AI-Powered Phishing Attacks: The New Cyber Threat Businesses Must Prepare For
Attackers now use AI to write flawless, personalised phishing at scale — including deepfake voice scams. What's changed, and how to defend against it.
Artificial intelligence is transforming business operations through tools like ChatGPT and Microsoft Copilot. Cybercriminals are leveraging the same technologies to launch increasingly sophisticated attacks — and for many Australian SMBs the gap between “our filters catch phishing” and “our filters catch what attackers send in 2026” is widening fast.
What is AI-powered phishing?
Phishing traditionally involved impersonating a trusted source — your bank, the ATO, a supplier, a colleague — to steal credentials or trigger a fraudulent payment. The giveaway used to be obvious: spelling errors, awkward phrasing, a dodgy-looking logo.
AI has changed the economics of all three. Attackers can now generate highly professional, personalised phishing messages in seconds, in any language, without the grammar tells that used to catch recipients out.
Modern AI-driven phishing capabilities include:
- Automated, large-scale email generation
- Personalised attacks that pull from LinkedIn, company websites, and public filings
- Realistic fake login pages that mimic Microsoft 365, Xero, MYOB and other business apps
- Multi-language phishing with native-level grammar and local tone
The rise of deepfake voice and vishing
Generative audio is the second shoe dropping. Attackers with a handful of samples — a podcast interview, a webinar, a voicemail, a LinkedIn video — can synthesise a convincing voice clone of an executive.
We’ve seen this used to ring finance teams with “urgent” payment requests that sound exactly like the CFO. In the highest-profile cases, the losses have been in the tens of millions. Deepfake voice phishing (“vishing”) is becoming a standard item in the attacker’s toolkit, and the voices are now good enough that spotting them by ear is unreliable.
Why small and medium businesses get targeted
Australian SMBs sit in a sweet spot for attackers: enough money flowing through to be worth the effort, not enough security depth to catch subtle attacks. Specifically:
- Limited cybersecurity resources and no dedicated security team
- Less comprehensive employee security training
- Weaker email filtering than enterprise environments
- Less sophisticated monitoring and response
A successful breach at an SMB opens several follow-on attacks: data theft, fraudulent customer phishing launched from the compromised account, ransomware deployment, and payment redirection scams.
Common AI-powered phishing techniques to watch for
AI-generated email phishing. Convincing messages requesting password resets, invoice payments, document downloads, or account verifications. The tell is usually the request itself — not the writing.
Fake login pages. Pixel-perfect clones of Microsoft 365 or corporate portals designed to capture credentials. Attackers increasingly register look-alike domains with Unicode characters that render identically to the real domain.
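A defender-side check for the look-alike domains described above, as an added example that is not from the original article: it decodes punycode (xn--) labels, flags labels that mix scripts or use no Latin letters at all, and collapses common confusable characters so a spoof of a protected brand domain compares equal to the real one. The confusable table, the protected-domain list and the assess function are assumptions for illustration; a production filter would load the full Unicode confusables data rather than this hand-picked subset.

```python
import unicodedata

# Constructed subset of Unicode "confusable" mappings (non-Latin glyphs that render
# like ASCII letters) plus two ASCII digit tricks; not the full Unicode table.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03bf": "o", "0": "o", "1": "l",
}
MULTI = {"rn": "m", "vv": "w", "cl": "d"}  # ASCII digraphs that read as one letter

# Constructed list of brand domains an Australian SMB would want protected.
PROTECTED = {"microsoft.com", "login.microsoftonline.com", "xero.com", "myob.com"}

def decode_labels(domain):
    """Return each DNS label in Unicode form, decoding xn-- (punycode) labels."""
    out = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        out.append(label)
    return out

def scripts_in(label):
    """Script names (LATIN, CYRILLIC, GREEK, ...) used by the letters of a label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(domain):
    """Collapse look-alike characters to their ASCII target so variants compare equal."""
    text = unicodedata.normalize("NFKC", ".".join(decode_labels(domain)))
    s = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for pair, single in MULTI.items():
        s = s.replace(pair, single)
    return s

def assess(domain, protected=PROTECTED):
    """Return the reasons a domain looks like a spoof; an empty list means clean."""
    reasons = []
    labels = decode_labels(domain)
    for label in labels:
        used = scripts_in(label)
        if len(used) > 1:
            reasons.append(f"mixed scripts in label {label!r}: {sorted(used)}")
        elif used and used != {"LATIN"}:
            reasons.append(f"non-Latin label {label!r} ({next(iter(used))})")
    skel = skeleton(domain)
    if skel in protected and ".".join(labels) not in protected:
        reasons.append(f"look-alike of protected domain {skel!r}")
    return reasons
```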
Business email compromise (BEC). Attackers sit inside a compromised mailbox for days or weeks, reading conversations, then send a fraudulent payment request at exactly the right moment in an invoice cycle.
QR code phishing (quishing). QR codes in emails, posters or letters redirect to credential-harvesting sites. Phones often don’t show the destination URL before opening, which is exactly why attackers like the channel.
How businesses can protect themselves
Enable multi-factor authentication (MFA) everywhere. It’s the single highest-leverage control. Phishing-resistant MFA (hardware keys, Windows Hello for Business) is better than SMS, which attackers can intercept or SIM-swap around.
Implement advanced email security. Modern email gateways detect phishing attempts, malicious links, and suspicious attachments using behavioural analysis and URL rewriting. This matters more in 2026 than it did in 2020 because the grammar-based heuristics no longer work.
Provide security awareness training. Regular employee training — especially simulated phishing — is the human defence layer. Training needs to include voice and video deepfakes now, not just email.
Monitor business email accounts. Detect suspicious login activity from unfamiliar geographies, impossible-travel logins, and new forwarding rules. These are the early signals of BEC.
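The sign-in and forwarding-rule signals listed above turned into detection logic, as an added example that is not from the original article: it runs over a constructed set of sign-in and inbox-rule audit records, flags consecutive logins by one user whose implied speed exceeds what an airliner could cover, and flags inbox rules that forward mail outside the tenant. The 900 km/h threshold, the example.com.au tenant domain and the record format are assumptions; a real deployment would read these fields from the tenant's sign-in and mailbox audit logs.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900                 # assumed ceiling: faster than an airliner is not travel
INTERNAL = "example.com.au"   # assumed tenant domain; forwards elsewhere are suspect

# Constructed sample of sign-in and inbox-rule audit records, not real tenant data.
EVENTS = [
    {"type": "signin", "user": "cfo@example.com.au", "time": "2026-03-02T08:05:00",
     "city": "Sydney", "lat": -33.87, "lon": 151.21},
    {"type": "signin", "user": "cfo@example.com.au", "time": "2026-03-02T09:40:00",
     "city": "Lagos", "lat": 6.45, "lon": 3.39},
    {"type": "rule", "user": "cfo@example.com.au", "time": "2026-03-02T09:42:00",
     "forward_to": "cfo.backup@attacker.example"},
    {"type": "signin", "user": "ap@example.com.au", "time": "2026-03-02T08:10:00",
     "city": "Sydney", "lat": -33.87, "lon": 151.21},
    {"type": "signin", "user": "ap@example.com.au", "time": "2026-03-02T18:30:00",
     "city": "Melbourne", "lat": -37.81, "lon": 144.96},
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (mean Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_KMH):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "signin":
            by_user[e["user"]].append(e)
    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["time"])
        for prev, cur in zip(logins, logins[1:]):
            delta = datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])
            hours = max(delta.total_seconds() / 3600, 1 / 60)  # clamp: same-minute logins still count
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km / hours > max_kmh:
                alerts.append(f"{user}: {prev['city']} -> {cur['city']} in {hours:.1f} h ({km / hours:.0f} km/h)")
    return alerts

def external_forwarding(events, internal=INTERNAL):
    """Flag new inbox rules that forward mail to an address outside the tenant."""
    return [f"{e['user']}: forwarding rule to {e['forward_to']}"
            for e in events if e["type"] == "rule"
            and not e["forward_to"].lower().endswith("@" + internal)]
```

Running both functions over EVENTS flags only the CFO account: a Sydney-to-Lagos "trip" in 1.6 hours followed two minutes later by an external forwarding rule, which is the BEC pattern the text describes.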
Verify payment changes out-of-band. Any change to supplier banking details, or any urgent payment request from an executive, should be verified by a phone call to a known number — not the number in the email.
Maintain reliable backups. Immutable, tested backups are the safety net when prevention fails. Ransomware is still a real outcome of a successful phish.
The bottom line
AI has lowered the cost and raised the quality of phishing attacks simultaneously. The old advice — “look for spelling mistakes” — is no longer useful. The new advice is layered: strong MFA, modern email filtering, staff training for voice and QR attacks, out-of-band payment verification, and monitoring that can spot compromise fast when prevention fails.
Organisations should partner with an experienced IT provider to implement the right controls for their threat profile, monitor for threats, and respond to incidents quickly. Investment in cybersecurity is cheaper than the disruption, breach costs, and reputational damage of an incident that got through.
If you’d like a short assessment of where your email security stands against AI-powered phishing, get in touch — it takes about half an hour and you’ll come away with a clear picture of your gaps.
