
Phishing, invoice fraud, and ransomware don't care if you're "too small." Here's what every Australian small business needs to know—and do—right now.
It's tempting to think cyberattacks are a "big business problem." But the reality for Australian small and medium-sized businesses (5–200 staff) is the opposite: attackers love SMEs because they're busy, stretched, and often running on trust.
The Australian Cyber Security Centre (ACSC) has been reporting a steady rise in cyber activity affecting Australian organisations, with common incidents including phishing and business email compromise (BEC). Year-on-year increases in alerts and notifications continue to climb.
SMEs move fast with lean teams—perfect conditions for a scammer to exploit
Informal processes and trusted relationships are weaponised by attackers
Fewer dedicated IT resources means vulnerabilities go unpatched longer
Many scams are run like businesses—complete with helpdesks for victims and "affiliate" ransomware programs.
Fake invoices, realistic phishing emails, and even voice-cloned phone calls are becoming frighteningly convincing.
Cloud apps, remote work, and online payments expand the number of places attackers can target.
For Australian SMEs, this plays out in very familiar ways: a fake "supplier" email, a payroll account changed by a scammer, a staff member tricked into logging into a fake Microsoft 365 page, or a ransomware event that halts operations entirely.
Phishing is still the number one "front door" for attacks. Modern phishing looks like:
Ransomware isn't only about paying a ransom. The real cost is often far greater:
Australian research continues to show ransomware affects small businesses with significant financial impact on victims—often disproportionate to their size.
Stolen passwords are cheap and widely available on the dark web. Multi-factor authentication (MFA) can stop a login even if the password is correct. If you only do one thing this week—turn on MFA for email, accounting, and cloud systems.
Email is the control centre for your business. If someone gets into a staff mailbox, they can reset passwords for other services, read invoices and contracts, set up hidden forwarding rules, and impersonate staff and customers. Many SMEs don't realise an account can be compromised quietly for weeks.
If personal information is accessed or leaked, you may have obligations under Australia's privacy laws and the Notifiable Data Breaches (NDB) scheme. Even if you're unsure whether the Privacy Act applies today, privacy expectations from customers, partners, and insurers are rising fast.
A practical, non-technical checklist you can action immediately—in order of priority.
Work through these steps in order. The first two steps alone will stop a large chunk of real-world SME losses. Don't try to do everything at once—pick three actions and schedule them this week.
Enable multi-factor authentication for all email accounts, especially admin accounts. This is your single most impactful action.
Disable older sign-in methods that bypass MFA where possible in your Microsoft 365 or Google Workspace settings.
Configure alerts for any new mailbox forwarding rules—a common sign of a compromised account.
Any change to bank details must be verified by phone using a trusted number—never the number provided in the email requesting the change.
Require two-person sign-off for payments above a set threshold. This simple control stops most BEC payment fraud cold.
Make sure devices auto-update—Windows, macOS, and browsers. Don't forget routers, firewalls, and key business apps. Unpatched software is one of the most common entry points for attackers, and it's entirely preventable.
Follow the 3-2-1 backup rule: 3 copies of data, on 2 different types of storage, with 1 copy offline or immutable. Critically—test a restore. Many businesses discover their backups don't work during a ransomware event, not before.
You don't need a full-day workshop. A 10-minute monthly session asking "What does a phishing email look like this month?" builds real awareness over time.
Write a simple plan that includes:
IT provider, bank, insurer
Steps to disconnect affected machines
Use cyber.gov.au guidance
Who handles customer communications
Cybersecurity doesn't have to be overwhelming. Start small, start now, and build from there.
Choose three items from the action plan above and schedule them into your calendar this week. Don't wait for the "right time."
These two controls stop a large chunk of real-world SME losses. MFA on email and a phone-verification rule for bank detail changes are your highest-ROI moves.
Make cybersecurity a normal part of operations. Share this article and make it a standing agenda item in your next team meeting.
Don't Be the Ostrich: Cyber Threats Are Rising for Aussie SMEs