Cyber Security for Tradies: A No-Nonsense Guide for Australian Sole Traders
Think cyber threats only target big businesses? Australian tradies are increasingly in the crosshairs — here's what to do about it.
If you run a trade business — plumbing, electrical, building, landscaping, or anything else — you've probably never thought of yourself as a cyber security target. That's exactly what makes you one.
Cybercriminals don't just go after big corporations. They go after easy targets. And sole traders and micro-businesses often have real money flowing through their accounts, real customer data on their phones, and almost no security in place to stop anyone getting to it.
Why Tradies Are in the Crosshairs
You might think there's nothing worth stealing. But consider what you actually have:
- Customer names, addresses, and contact details
- Access to banking and payment accounts
- An ABN and business identity that can be used for fraud
- Invoices and financial records
- A business email account that can be impersonated
That's more than enough for a scammer. And because you're busy on site all day and dealing with admin in the evenings, you're more likely to click on something quickly without stopping to check if it's legitimate.
The Real Risks You Face
Invoice and payment fraud is one of the biggest threats to tradies. Scammers intercept or spoof email conversations and send fake invoices, or pose as your supplier and send updated bank account details. You pay, and the money goes straight to the scammer. Recovering it is extremely difficult.
ATO impersonation scams are rife in Australia. You'll receive an email, text, or call claiming to be from the Australian Taxation Office demanding urgent payment or threatening legal action. The goal is to panic you into paying or handing over your myGov or banking credentials.
Fake supplier or subcontractor emails are becoming more common, especially as email addresses get easier to spoof. A scammer poses as someone you do business with and requests payment, personal details, or access to your accounts.
Your banking credentials can be stolen if you click a phishing link, use the same password across multiple sites, or use a compromised Wi-Fi network. Once a criminal is in your banking app, the damage can happen fast.
The 5 Things Every Tradie Should Do
1. Turn on Multi-Factor Authentication for Email and Banking
Multi-factor authentication (MFA) means that even if someone gets your password, they still can't log in without a second code — usually sent to your phone. Turn it on for your email account first (Gmail, Outlook, or whatever you use), then for your banking app, and any accounting software like Xero or MYOB. It takes five minutes to set up and stops the vast majority of account takeover attempts.
2. Use Strong, Unique Passwords — or a Password Manager
Using the same password everywhere is like having one key for your house, your van, and your lockbox. If it gets compromised once, everything is exposed. A password manager like Bitwarden (free) or 1Password generates and stores unique passwords for every site, so you only need to remember one master password. It's simpler than it sounds and makes a huge difference.
3. Keep Your Phone and Apps Updated
Updates aren't just about new features — they fix security vulnerabilities that criminals actively exploit. Set your phone and apps to update automatically, and don't ignore those prompts when they appear. This applies to your laptop or tablet too if you use one for quoting or invoicing.
4. Back Up Your Job Records and Invoices
If ransomware hits your device — or you simply lose your phone — your business records shouldn't disappear with it. Use a cloud service like Google Drive, iCloud, or OneDrive to automatically back up photos, invoices, and job notes. Most accounting apps like Xero do this automatically, but make sure your other files are covered too.
5. Be Suspicious of Unexpected Requests
If an email or text asks you to click a link, pay an invoice, update bank details, or provide personal information — stop and verify before you act. Call the person using a number you already have (not one provided in the message). The ATO will never demand immediate payment by phone or email. Your bank will never ask for your full password or PIN. When in doubt, don't click.
Keep It Simple
You don't need to become a tech expert. You need to make yourself a harder target than the next person. The five steps above will do exactly that — and most of them are free. Start with MFA on your email today, and work through the rest when you have a spare hour. That's all it takes.
Frequently asked questions
Do I need cyber security as a sole trader?
Yes — and the risk is higher than most tradies realise. As a sole trader, you hold customer data, financial records, and access to banking and payment accounts, all of which are attractive to cybercriminals. You also typically don't have an IT team watching your back, which makes you an easier target. The good news is that basic cyber security doesn't require expert knowledge or much money — a few simple habits go a long way.
What's the most common cyber scam targeting tradies in Australia?
Invoice fraud and payment redirection scams are among the most common and most damaging for tradies. A scammer intercepts or spoofs an email conversation and sends a fake invoice — or updates your supplier's bank details — so your payment ends up in the wrong account. ATO impersonation scams are also widespread, with criminals posing as the Australian Taxation Office to demand urgent payment or personal details. Both rely on catching you off-guard when you're busy and not thinking carefully about what you're clicking.
How much does basic cyber security cost for a sole trader?
Most of the highest-impact protections cost nothing or very little. Multi-factor authentication is free on almost every platform. Password managers have free tiers (Bitwarden is completely free and excellent). Automatic updates are built into your devices. A basic cloud backup for your invoices and job records through Google Drive or OneDrive costs a few dollars a month at most. You don't need to spend hundreds on security software to get the basics right.