Beyond Spam: The Rise of Sophisticated Phishing Attacks in Australia

Attackers rely on the trust currency of corporate email to launch highly personalised phishing attacks. Luckily, a revolution in email security means humans are no longer the last line of defence.
April 8, 2025

There’s a stark difference between email security 25 years ago and today.

Back then, the biggest threat came from mass mailing worms like MyDoom—the fastest-spreading email worm in history. At its peak, MyDoom accounted for 1 in 5 global email messages, infecting an estimated 50 million computers. It slowed internet traffic and caused widespread disruption, but worms like this were more about notoriety than financial gain—simpler times.

Then came spam, endless commercial pitches clogging inboxes. Over time, spam became scams (Greetings from Nigeria!) which, despite their absurdity and promised millions, kept improving until email moved to the cloud. But as email matured, so did the attacks. What started as noisy, low-effort disruption has evolved into silent, strategic exploitation. Today, phishing is personal, persuasive, and powered by AI—and most legacy defences aren’t built to stop it.

The Modern Phishing Landscape

Cloud adoption encouraged threat actors to shift focus, from simple scams to more sophisticated account takeovers. By exploiting usernames and passwords, they can read emails and create well-researched, well-timed, money-extracting campaigns. Imagine you're buying a house. An attacker with access to your inbox watches the process unfold—spots your solicitor, flags your bank, and tracks the timeline. Then, just as you're expecting the next steps, they send a perfectly timed, perfectly crafted message requesting a wire transfer. It looks real because it fits the moment. And that’s when people are most vulnerable—when everything feels exactly as it should.

Today, we’re in a threat actor’s paradise. The triple-threat megatrends of cloud adoption, remote working, and generative AI have made it easier for bad actors to launch convincing phishing campaigns at scale. It’s now 50 times cheaper to create a five times more convincing email, and three times the volume of these phishing attacks are bypassing legacy defences.

What worked in the past no longer works now. So, how can organisations defend against current threats?

Why Your Employees Are Still the Weakest Link

All businesses have humans working for them, and humans are fallible. For years, companies have poured millions into training employees to spot phishing attempts, hoping to turn awareness into defence.

But when training is your frontline strategy, you’re putting the burden on humans to distinguish real from fake in a split second. It’s like asking a goalkeeper to save 60 perfectly placed shots in a row—the odds just aren’t in their favour.

To fully understand what your people are up against, Influence by Robert Cialdini is worth a read. Cialdini, a Professor of Psychology and Marketing at Arizona State University, says human behaviour is driven by six core principles: authority, reciprocity, commitment, consensus, liking, and scarcity. Email attackers tap into all of these principles—but lean heavily on authority and scarcity to drive action before logic kicks in.

Phishing emails exploit the principle of time scarcity by creating a false sense of urgency. Subject lines like “Final Warning” or “Immediate Action Required” are designed to trigger snap decisions. This tactic is most effective on a Monday morning, when people are rushing through a weekend backlog, or late afternoon on a Friday, when they’re trying to clear their desks for the weekend.

Meanwhile, the principle of authority plays on our trust and respect for hierarchy. When a message appears to come from someone senior—your manager, an important client, or a department head—it’s far more persuasive. Ignoring it feels insubordinate, and since emails from higher-ups are routine, there’s little reason to suspect one might be laced with malicious intent.

Bad actors rely on the trust currency of corporate email. That’s why they’ve shifted from system vulnerabilities to targeting the flesh-and-blood human behind the screen.

AI Casts a More Convincing Hook

Social engineering is nothing new, of course. Romance scams have been around for years, and people are still falling for those Nigerian Prince emails, despite them becoming a meme.

But just as the average person was getting ahead of these scams, actors gained a powerful new tool: generative AI. Spelling mistakes, grammatical errors, and fake email addresses have long been characteristics of a phishing attack. But when AI steers the ship, phishing emails lose all the telltale signs we train users to watch out for. Now fake bank login pages are so true to form that even experts struggle to immediately tell them apart from the real thing. And if experts can’t spot a phishing email, then regular employees don’t stand a chance.

Recently, cybercriminals managed to compromise the email of an Australian business in liquidation. By monitoring its communications, they identified a relationship between a liquidator, a banker, and a lawyer and learned that nearly a million dollars was held in trust. The actors then targeted the law firm with a fake email string—the liquidator requesting release of the funds, the banker approving it, and so on. Every detail, from the email addresses to language, tone, and content, was meticulously crafted. The emails were so convincing that a senior partner nearly authorised the transfer.

This is today’s innovation. AI algorithms can analyse vast amounts of data to mimic legitimate communication styles and content. And they can do in minutes what would once have taken hackers months of dedicated research.

The Business of Phishing

Just three years ago, attackers needed a certain level of skill to execute a phishing attack, which naturally limited their volume. Now, thousands of unskilled hackers can attack your organisation with just an internet connection and a cheap AI toolkit. There’s even hacker user support available, similar to what you’d expect from a Salesforce or MailChimp subscription.

Phishing-as-a-Service (PhaaS) kits equip malicious actors with everything they need: instructions, infrastructure, email templates, landing pages, code, dashboards, and even technical support. With just a few clicks, rookie hackers can operate like seasoned cybercriminals. Just as no-code platforms enable new programmers to build apps, PhaaS enables inexperienced threat actors to deploy convincing, large-scale phishing campaigns. And with pre-designed templates and infrastructure already set up, hackers can easily replicate successful attacks and target multiple organisations at once.

State-sponsored actors are capitalising on this commoditisation of phishing kits. In one emerging tactic, North Korean operatives secured remote roles at major companies—sometimes even receiving corporate laptops, shipped directly to what appeared to be legitimate employees. Instead, the devices ended up in coordinated laptop farms, where attackers used them to access internal systems and launch further attacks.

A Rapidly Escalating Threat

The Australian Cyber Security Centre receives a threat report every six minutes, but since many incidents go unreported, the real figure is likely closer to one incident per minute. The most common threats—email account takeover, email fraud, and online banking fraud—are deeply interconnected. Account takeover is often just the beginning. Once inside a victim’s email, attackers take time to research their target before moving in one of two directions.

They either commit email fraud targeting internal staff or external partners for wire transfers, or they launch a lateral phishing attack to compromise additional employee accounts. Lateral phishing is particularly damaging. Instead of a single compromised account, organisations can end up with thousands. The cleanup is intensive, time-consuming, and costly.

So, how bad could it get? The short answer: worse—if we continue relying on legacy defences. Most Australian organisations still depend on secure email gateways (SEGs) designed two decades ago, bolstered only by user training. But today’s phishing attacks are powered by generative AI—technology that easily bypasses those outdated protections.

The good news is that we also have better locks. AI isn’t only in the hands of bad actors. AI-native email security platforms now give defenders the upper hand. These systems can detect and block business email compromise attacks that slip past traditional tools—providing the next generation of protection for the next generation of threats.

Protect Your Business From AI-Powered Phishing

Good AI, like Abnormal’s solution, uses behavioural analysis to define what “normal” looks like for your company. It analyses millions of data points to spot patterns that humans miss. Once it establishes a baseline of human behaviour, the system can spot anomalies and piece them together with high accuracy—like an invoice arriving for newly introduced software, or a message from an Australian sender suddenly originating in Russia—and block them before they reach employees’ inboxes. Users don’t see the email, so they don’t have to make repeated “goalie” saves bailing out their limited IT defences. It also prevents security teams from being flooded with alerts, saving hundreds of hours each week for large enterprises.
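To make the baseline-and-anomaly idea concrete, here is a small added Python illustration. It is not Abnormal’s code and does not describe its model; it simply learns, per sender, which origin countries, display names and payment behaviour have been seen in known-good history, then scores new messages by combining behavioural anomalies with the urgency language discussed earlier. The sender addresses, countries, weights and thresholds are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Email:
    sender: str            # From address
    display_name: str      # From header display name
    origin_country: str    # country of the originating IP (assumed already resolved upstream)
    subject: str
    payment_request: bool  # body asks for a transfer or carries an invoice


# Scarcity cues from the article; matched case-insensitively against the subject.
URGENCY_PHRASES = ("final warning", "immediate action required", "urgent")

# Illustrative weights and threshold, not a tuned model.
WEIGHTS = {
    "first-seen sender": 1,
    "origin country never seen for this sender": 2,
    "display name differs from history": 2,
    "payment request from a sender with no payment history": 2,
    "payment request from a first-seen sender": 2,
    "urgency language in subject": 1,
}
BLOCK_THRESHOLD = 3


def build_baseline(history):
    """Learn a per-sender profile (countries, display names, payment count) from known-good mail."""
    baseline = {}
    for e in history:
        p = baseline.setdefault(e.sender, {"countries": set(), "names": set(), "payments": 0})
        p["countries"].add(e.origin_country)
        p["names"].add(e.display_name)
        if e.payment_request:
            p["payments"] += 1
    return baseline


def anomalies(email, baseline):
    """Return the list of anomaly labels that apply to one message."""
    found = []
    p = baseline.get(email.sender)
    if p is None:
        found.append("first-seen sender")
        if email.payment_request:
            found.append("payment request from a first-seen sender")
    else:
        if email.origin_country not in p["countries"]:
            found.append("origin country never seen for this sender")
        if email.display_name not in p["names"]:
            found.append("display name differs from history")
        if email.payment_request and p["payments"] == 0:
            found.append("payment request from a sender with no payment history")
    subject = email.subject.lower()
    if any(phrase in subject for phrase in URGENCY_PHRASES):
        found.append("urgency language in subject")
    return found


def verdict(email, baseline):
    """Combine anomalies into allow / review / block so a single weak signal never blocks on its own."""
    found = anomalies(email, baseline)
    score = sum(WEIGHTS[r] for r in found)
    if score >= BLOCK_THRESHOLD:
        return "block", found
    if score > 0:
        return "review", found
    return "allow", found


# Constructed known-good history (hypothetical domains and names).
HISTORY = [
    Email("accounts@example-solicitor.test", "Jane Lee, Example Solicitors", "AU", "Settlement statement", True),
    Email("accounts@example-solicitor.test", "Jane Lee, Example Solicitors", "AU", "Contract signed", False),
    Email("it@example-corp.test", "Example IT", "AU", "Password rotation reminder", False),
    Email("it@example-corp.test", "Example IT", "AU", "Maintenance window", False),
]
BASELINE = build_baseline(HISTORY)

# Constructed incoming messages to score against the baseline.
SAMPLES = {
    "solicitor_from_russia": Email("accounts@example-solicitor.test", "Jane Lee, Example Solicitors", "RU",
                                   "Immediate Action Required: release settlement funds", True),
    "solicitor_normal": Email("accounts@example-solicitor.test", "Jane Lee, Example Solicitors", "AU",
                              "Settlement statement", True),
    "it_sends_invoice": Email("it@example-corp.test", "Example IT", "AU",
                              "Invoice for new software licence", True),
    "lookalike_ceo": Email("ceo@example-corp-lookalike.test", "Sam Chen, CEO", "AU",
                           "URGENT: wire needed today", True),
}

if __name__ == "__main__":
    for name, e in SAMPLES.items():
        decision, why = verdict(e, BASELINE)
        print(f"{name}: {decision} {why}")
```

The point of the weighting is the one the article makes: a known solicitor asking for settlement funds is normal, but the same request arriving from a country never associated with that sender, dressed in urgency language, crosses the threshold, while an IT mailbox that has never billed anyone suddenly sending an invoice is routed to review rather than silently delivered.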

Aviation, finance, legal, and healthcare have been Australia’s early adopters of this new security, which isn’t surprising. The stakes are high in those industries, and they cannot afford the business disruption or data loss.

In the end, bad actors don’t care what industry they target; they go wherever they can make money. With Abnormal, you firmly shut the door on AI-generated phishing emails, meaning scammers move on to an easier target. That’s a win for your business—and a relief for the hardworking, trusting, but ultimately fallible humans working for it.

Interested in learning more about how Abnormal can protect your organisation from advanced threats? Schedule a demo today!
