
Phishing Is Still the #1 Threat to Australian Businesses - Here's How to Stop It

15 October 2025
8 min read

Phishing is still the most reliable way for criminals to get a foothold in AU/NZ businesses. It works because it targets people, not technology. One convincing email or SMS can steal credentials, get someone to approve an MFA prompt they did not initiate, or trick them into paying a fake invoice.

The good news is that you can dramatically reduce phishing risk with a few practical controls. The goal is not perfection. The goal is fewer clicks, fewer successful logins, faster reporting, and smaller blast radius when something slips through.

What phishing looks like in 2025

Phishing is not just a badly written email. The most common patterns we see are:

  • Fake Microsoft 365 sign-in links to steal passwords
  • Supplier invoice fraud where bank details are changed
  • SMS phishing about tolls, parcels, or account alerts
  • Executive impersonation requesting urgent payments or gift cards
  • OAuth consent phishing, where a user approves a malicious app instead of typing a password

Start with email identity: SPF, DKIM, and DMARC

If you do nothing else, get your domain email authentication right. These DNS records do two big things:

  1. They reduce spoofing of your domain.
  2. They improve deliverability of legitimate email.

SPF: who is allowed to send for your domain

SPF is a DNS record that lists the systems allowed to send email as your domain. If you use Microsoft 365, Google Workspace, a marketing platform, and a ticketing system, all of those senders need to be included.

Common failure modes: SPF is missing, is too permissive, or breaks when a new sender is added without updating the record.

DKIM: proving the message was not altered

DKIM adds a cryptographic signature to outgoing mail. Receiving systems can verify that the message really came from a system authorised by your domain and that it was not modified in transit.

DMARC: what to do when SPF or DKIM fails

DMARC ties SPF and DKIM together and defines a policy. It tells receiving systems what to do when authentication fails.

  • Monitor: collect reports, do not block yet
  • Quarantine: suspicious mail goes to spam
  • Reject: unauthorised mail is rejected

DMARC is also what gives you reporting. It helps you see who is sending email as your domain, including unknown senders.
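As an added example (not part of the original post), the following Python sanity-checks SPF and DMARC records the way a receiving mail server reads them: it flags a permissive or missing `all` mechanism, counts DNS lookups against the limit of 10, and classifies the DMARC policy into the three stages above. The record strings are constructed for a fictional domain; a real check would first fetch them from DNS (TXT at the domain for SPF, TXT at `_dmarc.<domain>` for DMARC).

```python
"""Added example: sanity-check SPF and DMARC records the way a receiver does.
Record strings below are constructed for a fictional domain; in practice
fetch them from DNS (TXT at the domain for SPF, TXT at _dmarc.<domain>)."""
import re

SPF_OK = "v=spf1 include:spf.protection.outlook.com include:_spf.google.com -all"
SPF_PERMISSIVE = "v=spf1 include:spf.protection.outlook.com +all"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"
DMARC_REJECT = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com.au"

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?=[:/]|$)|mx(?=[:/]|$)|ptr|exists:|redirect=)", re.I)
ALL_TERM = re.compile(r"^[+\-~?]?all$", re.I)


def spf_findings(record: str) -> list[str]:
    """Return a list of problems with an SPF record; an empty list means it looks sane."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    # 'all' decides what happens to every sender not matched earlier in the record.
    all_terms = [t.lower() for t in terms[1:] if ALL_TERM.match(t)]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are not rejected")
    elif all_terms[-1] in ("+all", "all"):
        findings.append("'+all' lets anyone send as your domain")
    elif all_terms[-1] == "?all":
        findings.append("'?all' is neutral; prefer ~all or -all")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return findings


def dmarc_policy(record: str) -> dict:
    """Parse DMARC tags and classify the policy into the post's three stages."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    stages = {"none": "monitor", "quarantine": "quarantine", "reject": "reject"}
    tags["stage"] = stages.get(tags.get("p", "").lower(), "invalid")
    tags["has_reporting"] = "rua" in tags  # aggregate reports are what give you visibility
    return tags
```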

Microsoft 365 and Google Workspace basics that actually matter

Most organisations run on Microsoft 365 or Google Workspace. These are solid platforms, but the defaults are not enough.

Microsoft 365 quick wins

  • Enforce MFA for every user, including admins
  • Disable legacy authentication where possible
  • Use conditional access for risky sign-ins (new country, impossible travel, unfamiliar device)
  • Turn on phishing and impersonation protections in Defender if you have it
  • Tighten admin roles and remove Global Admin access from day-to-day accounts

Google Workspace quick wins

  • Enforce 2-Step Verification and consider security keys for admins
  • Review and restrict third-party app access and OAuth scopes
  • Enable alerting for suspicious logins and forwarding rule creation
  • Lock down email forwarding and external sharing where appropriate
  • Separate admin accounts from daily user accounts

Build a reporting culture: the one-click report button

Your detection speed is everything. You want suspicious messages reported quickly, with as little friction as possible.

Add a phishing report button to your mail client so staff can report a message in one click. The report should:

  • Send the message to your security mailbox or ticketing system
  • Automatically remove the message from the user inbox
  • Alert the right person so you can investigate and block it for everyone

This is the bridge between training and real outcomes.

Staff training that works: short, frequent, and measurable

Annual training videos do not change behaviour. The training that works is:

  • Short sessions (10 to 15 minutes)
  • Monthly or quarterly cadence
  • Based on real examples your team is seeing
  • Reinforced with simulated phishing

Simulated phishing, done properly

Simulated phishing is not about shaming people. It is about measuring risk and improving habits.

A good program includes:

  • A baseline campaign to measure click rate and report rate
  • Follow-up micro training for people who clicked
  • Targeted campaigns for high-risk groups (finance, executives, assistants)
  • Tracking over time so you see improvement

The metric to chase is not just click rate. It is report rate.

Reduce blast radius: least privilege and admin hygiene

Phishing becomes expensive when a compromised account can access everything.

  • Use least privilege. People should only access what they need.
  • Separate admin accounts. Admins should have a dedicated admin login that is not used for email.
  • Limit mailbox access and shared mailbox permissions.
  • Review who can create forwarding rules and who can add apps.

MFA, but do it properly

MFA is non-negotiable, but attackers now use MFA fatigue and session theft.

  • Prefer authenticator apps over SMS
  • Use number matching where available
  • Train staff never to approve unexpected prompts
  • Use conditional access to stop high-risk logins

Quick win checklist

If you want to materially reduce phishing risk this week:

  • [ ] Enforce MFA for all users and admins
  • [ ] Remove day-to-day Global Admin access and use separate admin accounts
  • [ ] Verify SPF is correct and not broken by new senders
  • [ ] Enable DKIM for your domain
  • [ ] Set DMARC to monitor, then move to quarantine, then reject
  • [ ] Add a phishing report button and define who receives reports
  • [ ] Run a baseline simulated phishing campaign
  • [ ] Review and reduce admin roles and privileged groups
  • [ ] Review inbox forwarding rules and disable risky patterns
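An added example (not from the original post) of the forwarding-rule review in code: it flags rules that forward or redirect mail to an external domain, delete the matching mail, or carry a blank name. The events are constructed in a simplified shape modelled on Exchange Online audit entries (an Operation plus Name/Value Parameters) and INTERNAL_DOMAINS is an assumed list; confirm the field names against your own tenant's export before relying on it.

```python
"""Added example: review inbox-rule audit events for forwarding and hiding patterns.
EVENTS are constructed in a simplified shape modelled on Exchange Online audit
entries (Operation plus Name/Value Parameters); INTERNAL_DOMAINS is an assumption."""

INTERNAL_DOMAINS = {"example.com.au"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder"}

# Constructed sample events, not real tenant data.
EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "jo@example.com.au",
     "Parameters": [{"Name": "Name", "Value": "Payroll"},
                    {"Name": "ForwardTo", "Value": "accounts@example.com.au"}]},
    {"Operation": "New-InboxRule", "UserId": "sam@example.com.au",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "RedirectTo", "Value": "backup.mail@gmail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@example.com.au",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:it@example.com.au"}]},
]


def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours ('smtp:' prefixes are stripped)."""
    addr = address.strip().lower().removeprefix("smtp:")
    return addr.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def review_rule_events(events: list[dict]) -> list[dict]:
    """Return one alert per risky event, listing every reason it was flagged."""
    alerts = []
    for ev in events:
        if ev.get("Operation") not in RULE_OPS:
            continue
        params = {p["Name"]: str(p["Value"]) for p in ev.get("Parameters", [])}
        reasons = []
        for name in sorted(FORWARD_PARAMS & params.keys()):
            targets = params[name].split(",")  # multi-recipient values are comma separated here
            if any(is_external(t) for t in targets):
                reasons.append(f"{name} sends mail to an external address: {params[name]}")
        external_forward = bool(reasons)
        if "DeleteMessage" in params or (external_forward and HIDE_PARAMS & params.keys()):
            reasons.append("matching mail is deleted or moved out of the inbox (hides the activity)")
        if "Name" in params and len(params["Name"].strip()) <= 2:
            reasons.append("rule name is blank or a single character")
        if reasons:
            alerts.append({"user": ev.get("UserId"), "operation": ev["Operation"], "reasons": reasons})
    return alerts
```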

When you need help

If you want this implemented end-to-end, the work is not just policy. It is configuration, monitoring, and ongoing training. The fastest win is to harden identity and email first, then build the staff habits that keep you safe.