Email Security · 14 May 2025 · 7 min read

Phishing Attacks: How to Spot and Stop Them Before They Cost You

Learn how to recognise phishing emails, what happens when staff click malicious links, and the technical and human controls that protect Australian small businesses.


Phishing is the most common way cybercriminals break into Australian businesses. It does not require sophisticated hacking — it just requires one staff member to click the wrong link or enter their password on a fake website. In 2024, the ACSC reported that phishing and email-based attacks were the leading initial access method in cyber incidents affecting small and medium businesses. This guide explains how phishing works, how to spot it, and how to build both technical and human defences against it.

What Is Phishing — and Its Variants

Phishing is a social engineering attack delivered via email that attempts to trick the recipient into taking a harmful action — clicking a malicious link, opening an infected attachment, or handing over sensitive information.

Common variants include:

  • Spear phishing: Highly targeted phishing that uses personalised information about the victim — their name, role, recent activity, or colleagues — to appear more convincing. Often used against business owners and finance staff.
  • Smishing: Phishing via SMS. Common examples include fake parcel delivery notifications, ATO messages, and bank alerts.
  • Vishing: Voice phishing, where an attacker calls and impersonates a bank, the ATO, or a tech support service to extract information or access.
  • Business Email Compromise (BEC): A form of spear phishing where attackers impersonate a CEO, supplier, or colleague to authorise a fraudulent payment or redirect payroll.

How to Spot a Phishing Email

Traditional phishing emails were easy to spot — poor grammar, obvious spelling mistakes, generic greetings. That is changing fast. AI tools allow attackers to generate highly convincing, personalised emails at scale. However, there are still reliable signals to look for:

  • Sender mismatch: The display name says "CommBank" but the actual email address is something like noreply@commbank-secure.net. Always check the real sending address.
  • Unexpected urgency: "Your account will be suspended in 24 hours." "Immediate action required." Urgency is designed to short-circuit careful thinking.
  • Suspicious links: Hover over any link before clicking. Does the destination URL match where it claims to go? Look for subtle misspellings like paypa1.com or long, strange URLs that obscure the real domain.
  • Requests for credentials or payment: No legitimate business or government agency will ask for your password via email. Any unexpected payment request, especially one that bypasses normal processes, should be verified by phone.
  • Unexpected attachments: An invoice or document you were not expecting, especially from a new contact, should be treated with caution.
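As an added example (not code from the article), the Python below applies the checks in this list to a constructed sample email: display name versus real sending domain, urgency wording, and link domains that become a known brand once digits are swapped for letters (paypa1 for paypal). The brand list, urgency phrases and sample message are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands this business expects mail from and their real domains (constructed list).
KNOWN_BRANDS = {"commbank": "commbank.com.au", "paypal": "paypal.com"}
URGENCY = ("immediate action", "within 24 hours", "will be suspended")
# Digit-for-letter swaps commonly seen in lookalike domains (paypa1 -> paypal).
HOMOGLYPHS = str.maketrans("10345", "loeas")

def registrable_domain(host):
    # Crude eTLD+1: keep three labels for suffixes like .com.au, else two.
    parts = host.lower().split(".")
    second_level = len(parts) >= 3 and len(parts[-1]) == 2 and parts[-2] in ("com", "net", "org", "gov")
    return ".".join(parts[-3:] if second_level else parts[-2:])

def phishing_signals(raw_email):
    """Return the phishing indicators found in one raw email (headers + HTML body)."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    sender_dom = registrable_domain(addr.split("@")[-1])
    signals = []
    # 1. Display name claims a brand but the address is not on the brand's domain.
    for brand, real_dom in KNOWN_BRANDS.items():
        if brand in name.lower() and sender_dom != real_dom:
            signals.append(f"sender mismatch: '{name}' sent from {sender_dom}")
    body = msg.get_payload().lower()
    # 2. Pressure language designed to rush the reader past the checks.
    if any(phrase in body for phrase in URGENCY):
        signals.append("urgency wording")
    # 3. Link domains that turn into a known brand once digits are swapped for letters.
    for href in re.findall(r'href="([^"]+)"', body):
        dom = registrable_domain(urlparse(href).hostname or "")
        if dom not in KNOWN_BRANDS.values() and dom.translate(HOMOGLYPHS) in KNOWN_BRANDS.values():
            signals.append(f"lookalike link domain: {dom}")
    return signals

# Constructed sample message, not a real phishing email.
SAMPLE = """From: "CommBank Alerts" <noreply@commbank-secure.net>
To: finance@example.com.au
Subject: Immediate action required
Content-Type: text/html

<p>Your account will be suspended within 24 hours.</p>
<a href="https://login.paypa1.com/verify">Confirm your details</a>
"""

print(phishing_signals(SAMPLE))
```

The same function can be run over messages exported from a mailbox or a report-phishing queue to triage what staff submit.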

What Happens When You Click

The consequences of clicking a phishing link depend on what the attacker is after:

  • Credential theft: You are taken to a fake login page — a convincing copy of Microsoft 365, Xero, or your bank — and your username and password are captured the moment you type them.
  • Malware installation: The link triggers a download that installs ransomware, a keylogger, or a remote access tool on your device.
  • Business Email Compromise: The attacker accesses your email account and uses it to intercept supplier invoices, redirect payments, or impersonate you to your own staff.

In each case, the damage can be severe — financial loss, data breach, reputational harm, and regulatory obligations under Australia's Privacy Act.

Technical Controls That Reduce Phishing Risk

Email Authentication: SPF, DKIM, and DMARC

These three DNS-based standards verify that emails claiming to come from your domain are actually sent by you. Configuring SPF, DKIM, and DMARC on your domain makes it significantly harder for attackers to spoof your email address when targeting your customers or partners. Your IT provider or email host can set these up, and tools like MXToolbox can check your current configuration.
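An added example (not code from the article, and not the MXToolbox checker it mentions) that evaluates SPF and DMARC records the way such a checker would: SPF is the TXT record listing which servers may send as the domain, and DMARC is the `_dmarc` TXT record telling receivers what to do when a message fails. Live DNS is replaced by a constructed in-memory zone with hypothetical domains; the record contents and the rua address are assumptions.

```python
# Constructed TXT records for hypothetical domains, standing in for live DNS.
ZONE = {
    "good.example.com.au": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.good.example.com.au": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example.com.au"],
    "weak.example.com.au": ["v=spf1 a mx +all"],
    "_dmarc.weak.example.com.au": ["v=DMARC1; p=none"],
}

def lookup_txt(name):
    # Replace with a real TXT resolver (e.g. dnspython) for live checks.
    return ZONE.get(name, [])

def spf_findings(domain):
    """Weaknesses in the domain's SPF record (the list of servers allowed to send as it)."""
    records = [r for r in lookup_txt(domain) if r.lower().startswith("v=spf1")]
    if not records:
        return ["SPF: no record, so any server can send mail as this domain"]
    if len(records) > 1:
        return ["SPF: more than one record is a permanent error; receivers ignore SPF"]
    last = records[0].split()[-1].lower()
    if last in ("+all", "all"):
        return ["SPF: '+all' authorises every sender, equivalent to no SPF"]
    if last == "?all":
        return ["SPF: '?all' is neutral, so forged mail is not marked as failing"]
    if not last.endswith("all") and not last.startswith("redirect="):
        return ["SPF: no 'all' mechanism, so unlisted senders get a neutral result"]
    return []  # -all or ~all: forged mail fails SPF, which DMARC can act on

def dmarc_findings(domain):
    """Weaknesses in the DMARC policy that tells receivers what to do with failures."""
    records = [r for r in lookup_txt("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not records:
        return ["DMARC: no record, so receivers will not reject spoofed mail"]
    tags = dict(t.strip().split("=", 1) for t in records[0].split(";") if "=" in t)
    findings = []
    if tags.get("p", "none").lower() == "none":
        findings.append("DMARC: p=none only monitors; move to quarantine or reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no spoofing reports")
    return findings

def assess(domain):
    """All anti-spoofing weaknesses for one domain; an empty list means SPF and DMARC are sound."""
    return spf_findings(domain) + dmarc_findings(domain)

for d in ("good.example.com.au", "weak.example.com.au"):
    print(d, assess(d) or ["no issues found"])
```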

Spam and Phishing Filters

Microsoft 365 and Google Workspace both include built-in anti-phishing protections. Enable the advanced threat protection settings — these use machine learning to flag suspicious emails, impersonation attempts, and malicious attachments. Third-party email security gateways like Proofpoint or Mimecast offer additional protection for higher-risk environments.

Multi-Factor Authentication

MFA is your single most important backstop against phishing. Even if an attacker successfully steals a staff member's password, they cannot access the account without the second factor. Enable MFA on your email, banking, accounting software, and any other critical system — no exceptions.

Human Controls: Building a Phishing-Resistant Culture

Technology alone cannot stop phishing. The human layer matters just as much.

  • Regular training: Run short, practical phishing awareness sessions with staff. Platforms like KnowBe4 or Proofpoint Security Awareness allow you to send simulated phishing emails and track who clicks.
  • Report-phishing button: Make it easy for staff to report suspicious emails with one click. Microsoft 365 and Google Workspace both support this natively. Reporting builds organisational awareness and helps filters improve.
  • Pause and verify culture: Encourage staff to pause before acting on any unexpected request, especially those involving money or credentials. A quick phone call to verify an unexpected invoice or payment change request can save tens of thousands of dollars.

Phishing works because it exploits trust and urgency. Building a culture where it is normal — even encouraged — to slow down and verify unusual requests is one of the most effective defences a small business can develop.


Frequently asked questions

How can I tell if an email is a phishing attempt?

Look for a mismatch between the sender's display name and the actual email address — hover over the sender to check. Be suspicious of unexpected urgency, requests to click a link or open an attachment, and any request for passwords, payment details, or sensitive information via email. Check links before clicking by hovering over them to see the real destination URL. That said, AI-generated phishing emails are increasingly convincing and may have no obvious grammar or spelling errors, so when in doubt, contact the supposed sender directly through a known phone number or in person.

What should I do if a staff member clicks a phishing link?

Act quickly but do not panic. First, disconnect the affected device from the internet and your business network to limit any potential spread of malware. Change the password for any accounts that may have been compromised, starting with email and banking. Enable or verify that multi-factor authentication is active on those accounts. Report the incident to the ACSC via ReportCyber and, if financial details were involved, contact your bank immediately. Run a malware scan on the affected device before reconnecting it to the network.

Can phishing emails bypass spam filters?

Yes, sophisticated phishing emails can and do bypass spam filters, particularly when they are sent from legitimate compromised accounts or use novel techniques that have not yet been flagged. This is why technical controls like spam filters are necessary but not sufficient on their own. Multi-factor authentication acts as a critical backstop — even if an attacker steals a password through phishing, MFA prevents them from accessing the account. Regular staff training ensures that people remain alert even when a phishing email lands in the inbox.

Tags

phishing, email security, small business, staff training, cyber awareness