Explore all our services
Design services
Discovery & research
Journey mapping
Prototyping
Accessibility
UX & UI design
Development services
Front-end development
Back-end development
Website development
Mobile development
Delivery services
Project management
Testing & auditing
Support & maintenance
See our live solutions
Solutions
Service finder software
Booking software
Learning management software
Web portal software
Member service portals
Packages
Digital assurance
Idea to prototype
Idea to version one
Technologies
AWS
Node JS
Payload CMS
Python and Django
React JS
+ many more
Read our case studies
Industries
Healthcare
Education
Government
Finance
Arts & recreation
Media & technology
Professional services
Recent client projects
Hunter Health
Macquarie University
Service NSW
Westpac
Museums of History NSW
Val Morgan
Ark
Business sizes
Startups
SMEs
Enterprise
Learn more about us
Explore our careers
Meet the team
How we work
Practical guide to AI agents
Latest blog posts
The phishing reality facing Australia
The AWS mess: the why, and the fun people poked at it
Twitter’s three takes on AI: Bubble, Melt-Up, or the Next Industrial Revolution?
WCAG 3.0 - What the new Working Draft means for accessibility
When Data Stops, So Does Production: Lessons from the Jaguar Land Rover Cyber Attack
Commentary
5
min read

The phishing reality facing Australia

Rich Atkinson
November 11, 2025
Illustration of three email envelopes resembling the Gmail logo, each pierced by a fishhook, symbolising phishing attacks.

When it comes to software and app security, you’re only as strong as your weakest link and today more than ever, phishing is that link.

If your users (and administrators) can access critical and sensitive data, then it can also be reached by being phished.

There are best practice protocols to defend companies though if they’re not in place - or ignored - the risk exposure is real.

Research by Microsoft instructs that AI-written and delivered phishing emails are clicked 4.5x more than human-written phishing emails.

And by our analysis, when you multiply that by the number of Australians that would have been phished under ‘normal’ circumstances, almost 1.2m Australians are in the firing line.

It’s not good.

Key findings

  • Effectiveness uplift: AI-written phishing emails test at ~4.5x the click-through of standard attempts (Microsoft).
  • Scale of exposure: Around 1.18 million Australians could be affected over the next 12 months, about +930k vs recent annual baselines.
  • Company incidents: Large-org phishing breaches reported last year were 147. A 4.5x uplift projects to ~540 in 2025, affecting ~715,500 people via company incidents.
  • Direct-to-individual scams: Recent average of ~103,228 people per year scammed via phishing rises to ~464,528 with a 4.5x uplift.
  • Economics: Up to 50x higher profitability for phishing with AI, which increases attacker adoption.

What is driving the change

  • Language quality at scale, messages read like a colleague.
  • Context injection, public data and recent activity make lures feel specific.
  • Rapid micro-testing, thousands of variants, the winners scale.

Scenario model, at a glance

  • Company breaches stream: Baseline 147. Apply 4.5x effectiveness to approximate ~540 in 2025. Multiply by conservative average exposure per breach to reach ~715,500 people affected.
  • Individual scams stream: Baseline ~103,228. Apply 4.5x to reach ~464,528.
  • Combined order of magnitude: ~1.18m people. This is a scenario, not a point forecast.

Sensitivities and caveats

  • Effectiveness varies by sector, inbox controls, and attacker quality. 4.5x is a widely cited figure, real-world ranges will differ.
  • Reporting lag means recent breach counts may revise upward.
  • Defender improvements could blunt uplift. Even a partial uplift still produces a marked increase.

Why it matters now

  • Phishing already leads reported company breaches in Australia.
  • AI tilts the threat from volume to quality, so legacy awareness and static filters decay quickly.
  • The practical risk is the chain after the first click, not the email itself.

Bottom line: Treat ~1.18m as planning-grade scale, not prediction. The signal is clear... phishing is getting better at sounding like us.

Update

Really pleased to see The Daily Mail use our research as part of a phishing story. The more that people know the risk, the better.

Share this post
Rich Atkinson
Rich Atkinson
Executive Director, Technology

Related posts

A glowing purple AWS logo illuminated on stage, representing Amazon Web Services.
Commentary
7
min read

The AWS mess: the why, and the fun people poked at it

A major AWS outage brought much of the internet to a halt and sparked a wave of humour, insight, and reflection across the tech world.
Rich Atkinson
October 22, 2025
A large pile of glossy blue 3D tiles featuring the classic white Twitter bird logo, symbolising the crowded and fast-moving nature of online discussions and debates on the platform.
Commentary
11
min read

Twitter’s three takes on AI: Bubble, Melt-Up, or the Next Industrial Revolution?

Weighing both sides of the AI bubble debate, concluding that while speculation may burst, AI itself is here to stay.
Rich Atkinson
October 16, 2025
A designer reviews website accessibility sketches and notes, alongside wireframes and accessibility reminders on a desk next to a laptop.
Design
5
min read

WCAG 3.0 - What the new Working Draft means for accessibility

W3C’s updated Working Draft of WCAG 3.0, highlights a shift toward a more flexible, user-centred approach to accessibility through weighted scoring, inclusive testing, and clearer guidance for designers, developers, and content creators.
Riley Langbein
October 12, 2025
View all
The Airteam logo.

Australia's trusted software development partner

Suite 209/56 Bowman St, Pyrmont, NSW 2009
hello@airteam.com.au
We acknowledge the Traditional Owners of Country throughout Australia and recognise their continuing connection to land, waters and culture. We pay our respects to their elders past, present and emerging.
ServicesCase StudiesDMS
TeamCareersArticlesContact
AWS Select Consulting Partner badge.Luma Institute certificationISO 27001 certification for software development companyISO 9001 certification for software development companyGoogle 4.9 Stars BadgeGood Design Award Badge
© Airteam 2025
ABN: 52 613 107 618
Privacy Statement