
Your Monthly Cybersecurity Advisory for Australian Small Business
Welcome to the first edition of Cyber Secure Australia. This month the headlines are hard to ignore: the Five Eyes intelligence agencies - including Australia's own ASD - issued a blunt joint warning on 22 June 2026 that AI is now accelerating cyber attacks faster than most businesses can adapt. At the same time, a widespread attack on business routers called FortiBleed is making real news, and a new SMS scam rule quietly came into force on 1 July that every Australian business owner should know about. We have a real war story from a Victorian construction company that nearly lost $938,600 in a single afternoon, three actions you can do today, and - as always, nothing here requires an IT team or a big budget.
Every month we share a real-world incident - with identifying details de-identified - to show how attacks actually unfold and how they could have been stopped.
THE BUSINESS — A small construction company in regional Victoria. Around ten staff. They had been using the same local building supplier for routine jobs for several years - a trusted relationship with straightforward email invoicing.
WHAT HAPPENED — A job was completed and the supplier emailed draft invoices to verify the amount before formal payment was requested. Shortly after, the construction company received what looked like the final invoice - correct amount, familiar formatting, signed by the supplier's director - but with different banking details and a note: "Please ensure payment is made to the above bank details as funds paid to the old account will now bounce." Because the email appeared to come from the supplier's real address and everything else looked legitimate, the construction company paid the invoice in full - $938,600 - to an account controlled by the criminal. What had actually happened: the supplier's email account had been hacked. The criminal had been silently monitoring the email thread, waiting for the right moment to intercept.
THE DAMAGE — $938,600 transferred to criminals. The genuine supplier reached out shortly after asking when payment was expected - they had received nothing. Both businesses realised simultaneously what had happened. The construction company immediately called their bank, whose customer protection team acted within hours. Thanks to the speed of reporting, $897,083 - over 95% of the total - was successfully intercepted and recovered. The $41,000 gap, plus days of operational disruption, staff stress, and damaged supplier trust, was very real.
WHAT WOULD HAVE STOPPED IT — One phone call. Before processing any invoice with new or changed bank details, calling the supplier directly - on a number already stored in your contacts, not the one in the email - would have exposed the fraud instantly. Many businesses now have a standing rule: any change to payment details requires verbal confirmation from a known contact, regardless of how legitimate the email looks. This single policy, which costs nothing, defeats the most common and most expensive form of cybercrime targeting Australian SMEs.
Could This Happen to You? — If your business emails invoices, pays suppliers by bank transfer, or receives payment requests via email - yes, this is directly relevant to you. The criminal in this story did not need to hack the construction company at all. They hacked the supplier and waited. Your exposure is not just your own email security; it is every business in your supply chain. The fix is still the same: always verify payment changes by phone before acting.
The old advice - 'look for spelling mistakes and bad grammar' - no longer works. Here's why, and what actually does.
On 22 June 2026, the Five Eyes cyber agencies - including ASD - issued a joint statement confirming that AI is now compressing the time between a threat being developed and it being used against businesses. In plain English: criminals are using AI tools to write phishing emails that are grammatically perfect, professionally formatted, and convincingly written in your suppliers' or bank's actual tone.²
AI voice cloning tools cost as little as $5 per month and need only 3 seconds of audio - a voicemail, a LinkedIn video, or a phone call - to clone someone's voice convincingly. In the first half of 2025 alone, Australians lost $25.8 million to AI voice cloning scams.
The criminal finds your email address on your website, LinkedIn, or a data breach. They also find your accountant's or supplier's name.
They feed your supplier's past emails (from a hacked inbox) or their website copy into an AI tool, which learns their writing style exactly.
The AI generates a perfectly written email - correct name, correct tone, no errors - with a "please update your payment details" request or a fake invoice attached.
You receive it, it looks completely normal, and you act on it. The money is gone within minutes.
Business Email Compromise costs Australian businesses $152.6 million per year. The most effective single defence is not software - it is a written rule that your whole team follows.
