Phishing remains the entry point for the majority of cyber incidents affecting Australian businesses. What has changed significantly is the quality, targeting, and technical sophistication of phishing attacks.
AI-Generated Phishing
Large language models have dramatically lowered the barrier to creating convincing phishing content. Grammatically perfect, contextually relevant phishing emails — previously a signal that the attacker had invested significant effort — are now trivially generated at scale. The tell-tale signs of older phishing — awkward phrasing, grammatical errors, implausible scenarios — are no longer reliable detection signals.
Adversary-in-the-Middle Attacks
AiTM (Adversary-in-the-Middle) phishing proxies real authentication pages in real time. The victim enters their credentials and MFA code into what appears to be a legitimate login page; the attacker captures both and uses them immediately to authenticate to the real service. Standard TOTP-based MFA does not protect against AiTM, because a one-time code is valid wherever it was typed. Phishing-resistant MFA — FIDO2 hardware keys, Windows Hello — does, because the authenticator's response is bound to the origin the browser is actually connected to, so a response produced on the proxy's domain is rejected by the real service.
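The difference between the two MFA types is easiest to see in the verification logic itself. The following is an added illustration, not code from the original article: it implements RFC 6238 TOTP verification and the origin, challenge and RP-ID checks a WebAuthn relying party performs on an assertion, then simulates a relay through a proxy page. The relying-party ID, origins, challenge and the proxy hostname are constructed values; the TOTP secret is the RFC 6238 test-vector secret; signature verification of the WebAuthn assertion is omitted because the context checks alone are what defeat the relay.

```python
"""Why a TOTP code survives relay through an AiTM proxy and a FIDO2/WebAuthn
assertion does not. Added example; hosts, challenge and secret are constructed
and are not taken from the original article."""
import base64
import hashlib
import hmac
import json
import struct

# --- Constructed relying-party parameters (assumptions for this example) ---
RP_ID = "login.example.com"                           # RP ID the service registered credentials under
RP_ORIGIN = "https://login.example.com"               # origin the service expects in clientDataJSON
PROXY_ORIGIN = "https://login.example-secure.invalid" # attacker's look-alike page (constructed)
TOTP_SECRET = b"12345678901234567890"                 # RFC 6238 Appendix B test-vector secret
CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"             # challenge the RP issued (constructed)
TOTP_STEP = 30


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: a function of the shared secret and time only."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side TOTP check with the usual +/-1 step tolerance. Note what is
    absent: nothing ties the code to the page the user typed it into."""
    return any(hmac.compare_digest(totp(secret, unix_time + TOTP_STEP * d), code)
               for d in range(-window, window + 1))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_client_data(origin: str, challenge: str) -> str:
    """clientDataJSON as the browser builds it: it records the origin the user
    is actually on, not the origin the page claims to be."""
    payload = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return b64url_encode(json.dumps(payload).encode())


def authenticator_data(rp_id: str) -> bytes:
    """authenticatorData begins with SHA-256 of the RP ID, which the browser
    derives from the current page's domain; flags and counter follow."""
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"


def verify_assertion_context(client_data_b64: str, auth_data: bytes,
                             expected_origin: str, rp_id: str, expected_challenge: str) -> bool:
    """Origin, challenge and rpIdHash checks from WebAuthn assertion verification.
    Signature verification is omitted; these checks alone reject a relayed assertion."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != expected_challenge:
        return False
    if client_data.get("origin") != expected_origin:
        return False
    expected_hash = hashlib.sha256(rp_id.encode()).digest()
    return hmac.compare_digest(auth_data[:32], expected_hash)


def simulate_aitm(unix_time: int = 1_700_000_000) -> dict:
    """Victim completes MFA on the proxy page; the proxy forwards everything to
    the real service a few seconds later, within the same TOTP step."""
    # TOTP: the digits typed into the proxy are exactly what the real service
    # computes, so the relayed code is accepted.
    code_typed_into_proxy = totp(TOTP_SECRET, unix_time)
    totp_ok = verify_totp(TOTP_SECRET, code_typed_into_proxy, unix_time + 5)

    # FIDO2: the browser records the proxy's origin and hashes the proxy's
    # domain as RP ID; the real service compares against its own values.
    proxy_host = PROXY_ORIGIN.split("://", 1)[1]
    relayed_client_data = browser_client_data(PROXY_ORIGIN, CHALLENGE)
    relayed_auth_data = authenticator_data(proxy_host)
    fido2_ok = verify_assertion_context(relayed_client_data, relayed_auth_data,
                                        RP_ORIGIN, RP_ID, CHALLENGE)
    return {"totp_relayed_accepted": totp_ok, "fido2_relayed_accepted": fido2_ok}


if __name__ == "__main__":
    print(simulate_aitm())
```

Running the script reports the TOTP relay as accepted and the FIDO2 relay as rejected. The legitimate FIDO2 flow (client data built for `RP_ORIGIN`, authenticator data hashed over `RP_ID`) passes the same checks, which is the point: the relying party never has to detect the proxy, it only has to compare the origin and RP ID it expects against the ones the browser actually recorded.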
QR Code Phishing
QR codes in phishing emails bypass email security tools that scan URLs in email body text. The victim scans the QR code with their phone, opening a malicious URL in a mobile browser that may lack the same security controls as a corporate desktop. Mobile device management that extends email security controls to managed phones is the relevant mitigation.
What Has Not Changed
The goal: steal credentials, deliver malware, or initiate a fraudulent financial transaction. The delivery: email, SMS, and voice calls remain the primary vectors. The human vulnerability: urgency, authority, and fear are still the most effective triggers. Technical controls reduce the consequence of a successful phish. Awareness training reduces the likelihood.