australian Businesses Can Fight Back

The Nigerian prince emails are gone. The spelling mistakes and awkward grammar that used to give scam emails away have been replaced by polished, personalised messages that sound like they came from someone who actually knows you. AI has dramatically lowered the bar for creating convincing phishing attacks, and the numbers reflect it.
Research from 2024 and 2025 has consistently found that AI-generated phishing emails are roughly three times more effective at tricking recipients than traditionally written ones. Separately, threat intelligence firms estimate that more than 40% of ransomware attacks now involve AI at some stage, whether in crafting the initial lure, automating the targeting, or adapting the attack in real time. For Australian small businesses, which are frequently targeted precisely because they tend to have weaker defences than large corporations, this shift matters.
Why AI Phishing Is So Much More Convincing
Traditional phishing emails had tells. Odd formatting, generic greetings ("Dear Customer"), spelling errors, and a sense of urgency that felt manufactured. Most people have developed a reasonable instinct for spotting them.
AI-generated phishing emails are different in several ways. First, they have no spelling or grammar errors. A large language model writes flawlessly. Second, they are personalised. Attackers scrape LinkedIn profiles, social media accounts, and company websites before sending. A phishing email targeting a Perth building company might reference a real recent project, use the correct director's name, and reference a supplier relationship that actually exists. That level of detail is what breaks people's guard.
Third, and most concerning, AI can now mimic the writing style of a specific person. If an attacker has access to a few of your emails (perhaps through a previous breach of a contact's account), they can train a model to write in your style. This means an email appearing to come from you can now actually sound like you.
Business Email Compromise (BEC) is the attack type that exploits this most effectively. In a BEC attack, a criminal impersonates a business owner, finance manager, or trusted supplier to trick someone into authorising a payment or transferring funds. The Australian Federal Police and ACSC consistently list BEC as one of the highest-cost cyber threats to Australian businesses. It does not require any malware or technical exploit. It just requires someone to believe a convincing email.
What to Look For
Even well-crafted AI phishing emails have patterns worth watching for. Requests for urgent action, particularly around payments, transfers, or sharing login credentials, should always trigger a pause. Urgency is a manipulation technique. Any email that says "do this now before close of business" about anything involving money or access is a flag, regardless of who appears to have sent it.
Check the sender's email address carefully, not just the display name. An email might show "Shaun from Tech Hero" as the display name but come from a completely unrelated domain like shaun@techh3r0-support.com. Attackers also use lookalike domains, registering addresses like techher0.com.au (with a zero in place of the letter o) or techhero-accounts.com.au. The display name in your inbox is trivially easy to fake.
Be alert to any email that asks you to click a link to verify something, even if it looks exactly like a notification from your bank, the ATO, or Microsoft. Hover over links before clicking to see the actual URL. If in doubt, go directly to the website by typing the address yourself rather than following the link.
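The three checks above (urgency language, the real address behind a display name and its domain, and where a link actually goes versus what its text shows) can be applied mechanically before a human ever reads the message. The script below is an added example written for this article, not code from the article's author or from any of the vendors named on this page. It assumes one constructed trusted domain (techhero.com.au) and two constructed sample emails, and uses only the Python standard library so it runs offline.

```python
# Added example (not from the original article): a small triage helper that
# runs the checks described in "What to Look For" over a raw email.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains this business genuinely uses (constructed value).
TRUSTED_DOMAINS = {"techhero.com.au"}
# Digits commonly swapped for letters in lookalike domains (0 for o, 3 for e, ...).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URGENCY_PHRASES = ("urgent", "immediately", "close of business")


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    plain = domain.translate(CONFUSABLES)            # techher0 -> techhero
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Exact match once digits are de-confused, or the brand used as one
        # hyphenated part of the first label (techhero-accounts.com.au).
        if plain == trusted or brand in plain.split(".")[0].split("-"):
            return trusted
    return None


def host_of(url_or_text):
    """Hostname of a URL; bare domains without a scheme are accepted too."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw_email):
    """Return human-readable findings for one raw email (headers + HTML body)."""
    msg = message_from_string(raw_email)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()

    # 1. Display name borrows a trusted brand while the address lives elsewhere.
    squashed = display.lower().replace(" ", "")
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in squashed and sender_domain not in TRUSTED_DOMAINS:
            findings.append(f"display name '{display}' claims {trusted} but address is {addr}")

    # 2. The sender domain itself is a lookalike.
    if (target := lookalike_of(sender_domain)):
        findings.append(f"sender domain {sender_domain} imitates {target}")

    # 3. Manufactured urgency in the subject line.
    if any(p in msg.get("Subject", "").lower() for p in URGENCY_PHRASES):
        findings.append(f"urgency language in subject: {msg.get('Subject')!r}")

    # 4. Links: what the visible text shows versus where the href really goes.
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        actual = host_of(href)
        if re.fullmatch(r"\S+\.[a-z]{2,}(/\S*)?", text, re.I) and host_of(text) != actual:
            findings.append(f"link text shows {host_of(text)} but goes to {actual}")
        if (target := lookalike_of(actual)):
            findings.append(f"link destination {actual} imitates {target}")
    return findings


# Constructed sample: the lookalike scenario described in the article.
PHISHING_SAMPLE = """\
From: "Shaun from Tech Hero" <shaun@techh3r0-support.com>
To: accounts@example.com.au
Subject: Urgent: new bank details required before close of business
Content-Type: text/html

<html><body><p>Our account details changed. Confirm the new payee via
<a href="http://techher0.com.au/verify">https://techhero.com.au/verify</a>
or <a href="https://techhero-accounts.com.au/login">click here</a>.</p></body></html>
"""

# Constructed sample: a genuine message from the trusted domain.
LEGITIMATE_SAMPLE = """\
From: "Jane Smith" <jane@techhero.com.au>
To: accounts@example.com.au
Subject: Invoice 1042 attached
Content-Type: text/html

<html><body><p>See <a href="https://techhero.com.au/invoices/1042">https://techhero.com.au/invoices/1042</a>.</p></body></html>
"""

if __name__ == "__main__":
    for finding in triage(PHISHING_SAMPLE):
        print("FLAG:", finding)
    print("legitimate sample findings:", triage(LEGITIMATE_SAMPLE))
```

Run against the phishing sample it raises six flags (brand in the display name, lookalike sender domain, urgency in the subject, a link whose text and destination disagree, and two lookalike link destinations) and none against the genuine one. The digit substitutions and hyphen-suffix rule are deliberately simple; a production filter would also handle Unicode homoglyphs and subdomain tricks, but the point is that every check here is one a person can also do by hand by hovering and reading the real address.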
The Tools That Help
No tool provides complete protection against phishing, but several significantly reduce the volume of malicious emails that reach your inbox.
If your business uses Microsoft 365, Microsoft Defender for Office 365 (included in Microsoft 365 Business Premium, or available as an add-on) provides AI-powered email filtering that catches a large proportion of phishing attempts, including impersonation attacks. It also provides Safe Links, which checks the destination of URLs at the moment you click them, even if the link appeared legitimate when the email arrived.
Google Workspace's built-in phishing and malware protection has similarly improved. Google uses AI to analyse email patterns across its entire network, which gives it a broad view of emerging attack campaigns. If your business is on Google Workspace, make sure your admin settings have the enhanced phishing and malware protection settings enabled, not just the defaults.
Mimecast is a third-party email security platform used by many Australian businesses as an additional layer on top of Microsoft 365 or Google Workspace. It provides stronger filtering, link checking, attachment sandboxing, and impersonation protection. For businesses in sectors that are frequent targets, such as finance, law, accounting, and construction, the additional layer is often worth the cost.
The One Habit That Stops BEC
All of the technical tools above help, but the single most effective defence against Business Email Compromise is a simple human protocol: verify any payment request by phone before acting on it, regardless of how legitimate the email looks.
If you receive an email that appears to be from your business partner, accountant, or a supplier asking you to change a bank account number or authorise a transfer, pick up the phone and call them directly on a number you already have. Do not call a number included in the email. This one step has prevented enormous losses for Australian businesses that have had it in place.
The same applies in reverse: if your team includes anyone who handles payments or transfers, make sure they have a clear policy that any new payee, any change of bank account details, and any payment request over a certain threshold (set an amount appropriate to your business) requires verbal confirmation before processing.
Reporting Attacks in Australia
If your business receives a sophisticated phishing attempt or falls victim to one, report it to ReportCyber.gov.au, the ACSC's national cybercrime reporting mechanism. Reporting does three things: it helps Australian authorities track emerging attack campaigns targeting local businesses, it creates a record if you need to make an insurance claim, and in cases involving financial loss, it may trigger a response from the Australian Federal Police or your state's cybercrime unit.
If your email account or system has been compromised, change your passwords immediately, enable multi-factor authentication if it is not already on, and contact your IT provider. Time matters. The faster a compromised account is secured, the less damage can be done.
The threat landscape has genuinely shifted. AI has made phishing attacks better and BEC attacks more believable. The response is not panic but preparation: better email filtering, a culture of verification for anything involving money or access, and clear reporting procedures when something goes wrong. These are not complicated measures. They are the basics that make a real difference.