It is a simple written rule - one paragraph is enough - that says: before processing any payment above a set threshold, or before acting on any request to change bank details, a staff member must verbally confirm the request with the sender using a pre-existing phone number. That is it.
In FY2024-25, Business Email Compromise fraud resulting in financial loss was the second most-reported cybercrime by Australian businesses (15% of all business reports). Email compromise with no financial loss was number one (19%). Most of those losses could have been prevented by a verbal confirmation call.¹
PAYMENT VERIFICATION POLICY - [Your Business Name]
Any request to change banking or payment details for a supplier or staff member must be
verbally confirmed by phone before being processed. Use the phone number from your existing
records - not any number provided in the email or message making the request.
Any payment above $[set your threshold - e.g. $2,000] requires verbal or in-person sign-off
from [name/role] before it is processed.
If you cannot reach the requester by phone, do not process the payment. Wait until you can
confirm.
When in doubt, stop and ask [owner/manager name] before proceeding.✅ Turn on MFA for all business email accounts - it blocks the vast majority of account takeovers.
✅ Write and share the "Verify Before You Pay" policy above with every person who handles invoices or payments.
✅ Check your email settings for any auto-forward rules you did not set up - this is a common sign of a compromised account.
✅ Set up an external email warning banner: any email from outside your domain should display "[EXTERNAL]" in the subject line.
✅ Store verified supplier bank account details in a locked spreadsheet or accounting system so you have a reference to compare against any "new details" claimed in an email.
Ransomware encrypted your files. Your laptop was stolen. A staff member accidentally deleted a year's worth of client records. Would you survive? Here is the simplest backup strategy that works.
Ransomware was present in 11% of all incidents responded to by ASD's ACSC last year. In the FortiBleed campaign, one of the first things attackers do after gaining access is locate and disable backups - before encrypting anything else. A backup that is connected to your main network can be encrypted right along with everything else.¹
Your working copy, plus two backups - so a single failure never wipes everything.
e.g. cloud storage AND an external drive - so one failure does not take both copies.
Disconnected from your network - so ransomware cannot reach it. A USB drive in a locked drawer works.
Don't just check that a backup ran - actually restore something from it. Open your cloud backup (OneDrive, Google Drive, Xero file history - whichever you use) and restore a single file from last week to confirm it actually works. A backup you have never tested is a hope, not a plan. This takes less than five minutes and costs nothing.
Suggested next step: Write down on a single page who you call if your systems go down. Include: your IT support, your bank's fraud line, and ASD's 24/7 hotline: 1300 CYBER1 (1300 292 371). Pin it near every workstation.
No IT team required. No cost. Under 30 minutes total. Each one directly addresses a real threat active in Australia right now.
Copy the policy template from Section 4. Fill in your business name, payment threshold, and your name as approver. Email or print it for every staff member who handles invoices or payments. This single action defeats the #1 financially damaging cybercrime in Australia. Takes 10 minutes. Costs nothing.
Open your cloud backup or external drive and restore one file from the past week to confirm it works. Then check when it last ran automatically. If it has been more than 24 hours, run it manually today and confirm auto-backup is switched on. If you find you have no backup, set one up via OneDrive, Google Drive, or your accounting software - all free. Takes 5-10 minutes.
Go to your email account settings (Gmail, Outlook, or Microsoft 365), find 'Security' or 'Two-step verification', and enable it. Use an authenticator app (Microsoft Authenticator or Google Authenticator) rather than SMS if possible - it is slightly more secure and equally free. This one step blocks the majority of email account takeovers. Takes 5 minutes.
Action 1 directly counters BEC and invoice fraud - the highest-loss cybercrime for Australian SMEs, and the exact method used in this month's war story.
Action 2 is your defence against ransomware. The FortiBleed campaign active right now targets network devices and can deploy ransomware once inside. A tested offline backup means even a worst-case attack does not destroy your business.
Action 3 directly addresses the AI-phishing and credential-reuse threats highlighted by the Five Eyes advisory. Compromised email accounts are how criminals get inside your supply chain and wait for the right invoice - just like in the war story.