SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
AI & phishing attacks highlight human risk in Australian fraud

Tue, 11th Nov 2025

Cybersecurity leaders are warning that Australasian organisations face heightened risks from sophisticated fraud schemes as International Fraud Awareness Week approaches. Against a backdrop of recent ransomware attacks and the growing prevalence of AI-generated scams, experts emphasise that people remain the most vulnerable link in security defences.

Human factor

Cybercriminals continue to rely on phishing attacks, exploiting trust and human error to initiate breaches. Despite ongoing investment in advanced detection technologies, there is widespread agreement that improving behavioural awareness within organisations is crucial.

"Fraud awareness isn't just about detecting malicious links - it's about rewiring behaviour. Phishing attacks remain the leading cause of fraud because they exploit human instinct, and no technology can fully compensate for a moment of misplaced trust. Real resilience comes from combining strong identity controls with a culture that encourages people to pause, question and verify before they click. To truly reduce their risk surface, organisations must invest as much in culture and awareness as they do in identity security," said Thomas Fikentscher, Area Vice President ANZ, CyberArk.

This focus on people is echoed by other cybersecurity experts who point to targeted phishing emails as a key entry point for ransomware campaigns disrupting industries from construction to financial services.

AI-driven threats

The role of artificial intelligence is becoming more prominent in both the development of attacks and potential defence strategies. However, rapid AI advancement is also making it easier for criminals to create convincing and personalised phishing lures.

"The recent wave of Qilin ransomware attacks - impacting Australian organisations from construction and manufacturing to financial services - highlights that the most at-risk part of any cybersecurity strategy isn't technology, it's people. Many of these breaches start with a single, targeted phishing email that manipulates trust. One wrong click or misplaced credential can open the door for attackers to move laterally across networks, exfiltrating data and deploying ransomware with devastating speed," said Sam Salehi, Managing Director at Qualys.

Salehi highlighted the growing sophistication of AI-powered attacks, describing how threat actors automate reconnaissance and deploy harder-to-detect campaigns. "As AI reshapes the threat landscape, these human vulnerabilities become even more exploitable. Threat actors are using AI to automate reconnaissance and craft highly personalised phishing campaigns that are faster, more convincing and far harder to detect," said Salehi.

He went further to advocate for a risk-based security approach, aligning protection with business priorities and focusing on critical assets. "To counter this, organisations must adopt a risk-based approach that aligns security investments to business context - prioritising protection of the assets most critical to operations and continuity, while investing equally in human-centric education and training to recognise AI-generated phishing and deepfake content," said Salehi.

Culture and accountability

Building a strong security culture is viewed as key to addressing the human element in fraud risk. Leaders argue that true organisational resilience stems from employees recognising the potential operational impact of their digital actions.

"As organisations strengthen their defences, it's crucial they don't overlook the human element. Cybersecurity hygiene starts with identity security - ensuring every user, machine and system has the right access privileges, and that people understand the value of that access. Cybersecurity is as much a cultural issue as it is a technical one. When employees recognise that a single click can compromise an entire organisation, behaviour starts to shift from compliance to accountability - and that's when real resilience begins," said Fikentscher.

Salehi agreed, adding: "While AI will increasingly automate tasks such as vulnerability scanning and incident response, true resilience is only as strong as your first line of defence - your people. Building a culture of awareness, verification and accountability ensures every user understands their role in managing risk."

Emerging supply chain risks

Fraud schemes are also evolving beyond traditional IT boundaries, impacting operational processes and supply chains. Complex webs of partners and suppliers increase the risk of unnoticed manipulation and data leaks, particularly as generative AI technology is embedded across business operations.

"Fraud is creeping into parts of business operations that often go unnoticed. Phantom suppliers, inflated invoices, and cyber-enabled manipulation can disrupt workflows before anyone realises. Generative AI brings efficiency but also new risks, from faulty outputs to data leaks. Complex supply chains with multiple partners make spotting problems even harder. Traditional audits catch only part of the picture. Organisations need teams who test scenarios, keep a close eye on operations, and set clear expectations with partners. Companies that take these steps protect their operations, maintain trust, and build resilience in a world where digital threats are evolving fast," said Alan Win, Founder and CEO, Middlebank Consulting Group.
