
What is phishing?
Phishing is when scammers pretend to be someone you trust, such as a supplier, a customer, your bank, or even a colleague, to trick you into clicking a link, scanning a QR code, opening a file, or entering your login details.
In 2024–25, the Australian Cyber Security Centre received more than 84,700 cybercrime reports. That’s around one every six minutes. For businesses, many of the most common incidents involved email compromise and identity fraud, outcomes that often begin with phishing. The Australian Signals Directorate’s 2024–25 Cyber Threat Report found that phishing was involved in 38% of reported cyber incidents.
Scammers have always relied on tricking people, but AI has made it quicker, more convincing and easier to roll out to large numbers of businesses at once. We’re still taught to watch for pressure and urgency, and that advice matters, but phishing has changed in 2026. Urgency is still common, especially around payments and accounts, yet many attacks now arrive quietly and look like everyday business messages. That’s what makes modern phishing harder to spot and easier to miss.
When Fake Messages Look Like Real Work
Phishing often looks like routine business. It arrives as invoice notices, shared documents, payment confirmations, calendar invites or “quick follow‑ups”: the same messages teams handle every day.
Instead of pushing for immediate action, many phishing attempts are written to feel like part of normal work. They reference real suppliers, familiar brands, or everyday processes. When teams are juggling email, portals, messages and notifications, these are easy to trust and easy to click. Instead of trying to stand out, phishing has evolved and is now designed to blend in.
Timing That Matches Business Life
Phishing tends to spike when businesses are busiest, such as end of financial year, seasonal peaks, or heavy billing cycles, when inboxes are full and attention is stretched.
Attackers time messages for those moments because people are moving faster, approvals happen quicker, and “normal” requests get processed without a second look. When it fits the pattern of a busy week, phishing becomes background noise, which is exactly why it works.
More Personal, Less Obvious
Another change is how personal phishing now feels. Messages may include real names, roles, or references to known suppliers and can appear to come from trusted contacts like accountants, logistics providers, or business partners. This familiarity lowers suspicion. If it looks like an existing relationship, it feels safe, even when the request isn’t. Modern phishing relies less on obvious tricks and more on copying the way real businesses communicate.
How AI Is Changing Phishing
AI hasn’t made phishing more technical; it’s made it more convincing. Attackers can now produce clear, well‑written messages quickly, in a tone that sounds like normal business communication. This means fewer spelling mistakes, fewer awkward requests, and more “business‑as‑usual” language. Many phishing messages now read like a normal email you’d receive, which is why they are harder to spot.
Beyond Email: Phishing Everywhere
Email is still common, but phishing now shows up in text messages, shared documents, calendar invites, online forms, websites, messaging platforms and QR codes in workplaces.
That matters because people don’t just work in one place anymore. We move between devices, apps and approvals all day. A “document share” notification or “delivery update” can slip into the flow of work without raising suspicion.
When phishing appears everywhere normal communication happens, awareness alone isn’t enough; prevention is critical.
The Long‑Game Approach
Not all phishing is immediate. Some attacks build familiarity first, starting with low‑risk messages that don’t ask for anything at all. Later messages then feel like a natural continuation of that conversation. Instead of relying on a quick mistake, this approach mirrors how real business relationships develop, which is why it’s effective.
A Simple Scenario: When a Normal Day Takes a Turn
It’s a busy mid‑week morning. You’re processing invoices, replying to customers, getting through the day. An email arrives that looks like a routine document share from a known supplier. It references a real project. Nothing feels urgent. Later, a shared system stops working. A few people notice strange behaviour. Work slows. Customers are impacted. And it’s not immediately clear what started it.
That’s how phishing often hits small and mid‑sized businesses today. Not through dramatic warnings, but through messages that look ordinary until the impact shows up.
How a Technology Services & Security Provider Makes Prevention a Priority
In situations like this, working with a Technology Services and Security Provider (TSSP) can make a real difference through prevention.
Instead of relying on people to spot everything, a TSSP helps put the right controls around the IT environment so phishing attempts are less likely to land in email inboxes, less likely to succeed, and less likely to turn into wider disruption.
Why Phishing Still Catches Small Businesses
Phishing still works because it blends into the normal pace of small business life. Messages often look routine (invoices, shared files, payment follow‑ups or supplier requests) and arrive when teams are busy and moving quickly. There’s rarely time to stop and second‑guess every email. That’s why phishing remains one of the leading causes of cyber incidents. In 2024–25, the Australian Cyber Security Centre received more than 84,700 cybercrime reports, with common business impacts including email compromise, identity fraud and financial loss. When businesses underestimate the risk or aren’t confident about how to respond, phishing has exactly the opening it needs.
How the Essential Eight Fits In
The Essential Eight is a practical cyber security framework created by the Australian Cyber Security Centre (ACSC) to help businesses stay protected. It’s based on proven strategies that significantly reduce cyber risk and limit the damage if an attack occurs, and it is widely used as a benchmark for good cyber security in Australia.
How we help
At Harvey Norman Technology for Business, we focus on keeping your IT environment secure, whether you’re a sole trader or a multi‑site business.
Our approach is prevention‑first, including:
- Advanced email protection to reduce what reaches inboxes in the first place
- Restricted administrative privileges to limit what a compromised account can do
- Proactive monitoring and maintenance to reduce risk and downtime
Prevention is far more valuable than chasing problems after the fact, especially when outcomes are never guaranteed.
A Practical Awareness Check (Useful, not “every email ever”)
Phishing is harder to spot because so many messages look normal. Instead of judging emails on appearance, use this quick check:
“What is this message asking me to do and what happens if I do it?”
Pay extra attention when a message asks for:
- a login (especially via a link or QR code)
- a payment or change to payment details
- an attachment or file you weren't expecting
- an approval outside your normal process
- a new "sign in to view" step for something you already access regularly that is unexpected and asks you to click on a link
If it involves money, access, or credentials, slow down and verify by contacting the company you regularly do business with.
Final takeaway
Phishing has changed, but the goal hasn’t. It still relies on trust, familiarity and timing; it just looks more like everyday work now. The practical response is also clear. Awareness matters, but prevention controls matter more.
Contact us today and book an appointment with our expert team to learn more about how we can support your business.


