Technology Update



Phishing in 2026: How It Has Changed and Why It Still Affects Australian Businesses

Harvey Norman Technology for Business

What is phishing?

Phishing is when scammers pretend to be someone you trust, like a supplier, a customer, your bank, or even a colleague, to trick you into clicking a link, scanning a QR code, opening a file, or entering your login details.

In 2024–25, the Australian Cyber Security Centre received more than 84,700 cybercrime reports, or around one every six minutes. For businesses, many of the most common incidents involved email compromise and identity fraud, outcomes that often begin with phishing. The Australian Signals Directorate’s 2024–25 Cyber Threat Report found that phishing was involved in 38 per cent of reported cyber incidents.

Scammers have always relied on tricking people, but AI has made it quicker, more convincing and easier to roll out to large numbers of businesses at once. We’re still taught to watch for pressure and urgency, and that advice matters, but phishing has changed in 2026. Urgency is still common, especially around payments and accounts, yet many attacks now arrive quietly and look like everyday business messages. That’s what makes modern phishing harder to spot and easier to miss.

When Fake Messages Look Like Real Work

Phishing often looks like routine business. It arrives as invoice notices, shared documents, payment confirmations, calendar invites or “quick follow-ups”, the same messages teams handle every day.

Instead of pushing for immediate action, many phishing attempts are written to feel like part of normal work. They reference real suppliers, familiar brands, or everyday processes. When teams are juggling email, portals, messages and notifications, these are easy to trust and easy to click. Instead of trying to stand out, phishing has evolved and is now designed to blend in.

Timing the pattern of business life

Phishing tends to spike when businesses are busiest, like the end of financial year, seasonal peaks, or heavy billing cycles, when inboxes are full and attention is stretched.

Attackers time messages for those moments because people are moving faster, approvals happen quicker, and “normal” requests get processed without a second look. When it fits the pattern of a busy week, phishing becomes background noise, which is exactly why it works.

Personalising false communications

Another change is how personal phishing now feels. Messages may include real names, roles, or references to known suppliers and can appear to come from trusted contacts like accountants, logistics providers, or business partners. This familiarity lowers suspicion. If it looks like an existing relationship, it feels safe even when the request isn’t. Modern phishing relies less on obvious tricks and more on imitation, copying the way real businesses communicate.

How AI is changing phishing

AI hasn’t made phishing more technical; it’s made it more convincing. Attackers can now produce clear, well-written messages quickly, in a tone that sounds like normal business communication. This means fewer spelling mistakes, fewer awkward requests, and more “business-as-usual” language. Many phishing messages now read like a normal email you’d receive, which is why they are harder to spot.

Beyond the email inbox

Email is still common, but phishing now shows up in text messages, shared documents, calendar invites, online forms, websites, messaging platforms and QR codes in workplaces.

That matters because people don’t just work in one place anymore. We move between devices, apps and approvals all day. A “document share” notification or “delivery update” can slip into the flow of work without raising suspicion.

When phishing appears everywhere normal communication happens, awareness alone isn’t enough; prevention is critical.

The long-game approach

Not all phishing is immediate. Some attacks build familiarity first, starting with low-risk messages that don’t ask for anything at all. Later messages then feel like a natural continuation of that conversation. This mirrors how real business relationships develop, instead of relying on a quick mistake.

A simple scenario

It’s a busy mid-week morning for an employee who is processing invoices and replying to customers. An email arrives that looks like a routine document share from a known supplier. It references a real and ongoing project and doesn’t look urgent. The employee clicks on it and nothing happens. Later, however, a shared system stops working and staff notice strange behaviour. Work slows, customers are impacted, and there’s no immediate cause.

This is how phishing often hits small and mid-sized businesses: there is no dramatic start, and today the focus is on messages and mediums that look ordinary and mundane.

Working to prevent phishing with a TSSP

In situations like this, working with a Technology Services and Security Provider (TSSP) can make a real difference through prevention.

Instead of relying on people to spot everything, a TSSP helps put the right controls around the IT environment so phishing attempts are less likely to land in email inboxes, less likely to succeed, and less likely to turn into wider disruption.

Phishing still works because it blends into the normal pace of small business life. Messages often look routine, such as invoices, shared files, payment follow-ups or supplier requests, and arrive when teams are busy and moving quickly. There’s rarely time to stop and second-guess every email. When businesses underestimate the risk or aren’t confident about how to respond, phishing has exactly the opening it needs.

How the Essential Eight Fits In

The Essential Eight is a practical cyber security framework created by the Australian Cyber Security Centre (ACSC) to help businesses stay protected. It’s based on proven strategies that significantly reduce cyber risk and limit the damage if an attack occurs, and it is widely used as a benchmark for good cyber security in Australia.

How we help

At Harvey Norman Technology for Business, we focus on keeping your IT environment secure, whether you’re a sole trader or a multi-site business.

Our approach is prevention-first, including:

  • Advanced email protection to reduce what reaches inboxes in the first place
  • Restricted administrative privileges to limit what a compromised account can do
  • Proactive monitoring and maintenance to reduce risk and downtime

Prevention is far more valuable than chasing problems after the fact, especially when outcomes are never guaranteed.

A Practical Awareness Check

Phishing is harder to spot because so many messages look normal. Instead of judging emails on appearance, use this quick check:

What is this message asking me to do and what happens if I do it?

Pay extra attention when a message asks for:

  • a login (especially via a link or QR code)
  • a payment or change to payment details
  • an attachment or file you weren’t expecting
  • an approval outside your normal process
  • a new “sign in to view” step for something you already access regularly, especially when it is unexpected and asks you to click on a link

If it involves money, access, or credentials, slow down and verify by contacting the company you regularly do business with.

Final takeaway

Phishing has changed, but the goal hasn’t. It still relies on trust, familiarity and timing; it just looks more like everyday work now. The practical response is also clear. Awareness matters, but prevention controls matter more.

Contact us today and book an appointment with our expert team to learn more about how we can support your business.