
The cost of cybercrime for Australian businesses is surging, and the human factor accounts for more than half of reported breaches. This is an area of cyber defence that every business can tackle proactively. In 2024-2025, the cost of cybercrime reported by Australian businesses rose by 50%. The rapidly evolving cyber risk landscape poses significant financial challenges: small businesses lose an average of $56,600 per cyber incident, while large corporations incur an average of $202,700 per incident.

The Australian Signals Directorate (ASD), the government agency that publishes Australia's national cyber threat report, reports that phishing continues to account for around 60% of all reported incidents.[1]

Consequently, it is crucial to educate employees to identify scam emails and messages so they can stop them before any harm is done.

How phishing works and scammers' tactics

Modern phishing has evolved from generic spam into a calculated form of 'human hacking' in which attackers exploit weaknesses in human nature. The shift from a scattergun approach to targeted, sophisticated social engineering makes scams much harder to spot.

By masquerading as trusted entities, such as banks, government agencies or internal executives, scammers create a digital disguise that is difficult to recognise. Most phishing attacks are two-pronged: a psychological hook that grabs the victim's attention and clouds their judgement, followed by a technical deception.

Scammers rely on three psychological levers to cloud a staff member's judgement:

  1. Creating a sense of urgency, e.g., "Your account will be suspended in 2 hours."
  2. Commanding from a position of authority, e.g., "I'm in a meeting and need this invoice paid immediately — don't call me."
  3. Creating fear or curiosity, e.g., "Unauthorised login detected from overseas. Click here to secure your account."

Once the psychological hook is set, attackers employ technical tricks such as:

  • Display-name spoofing, where the sender appears as 'Microsoft Security', but the address behind the name (shown by hovering over or tapping the sender) is something like support@micros0ft-updates.com.
  • Hyperlink deception, where the visible link text and the real destination differ. Scammers use look-alike domains, a trusted brand name buried inside a longer hostname, or long strings of random characters to hide the true destination. The actual URL becomes visible by hovering over a link (or long-pressing on mobile).
  • Quishing (QR code phishing), where the malicious link is embedded in a QR code image rather than as text, so email filters that scan text-based links never see it, and the victim typically opens it on a personal phone outside corporate controls.
  • MFA bypassing, where an adversary-in-the-middle (AiTM) attack places a reverse proxy between the victim and the real login page. The page the victim sees is the genuine one, relayed through the attacker's domain, so the password and the one-time multi-factor authentication (MFA) code are forwarded to the real site in real time and the attacker keeps the session cookie it issues, bypassing code-based MFA entirely. Phishing-resistant MFA (FIDO2 security keys or passkeys) is not affected, because the credential is bound to the genuine site's origin.
Cyberattackers increasingly use artificial intelligence (AI) to craft near-perfect replicas of official communications. For example, cybercriminals use AI to eliminate the 'poor spelling' red flag, drafting linguistically perfect scams.

There is also a rise in:

  • Hyper-personalised spear phishing attacks that use scraped LinkedIn data to mimic your actual colleagues or vendors.
  • Adversary-in-the-middle (AiTM) attacks that bypass code-based MFA by proxying the login through a highly convincing fake page and capturing the authenticated session. Approximately three out of four BEC attacks in 2025 involved AiTM tactics.[2]
  • Deepfake vishing, where scammers use AI-generated voice notes or calls to impersonate executives requesting urgent 'emergency' payments.
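The two AiTM bullets above describe the attack in outline. The following added example (not code from Gallagher or the cited reports) simulates it end to end: a real login site, a reverse-proxy phishing page on a look-alike domain, and a victim who completes login through the proxy. It goes one step beyond the text to show why the same attack fails against phishing-resistant MFA: a FIDO2 security key or passkey signs over the origin the browser actually visited, so an assertion produced on the look-alike domain is rejected by the real site. The origins, user, password, TOTP seed and timestamp are constructed for the demo, and the 'signature' is an HMAC stand-in for the authenticator's asymmetric signature.

```python
"""AiTM phishing versus code-based and origin-bound MFA. Added example, not code
from Gallagher or the cited reports: sites, user, secret, timestamp and the
look-alike domain are constructed; sign() is an HMAC stand-in for a WebAuthn
assertion. The real site is identical in both flows; only the signed origin differs."""
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://login.example.com"    # the genuine site
PROXY_ORIGIN = "https://login-example.com"   # look-alike domain the lure points at


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP over SHA-1, standing in for the victim's authenticator app."""
    mac = hmac.new(secret, struct.pack(">Q", at_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def sign(key, challenge, origin):
    """Stand-in for a WebAuthn assertion: the browser's origin is part of the signed data."""
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class RealSite:
    def __init__(self):
        self.users = {"jane": {"password": "correct horse battery", "totp_secret": b"12345678901234567890",
                               "fido_key": secrets.token_bytes(32)}}
        self.sessions, self.challenges = {}, {}

    def _issue_session(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def login_totp(self, user, password, code, now):
        u = self.users.get(user)
        ok = u and password == u["password"] and hmac.compare_digest(code, totp(u["totp_secret"], now))
        return self._issue_session(user) if ok else None

    def fido_challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def login_fido(self, user, assertion):
        u = self.users.get(user)
        if not u or assertion["challenge"] != self.challenges.pop(user, None):
            return None
        if assertion["origin"] != REAL_ORIGIN:    # origin binding: the check a proxy cannot pass
            return None
        expected = sign(u["fido_key"], assertion["challenge"], assertion["origin"])
        return self._issue_session(user) if hmac.compare_digest(assertion["signature"], expected) else None

    def whoami(self, cookie):
        return self.sessions.get(cookie)


class AitmProxy:
    """Reverse proxy served from PROXY_ORIGIN; every submission is relayed to the real site."""
    def __init__(self, real_site):
        self.real, self.stolen_cookies = real_site, []

    def relay_totp(self, user, password, code, now):
        cookie = self.real.login_totp(user, password, code, now)   # the code is still fresh
        if cookie:
            self.stolen_cookies.append(cookie)   # attacker now holds an authenticated session
        return cookie

    def relay_fido(self, user, victim_authenticator):
        challenge = self.real.fido_challenge(user)   # genuine challenge, fetched by the proxy
        # The victim's browser is on PROXY_ORIGIN, so that is the origin the authenticator signs.
        assertion = victim_authenticator(challenge, PROXY_ORIGIN)
        cookie = self.real.login_fido(user, assertion)
        if cookie:
            self.stolen_cookies.append(cookie)
        return cookie


def run_scenarios(now=1_700_000_000):
    """Drive the three flows and report whether the attacker ends up with a session."""
    site = RealSite()
    proxy = AitmProxy(site)
    jane = site.users["jane"]

    def jane_authenticator(challenge, origin):   # her security key or passkey
        return {"challenge": challenge, "origin": origin,
                "signature": sign(jane["fido_key"], challenge, origin)}

    code = totp(jane["totp_secret"], now)        # read off her phone, typed into the lure
    via_proxy_totp = proxy.relay_totp("jane", jane["password"], code, now)
    via_proxy_fido = proxy.relay_fido("jane", jane_authenticator)
    direct_fido = site.login_fido("jane", jane_authenticator(site.fido_challenge("jane"), REAL_ORIGIN))
    return {"totp_session_stolen": site.whoami(via_proxy_totp) == "jane",
            "fido_session_stolen": via_proxy_fido is not None,
            "fido_direct_login_ok": site.whoami(direct_fido) == "jane"}


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario}: {outcome}")
```

Note that the proxy never needs to crack anything: the victim's password and code are correct, and the real site accepts them because they arrive within the 30-second TOTP window. What the proxy walks away with is the session cookie, which is why post-login controls (conditional access on device and location, short session lifetimes, token binding) matter as much as the login itself. In the FIDO2 flow the same proxy fails at the origin check, which a real WebAuthn relying party performs on the clientDataJSON before it ever verifies the signature.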

Build human cyber defences against phishing attacks

Phishing succeeds because it exploits human factors like trust and urgency. Strengthening your human defences is one of the most effective ways to reduce this risk.

A trained employee who stops to verify an unexpected email, checks a sender's address, or questions an urgent payment request can block an attack before it reaches your systems. Your staff form the first line of human defence against phishing‑led incidents.

Training should go beyond generic modules. Keep it practical and relatable. Use real examples from your industry so employees recognise how phishing works and how easily attackers manipulate human behaviour.

Quick tips to help employees spot phishing risks

Action | What to look for
Check the sender | Does the 'From' name match the actual email address, and does any Reply-To address belong to the same organisation? Scammers often use ceo@company-updates.com instead of ceo@company.com.
Link validation | Hover your mouse over any button or link (or long-press on mobile). Does the URL look legitimate, or is it a look-alike domain or a string of random characters?
Verify | If a request involves money or sensitive data, call the person on a known number (not the one provided in the email) to confirm.
Report | Encourage staff to report suspicious emails to IT immediately. It is better to report a false alarm than to ignore a real breach.
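The checks in the table are things a trained employee does by eye. The added example below (not Gallagher's code) automates the first two of them for a mail gateway or a SOC triage script: it parses a raw email, tests whether the sender domain is a look-alike of a trusted one (homoglyphs such as micros0ft, a brand glued on with hyphens, or a trusted domain buried inside a longer hostname), flags a Reply-To that points elsewhere, compares each link's visible text with its real destination, and scans for the urgency cues described earlier. The allow-list of trusted domains and the sample email are constructed for the demo.

```python
"""Triage checks that automate the 'check the sender' and 'validate links' advice:
look-alike sender domains, Reply-To redirection, link text that disagrees with its
destination, and urgency cues. Added example, not Gallagher's code; the allow-list
and the sample email are constructed for the demo."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: domains the organisation and its vendors really send from.
TRUSTED_DOMAINS = {"company.com", "microsoft.com"}
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})   # micros0ft -> microsoft
URL_LIKE = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?$", re.I)
URGENCY = re.compile(r"\b(immediately|urgent|suspended|within \d+ hours?|in \d+ hours?|don'?t call)\b", re.I)


def registrable(host):
    """Last two labels of a hostname (simplification: no public suffix list offline)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def lookalike_of(host):
    """Return the trusted domain that `host` imitates, or None if genuine or unrelated."""
    host = host.lower()
    base = registrable(host)
    if base in TRUSTED_DOMAINS:
        return None                                   # the real thing, or a subdomain of it
    label = base.split(".")[0].replace("rn", "m").translate(HOMOGLYPHS)
    for trusted in TRUSTED_DOMAINS:
        # brand glued on with hyphens/homoglyphs (micros0ft-updates.com), or the trusted
        # domain buried inside a longer hostname (login.microsoft.com.evil-cdn.net)
        if trusted.split(".")[0] in label.split("-") or trusted in host:
            return trusted
    return None


class TextAndLinks(HTMLParser):
    """Collect the visible text and every (href, anchor text) pair in an HTML body."""
    def __init__(self):
        super().__init__()
        self.text, self.links, self._href, self._anchor = [], [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None


def triage(raw_email):
    """Return a list of human-readable red flags found in one RFC 5322 message."""
    msg = message_from_string(raw_email, policy=policy.default)
    flags = []
    display_name, addr = parseaddr(str(msg["From"] or ""))
    from_domain = addr.rsplit("@", 1)[-1]
    if lookalike_of(from_domain):
        flags.append(f"sender '{display_name}' <{addr}> imitates {lookalike_of(from_domain)}")
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1] != from_domain:
        flags.append(f"replies are redirected to {reply_to}")
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = TextAndLinks()
    parser.feed(body.get_content() if body else "")
    for href, anchor in parser.links:
        dest = urlparse(href).hostname or ""
        shown = URL_LIKE.match(anchor)                # anchor text that itself looks like a URL
        if shown and registrable(shown.group(1)) != registrable(dest):
            flags.append(f"link text shows {shown.group(1)} but goes to {dest}")
        if lookalike_of(dest):
            flags.append(f"link destination {dest} imitates {lookalike_of(dest)}")
    cues = sorted({m.lower() for m in URGENCY.findall(" ".join(parser.text))})
    if cues:
        flags.append("urgency cues: " + ", ".join(cues))
    return flags


# Constructed sample in the shape of the 'Microsoft Security' lure described above.
SAMPLE = """\
From: "Microsoft Security" <support@micros0ft-updates.com>
Reply-To: helpdesk@mail-relay-42.net
To: jane@company.com
Subject: Unauthorised login detected
Content-Type: text/html; charset=utf-8

<p>Unauthorised login detected from overseas. Your account will be
suspended in 2 hours.</p>
<p><a href="https://login-microsoft.com.evil-cdn.net/verify">https://login.microsoft.com/security</a></p>
"""

if __name__ == "__main__":
    for flag in triage(SAMPLE):
        print("-", flag)
```

Two caveats for anyone adapting this. The registrable-domain heuristic takes the last two labels, which is wrong for suffixes such as co.uk or com.au; a production version should use the public suffix list. And a quishing lure deliberately carries no link text at all, so nothing above fires on it; the natural extension is to flag messages whose body is a single image with little or no text, which is exactly the pattern that lets QR lures slip past link-scanning filters.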

How Gallagher can help

A single misleading email can expose sensitive data, disrupt operations or trigger financial loss. Our experts help you stay ahead of these threats with practical guidance, real-world training and tailored protection.

Our specialists continually manage evolving cyber risks, including strategic negotiation with threat actors making cyber ransom demands. Alongside our cyber risk management services, we offer robust and comprehensive cyber insurance policies that cover data breaches, business interruptions, legal expenses and more, all in one place.

Connect with us


Sources

[1] "Annual Cyber Threat Report 2024-2025", Australian Government, 14 Oct 2025.

[2] "CyberCX 2025 Threat Report reveals cyber landscape is changing", CyberCX, 10 Feb 2025.


Disclaimer

Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general information purposes only and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient's industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes that only insurance carriers control.

Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organisations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by Gallagher, as we have no responsibility for information referenced in material owned and controlled by other parties. Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third party websites and resources.

Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312