Date: 2025-01-23

The number of phishing emails received by Australians surged by 30% last year, new research by security firm Abnormal Security has found. Cybercriminals have increasingly targeted the Asia-Pacific region, partly because it is becoming a larger player in critical industries like data centres and telecoms.

For APAC as a whole, credential phishing attacks rose by 30.5% between 2023 and 2024, according to the research. New Zealand saw a 30% rise, while for Japan and Singapore, it was 37%. Out of all the types of advanced email attacks, including business email compromise and malware deployment, phishing saw the biggest increase.

“The surge in attack volume across the APAC region can likely be attributed to several factors, including the strategic significance of its countries as epicentres for trade, finance, and defence,” said Tim Bentley, Vice President of APJ at Abnormal Security, in a press release.

“This makes organisations in the region attractive targets for complex email campaigns designed to exploit economic dynamics, disrupt essential industries, and steal sensitive data.”

Between 2023 and 2024, the median monthly rate of all advanced email attacks rose by 26.9% across all of APAC, including Australia, New Zealand, Japan, and Singapore. This encompassed a 16% increase from Q1 to Q2 2024, and a 20% increase from Q2 to Q3.

While phishing was the dominant attack type, BEC attacks — including executive impersonation and payment fraud — also grew by 6% year-over-year in APAC. According to Abnormal Security, the average cost associated with one successful BEC attack exceeded USD $137,000 in 2023.

Australia’s cyber immaturity and the AI boom are causing a perfect storm

The news that Australia is prone to cyber attack is not entirely new. A Rubrik survey from last year found that Australian organisations reported the highest rate of data breaches compared with global markets in 2023.

Antoine Le Tard, vice president of Asia-Pacific and Japan at Rubrik, said at the time that Australia was a favourite target partly because the country “is a mature market and early adopter of cloud and enterprise security technologies,” and therefore may have prioritised rapid deployment over comprehensive security.

At a national level, the approach to cyber security has been a bit slow off the mark. The Australian Signals Directorate reported that only 15% of government agencies achieved the minimum level of cyber security in 2024 — a sharp decline from 25% in 2023. Such entities have also proven reluctant to adopt passkey authentication methods, a reluctance stemming from the level of cyber security maturity in the public sector and the perception that implementing it is complex.

There is also the AI factor, which is influencing the security landscape globally. The ease of access to chatbots, both regular and jailbroken for nefarious purposes, makes it faster to generate material for phishing emails and lowers the barrier to entry, as no technical knowledge is required to use them. AI-powered chatbots were named one of 2025’s top AI threats for Australian cyber professionals, for that reason.

The number of BEC attacks detected by security firm Vipre in the second quarter of 2024 was 20% higher than the same period in 2023 — and two-fifths of them were generated by AI. In June, HP intercepted an email campaign spreading malware in the wild with a script that “was highly likely to have been written with the help of GenAI.”

Furthermore, adversaries have begun using AI chatbots to build trust with victims and ultimately scam them. The technique mimics how an enterprise may use AI to combine human-driven interaction with the AI chatbot to engage and “convert” a person.