IT Brief Australia - Technology news for CIOs & IT decision-makers
PhishByte warns spear phishing drives payment fraud losses

Mon, 8th Jun 2026

PhishByte has warned Australian businesses that spear phishing is driving losses from payment redirection fraud, citing ACCC data showing losses reached AUD $166.8 million.

The Australian security awareness and phishing simulation provider said targeted email scams are overtaking broader phishing campaigns because attackers now research individual businesses before making contact. Criminals use information from LinkedIn, company websites and social media to identify staff who handle invoices, payroll and other payments.

That allows fraudsters to send messages that appear connected to genuine suppliers, clients or internal business processes. The tactic has become more convincing as generative artificial intelligence tools make it easier to produce polished emails at scale and tailor them to specific organisations.

Figures from the National Anti-Scam Centre show total scam losses in Australia reached AUD $2.18 billion in 2025, while payment redirection fraud rose 9.3 per cent year on year. Arthur J. Gallagher's Cyber Insights Report 2026 put the average cost of a cybercrime incident for Australian medium-sized businesses at AUD $97,200.

Legal warning

PhishByte also highlighted a Western Australian District Court ruling that underscored the financial risk for companies that act on altered bank details without independently checking them. In Mobius Group v Inoteq, attackers intercepted email communications between two companies and changed the BSB and account number on a legitimate invoice.

The paying party transferred AUD $191,859 to a criminal-controlled account and was then ordered to pay the original contractor again. The ruling found the loss fell on the paying party because it had not independently verified the changed banking details.

The judgment adds legal weight to a control many cyber specialists have long urged finance teams to adopt: verifying any bank account change by telephone using a trusted number already on file. It also shows how a compromise can occur within what appears to be a normal business exchange rather than through an obviously malicious message.

Common pretexts

PhishByte identified five common scenarios used in spear phishing attempts against Australian organisations: supplier invoice redirection, chief executive impersonation, payroll diversion, fake IT helpdesk notices and the interception of legal and conveyancing communications shortly before settlement.

Each relies on exploiting routine business behaviour. A staff member may feel pressure to process an urgent request from a chief executive, update bank details before a payment run, or respond quickly to a message that appears linked to a property settlement or a software security alert.

These attacks work not because employees are reckless, but because the messages are designed to exploit authority, urgency, familiarity and time pressure. In many cases, the email aligns so closely with expected business activity that traditional warning signs are absent.

PhishByte framed the issue as a gap between technical defences and human decision-making in finance and operations processes.

"Spear phishing does not succeed because employees are careless. It succeeds because attackers deliberately exploit the cognitive biases every human brain has - biases that evolved to help us operate efficiently in a world of trusted relationships and time constraints. No technical control stops an employee who has been socially engineered into processing a payment that looks completely legitimate. The only effective control is an employee who has been trained to question process deviations regardless of who appears to be asking," PhishByte said.

Process controls

Beyond callback verification, PhishByte urged businesses to introduce dual authorisation for payments above a defined threshold and to enforce SPF, DKIM and DMARC settings across company domains. It also said staff training should focus on identifying unusual process changes rather than simply spotting spelling mistakes or other visual clues in suspicious emails.

That reflects a broader shift in cyber defence thinking as AI tools reduce the obvious errors that once made phishing messages easier to spot. For finance, payroll and procurement teams, the practical response increasingly centres on process discipline: checks that happen outside email, clear approval limits and verification steps that cannot be bypassed by urgency alone.
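The controls listed above (callback verification against a number already on file, dual authorisation above a payment threshold, and SPF/DKIM/DMARC that is actually set to enforce rather than merely published) are simple enough to express as code. The block below is an added illustration written for this page, not code from PhishByte or from either party in Mobius Group v Inoteq. The DNS records, supplier, phone numbers, bank details and the AUD 10,000 dual-authorisation threshold are constructed sample values; a real finance team would set its own threshold and pull the supplier record from its ERP.

```python
"""Worked example of the payment-fraud controls discussed in the article.

Added example, not vendor code. Two parts:
  1. A minimal check of SPF and DMARC TXT records that flags the common
     "published but not enforcing" gap (DMARC p=none, SPF ending in +all).
  2. A payment approval step that refuses to pay to bank details changed by
     email unless they were confirmed by callback to the phone number already
     on file, and that requires two distinct approvers above a threshold.
All records and payment data below are constructed sample values.
"""
from dataclasses import dataclass, field

# --- 1. Email authentication policy checks --------------------------------

def parse_tag_record(txt: str) -> dict:
    """Parse a 'tag=value; tag=value' record such as DMARC into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_enforces(txt: str) -> bool:
    """True only if this is a DMARC1 record whose policy is quarantine or reject.
    p=none (or a missing p tag) only reports on spoofing, it does not stop it."""
    tags = parse_tag_record(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    return tags.get("p", "none").lower() in ("quarantine", "reject")

def spf_fails_unknown_senders(txt: str) -> bool:
    """True if the SPF record ends in -all (hard fail) or ~all (soft fail).
    +all or ?all lets any host send as the domain, so they count as not enforcing."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False
    return terms[-1].lower() in ("-all", "~all")

# --- 2. Bank-detail change verification and dual authorisation ------------

@dataclass(frozen=True)
class BankDetails:
    bsb: str
    account: str

@dataclass
class Supplier:
    name: str
    phone_on_file: str          # number captured at onboarding, never from an email
    bank: BankDetails
    verified_changes: list = field(default_factory=list)

def record_callback_verification(supplier: Supplier, new_bank: BankDetails,
                                 number_dialled: str) -> bool:
    """Accept a changed BSB/account only if the callback went to the number on file.
    Dialling a number supplied in the change request itself proves nothing."""
    if number_dialled != supplier.phone_on_file:
        return False
    supplier.verified_changes.append(new_bank)
    return True

def approve_payment(supplier: Supplier, pay_to: BankDetails, amount: float,
                    approvers: list, dual_auth_threshold: float = 10_000) -> tuple:
    """Return (approved, reason). Both controls must pass for a payment to go out."""
    if pay_to != supplier.bank and pay_to not in supplier.verified_changes:
        return False, "bank details differ from file and were not verified by callback"
    if amount > dual_auth_threshold and len(set(approvers)) < 2:
        return False, "dual authorisation required above threshold"
    return True, "approved"

if __name__ == "__main__":
    # Constructed scenario: an emailed invoice carries new bank details.
    supplier = Supplier("Example Contractor Pty Ltd", "+61 8 0000 0000",
                        BankDetails("000-000", "00000001"))
    new_bank = BankDetails("000-000", "99999999")
    print(approve_payment(supplier, new_bank, 191_859, ["ap.clerk"]))
    # Callback to a number from the email does not verify the change.
    print(record_callback_verification(supplier, new_bank, "+61 4 0000 0000"))
    # Callback to the number on file does, and two approvers release the payment.
    print(record_callback_verification(supplier, new_bank, "+61 8 0000 0000"))
    print(approve_payment(supplier, new_bank, 191_859, ["ap.clerk", "finance.manager"]))
```

The two record checks are deliberately strict: a DMARC record with `p=none` and an SPF record ending in `+all` are both treated as not enforcing, which is the state many domains sit in after an initial rollout. The payment step keeps the verification evidence (who was called, on which number) separate from the request that asked for the change, so an attacker who controls the email thread cannot also supply the verification.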

The warning comes as businesses face growing pressure to protect routine financial workflows from fraud that begins with a single tailored message. In Mobius Group v Inoteq, the cost of failing to verify an altered invoice was AUD $191,859, plus a second payment to the legitimate contractor.