Phishing emails in Australia rise by 30%

The number of phishing emails received by Australians increased by 30% last year, new research from security firm Abnormal Security has found. Cybercriminals have increasingly targeted the Asia-Pacific region, in part because it is becoming a bigger player in critical industries such as data centers and telecommunications.

For APAC as a whole, credential phishing attacks increased by 30.5% between 2023 and 2024, according to the research. New Zealand saw a 30% increase, while for Japan and Singapore it was 37%. Of all types of advanced email attacks, including business email compromise (BEC) and malware deployment, phishing saw the biggest increase.

“The increase in attack volume across the APAC region is likely attributable to several factors, including the strategic importance of its countries as epicenters of trade, finance and defense,” said Tim Bentley, vice president of APJ at Abnormal Security, in a press release.

“This makes organizations in the region attractive targets for complex email campaigns designed to exploit economic dynamics, disrupt key industries and steal sensitive data.”

Between 2023 and 2024, the average monthly rate of all advanced email attacks increased by 26.9% across APAC, including Australia, New Zealand, Japan and Singapore. This included a 16% increase from Q1 to Q2 2024 and a 20% increase from Q2 to Q3.

While phishing was the dominant attack type, BEC attacks – including leader impersonation and payment fraud – also grew by 6% year-on-year in APAC. According to Abnormal Security, the average cost associated with a successful BEC attack exceeded USD $137,000 in 2023.

Australia’s cyber immaturity and the AI boom are causing a perfect storm

The news that Australia is prone to cyber attacks is not entirely new. A Rubrik study from last year found that Australian organizations reported the highest frequency of data breaches compared to global markets in 2023.

Antoine Le Tard, vice president of Asia-Pacific and Japan at Rubrik, said at the time that Australia was a favored target, in part because the country “is a mature market and an early adopter of cloud and enterprise security technologies,” and therefore may have prioritized rapid implementation rather than comprehensive security.

At the national level, the approach to cyber security has been a bit slow. The Australian Signals Directorate reported that only 15% of government agencies reached the minimum level of cyber security in 2024 – a sharp drop from 25% in 2023. Such entities have also shown reluctance to adopt access key authentication methods, stemming from cyber security maturity in the public sector and the perception that implementing it is complex.

There is also the AI factor, which is affecting the security landscape globally. The ease of access to chatbots, both regular and jailbroken for malicious purposes, speeds up the generation of material for phishing emails and lowers the barrier to entry as no technical knowledge is required to use them. AI-powered chatbots were therefore named as one of 2025’s biggest AI threats to Australian cyber professionals.

The number of BEC attacks detected by security firm Vipre in the second quarter of 2024 was 20% higher than in the same period in 2023 – and two-fifths of them were generated by AI. In June, HP intercepted an email campaign spreading malware in the wild with a script that was “highly likely to be written with the help of GenAI.”

Furthermore, adversaries have started using AI chatbots to build trust with victims and ultimately cheat them. The technique mimics how a business can combine human-powered interaction with an AI chatbot to engage and “convert” a person.
