Don't Be the Ostrich: Cyber Threats Are Rising for Aussie SMEs

Phishing, invoice fraud, and ransomware don't care if you're "too small." Here's what every Australian small business needs to know—and do—right now.

The Reality Check: SMEs Are Prime Targets

It's tempting to think cyberattacks are a "big business problem." But the reality for Australian small and medium-sized businesses (5–200 staff) is the opposite: attackers love SMEs because they're busy, stretched, and often running on trust.

The Australian Cyber Security Centre (ACSC) has been reporting a steady rise in cyber activity affecting Australian organisations, with common incidents including phishing and business email compromise (BEC). Year-on-year increases in alerts and notifications continue to climb.

Busy & Stretched

SMEs move fast with lean teams—perfect conditions for a scammer to exploit

Running on Trust

Informal processes and trusted relationships are weaponised by attackers

Less Defence

Fewer dedicated IT resources means vulnerabilities go unpatched longer

Why It's Getting Worse: Three Drivers of Global Cybercrime

Organised & Automated

Many scams are run like businesses—complete with helpdesks for victims and "affiliate" ransomware programs.

AI-Powered Scams

Fake invoices, realistic phishing emails, and even voice-cloned phone calls are becoming frighteningly convincing.

More Business Online

Cloud apps, remote work, and online payments expand the number of places attackers can target.

For Australian SMEs, this plays out in very familiar ways: a fake "supplier" email, a payroll account changed by a scammer, a staff member tricked into logging into a fake Microsoft 365 page, or a ransomware event that halts operations entirely.

Threat #1 & #2: Phishing, BEC & Ransomware

Phishing & Business Email Compromise

Phishing is still the number one "front door" for attacks. Modern phishing looks like:

  • A file share request ("view document")
  • A fake invoice or "missed payment" message
  • A Microsoft 365 or Google login prompt
  • An email "from the director" requesting urgent payment
  • A supplier's bank details "changing" before a big invoice

Ransomware & Operational Shutdowns

Ransomware isn't only about paying a ransom. The real cost is often far greater:

  • Days of downtime and lost sales
  • Overtime costs to recover systems
  • Reputational damage with customers
  • Legal and privacy obligations if data is exposed

Australian research continues to show ransomware affects small businesses with significant financial impact on victims—often disproportionate to their size.

Threat #3, #4 & #5: Passwords, Cloud Accounts & Privacy

🔑 Weak or Reused Passwords (and Missing MFA)

Stolen passwords are cheap and widely available on the dark web. Multi-factor authentication (MFA) can stop a login even if the password is correct. If you only do one thing this week—turn on MFA for email, accounting, and cloud systems.

☁️ Cloud Account Takeovers (Microsoft 365 / Google Workspace)

Email is the control centre for your business. If someone gets into a staff mailbox, they can reset passwords for other services, read invoices and contracts, set up hidden forwarding rules, and impersonate staff and customers. Many SMEs don't realise an account can be compromised quietly for weeks.

🔒 Privacy Risk & Notifiable Data Breaches (NDB)

If personal information is accessed or leaked, you may have obligations under Australia's privacy laws and the Notifiable Data Breaches (NDB) scheme. Even if you're unsure whether the Privacy Act applies today, privacy expectations from customers, partners, and insurers are rising fast.

The "No-Ostrich" Action Plan

A practical, non-technical checklist you can action immediately—in order of priority.

Work through these steps in order. The first two steps alone will stop a large chunk of real-world SME losses. Don't try to do everything at once—pick three actions and schedule them this week.

Steps 1 & 2: Email Protection & Invoice Fraud (Do Today & This Week)

Step 1 — Today

Protect Email First

1

Turn on MFA

Enable multi-factor authentication for all email accounts, especially admin accounts. This is your single most impactful action.

2

Disable Legacy Sign-ins

Disable older sign-in methods that bypass MFA where possible in your Microsoft 365 or Google Workspace settings.

3

Set Up Forwarding Alerts

Configure alerts for any new mailbox forwarding rules—a common sign of a compromised account.

Step 2 — This Week

Reduce Invoice Fraud Risk

1

Phone Verification Rule

Any change to bank details must be verified by phone using a trusted number—never the number provided in the email requesting the change.

2

Two-Person Approval

Require two-person sign-off for payments above a set threshold. This simple control stops most BEC payment fraud cold.

Steps 3 & 4: Patching & Backups (This Week & This Month)

Step 3: Patch the Basics

Make sure devices auto-update—Windows, macOS, and browsers. Don't forget routers, firewalls, and key business apps. Unpatched software is one of the most common entry points for attackers, and it's entirely preventable.

Step 4: Backups You Can Actually Restore

Follow the 3-2-1 backup rule: 3 copies of data, on 2 different types of storage, with 1 copy offline or immutable. Critically—test a restore. Many businesses discover their backups don't work during a ransomware event, not before.

Steps 5 & 6: Staff Training & Your Incident Plan (Ongoing)

Step 5 — Ongoing

Train Staff with Short, Regular Refreshers

You don't need a full-day workshop. A 10-minute monthly session asking "What does a phishing email look like this month?" builds real awareness over time.

Step 6 — This Month

Make a One-Page Incident Plan

Write a simple plan that includes:

Who to Call

IT provider, bank, insurer

Isolate Devices

Steps to disconnect affected machines

Contact ACSC

Use cyber.gov.au guidance

Comms Plan

Who handles customer communications

Your Next Steps: Stop Being the Ostrich

Cybersecurity doesn't have to be overwhelming. Start small, start now, and build from there.

01

Pick Three Actions

Choose three items from the action plan above and schedule them into your calendar this week. Don't wait for the "right time."

02

Start with MFA & Bank Verification

These two controls stop a large chunk of real-world SME losses. MFA on email and a phone-verification rule for bank detail changes are your highest-ROI moves.

03

Share with Your Team

Make cybersecurity a normal part of operations. Share this article and make it a standing agenda item in your next team meeting.