Phishing in 2026: The Scams Hitting Perth Small Businesses Right Now

Shaun Wong

A few years ago, spotting a phishing email was easy. The spelling was off, the logo was stretched, and the "bank" emailing you was one you had never used. That era is over. In 2026, the scams landing in your inbox are well written, properly branded, and increasingly built with the help of AI. For a small business in Perth, the risk is no longer that you will obviously be fooled. It is that a busy staff member, mid-task, will click something that looks completely legitimate. This is not a fringe problem either. Australians reported more than $2 billion in scam losses in a single year, with phishing among the most reported scams of all.

The good news is that the defences have not really changed. The tactics are slicker, but the habits that stop them are the same ones that have always worked. You just have to actually have them in place.

What phishing looks like now

The classic phishing email pretended to be your bank. The modern version pretends to be your supplier, your accountant, or your own boss. Attackers research a business first, then craft a message that fits. An invoice arrives that matches one you were expecting. An email from "the director" asks the bookkeeper to pay a new account urgently. A message from "Microsoft" warns that your mailbox is full and links to a login page that looks pixel-perfect.

Three trends are making this worse for small businesses. The first is AI-written copy, which removes the clumsy language that used to give scams away. The second is business email compromise, where an attacker gets into one real account and emails your staff or clients from it, so the message is genuinely coming from a trusted address. The third is the move to text messages and QR codes, which feel more personal and slip past the instinct people have learned to apply to email.

The scams we are seeing locally

Two stand out. Invoice and payment fraud is the costliest, and payment redirection is one of the largest sources of business losses in the ACCC's Targeting Scams report. A scammer either fakes a supplier email or breaks into a real one, then sends through "updated" bank details right before a payment is due. The money goes out the door looking like a normal transaction, and it is often gone for good before anyone notices.

The second is the credential grab. A staff member gets an email about a shared document, a parcel, or a password expiry. They click, land on a convincing login page, and type in their Microsoft 365 or Google details. The attacker now has a real account, and the cycle starts again, this time from inside your business.

This short explainer from cybersecurity firm Huntress shows how business email compromise actually plays out, which makes the "verify before you pay" habit below click into place.

How business email compromise works, and why a trusted-looking email is the whole trick.

How to spot one in the moment

You cannot inspect every email forensically, and you should not have to. A few quick instincts catch most attempts. Be suspicious of urgency, because "do this now or else" is a pressure tactic, not a normal business tone. Pause on anything involving money or bank details, especially a change to existing details, and verify it by phone using a number you already have, never the one in the email. Hover over links before clicking to see where they really go. And treat any unexpected login prompt as guilty until proven innocent.

The single most useful rule for a small team is simple. If a message asks you to pay something, change a payment detail, or log in, slow down and check through a second channel. That one habit defeats the overwhelming majority of these scams.
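The checks in the two paragraphs above can be applied mechanically to a message before anyone acts on it. The script below is an added example (not code from the original post or from Tech Hero): it reads a raw email, runs the "spot it in the moment" checks (external sender, a display name that impersonates a staff member, a Reply-To that goes somewhere else, link text that hides a different destination, and urgency, payment or login wording) and returns the flags together with the second-channel action this post recommends. The company domain `perthbiz.example`, the `STAFF_NAMES` list, the keyword lists and the three sample messages are all constructed assumptions to tune for your own business.

```python
"""Phishing triage helper for the checks described above (added example,
not code from the original post). OUR_DOMAIN, STAFF_NAMES, the keyword
lists and the sample messages are constructed assumptions; tune them
for your own business."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

OUR_DOMAIN = "perthbiz.example"                      # assumption: your mail domain
STAFF_NAMES = {"jane director", "sam bookkeeper"}    # assumption: names worth impersonating
URGENCY_WORDS = ("urgent", "immediately", "today", "within 24 hours", "asap")
PAYMENT_WORDS = ("invoice", "bank details", "account details", "payment", "bsb")
LOGIN_WORDS = ("password", "sign in", "log in", "login", "verify your account", "mailbox is full")
DOMAIN_RE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/.*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs: the programmatic form of 'hover before you click'."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(value: str) -> str:
    """Host part of an email address or URL, lower-cased ('' if none)."""
    if "@" in value:
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def triage(raw: str) -> dict:
    """Run the checks on one raw message; return its flags and the recommended action."""
    msg = message_from_string(raw)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    from_host = host_of(addr)
    if from_host != OUR_DOMAIN:
        flags.append(f"external sender: {addr}")
        if display.lower() in STAFF_NAMES:   # "the director" writing from an outside address
            flags.append(f"display name '{display}' looks internal but the address is not")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and host_of(reply_to) != from_host:
        flags.append(f"Reply-To goes to a different domain: {reply_to}")

    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                   for p in parts if p.get_content_type() in ("text/plain", "text/html"))
    links = LinkCollector()
    links.feed(body)
    for label, href in links.links:   # visible text shows one domain, href goes to another
        if DOMAIN_RE.match(label) and host_of(label) != host_of(href):
            flags.append(f"link text '{label}' actually goes to {host_of(href)}")

    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [name for name, words in (("urgency", URGENCY_WORDS), ("payment", PAYMENT_WORDS),
                                     ("login", LOGIN_WORDS)) if any(w in haystack for w in words)]
    flags.extend(f"{name} wording" for name in hits)

    if "payment" in hits:
        action = "phone the sender on a number you already hold before paying or changing any details"
    elif "login" in hits:
        action = "do not use the link; open the service from your own bookmark and check there"
    elif flags:
        action = "treat as suspicious and confirm through a second channel"
    else:
        action = "no checks triggered"
    return {"flags": flags, "action": action}


# Constructed samples: a spoofed director, a supplier bank-detail change, a fake mailbox notice.
SAMPLES = {
    "director": """\
From: "Jane Director" <jane.director@webmail.test>
Subject: Payment needed today
Content-Type: text/html; charset=utf-8

<p>Pay the attached invoice to the new account below, BSB 000-000. In meetings, can't take calls.</p>
""",
    "supplier": """\
From: Accounts <accounts@westside-supplies.test>
Reply-To: accounts.westside@webmail.test
Subject: URGENT: updated bank details for invoice 1042
Content-Type: text/html; charset=utf-8

<p>Update our details before paying: <a href="http://perthbiz.example.docs-portal.test/bsb">perthbiz.example</a></p>
""",
    "mailbox": """\
From: "Microsoft 365" <no-reply@m365-notice.test>
Subject: Your mailbox is full
Content-Type: text/html; charset=utf-8

<p>Sign in to release held messages: <a href="http://m365-notice.test/signin">https://office-portal.example/</a></p>
""",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = triage(raw)
        print(f"[{name}] action: {result['action']}")
        for flag in result["flags"]:
            print("   -", flag)
```

The keyword lists are deliberately crude: the point is not to classify mail perfectly but to make sure that anything touching money, bank details or a login never gets acted on from the email itself. A message that trips the "payment" category always gets the phone-call action, whatever else it looks like, which is the one habit the post above says defeats most of these scams.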

The defences worth putting in place

Awareness matters, but it should not be your only layer. Turn on multi-factor authentication across email and key accounts. It is the closest thing to a silver bullet, because even if someone hands over a password, the attacker still cannot get in. Make sure your email platform is filtering and flagging external messages clearly, so a spoofed "internal" email is easier to catch. Keep your team briefed with a short, plain conversation about what current scams look like, rather than a once-a-year policy nobody reads. And keep solid backups, so that if something does get through, you can recover without paying anyone. The Australian Signals Directorate's Small Business Cyber Security Guide walks through these same basics in plain language, and it is a good one to hand your team.

A ten-minute starting point

Phishing works on busy people, not foolish ones. The aim is not to make your team paranoid. It is to build a couple of reflexes and a couple of safety nets so a single click cannot drain an account or hand over the keys.

Take ten minutes this week and check three things. Is multi-factor authentication on for everyone's email? Does your team know to verify payment changes by phone? And if someone did get tricked tomorrow, do you have a backup and a plan? If any of those answers is shaky, that is the gap a scammer is hoping to find. We help Perth businesses close exactly these gaps, quietly and without the jargon, so the next clever email lands and goes nowhere.

We make tech simple, contact us for expert assistance!

Need tech support, repairs, or a new website? Tech Hero is here to help. Fill out the form and get personalized support from experts you can trust.
