Protect Your Business from Phishing
Cybersecurity is no longer something only large companies need to worry about. Today, almost every small business depends on email, cloud software, online banking, websites, remote access tools, mobile devices and digital customer communication. This makes businesses more efficient, but it also makes them more exposed.
For Perth small businesses, phishing is one of the most common and damaging cyber threats. A single fake email, text message, phone call or social media message can lead to stolen passwords, fraudulent payments, malware infections, data breaches and serious reputational damage. The Australian Cyber Security Centre notes that cybercriminals use email, text messages, social media and phone calls to steal passwords, access computers or trick people into taking harmful actions.
The good news is that phishing can be managed. You do not need an enterprise-sized budget to reduce your risk. With the right mix of staff awareness, strong passwords, multi-factor authentication, email filtering, software updates, backups and clear internal processes, small businesses can make it much harder for attackers to succeed.
This guide explains what phishing is, how it works, the most common types of phishing attacks, the warning signs to look for, and the practical steps Perth businesses can take to protect their staff, systems and customers.
What Is Phishing?
Phishing is a type of cyberattack where criminals pretend to be a trusted person, company or organisation to trick victims into revealing sensitive information or taking an unsafe action.
The information targeted in phishing attacks often includes:
- Email usernames and passwords
- Microsoft 365 or Google Workspace login details
- Online banking credentials
- Credit card numbers
- Customer records
- Payroll information
- Supplier payment details
- Remote access credentials
- Identity documents
- One-time passcodes or verification codes
Phishing attacks often arrive by email, but they can also come through SMS, phone calls, messaging apps, social media platforms and fake websites. Modern phishing messages can look highly convincing. They may use real logos, realistic email signatures, familiar language and urgent wording designed to make the recipient act quickly.
For small businesses, phishing is especially dangerous because attackers often target the systems that businesses use every day: email accounts, accounting platforms, cloud storage, customer relationship management tools, payment systems and supplier communication channels.
Why Phishing Is a Serious Risk for Small Businesses
Many small businesses assume they are too small to be targeted. Unfortunately, cybercriminals often see small businesses as easier targets because they may have fewer security controls, less formal staff training and limited internal IT support.
A phishing attack can cause damage in several ways.
First, it can lead to direct financial loss. A staff member may be tricked into paying a fake invoice, changing supplier bank details or approving an urgent payment request that appears to come from the business owner or manager.
Second, it can lead to account compromise. If an attacker steals a staff member’s email password, they may access business emails, send phishing messages to customers, reset passwords for other services or gather information for a more targeted attack.
Third, it can damage trust. Customers expect businesses to keep their information safe. If a phishing attack exposes customer records or causes fraudulent communication to be sent from your business email account, your reputation can suffer.
Finally, phishing can become the entry point for a larger cyber incident. Stolen login details can be used to install malware, access cloud files, compromise business systems or launch ransomware.
The ACSC’s small business guidance warns that even a minor cyber security incident can have devastating impacts on a small business.
How Phishing Attacks Work
Most phishing attacks follow a simple pattern.
The attacker sends a message that appears to come from a trusted source. This may be a bank, supplier, delivery company, government agency, software provider, internal manager or well-known brand.
The message then creates a reason for the recipient to act. Common examples include:
- “Your account will be suspended.”
- “Your invoice is overdue.”
- “Your payment has failed.”
- “Your mailbox is full.”
- “Your password is expiring.”
- “Please review the attached document.”
- “Confirm your identity.”
- “Update your payment details.”
- “Approve this urgent transfer.”
- “You have received a secure file.”
The recipient is then encouraged to click a link, open an attachment, call a number, scan a QR code, reply with information or approve a login prompt.
Once the victim acts, the attacker may steal login details, install malware, redirect payments, access business systems or impersonate the victim to target others.
What makes phishing effective is that it relies on human behaviour. Attackers use urgency, fear, curiosity, authority and familiarity to make people respond before they stop and think.
Why Phishing Attacks Are So Successful
Phishing remains successful because attackers constantly adapt their methods. Today’s phishing campaigns are more polished, more targeted and more difficult to detect than the obvious scam emails of the past.
Lack of Security Awareness
Many staff members are not trained to identify suspicious emails, links, attachments or payment requests. Without regular awareness training, employees may not know what to check before clicking.
Realistic Impersonation
Cybercriminals can copy branding, email signatures, website layouts and writing styles. Some phishing messages are almost identical to legitimate business communications.
Urgency and Pressure
Attackers often create a false sense of urgency. They may claim that an account will be closed, a payment is overdue or an important service will stop unless immediate action is taken.
Personalised Attacks
Modern attackers often research businesses before sending phishing messages. They may use information from LinkedIn, websites, social media, staff profiles and previous data breaches to make their messages more believable.
Weak Password Practices
If staff reuse passwords across multiple services, a single stolen password can give attackers access to several business systems.
Lack of Multi-Factor Authentication
Without multi-factor authentication, attackers may only need a username and password to access an account. MFA adds an extra barrier by requiring another form of verification.
Inadequate Email Security
Businesses without strong email filtering, domain protection and malware scanning are more likely to receive dangerous messages in staff inboxes.
Common Types of Phishing Attacks
Understanding the different types of phishing helps staff recognise threats before they cause damage.
1. Email Phishing
Email phishing is the most common form of phishing. Attackers send fake emails to many recipients, hoping that some will click a link, download a file or enter their login details.
These emails often appear to come from well-known organisations such as banks, Microsoft, Google, Australia Post, delivery companies, telecommunications providers, government agencies or cloud software platforms.
Common Signs of Email Phishing
Look out for:
- Unexpected requests to log in
- Suspicious links or attachments
- Poor grammar or unusual wording
- Urgent threats or warnings
- Requests for payment or bank details
- Email addresses that do not match the sender’s organisation
- Slightly altered domain names
- Generic greetings such as “Dear customer”
- Attachments you were not expecting
- Messages asking you to bypass normal procedures
A common tactic is to use a link that looks similar to the real website but contains a small change. For example, a fake domain may use extra words, missing letters or a different ending to mislead users.
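The lookalike tricks just described (extra words, missing or swapped letters, a different ending) can be checked mechanically before anyone clicks. The Python below is an added example written for this article, not code from the original page or from Computing Australia. The trusted-domain list, the domain "perthplumbing.example" and the sample links are constructed, and the registrable-domain logic uses a small hand-picked suffix list rather than the full Public Suffix List.

```python
"""Lookalike-domain check for links found in email.

Added example for this article, not code from the original page or from
Computing Australia. TRUSTED_DOMAINS, "perthplumbing.example" and the
sample links are constructed. The registrable domain is worked out with
a small hand-picked suffix list; a production tool would use the full
Public Suffix List.
"""
from urllib.parse import urlsplit

# Constructed: domains this hypothetical business treats as genuine.
TRUSTED_DOMAINS = {"microsoft.com", "google.com", "auspost.com.au", "perthplumbing.example"}

# Constructed subset of multi-label public suffixes so that e.g. auspost.com.au
# is treated as one registrable domain rather than "com.au".
SECOND_LEVEL_SUFFIXES = {"com.au", "net.au", "org.au", "gov.au", "co.uk", "co.nz"}


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes or swaps between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Return the part of the host that someone actually registered (last 2 or 3 labels)."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Classify a URL's host against the trusted domains.

    Returns (verdict, trusted_domain_it_resembles_or_None). Verdicts:
      trusted                     registrable domain is one we trust (subdomains included)
      lookalike-different-ending  same name, different suffix (microsoft.co)
      lookalike-extra-words       trusted name buried in a longer, unrelated domain
      lookalike-altered-letters   one or two letters missing, swapped or added
      unknown                     no resemblance found; treat as an ordinary external link
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ("no-host", None)
    reg = registrable_domain(host)
    if reg in trusted:
        return ("trusted", reg)
    reg_name = reg.split(".")[0]
    brands = [(t.split(".")[0], t) for t in sorted(trusted)]
    for brand, t in brands:
        if reg_name == brand:
            return ("lookalike-different-ending", t)
    for brand, t in brands:
        if brand in host:
            return ("lookalike-extra-words", t)
    for brand, t in brands:
        # Short brand names would produce too many false matches, so require 5+ characters.
        if len(brand) >= 5 and edit_distance(reg_name, brand) <= 2:
            return ("lookalike-altered-letters", t)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample links of the kinds the article describes.
    for link in [
        "https://login.microsoft.com/",
        "https://microsoft.com.login-verify.net/",
        "https://micosoft.com/",
        "https://microsoft.co/",
        "https://auspost.com.au.parcel-track.info/",
        "https://rnicrosoft.com/",
        "https://example.org/",
    ]:
        print(f"{link:45} -> {classify_link(link)}")
```

The "rnicrosoft" case is worth noting: the letters "rn" read as "m" in many fonts, and the edit-distance check catches it where a plain substring match does not. A verdict of "unknown" is not a pass; it only means the link does not imitate one of your own trusted names.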
2. Spear Phishing
Spear phishing is a targeted phishing attack aimed at a specific person, role or business. Instead of sending the same message to thousands of random recipients, the attacker researches the victim first.
For example, an attacker may identify the business owner, accounts manager or office administrator and send a message that appears to come from a real supplier, customer or senior staff member.
Why Spear Phishing Is Dangerous
Spear phishing is dangerous because the message often feels familiar. It may reference real names, projects, invoices, suppliers or business processes. This makes the recipient more likely to trust the request.
Common spear phishing examples include:
- A fake email from the managing director asking for an urgent payment
- A supplier invoice with changed bank details
- A request to download a shared document
- A fake Microsoft 365 login page
- A message pretending to be from an accountant, lawyer or IT provider
- A request for payroll or employee information
Business Email Compromise, also known as BEC, is a form of targeted phishing where criminals try to scam organisations out of money, goods or important business information.
3. Smishing
Smishing is phishing by SMS or text message. These messages often appear to come from banks, delivery companies, toll providers, government services or subscription platforms.
Examples include:
- “Your parcel could not be delivered.”
- “Your toll payment is overdue.”
- “Your bank account has been locked.”
- “Your tax refund is ready.”
- “Your subscription payment failed.”
Smishing messages usually contain a link to a fake website. The page may ask for login details, credit card information or identity verification.
Because many people read text messages quickly on their phones, smishing can be very effective.
4. Vishing
Vishing is phishing by voice call. The attacker calls the victim and pretends to be from a trusted organisation such as a bank, IT support provider, telco, government department or software company.
The caller may claim there is a problem with your account, computer, payment or security settings. They may ask you to confirm personal details, install remote access software, approve a transaction or provide a verification code.
Red Flags in Vishing Calls
Be cautious if a caller:
- Creates panic or urgency
- Asks for passwords or one-time codes
- Wants remote access to your computer
- Requests immediate payment
- Refuses to let you call back through official channels
- Claims your business will suffer consequences unless you act immediately
A safe response is to hang up and call the organisation back using a phone number from its official website or your existing records.
5. Angler Phishing
Angler phishing happens on social media. Attackers often impersonate customer support accounts or company representatives.
For example, a customer may complain about a service issue on Facebook, Instagram, LinkedIn or X. A scam account may reply, pretending to be the company’s support team, and ask the customer to click a link or send account details.
Businesses should monitor their brand presence online and educate customers to use official support channels.
6. QR Code Phishing
QR code phishing, sometimes called quishing, uses QR codes to direct users to fake websites. These may appear in emails, posters, invoices, parking notices, menus or printed flyers.
Because QR codes hide the destination URL, users may not realise they are being sent to a malicious site until it is too late.
Businesses should be cautious with unexpected QR codes, especially those asking for payment, login details or identity information.
7. Invoice and Payment Redirection Scams
Payment redirection is one of the most financially damaging phishing-related threats for businesses.
In this attack, criminals impersonate a supplier, contractor or internal staff member and request that future payments be sent to a new bank account. The email may look legitimate and may even come from a compromised supplier account.
To prevent this, businesses should verify all bank detail changes through a trusted phone number already on file, not the phone number provided in the email.
Common Phishing Techniques
Phishing campaigns use several common techniques. Knowing these techniques makes it easier to recognise suspicious activity.
Fake Website Imitations
Many phishing emails link to fake websites that look almost identical to legitimate login pages. These may imitate Microsoft 365, Google, banks, accounting software, courier companies or government portals.
Once the user enters their details, the attacker captures them and may use them immediately.
Always check the website address before entering login details. Better still, access important services by typing the known address into your browser or using a saved bookmark.
Deactivation and Account Suspension Messages
Messages such as “Your account will be deactivated” or “Your subscription is expiring” are designed to create urgency.
These messages may claim that your email, website hosting, domain name, cloud storage, bank account or business software will stop working unless you act immediately.
Before clicking, verify the message through the provider’s official website or support channel.
Fake Technical Support
In this technique, scammers pretend to offer technical support. They may claim your computer is infected, your email has been compromised or your software licence needs attention.
They may ask you to download remote access tools, share your screen or provide login details.
Legitimate IT providers should follow clear support processes. If you receive an unexpected support call or email, confirm it with your regular IT contact before taking action.
Fake Rewards, Grants and Donations
Some phishing messages claim you have won a prize, qualified for a grant or been selected for a donation. These scams often ask for personal information, bank details or an upfront payment.
If something sounds too good to be true, it probably is.
Malicious Attachments
Attachments can contain malware or links to credential-stealing websites. Dangerous files may be disguised as invoices, resumes, remittance notices, reports, delivery documents or scanned files.
Be especially careful with unexpected attachments, even if they appear to come from someone you know. Their account may have been compromised.
How Perth Small Businesses Can Protect Themselves from Phishing
Phishing prevention works best when businesses combine technology, training and clear procedures.
1. Start with a Cybersecurity Audit
A cybersecurity audit helps identify weaknesses in your current systems, policies and processes. It can review email security, password practices, device management, backups, software updates, access permissions, cloud accounts and staff awareness.
For small businesses, an audit does not need to be overly complex. The goal is to understand your current risk and create a practical improvement plan.
A good audit should answer questions such as:
- Are all business accounts protected with multi-factor authentication?
- Are staff using strong, unique passwords?
- Are old accounts disabled?
- Are admin privileges restricted?
- Are devices patched and protected?
- Are backups working and tested?
- Are staff trained to identify phishing?
- Are payment approval processes secure?
- Is email filtering properly configured?
- Do you have an incident response plan?
2. Use Multi-Factor Authentication
Multi-factor authentication is one of the most effective ways to reduce account compromise. It requires users to verify their identity using more than just a password.
MFA may involve an authenticator app, security key, biometric check or push notification.
For small businesses, MFA should be enabled for:
- Email accounts
- Microsoft 365 or Google Workspace
- Online banking
- Accounting software
- Cloud storage
- Remote access tools
- Website administration accounts
- Social media accounts
- Customer databases
- Password managers
The ACSC includes multi-factor authentication as one of the Essential Eight mitigation strategies.
3. Train Staff Regularly
Staff awareness is critical. Even the best security tools cannot stop every phishing message.
Training should teach employees how to:
- Check sender addresses
- Inspect links before clicking
- Identify fake login pages
- Recognise urgent or unusual requests
- Report suspicious emails
- Verify payment changes
- Handle attachments safely
- Avoid sharing passwords or MFA codes
- Respond to suspected account compromise
Training should not be a one-off event. Short, regular refreshers are usually more effective than long annual sessions.
4. Create a Clear Reporting Process
Employees should know exactly what to do if they receive a suspicious message.
A simple process might be:
1. Do not click links or open attachments.
2. Do not reply to the sender.
3. Report the message to the manager or IT support.
4. Mark the email as phishing if your email system supports it.
5. Delete the message only after it has been reviewed.
6. If a link was clicked, notify IT immediately.
Make reporting easy and blame-free. Staff are more likely to report mistakes quickly if they know they will not be punished.
5. Strengthen Password Management
Weak or reused passwords make phishing far more dangerous.
Businesses should require:
- Unique passwords for every business account
- Long passwords or passphrases
- A business password manager
- No password sharing by email, chat or spreadsheet
- Immediate password changes after suspected compromise
- Removal of access when staff leave
A password manager helps staff create and store strong passwords without needing to remember each one.
6. Secure Business Email
Email is the main delivery channel for phishing, so email security should be a priority.
Useful controls include:
- Spam and malware filtering
- Link scanning
- Attachment scanning
- Domain-based email authentication such as SPF, DKIM and DMARC
- External sender warnings
- Blocking risky file types
- Monitoring unusual login activity
- Disabling automatic forwarding to external addresses
- Protecting admin accounts with stronger controls
Businesses using Microsoft 365 or Google Workspace should review their security settings regularly.
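SPF, DKIM and DMARC are DNS TXT records, so a weak configuration and a corrected one can be compared as plain text. The Python below is an added example, not code from the original page, from Microsoft or from Google. It checks constructed records for the hypothetical domain "perthplumbing.example"; the include hostname spf.protection.outlook.com is the one Microsoft documents for Microsoft 365, and the DKIM public key is a labelled placeholder. It goes slightly beyond the list above by also counting SPF DNS lookups, which receivers cap at ten.

```python
"""Check SPF, DKIM and DMARC records for weak settings.

Added example for this article, not code from the original page, Microsoft
or Google. The records are constructed samples for the hypothetical domain
perthplumbing.example; a real check would fetch them from DNS (TXT at the
domain for SPF, at _dmarc.<domain> for DMARC, at <selector>._domainkey.<domain>
for DKIM). Here the record text is passed in directly so it runs offline.
"""

# Mechanisms that cost a DNS lookup; SPF allows at most 10 per evaluation.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "exists", "redirect", "ptr"}


def parse_spf(record):
    """Return {'lookups': n, 'all': qualifier} for a v=spf1 record, or None if not SPF."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    lookups, all_qualifier = 0, None
    for term in terms[1:]:
        qualifier = "+"                       # SPF's default qualifier is "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
        elif name == "all":
            all_qualifier = qualifier
    return {"lookups": lookups, "all": all_qualifier}


def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_auth(spf_record, dmarc_record, dkim_record):
    """Return a list of findings; an empty list means no weak setting was found."""
    findings = []

    spf = parse_spf(spf_record) if spf_record else None
    if spf is None:
        findings.append("SPF: no valid record, so receivers cannot tell which servers may send for you")
    else:
        if spf["all"] in (None, "+", "?"):
            findings.append("SPF: record does not fail unauthorised senders; end it with -all (or ~all with DMARC enforcing)")
        if spf["lookups"] > 10:
            findings.append("SPF: more than 10 DNS lookups; receivers treat this as a permanent error")

    dmarc = parse_tags(dmarc_record) if dmarc_record else {}
    if dmarc.get("v") != "DMARC1":
        findings.append("DMARC: no record, so spoofed mail from your domain is not rejected")
    else:
        if dmarc.get("p", "none") == "none":
            findings.append("DMARC: p=none only monitors; move to p=quarantine, then p=reject")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua address, so you receive no aggregate reports")
        pct = dmarc.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC: policy applies to only {pct}% of mail")

    dkim = parse_tags(dkim_record) if dkim_record else {}
    if dkim.get("v", "DKIM1") != "DKIM1" or not dkim.get("p"):
        findings.append("DKIM: selector record missing or key revoked (empty p=), so outbound mail is not signed")
    return findings


# Constructed "before" records: open SPF, monitor-only DMARC, revoked DKIM key.
WEAK = {
    "spf": "v=spf1 include:spf.protection.outlook.com +all",
    "dmarc": "v=DMARC1; p=none",
    "dkim": "v=DKIM1; k=rsa; p=",
}

# Constructed "after" records for a Microsoft 365 tenant; the DKIM key is a placeholder.
HARDENED = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@perthplumbing.example; pct=100",
    "dkim": "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY",
}


def assess(records):
    """Run the check over one set of spf/dmarc/dkim record strings."""
    return assess_email_auth(records["spf"], records["dmarc"], records["dkim"])


if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {assess(records) or ['no weak settings found']}")
```

Moving DMARC straight to p=reject can block legitimate mail from a system you forgot about (a website contact form, an invoicing tool), which is why the finding suggests p=none, then quarantine, then reject, using the rua reports at each step to see what would be affected.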
7. Verify Payment and Bank Detail Changes
Many phishing attacks target payments. A simple verification process can prevent major losses.
Before changing supplier bank details or approving an unusual payment:
- Call the supplier using a trusted number already on file
- Do not use contact details provided in the suspicious email
- Require approval from more than one person for large payments
- Keep written records of verification
- Train accounts staff to question urgent requests
- Confirm invoices against purchase orders or known contracts
This process is especially important for Perth businesses dealing with contractors, trades, professional services, property, construction, retail, healthcare and local suppliers.
8. Keep Software and Devices Updated
Updates often fix security vulnerabilities that attackers can exploit. Businesses should patch operating systems, browsers, email clients, mobile devices, business software, plugins and network equipment.
The Essential Eight includes patching applications and operating systems as key mitigation strategies.
Where possible, enable automatic updates. For critical systems, work with an IT provider to test and apply updates safely.
9. Limit Admin Privileges
Not every user needs administrator access. If a phishing attack compromises a standard user account, the damage may be limited. If it compromises an admin account, the attacker may gain broad control.
Businesses should:
- Give admin access only to users who need it
- Use separate admin accounts for administrative tasks
- Review permissions regularly
- Remove access when staff change roles or leave
- Monitor admin activity
Restricting administrative privileges is also one of the Essential Eight strategies.
10. Back Up Important Data
Backups help businesses recover from cyber incidents, accidental deletion, device failure and ransomware.
Backups should be:
- Automatic
- Regular
- Encrypted
- Stored separately from the main system
- Tested periodically
- Protected from unauthorised access
Daily backups are part of the Essential Eight.
What Is the Essential Eight?
The Essential Eight is a set of cybersecurity mitigation strategies developed by the Australian Signals Directorate’s Australian Cyber Security Centre. It is designed as a baseline to help organisations make it much harder for attackers to compromise systems.
The Essential Eight includes:
1. Application control
Prevent unauthorised or malicious programs from running.
2. Patch applications
Keep applications updated to reduce known vulnerabilities.
3. Configure Microsoft Office macro settings
Block or restrict risky macros that can be used to deliver malware.
4. User application hardening
Disable unnecessary features in applications that attackers commonly exploit.
5. Restrict administrative privileges
Limit powerful access to users who genuinely need it.
6. Patch operating systems
Keep operating systems and network devices updated.
7. Multi-factor authentication
Add an extra verification step to protect accounts.
8. Regular backups
Maintain recoverable copies of important data.
For small businesses, the ACSC recommends implementing Maturity Level One of the Essential Eight after completing its small business cyber security guide.
What to Do If You Suspect a Phishing Attack
If you think your business has received a phishing email, message or call, act quickly.
If No One Clicked the Link
- Do not click anything
- Report the message internally
- Mark it as phishing or spam
- Block the sender if appropriate
- Warn other staff if similar messages may arrive
If Someone Clicked a Link
- Disconnect the affected device from the network if malware is suspected
- Change the affected password immediately
- Enable or reset MFA
- Review account login activity
- Contact your IT provider
- Scan the device for malware
- Check for email forwarding rules
- Notify affected customers or suppliers if required
If Money Was Sent
- Contact your bank immediately
- Report the incident to the relevant authorities
- Preserve emails, invoices and call records
- Contact your IT provider
- Review payment approval processes
The ACSC advises people who receive phishing via email to contact their email provider for help blocking future phishing emails, and to report phishing attempts through the relevant channel depending on whether the attempt came by email, SMS or social media.
Why Work with a Local Perth Cybersecurity Team?
Small businesses often need practical, cost-effective cybersecurity support. A local IT and cybersecurity provider can help you identify your biggest risks, prioritise improvements and implement security controls without overcomplicating your operations.
A Perth-based cybersecurity team can assist with:
- Cybersecurity audits
- Microsoft 365 and Google Workspace security
- Email protection
- Staff phishing awareness training
- Backup planning
- Device security
- Password management
- MFA rollout
- Essential Eight readiness
- Incident response
- Ongoing monitoring and support
Cybersecurity is not a one-time project. It is an ongoing business discipline. The right partner can help you build simple, repeatable security habits that protect your business every day.
Conclusion
Phishing attacks are becoming more convincing, more targeted and more damaging. For small businesses, the consequences can include financial loss, downtime, customer distrust, data exposure and long-term reputational harm.
However, phishing is not unbeatable. By training your team, securing your email, using multi-factor authentication, verifying payments, keeping systems updated and following the Essential Eight, your business can significantly reduce its risk.
If you are unsure where to start, begin with a cybersecurity audit. A clear review of your current systems will help you understand your risks and take practical steps to improve security.
Need help protecting your Perth business from phishing? Speak with Computing Australia’s cybersecurity team today for practical advice, security audits and small business IT support.
Jargon Buster
Advanced Persistent Threat – a cyberattack where a criminal gains access to a system or network and remains there for a prolonged period without being detected.
Malicious Links – links created for the purpose of a cyberattack.
2FA – Two-Factor Authentication – access is granted only after two steps of authentication. You will need to provide two pieces of evidence to establish your identity. It is a form of MFA (multi-factor authentication).
Blake Parry
FAQ
What is phishing in cybersecurity?
Phishing is a cyberattack where criminals impersonate trusted organisations or people to trick victims into sharing passwords, payment details or sensitive information.
Why are small businesses targeted by phishing?
Small businesses are targeted because they often rely heavily on email and cloud tools but may not have strong cybersecurity controls, staff training or formal payment verification processes.
What is the difference between phishing and spear phishing?
Phishing is usually sent broadly to many people, while spear phishing is targeted at a specific person, role or business using personalised information.
How can Perth businesses prevent phishing?
Perth businesses can reduce phishing risk by using multi-factor authentication, staff training, email filtering, strong passwords, payment verification processes, software updates and regular backups.
What should I do if an employee clicks a phishing link?
Change the affected password, enable MFA, contact your IT provider, check login activity, scan the device, review email forwarding rules and assess whether any data or payments were affected.