Phishing and AI-Powered Social Engineering: How Attacks Are Evolving and How to Stay Protected


Phishing is not new. Businesses have been warned about it for decades. So why does it still sit at the start of so many successful cyber attacks on Australian businesses in 2026?

Because it works — and because the attacks have become dramatically harder to spot.

The phishing email that arrives in your inbox today is not the obvious, broken-English scam of ten years ago. It may reference your company by name, quote a real project you are working on, use the correct tone of your organisation's communications, and appear to come from a genuine colleague or supplier. Artificial intelligence is giving attackers the tools to research, craft, and deploy highly personalised attacks at a scale that was previously impossible.

For Australian small and medium-sized businesses — the ones without a dedicated security operations team — this shift is particularly dangerous. This article explains what phishing looks like in 2026, why AI has raised the stakes, and what practical steps you can take to protect your business.


What Is Phishing?

Phishing is a social engineering attack in which an attacker impersonates a trusted person or organisation to trick the target into taking a harmful action. That action might be handing over login credentials, clicking a link that installs malware, downloading a malicious file, or authorising a fraudulent payment.

It is, consistently, one of the most common initial access methods used in cyber attacks. The Australian Cyber Security Centre (ACSC) ranks phishing, and the business email compromise it enables, among the most reported cybercrime types for Australian businesses year after year, not because businesses are careless, but because the attacks are increasingly difficult to distinguish from legitimate communications.

Phishing is delivered through three main channels.

Email is by far the most common. Attackers send messages that appear to come from trusted senders — colleagues, banks, government agencies, software providers — and direct the recipient to take an action.

SMS (smishing) uses text messages to deliver malicious links or prompt a call-back. SMS has a higher open rate than email, and mobile users are often less cautious — they tap links without inspecting URLs because small screens make verification difficult.

Voice calls (vishing) involve the attacker calling the target directly, impersonating a bank fraud team, the ATO, an IT helpdesk, or a supplier. The caller uses social pressure and urgency to extract credentials or convince the target to install remote access software.

In 2026, all three channels are being supercharged by artificial intelligence.


How AI Is Changing Phishing in 2026

The traditional advice for spotting phishing — "look for bad grammar, spelling mistakes, and generic greetings" — is no longer sufficient. AI tools have eliminated most of the signals that users were trained to look for, and added capabilities that make attacks far more targeted and convincing.

Hyper-Personalised Spear Phishing

Generic phishing — "Dear Customer, your account has been compromised" — still exists, but it is increasingly ineffective as a high-value attack method. What has replaced it is spear phishing: targeted, researched attacks crafted for a specific individual.

AI tools can scrape LinkedIn profiles, company websites, news articles, social media, and leaked data from previous breaches to build a detailed profile of a target in minutes. The resulting phishing email might reference your job title, the name of a project mentioned in a recent company announcement, a colleague who posted about a meeting, or a software platform you are known to use.

When a finance manager receives an email from what appears to be the CEO — referencing a real acquisition, using the correct informal tone, and asking them to process an urgent payment before close of business — the email no longer looks like phishing. It looks like a slightly unusual but plausible request.

AI-Generated Voice Cloning (Vishing)

Voice cloning technology has reached the point where an attacker needs only a few seconds of clean audio to generate a convincing replica of someone's voice. That audio might come from a YouTube video, a podcast interview, a company webinar recording, or even a voicemail greeting.

The cloned voice is then used to call a target — impersonating a CEO, a CFO, an external lawyer, or a key supplier — to request an urgent wire transfer, credential disclosure, or to authorise a process change. Because the voice sounds genuinely familiar, the psychological barriers that might make someone question a written request are lowered significantly.

These attacks are not theoretical. They have resulted in significant financial losses for businesses in Australia and globally, and the quality of voice cloning continues to improve rapidly.

Deepfake Video Calls

More sophisticated than voice-only vishing, real-time deepfake video technology allows attackers to impersonate executives during live video calls. The attacker uses AI-generated video to replace their face and voice with those of the impersonated individual, in real time.

A widely reported 2024 incident in Hong Kong illustrated the scale of risk: a finance employee at the local office of a multinational engineering firm was convinced to authorise transfers totalling around US$25 million after joining a video call that appeared to show the company's CFO and other senior colleagues. Everyone else on that call was a deepfake. The employee had no indication anything was wrong until after the money had gone.

As video conferencing has become the default for business communication, this attack vector is likely to become more prevalent.

AI-Written Phishing Emails With No Spelling Errors

The grammar and spelling checks that users have been trained to apply are now essentially useless as primary detection signals. AI-generated phishing emails are written in fluent, contextually appropriate English (or any other language), use correct punctuation, adopt the right level of formality for the impersonated sender, and pass casual scrutiny.

This does not mean phishing is undetectable — but it does mean the signals that reveal a phishing email are now subtler, and users need to be trained to look for different things.

Adversary-in-the-Middle (AiTM) Phishing Kits

Perhaps the most technically significant development in phishing infrastructure is the rise of Adversary-in-the-Middle (AiTM) attack frameworks. Tools like Evilginx2 act as reverse proxies between the user and the legitimate website: the phishing site does not host a copy of the login page, it relays the real one in real time, so every page, logo and MFA prompt the victim sees is genuine.

The attack flow looks like this: the user receives a phishing link and clicks it. They arrive at what appears to be the genuine login page of their bank, Microsoft 365 account, or other service. They enter their credentials and complete multi-factor authentication correctly. They are redirected to the real site and may never suspect anything happened.

Behind the scenes, the proxy has captured both the credentials and the session cookie the service issued once MFA was completed. The attacker loads that cookie into their own browser and has a live, authenticated session. MFA offered no protection here because the real user genuinely completed it; what was stolen is the proof of having done so. All that then limits the damage is the session's lifetime and any sign-in policy that checks the device or location a session is used from.

This is why "enable MFA" alone is no longer sufficient advice. The type of MFA matters. Phishing-resistant MFA, in particular FIDO2 security keys and passkeys, is not susceptible to AiTM attacks because the browser records the origin it is actually on in the data the authenticator signs, and the relying party rejects any response whose origin is not its own. A proxy on a look-alike domain therefore cannot obtain a response the real site will accept, and it cannot edit the origin afterwards without breaking the signature. In practice the browser will not even offer the credential on a domain that does not match the one it was registered for.
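To make the origin-binding argument concrete, here is an added example (not code from the original article, nor from Evilginx2 or any FIDO2 library) that simulates the three parties in Go with a cut-down WebAuthn assertion: P-256 ECDSA stands in for a real authenticator, the relying party at login.example.com, the proxy origin and the challenge are all assumptions for the demonstration. It runs a genuine login, a login relayed through the proxy, and a relayed login where the proxy edits the origin before forwarding.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData mirrors WebAuthn's CollectedClientData. The browser, not the page and
// not any proxy in front of it, fills in the origin the user is actually on.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is a cut-down WebAuthn authentication response.
type assertion struct {
	AuthenticatorData []byte // SHA-256(rpID) followed by a flags byte
	ClientDataJSON    []byte
	Signature         []byte // ECDSA over SHA-256(authenticatorData || SHA-256(clientDataJSON))
}

// signAssertion plays the authenticator (security key or passkey).
func signAssertion(priv *ecdsa.PrivateKey, rpID, browserOrigin, challenge string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // flags byte: user present
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// verifyAssertion plays the relying party: the browser-recorded origin must be the
// RP's own, the RP ID hash and challenge must match, and the signature must verify.
func verifyAssertion(pub *ecdsa.PublicKey, a assertion, rpID, rpOrigin, challenge string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return fmt.Errorf("wrong ceremony type or challenge")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin mismatch: browser was on %s, expected %s", cd.Origin, rpOrigin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthenticatorData) < 32 || !bytes.Equal(a.AuthenticatorData[:32], rpHash[:]) {
		return fmt.Errorf("RP ID hash mismatch")
	}
	cdHash := sha256.Sum256(a.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], a.Signature) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// runScenarios replays three logins against one relying party and reports which were
// accepted. The RP ID, the two origins and the challenge are assumptions for the demo.
func runScenarios() (map[string]bool, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	const (
		rpID      = "login.example.com"
		rpOrigin  = "https://login.example.com"
		proxy     = "https://login-example.com.au-secure.example" // the AiTM proxy's origin
		challenge = "constructed-challenge-0001"                     // random per login in practice
	)
	accepted := func(a assertion) bool {
		return verifyAssertion(&priv.PublicKey, a, rpID, rpOrigin, challenge) == nil
	}
	// 1. Genuine login from the real origin.
	genuine, err := signAssertion(priv, rpID, rpOrigin, challenge)
	if err != nil {
		return nil, err
	}
	// 2. AiTM relay: the proxy forwards the RP's challenge unchanged, but the browser
	// is on the proxy's origin and records that in the data the authenticator signs.
	relayed, err := signAssertion(priv, rpID, proxy, challenge)
	if err != nil {
		return nil, err
	}
	// 3. The proxy rewrites the origin before forwarding. The signature covers the
	// hash of clientDataJSON, so the edited copy no longer verifies.
	tampered := relayed
	tampered.ClientDataJSON = bytes.ReplaceAll(relayed.ClientDataJSON, []byte(proxy), []byte(rpOrigin))
	return map[string]bool{"genuine": accepted(genuine), "relayed": accepted(relayed), "tampered": accepted(tampered)}, nil
}

func main() {
	results, err := runScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println(results) // map[genuine:true relayed:false tampered:false]
}
```

The relayed assertion fails on the origin check and the tampered one on the signature check, which is the whole of the argument: the proxy can forward bytes, but it cannot change where the browser believes it is, and it cannot forge a signature over a changed clientData. A real browser adds a further layer before any of this, refusing to use a credential whose RP ID does not match the page's domain.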


The Most Dangerous Phishing Variants in 2026

Spear Phishing

Spear phishing is a targeted attack on a specific individual. Unlike mass phishing, which relies on volume, spear phishing invests research and effort into making a single attack highly convincing. It is frequently used as the first step in a larger attack chain — to gain initial access that then enables ransomware deployment, data exfiltration, or business email compromise.

Because the emails are crafted to match the target's real context, click rates on spear phishing emails are significantly higher than on generic phishing. The investment pays off for attackers when the target is a high-value individual.

Whaling

Whaling is spear phishing specifically targeting executives — CEOs, CFOs, board members, and other senior figures. These individuals are attractive targets for two reasons: they have the authority to approve large transactions and process changes, and they often operate outside normal verification procedures. A CEO who emails the CFO asking for an urgent payment to be processed is unlikely to be challenged in many organisations.

Attackers research executives thoroughly before launching a whaling attack, and the requests are calibrated to seem plausible — an invoice from a real supplier name, a payment tied to an actual contract, a request that aligns with known business activity.

Business Email Compromise (BEC)

Business email compromise is one of the costliest forms of cybercrime affecting Australian businesses. BEC attacks use phishing to either gain access to a legitimate business email account or to convincingly impersonate a business email address, then use that access to redirect payments, intercept transactions, or change supplier banking details.

Because a BEC attack often involves a real compromised account — not a spoofed address — even technically sophisticated recipients can be deceived. The email comes from a known address, uses the correct email signature, and matches the sender's normal communication style.

Smishing (SMS Phishing)

Smishing attacks arrive via SMS and commonly impersonate entities Australians regularly interact with: the major banks, the ATO, Australia Post, myGov, Telstra, and toll road operators. The messages typically create urgency — an undelivered parcel, a suspicious transaction, an overdue tax notice — and include a link to a credential harvesting page.

Mobile users are particularly vulnerable because the URL is harder to inspect on a small screen, the app-like experience of many phishing pages looks legitimate on mobile, and people are conditioned to act quickly on SMS messages.

Quishing (QR Code Phishing)

Quishing uses QR codes to deliver malicious links. In email attacks, the phishing URL is embedded in a QR code image rather than as a clickable text link. This is deliberate: email security platforms traditionally scanned links in the message text and HTML, and a URL carried inside an image slipped past that scanning. Newer platforms do decode QR codes in attachments and inline images, but coverage is uneven, and the scan itself happens on the user's phone, often outside the corporate web filter.

QR code phishing also occurs in physical environments — fraudulent QR codes placed over legitimate ones in carparks, restaurants, and at public charging stations. Scanning a quishing code typically leads to a credential harvesting page or initiates a malware download.


How to Recognise Phishing in 2026

Because grammar and spelling are no longer reliable signals, users need to learn a different set of detection cues.

Unexpected urgency. Phrases like "you must act now," "within the hour," "before the end of business today," or "failure to respond will result in..." are pressure tactics. Legitimate processes rarely require immediate action with no room for verification.

Requests that bypass normal channels. If a message asks you to keep something confidential, not to go through the usual approval process, or to handle something directly without involving others, that is a significant warning sign. Attackers use this framing specifically to prevent verification.

Unusual communication behaviour. If your CEO would normally call you to discuss a large payment, and instead you receive an email asking you to act urgently without a call, ask yourself why the mode of communication has changed. Attackers research their targets but cannot always replicate established communication patterns accurately.

Hover over links before clicking. On desktop, hovering over a link reveals the actual destination URL in the browser status bar or a tooltip. The displayed link text and the actual URL should match. If "Click here to review your invoice" resolves to a URL that does not match your supplier's domain, do not click.

Inspect sender domains carefully. Look-alike domains are a common attack technique. The difference between thinkpickle.com.au and thinkpickIe.com.au (where the lowercase L has been replaced by an uppercase I) is invisible in many fonts. Attackers also use Cyrillic or other Unicode characters that look identical to Latin characters, for example replacing the standard "e" with a visually identical Cyrillic one; many mail clients and browsers display such a domain in its encoded form, beginning with "xn--", which is itself a warning sign. Check the full domain, character by character, in any email where the request is unusual, and compare it with the address in a previous, known-good message from the same contact.

Unexpected attachments from known contacts. An email from a real, known contact that includes an unexpected attachment — particularly a PDF, Word document, or ZIP file — should be treated with caution. If an attacker has compromised that contact's email account, their legitimate address will send the malicious file. Verify the attachment was intentional by contacting the sender through a separate channel.

Verify unusual requests through a separate channel. Any request involving money, credential changes, or process changes should be verified by contacting the sender through a known, independently sourced method — calling the supplier on their published number, calling a colleague on their direct line, or initiating a new message thread. Do not rely on contact details provided within the suspicious message.
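The link and domain checks described above can be done by a script as easily as by eye. The Go program below is an added example written for this article (not code from the page's author or any product it mentions): it pulls every link out of an HTML mail body, compares the host shown in the link text with the real destination, and checks the destination and the sender domain for non-ASCII characters and for look-alikes of a trusted domain. The sample message and the trusted-domain list are constructed, and the confusable-character table covers only the Latin look-alikes named in this article rather than the full Unicode confusables data.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
	"unicode"
)

// Finding is one observation about a host name that a reader should see.
type Finding struct{ Host, Reason string }

// skeleton folds characters that are indistinguishable in common fonts onto one
// canonical form (a cut-down version of Unicode's "confusables" idea). It looks at
// the original case so that a capital I standing in for a lowercase l is caught.
func skeleton(host string) string {
	folds := map[rune]string{
		'I': "l", '1': "l", '|': "l", '0': "o",
		'\u0430': "a", '\u0435': "e", '\u043e': "o", '\u0440': "p", '\u0441': "c", // Cyrillic а е о р с
		'\u0445': "x", '\u0443': "y", '\u0456': "i", '\u0455': "s", '\u0458': "j", // Cyrillic х у і ѕ ј
	}
	var b strings.Builder
	for _, r := range host {
		if f, ok := folds[r]; ok {
			b.WriteString(f)
		} else {
			b.WriteRune(unicode.ToLower(r))
		}
	}
	return strings.ReplaceAll(b.String(), "rn", "m")
}

// inspectHost reports non-ASCII characters in a host, and whether the host merely
// looks like a trusted domain without being it or one of its subdomains.
func inspectHost(host string, trusted []string) []Finding {
	var out []Finding
	for _, r := range host {
		if r >= 128 {
			script := "non-ASCII"
			if unicode.Is(unicode.Cyrillic, r) {
				script = "Cyrillic"
			}
			out = append(out, Finding{host, fmt.Sprintf("contains %q (U+%04X, %s)", r, r, script)})
		}
	}
	for _, t := range trusted {
		if strings.EqualFold(host, t) || strings.HasSuffix(strings.ToLower(host), "."+strings.ToLower(t)) {
			return out // the genuine domain or a subdomain of it
		}
		if skeleton(host) == skeleton(t) {
			out = append(out, Finding{host, "visually matches " + t + " but is a different domain"})
		}
	}
	return out
}

var (
	anchorRE = regexp.MustCompile(`(?is)<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)
	domainRE = regexp.MustCompile(`(?i)(?:https?://)?([a-z0-9][-a-z0-9.]*\.[a-z]{2,})`)
)

// inspectLinks does by code what "hover over the link" does by hand: for every anchor
// in an HTML body it compares the host shown in the visible text (if any) with the
// real destination host, then inspects that destination host.
func inspectLinks(htmlBody string, trusted []string) []Finding {
	var out []Finding
	for _, m := range anchorRE.FindAllStringSubmatch(htmlBody, -1) {
		href, text := m[1], m[2]
		u, err := url.Parse(href)
		if err != nil || u.Hostname() == "" {
			out = append(out, Finding{href, "destination could not be parsed"})
			continue
		}
		host := u.Hostname()
		if d := domainRE.FindStringSubmatch(text); d != nil && !strings.EqualFold(d[1], host) {
			out = append(out, Finding{host, "link text shows " + d[1] + " but the destination is " + host})
		}
		out = append(out, inspectHost(host, trusted)...)
	}
	return out
}

// inspectSender applies the same checks to the domain part of a From address.
func inspectSender(from string, trusted []string) []Finding {
	at := strings.LastIndex(from, "@")
	if at < 0 {
		return []Finding{{from, "no domain in sender address"}}
	}
	return inspectHost(strings.TrimRight(from[at+1:], "> "), trusted)
}

func main() {
	trusted := []string{"thinkpickle.com.au"}
	// Constructed sample: the sender domain uses a capital I for the l, and the first
	// link's destination uses Cyrillic е (U+0435) while its visible text shows the real domain.
	from := "Accounts <accounts@thinkpickIe.com.au>"
	body := "<p>Please review the attached invoice.</p>\n" +
		"<a href=\"https://thinkpickl\u0435.com.au/invoice/8812\">https://thinkpickle.com.au/invoice/8812</a>\n" +
		"<a href=\"https://thinkpickle.com.au/\">Our website</a>"
	for _, f := range append(inspectSender(from, trusted), inspectLinks(body, trusted)...) {
		fmt.Printf("%s: %s\n", f.Host, f.Reason)
	}
}
```

Run against the sample, it flags the sender once (a visual match for thinkpickle.com.au that is a different domain) and the first link three times (text and destination disagree, a Cyrillic character is present, and the destination is a visual match for the trusted domain), while the second link, which points at the genuine domain, produces nothing. The skeleton comparison is what catches the cases a simple "is it non-ASCII" test misses, such as the I-for-l swap, which is plain ASCII.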


Technical Controls That Reduce Phishing Exposure

Human vigilance alone is not enough. Technical controls reduce the volume of phishing that reaches users and limit the damage when a click does occur.

Email Authentication (SPF, DKIM, DMARC)

SPF, DKIM, and DMARC are email authentication standards that collectively stop attackers from spoofing your domain, that is, sending emails that appear to come from your business address. SPF specifies which mail servers are authorised to send on behalf of your domain. DKIM applies a cryptographic signature to outgoing messages that receiving servers can verify. DMARC ties the two to the address the recipient actually sees: it requires that the domain which passed SPF or DKIM align with the From header domain, and it instructs receiving servers what to do when neither check passes with alignment.

A properly configured DMARC policy with p=reject means that any email purporting to be from your domain that fails those checks is rejected before it reaches the recipient's inbox. This protects your contacts from receiving convincing phishing emails that appear to come from your business. It does nothing against look-alike domains, which the attacker owns and can authenticate correctly, and nothing against mail sent from a genuinely compromised account in your own tenant.

Many Australian SMBs have not implemented DMARC, or have implemented it in monitor-only mode (p=none) without progressing to enforcement. Monitor mode is a legitimate first step, since the aggregate reports it generates show which legitimate senders would be blocked, but left there it stops nothing. Weak SPF records (ending in ~all or +all rather than -all) leave a similar gap.
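As an added example (not the article's own code, nor any mail platform's implementation), the Go program below parses constructed DMARC and SPF records, applies DMARC's alignment rule, and shows why a spoofed message that passes SPF and DKIM for the attacker's own sending domain is still delivered under p=none yet rejected under p=reject. The organisational-domain heuristic is an assumption made to keep the example self-contained; real receivers use the Public Suffix List.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// DMARCPolicy holds the RFC 7489 tags that decide what happens to a failing message.
type DMARCPolicy struct {
	Policy          string // p=  none | quarantine | reject
	SubdomainPolicy string // sp= (defaults to p)
	DKIMAlign       string // adkim= r (relaxed) | s (strict)
	SPFAlign        string // aspf=  r | s
}

// ParseDMARC parses a _dmarc TXT record such as "v=DMARC1; p=reject; rua=mailto:...".
func ParseDMARC(record string) (DMARCPolicy, error) {
	tags := map[string]string{}
	for _, part := range strings.Split(record, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 {
			tags[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
		}
	}
	if tags["v"] != "DMARC1" {
		return DMARCPolicy{}, errors.New("not a DMARC record (v=DMARC1 missing)")
	}
	p := tags["p"]
	if p != "none" && p != "quarantine" && p != "reject" {
		return DMARCPolicy{}, errors.New("missing or invalid p= tag")
	}
	pol := DMARCPolicy{Policy: p, SubdomainPolicy: p, DKIMAlign: "r", SPFAlign: "r"}
	if v, ok := tags["sp"]; ok {
		pol.SubdomainPolicy = v
	}
	if v, ok := tags["adkim"]; ok {
		pol.DKIMAlign = v
	}
	if v, ok := tags["aspf"]; ok {
		pol.SPFAlign = v
	}
	return pol, nil
}

// orgDomain approximates the organisational domain used by relaxed alignment. Real
// receivers consult the Public Suffix List; this heuristic (an assumption, not the
// standard's rule) keeps two labels, or three under two-part suffixes such as com.au.
func orgDomain(domain string) string {
	labels := strings.Split(strings.ToLower(domain), ".")
	n := 2
	if len(labels) >= 3 && len(labels[len(labels)-1]) == 2 && len(labels[len(labels)-2]) <= 3 {
		n = 3
	}
	if len(labels) <= n {
		return strings.ToLower(domain)
	}
	return strings.Join(labels[len(labels)-n:], ".")
}

// aligned implements identifier alignment: strict needs an exact match with the
// header From domain, relaxed only the same organisational domain.
func aligned(fromDomain, authDomain, mode string) bool {
	if authDomain == "" {
		return false
	}
	if mode == "s" {
		return strings.EqualFold(fromDomain, authDomain)
	}
	return orgDomain(fromDomain) == orgDomain(authDomain)
}

// AuthResults is what the receiving server established before DMARC runs.
type AuthResults struct {
	FromDomain string // domain of the header From: address, the one the user sees
	SPFPass    bool
	SPFDomain  string // envelope MAIL FROM domain that SPF was checked against
	DKIMPass   bool
	DKIMDomain string // d= of a DKIM signature that verified
}

// Evaluate returns whether the message passes DMARC and the disposition to apply.
// A pass needs SPF or DKIM to both succeed and align with the visible From domain.
func Evaluate(pol DMARCPolicy, policyDomain string, r AuthResults) (pass bool, disposition string) {
	if (r.SPFPass && aligned(r.FromDomain, r.SPFDomain, pol.SPFAlign)) ||
		(r.DKIMPass && aligned(r.FromDomain, r.DKIMDomain, pol.DKIMAlign)) {
		return true, "none"
	}
	if !strings.EqualFold(r.FromDomain, policyDomain) {
		return false, pol.SubdomainPolicy
	}
	return false, pol.Policy
}

// SPFAllQualifier returns how an SPF record treats senders it does not list:
// "-" fail (enforcing), "~" softfail, "?" neutral, "+" anyone may send, "" no all term.
func SPFAllQualifier(record string) string {
	for _, term := range strings.Fields(record) {
		switch strings.ToLower(term) {
		case "all":
			return "+"
		case "-all", "~all", "?all", "+all":
			return term[:1]
		}
	}
	return ""
}

func main() {
	// Constructed records and results, not real DNS data.
	monitor, _ := ParseDMARC("v=DMARC1; p=none; rua=mailto:dmarc@thinkpickle.com.au")
	enforce, _ := ParseDMARC("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r")
	// A spoof: From shows thinkpickle.com.au, but SPF and DKIM only pass for the attacker's own domain.
	spoof := AuthResults{FromDomain: "thinkpickle.com.au", SPFPass: true, SPFDomain: "bulk-sender.example",
		DKIMPass: true, DKIMDomain: "bulk-sender.example"}
	for name, pol := range map[string]DMARCPolicy{"p=none": monitor, "p=reject": enforce} {
		pass, disp := Evaluate(pol, "thinkpickle.com.au", spoof)
		fmt.Printf("%-9s spoof pass=%v disposition=%s\n", name, pass, disp)
	}
	fmt.Println("SPF all qualifier:", SPFAllQualifier("v=spf1 include:spf.protection.outlook.com ~all"))
}
```

The spoof in the sample is the realistic one: the attacker's bulk mailer has perfectly valid SPF and DKIM for its own domain, so both checks "pass" in isolation. Only DMARC's alignment step notices that neither authenticated domain is the one in the From header, and only an enforcing policy turns that into a rejection. The same evaluation with a legitimate message from mail.thinkpickle.com.au passes under relaxed SPF alignment, which is why moving from p=none to p=reject is normally safe once the aggregate reports show every genuine sender is authenticated.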

Anti-Phishing and URL Filtering

Enterprise email platforms — Microsoft Defender for Office 365 and Google Workspace with advanced protection — provide anti-phishing capabilities that go beyond basic spam filtering. These include detonating suspicious links and attachments in isolated sandboxes, rewriting links so they are re-checked at click time (not just at delivery), and machine-learning-based detection of impersonation and spoofing attempts.

These controls do not catch everything, but they significantly reduce the volume of malicious email that reaches users, buying time and reducing exposure.

Multi-Factor Authentication

Multi-factor authentication (MFA) ensures that even if an attacker successfully phishes a user's password, they cannot use that password alone to access the account. For most business accounts, enabling any form of MFA is significantly better than no MFA.

However, as noted above, standard SMS codes, TOTP (authenticator app codes) and push notification MFA are all susceptible to AiTM phishing, because the real user completes the MFA step through the proxy; number matching on push prompts stops accidental approvals but not this. Where feasible, deploying phishing-resistant MFA, FIDO2 hardware keys or passkeys, eliminates this vulnerability, because the authentication is cryptographically bound to the genuine domain and cannot be relayed through a proxy. Start with the accounts that matter most: administrators, finance staff, and executives.

Endpoint Protection (EDR)

If a user clicks a malicious link or opens a malicious attachment, endpoint detection and response (EDR) software on the device provides a last line of defence. EDR monitors system behaviour in real time and can detect, contain, and alert on suspicious activity — such as a process attempting to establish an outbound connection to a command-and-control server, or a script attempting to modify system files.

EDR does not prevent phishing clicks, but it can prevent a click from becoming a full compromise by containing the threat before it establishes persistence.

Security Awareness Training and the Essential Eight

Technical controls alone cannot eliminate phishing risk. The Essential Eight framework developed by the ACSC includes multi-factor authentication, user application hardening and configuring Microsoft Office macro settings as controls that blunt phishing, but user education remains a critical layer. Regular, realistic simulated phishing exercises, combined with structured training, measurably reduce the rate at which staff click on phishing links over time.


Staff Training That Actually Works

Generic annual security awareness training, the "watch this video, tick the box" approach, has consistently poor outcomes. Studies of awareness programmes find that it produces short-term awareness that fades within weeks, and does little to change the instinctive behaviour of users under pressure.

What works is different in three important ways.

Simulated phishing campaigns send realistic fake phishing emails to staff on a regular basis. Users who click are not punished — they are immediately presented with brief, contextual training that explains what they missed and why the email was suspicious. This moment-of-failure training is far more effective than abstract instruction, because it is tied to a real experience. Over time, tracked data shows click rates declining as staff become more attuned to phishing signals.

Scenario-based training tailors content to the specific risks associated with each employee's role. Finance staff should run through invoice fraud and payment redirection scenarios. HR staff should practise identifying payroll redirect requests — a common attack where an attacker impersonates an employee to change their direct deposit details. Management should be drilled on whaling and BEC scenarios. Generic training about "phishing in general" does not prepare people for the specific attacks they are most likely to encounter.

Normalising verification culture may be the single most important behavioural change a business can make. In many organisations, questioning a request from a senior person — or asking to verify something by calling back — is perceived as awkward, slow, or distrustful. Attackers exploit this cultural dynamic deliberately. Businesses that make verification a routine expectation — where "I'll just give you a quick call back on your direct line to confirm" is standard practice, not an implied accusation — create significant friction for attackers who rely on urgency and authority to bypass scrutiny.

Building a reporting culture is equally critical. When staff click something they should not have, the worst outcome for a business is that the person is too embarrassed or afraid of consequences to report it. Every hour of delay in reporting a potential compromise is an hour in which an attacker may be moving through the network, exfiltrating data, or establishing persistence. Staff who report quickly — even when they are not sure if what they clicked was malicious — enable faster containment. That culture can only exist if reporting is met with support rather than blame.


What to Do If You Click a Phishing Link

If you suspect you have clicked a phishing link or opened a malicious attachment, speed matters. Every minute of delay allows more time for an attacker to act on a compromised session or installed payload.

Take these steps immediately.

Disconnect the affected device from the network — disable Wi-Fi, unplug the ethernet cable, or switch on flight mode. This prevents any malware that may have been installed from communicating with attacker infrastructure or spreading to other devices on your network.

Call your IT provider or internal helpdesk straight away. Do not attempt to close the browser, run a scan yourself, or clean up the device. Well-intentioned self-remediation can destroy forensic evidence that your IT team needs to understand what happened. Get the experts involved before you do anything else with the device.

From a different, unaffected device, change the passwords for any accounts you accessed from the compromised device, particularly email, banking, and cloud platforms, and sign out of all active sessions where the service offers it (in Microsoft 365 and Google Workspace an administrator can revoke a user's sessions). A password change on its own does not always invalidate a session token an attacker has already captured. Enable or re-confirm MFA on those accounts.

Report the incident internally. Even if you are not certain that anything was compromised, let your IT team or manager know what occurred. The sooner an investigation can begin, the better the outcome is likely to be.


How Pickle Protects Australian Businesses from Phishing

Pickle provides managed IT services to Australian SMBs, strata buildings, and commercial properties — including the full stack of technical controls and human processes needed to defend against phishing in 2026.

That includes configuring and enforcing email authentication standards (SPF, DKIM, and DMARC at p=reject), deploying and managing anti-phishing policies within Microsoft 365 and Google Workspace environments, rolling out MFA across your business accounts, and deploying EDR on endpoints.

Beyond the technical controls, Pickle helps businesses implement regular simulated phishing campaigns and coordinates role-based security awareness training — the kind that changes behaviour rather than just ticking a compliance box.

Phishing attacks are evolving faster than most businesses can track. A managed IT partner who monitors the threat landscape and keeps your defences current is increasingly important for businesses that do not have an in-house security team.

To find out how Pickle can help protect your business, call 1300 688 588 or email [email protected].


FAQ

Q: Can MFA stop phishing attacks?

A: MFA significantly reduces the risk of account compromise from phishing, because even a stolen password alone is not enough to access the account. However, standard MFA methods, such as SMS codes, authenticator app codes and push notifications, do not protect against Adversary-in-the-Middle (AiTM) phishing attacks, where the attacker uses a reverse proxy to capture the authenticated session in real time. Phishing-resistant MFA, particularly FIDO2 hardware keys and passkeys, does protect against AiTM because authentication is cryptographically tied to the legitimate domain. Enabling any MFA is better than no MFA, but for high-value accounts, phishing-resistant methods are worth prioritising.

Q: How do I check if an email link is safe before clicking?

A: On a desktop computer, hover your mouse over the link without clicking. The actual destination URL will appear in the bottom bar of your browser or email client. Check that it matches the domain you expect — for example, if the email claims to be from your bank, the URL should end in the bank's official domain, not a lookalike or unrelated domain. Look carefully at every character in the domain name, as attackers use visually similar characters and substitute letters to create convincing fakes. If you are on a mobile device, press and hold the link to preview the URL before tapping. If anything looks off, do not click — contact the supposed sender through a separate, known channel to verify the message.

Q: What should I do if I think I clicked a phishing link?

A: Act quickly. Disconnect the device from the network immediately: turn off Wi-Fi or unplug the ethernet cable. Then call your IT provider or helpdesk as soon as possible and do not try to fix the device yourself before speaking to them. From a separate, unaffected device, change the passwords for any accounts you were logged into on the affected device, sign out of all active sessions where the service allows it, and confirm that MFA is active on those accounts. Report the incident to your IT team even if you are uncertain whether anything was compromised; early reporting dramatically improves the likelihood of containing the threat before it spreads.

Q: How often should businesses run phishing simulation exercises?

A: There is no single mandated frequency, but monthly is a common and defensible cadence, with variations in the type and sophistication of the simulations across the year. Annual or quarterly exercises do not maintain the heightened awareness needed to change instinctive behaviour. Monthly campaigns, with immediate training for anyone who clicks, produce measurable reductions in click rates over time. The simulations should be varied in format and sender type so staff are not simply learning to recognise the same template. For businesses handling sensitive data or financial transactions, a higher frequency or more advanced simulation programme may be appropriate.

Q: Is AI-generated phishing covered by cyber insurance?

A: In most cases, yes — cyber insurance policies cover losses resulting from phishing attacks, including AI-generated phishing, as these are typically classified under social engineering or business email compromise coverage. However, coverage varies significantly between policies and insurers. Some policies place sublimits on social engineering losses that are lower than the overall policy limit, and some require specific controls to be in place — such as MFA, email authentication, and documented staff training — as a condition of cover. It is important to read your policy carefully and discuss coverage specifics with your broker. Importantly, having robust technical and training controls in place is not just good security practice — it can affect your eligibility for cover and your premium.