Cyber scammers refine phishing tactics with AI - Gallagher

60% of incidents now target employee behaviour

Insurance News

Cybercriminals are getting better at blending psychology and technology, with modern phishing attacks built around a simple pattern: a hook, a message that pushes action, and, increasingly, the use of artificial intelligence to make everything look real, according to Gallagher.

The attacks are also becoming more costly for Australian businesses. Reported cybercrime costs rose by 50% in 2024–2025, with small businesses losing an average of $56,600 per incident and large organisations facing about $202,700 in losses.

Human behaviour sits at the centre of this shift. A separate report from Gallagher noted that 37% of data breaches in Australia involve human error, while phishing remains the leading cause of malicious or criminal attacks. A cyber incident is reported every six minutes.

Phishing alone accounts for around 60% of reported incidents. Gallagher said many attacks now rely on how people respond rather than on system weaknesses, often targeting staff through links, login requests, or urgent messages.

The first step is the hook. Attackers copy trusted sources such as banks, government agencies, or senior executives, using messages that create urgency or pressure so recipients act quickly without checking.

Once someone engages, the attack moves into a more technical phase. Gallagher said tactics include fake sender names, misleading links, and QR codes that bypass email filters. More advanced methods use cloned login pages to capture credentials and authentication codes in real time. These tactics were linked to about three-quarters of business email compromise cases in 2025.

Artificial intelligence is adding another layer. Gallagher said attackers can now write polished, error-free emails and use public data to tailor messages that look legitimate. Some scams also use AI-generated voice messages to impersonate executives and request urgent payments.

Cyberattack entry points

Beyond phishing, Gallagher said other entry points include credential theft, unauthorised access, and the use of personal devices or unapproved software for work tasks. Weak access controls, outdated systems, and password reuse also increase exposure, especially in hybrid or flexible work setups.

Simple checks can still stop many of these attacks. Gallagher said employees should verify unusual requests, check email addresses carefully, and confirm payment instructions through known contacts. Limiting access and using multi-factor authentication can also reduce the impact if accounts are compromised.
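The two tells named in the paragraphs above (a sender whose display name claims authority while the actual address belongs to a different domain, and a link whose visible text points somewhere other than its real target) can be checked mechanically before a message ever reaches a busy employee. The following script is an added example, not code from the article or from Gallagher; the sample messages, the `TRUSTED_DOMAINS` set and the authority/urgency word lists are constructed assumptions that an organisation would replace with its own.

```python
"""Heuristic phishing tells: display-name/domain mismatch, link text whose host
differs from the real href, and urgency words in the subject. Added example;
every message and domain list below is constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample that shows all three tells at once (not from the article).
SUSPICIOUS_EMAIL = """\
From: "Jane Doe (CEO)" <jane.doe@ceo-mail-example.net>
To: accounts@example.com
Subject: Urgent payment needed today
Content-Type: text/html

<p>Please process this transfer now.</p>
<p>Confirm here: <a href="http://login.example-verify.net/auth">https://portal.example.com/login</a></p>
"""

# Constructed benign sample: same organisation, consistent sender and link.
BENIGN_EMAIL = """\
From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Agenda for Thursday
Content-Type: text/html

<p>Slides are on the intranet: <a href="https://portal.example.com/agenda">https://portal.example.com/agenda</a></p>
"""

# Assumed: domains the organisation treats as its own or as known senders.
TRUSTED_DOMAINS = {"example.com"}
AUTHORITY_RE = re.compile(r"\b(ceo|cfo|director|bank|support)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent|immediately|today|now)\b", re.I)
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def sender_domain(msg):
    """Domain of the real address in the From header, lowercased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def display_name_mismatch(msg):
    """True when the display name carries an authority cue but the actual
    address is outside the trusted domains (the 'fake sender name' tell)."""
    name, _ = parseaddr(msg.get("From", ""))
    return bool(AUTHORITY_RE.search(name)) and sender_domain(msg) not in TRUSTED_DOMAINS


def mismatched_links(html):
    """(visible_text, real_href) pairs where the text looks like a URL but its
    host differs from the host the link really points at."""
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        text = re.sub(r"<[^>]+>", "", text).strip()  # strip inner tags
        if not re.match(r"https?://", text, re.I):
            continue  # plain words as link text are not a mismatch by themselves
        if urlparse(text).hostname != urlparse(href).hostname:
            findings.append((text, href))
    return findings


def body_text(msg):
    """Concatenate text parts; handles both single-part and multipart mail."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type().startswith("text/"))


def assess(raw):
    """Run the three checks over one raw RFC 822 message and summarise."""
    msg = message_from_string(raw)
    result = {
        "display_name_mismatch": display_name_mismatch(msg),
        "mismatched_links": mismatched_links(body_text(msg)),
        "urgency_cues": URGENCY_RE.findall(msg.get("Subject", "")),
    }
    # Urgency alone is normal business language; it only counts when it
    # accompanies a sender or link inconsistency.
    result["suspicious"] = result["display_name_mismatch"] or bool(result["mismatched_links"])
    return result


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, assess(raw))
```

The verdict deliberately ignores urgency words on their own: a subject line saying "today" is ordinary, and treating it as a signal would drown the mailbox in false positives. What makes the first sample suspicious is the combination of an executive title on an address from an unrelated domain and a link whose displayed URL does not match its target; those are exactly the things the article asks employees to check by hand, and running them automatically on inbound mail gives staff a flag before the pressure to act kicks in.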

Gallagher highlighted that training needs to be practical and ongoing, using real examples instead of one-off sessions. It also said incident response planning is critical, as the first 48 hours after a breach often determine how much damage can be contained.

“A trained employee who stops to verify an unexpected email, checks a sender's address, or questions an urgent payment request can block an attack before it reaches your systems,” it said. “Your staff form the first line of human defence against phishing-led incidents.”
