Phishing attacks are evolving rapidly. Learn about the latest techniques, including quishing and AI-generated lures, and how to defend against them.
Phishing remains the leading initial access vector for cyberattacks against Australian businesses. It is not because defenders have not improved — they have. It is because attackers have improved faster. The phishing emails hitting inboxes in 2026 look nothing like the poorly spelled “Nigerian prince” emails of a decade ago.
This is what the current threat landscape looks like, and what to do about it.
How Modern Phishing Has Evolved
AI-Generated Lures
The most significant change in phishing over the past two years is the adoption of generative AI by threat actors. AI eliminates the grammatical errors and awkward phrasing that were the traditional tells of a phishing email. Modern AI-generated phishing emails are:
- Grammatically perfect and contextually appropriate
- Tailored to the recipient’s role, industry, and recent activity
- Written in a natural tone that matches the impersonated sender
- Free of the obvious templates that email filters learned to detect
Detecting AI-generated phishing requires process controls — verification procedures — not just vigilance.
Spear Phishing and Business Email Compromise
Generic mass phishing (click here to reset your password) is increasingly filtered by modern email security tools. Sophisticated attackers have shifted to spear phishing — targeted attacks against specific individuals using personalised information gathered from LinkedIn, company websites, and social media.
The most dangerous form is Business Email Compromise (BEC): impersonating a senior executive or supplier to authorise fraudulent payments or redirect payroll. The ACCC reports BEC as consistently one of the highest-loss cybercrime categories for Australian businesses, with losses frequently in the tens of thousands to millions of dollars per incident.
Quishing (QR Code Phishing)
QR codes in emails sidestep URL scanning in email security tools. The link is embedded in an image rather than in the message text, so unless the gateway decodes QR images, the destination cannot be analysed at the email layer, and an email carrying a QR code instead of a clickable link is less likely to be flagged as malicious.
The QR code directs the recipient to a phishing site, typically a convincing replica of a Microsoft 365 login page designed to capture credentials. Quishing campaigns increased significantly through 2024 and remain prevalent.
Defence: Treat QR codes in unsolicited emails with the same scepticism as suspicious links. Do not scan QR codes in unexpected emails.
Adversary-in-the-Middle (AiTM) Phishing
AiTM phishing uses a reverse proxy to sit between the user and the legitimate service. The user enters their credentials on the phishing site and completes the MFA prompt, which the proxy relays to the real service; the attacker captures not just the password but the authenticated session token issued afterwards — bypassing MFA entirely.
This is a significant evolution. MFA is still essential, but it is no longer sufficient against sophisticated AiTM attacks. The additional control required is phishing-resistant MFA: hardware security keys (FIDO2) or certificate-based authentication that cannot be intercepted by a proxy.
Multi-Stage Attacks via Legitimate Services
Attackers are increasingly using legitimate cloud services as infrastructure: hosting phishing pages on SharePoint, OneDrive, Google Drive, or DocuSign. Links to these services pass through email security filters because the domain itself is trusted.
A phishing email that contains a link to a legitimate SharePoint URL — which then redirects to a credential harvesting page — is much harder to detect than a link to an unknown domain.
Technical Controls
Email Authentication: SPF, DKIM, and DMARC
These three email authentication standards significantly reduce spoofing of your own domain. If they are not configured, anyone can send email that appears to come from your organisation.
- SPF: Specifies which mail servers are authorised to send email for your domain
- DKIM: Adds a cryptographic signature to outbound emails so receivers can verify that the message was signed by your domain and that the signed headers and body were not altered in transit
- DMARC: Tells receiving mail servers what to do with emails that fail both the SPF and DKIM checks for your domain (quarantine or reject), and where to send reports about them
DMARC at an enforcement policy (p=quarantine or p=reject) is the standard that cyber insurers are increasingly requiring. If you do not have DMARC enforcement, speak to your IT provider.
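As an added illustration (not the article's own tooling), the following evaluator takes the raw SPF and DMARC TXT record strings an operator would pull from DNS and reports whether DMARC is actually at enforcement and whether the SPF record ends in a qualifier that rejects unlisted senders. All sample records are constructed.

```python
"""Offline SPF/DMARC record evaluator (added example, not from the article).
Given the TXT record strings an operator would fetch from DNS, it reports whether
DMARC is at an enforcement policy (p=quarantine or p=reject) and whether the SPF
'all' qualifier actually rejects unlisted senders. Sample records are constructed."""
import re

ENFORCING = {"quarantine", "reject"}

def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def assess_dmarc(txt: str) -> list:
    """Return findings for a DMARC record; an empty list means enforcing."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "")
    if policy not in ENFORCING:
        findings.append(f"policy p={policy or 'missing'} is not enforcing")
    pct = int(tags.get("pct", "100"))  # share of failing mail the policy applies to
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    sp = tags.get("sp")  # subdomain policy; inherits p when absent
    if sp is not None and sp not in ENFORCING:
        findings.append(f"subdomain policy sp={sp} is not enforcing")
    return findings

def assess_spf(txt: str) -> list:
    """Flag SPF records whose 'all' qualifier lets spoofed mail through."""
    if not txt.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    match = re.search(r"(?:^|\s)([+~?-]?)all(?:\s|$)", txt.lower())
    if match is None:
        return ["no 'all' mechanism: unlisted senders get no verdict"]
    qualifier = match.group(1) or "+"  # a bare 'all' means '+all'
    weak = {"+": "'+all' authorises every sender on the internet",
            "?": "'?all' is neutral and gives receivers no signal",
            "~": "'~all' is softfail; many receivers only flag, not reject"}
    return [weak[qualifier]] if qualifier in weak else []  # '-all' is hard fail

# Constructed sample records (not real DNS data)
WEAK_DMARC = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com.au"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com.au"
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
```

Run `assess_dmarc` and `assess_spf` over the records you actually publish; a `p=none` policy or a `pct` below 100 is monitoring, not enforcement, even though the DMARC record exists.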
Advanced Email Filtering
Microsoft Defender for Office 365 (Plan 1 or 2, included in M365 Business Premium) provides significantly better phishing protection than the baseline Exchange Online Protection:
- Safe Links: rewrites URLs and checks them at click time (not just delivery time)
- Safe Attachments: detonates attachments in a sandbox before delivery
- Anti-impersonation protection: detects attempts to impersonate your senior staff or trusted domains
Conditional Access and MFA
MFA remains essential even though AiTM attacks can bypass it, because it stops the vast majority of credential stuffing and password spray attacks. For highest-risk accounts (finance, admin, executives), consider phishing-resistant MFA: FIDO2 hardware keys or Windows Hello for Business with certificate authentication.
Human Controls
Security Awareness Training
Regular, engaging security awareness training — not a once-yearly compliance checkbox — measurably reduces click rates on simulated phishing. Platforms that run ongoing simulated phishing campaigns with immediate learning interventions are far more effective than annual training sessions.
Staff should be trained specifically on:
- Verifying payment and banking change requests through a separate channel
- Recognising impersonation attempts (checking the actual sender address, not the display name)
- QR code scepticism in unsolicited emails
- The verification call process for any unusual financial instruction
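The check staff are trained on above (look at the actual sender address, not the display name) is the same check the anti-impersonation filtering described under Advanced Email Filtering automates. As an added example, not the article's own code and not Microsoft's detection logic, the following applies it to parsed From: headers together with a lookalike-domain comparison; the organisation domain, executive names and sample headers are all constructed.

```python
"""Sender-impersonation check over From: headers (added example; not from the
article and not Microsoft's anti-impersonation logic). It applies the check staff
are trained on, trusting the actual address rather than the display name, and adds
a lookalike-domain comparison. Domains, names and headers are constructed."""
from difflib import SequenceMatcher
from email.utils import parseaddr

OWN_DOMAIN = "example.com.au"                      # constructed organisation domain
TRUSTED_DOMAINS = {OWN_DOMAIN, "supplier-example.com"}
VIP_NAMES = {"jane smith", "tom nguyen"}           # constructed executive names

def lookalike(domain: str, trusted: str, threshold: float = 0.85) -> bool:
    """True when domain is close to, but not identical to, a trusted domain."""
    if domain == trusted:
        return False
    return SequenceMatcher(None, domain, trusted).ratio() >= threshold

def check_from(header: str) -> list:
    """Return findings for one From: header value; empty means nothing suspicious."""
    name, addr = parseaddr(header)
    name, addr = name.strip().lower(), addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    # 1. Executive's name in the display name, but the real address is external
    if name in VIP_NAMES and domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{name}' matches an executive but address is {addr}")
    # 2. Display name is itself an email address that differs from the real one
    if "@" in name and name != addr:
        findings.append(f"display name shows '{name}' but mail is really from {addr}")
    # 3. Sending domain is a near-match for one we trust (e.g. examp1e vs example)
    for trusted in sorted(TRUSTED_DOMAINS):
        if lookalike(domain, trusted):
            findings.append(f"domain {domain} looks like trusted domain {trusted}")
    return findings

# Constructed sample headers: one legitimate, three impersonation attempts
SAMPLE_HEADERS = [
    "Jane Smith <jane.smith@example.com.au>",
    "Jane Smith <jane.smith.ceo@gmail.com>",
    "Accounts Payable <accounts@examp1e.com.au>",
    '"tom.nguyen@example.com.au" <finance-update@outlook.com>',
]

def scan_headers(headers=SAMPLE_HEADERS) -> dict:
    """Map each header to its findings, keeping only suspicious ones."""
    return {h: check_from(h) for h in headers if check_from(h)}
```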
Verification Procedures for Financial Transactions
No amount of technical filtering replaces a procedural control on high-risk actions. Any payment over a defined threshold, any change to supplier banking details, and any unusual financial instruction should require:
- A callback to the requestor using independently verified contact details
- Dual authorisation (two people must approve)
- No exceptions for urgency, seniority, or emotional pressure
CX IT Services implements phishing defence programmes — including email security configuration, DMARC enforcement, and staff awareness training — for Melbourne businesses. Contact us to assess your current phishing exposure.