Scams SMEs must watch for in 2026


If 2023 to 2025 was the warm-up act for cyber crime, 2026 is the stadium tour. Global cyber crime costs are projected to reach around US$10.5 trillion a year by 2025, with scams and fraud a major part of the damage. In Australia, cyber incidents are now measured in minutes, not months, and the average loss for a small business sits in the tens of thousands.


You might think you are too small to bother with. You are not. Across government and industry reports, a large share of reported cyber incidents now hit small and medium businesses, not just big corporations. From a scammer’s point of view, you are the sweet spot: you hold money, customer data and access into bigger organisations, but you do not have the layers of defence or a full-time security team they do.

At the same time, everyone is being told generative AI will transform productivity. Let’s hope so, because right now it is definitely transforming fraud. Gen AI has handed cyber criminals three significant upgrades: massive scale that allows thousands of scams to be launched in seconds, polish and poise with no more sloppy spelling or amateurish logos, and most worrying of all, impersonation through deepfaked voices and faces that feel uncomfortably real.

With AI supercharging scams, SMEs and startups that lack the budget for a chief security officer need a clear view of what to watch for in 2026.

Here is what small businesses and startups need to know, and what you can do about it without a dedicated security team working around the clock.


Deepfake bosses and suppliers


In 2024, an employee at global engineering firm Arup joined a video call with what looked like senior colleagues and approved transfers of around US$25 million. Every face and voice on the call was an AI deepfake built from real footage and information.

Closer to home, Noosa Council paid more than $2 million to a fraudulent account after scammers impersonated a contractor and convinced staff to update bank details.

We tend to file these under “big organisation problems”; however, the same playbook works beautifully on a 15-person agency or consultancy.

The typical pattern involves a believable email from the founder or finance lead, followed by a call or video chat to “reassure” you, culminating in a request to change bank details or rush a payment.

If your only control between “unusual payment” and “money gone” is a quick chat on Teams or a text in the staff WhatsApp group, you do not have control.

Dodgy sign for 2026: Any request to change bank details or bypass the usual process, even if you have just seen a very familiar face on a screen.

Ransomware as a service industry

My dentist paid $48,000 to get their systems unlocked after a ransomware attack. Once they paid, the criminals helpfully sent a list of security tips so they would not be “an easy target next time”. That is where we are now. Fraud behaves like a service industry with customer care.


For clinics, accountants, law firms, trades and creative shops, the pattern is brutal. One person clicks, then booking, billing, or file systems are encrypted; you cannot trade properly for days, and you are left explaining yourself to clients against a backdrop of breach headlines.

Increasingly, attackers quietly steal data before they lock you out. So even if your backups are solid, they can still threaten to leak identification documents, medical notes or contracts.

Before you ever see a ransom note, you want offline backups, clarity on who you would call, and at least a basic understanding of your legal and insurance obligations. Paying the ransom is rarely recommended and certainly does not guarantee your data is safe.

Dodgy sign for 2026: Any pressure to install remote access tools, open attachments from “support” or ignore security pop-ups “just this once so we can help”.

Emails and texts that look “too right”

We were once told to look out for bad spelling and wobbly logos. That advice is no longer enough. Off-the-shelf scam kits now use GenAI to write emails, texts and websites that are perfectly spelt, correctly branded and tailored to your industry and role. Criminals scrape LinkedIn, your website, and old breach data so they sound exactly like your bank, software vendor or biggest client.

The patterns are boringly predictable. Fake invoices and supplier fraud. “We have changed bank accounts, here are the new details.” Real breaches followed by fake “check if you were affected” links. The breach is real, the fix is fake.

Dodgy sign for 2026: Any message that wants you to click a link and fix something immediately, especially if it mentions payments, identification, tax, age checks or logins. That sense of urgency is almost always the giveaway.

Cheap profiling of your people


The same data brokers used for sales and recruitment are a gift for scammers.

There are services that claim to profile staff personalities from their online behaviour, flag where an individual’s details have appeared in past breaches, and predict who is more likely to comply under pressure. Some of this sits in a murky “insider risk scoring” space, and some is outright malicious scraping. Either way, it creates another way to target the people most likely to say yes.

The takeaway is not paranoia. It is to assume that some of your team’s personal data is already out there, that some of your processes are easy to guess or search for online, and that you cannot rely on spotting only “obvious” amateur scams.

Why the same scams keep working

Nine out of 10 breaches involve a human factor, and it is usually the same handful of tricks: fake invoices, “we’ve changed bank details”, urgent payment approvals and “verify your account” links that catch people when they are busy and trying to be helpful.

The problem is not stupid staff. It is that most small businesses either do nothing or still rely on one long, boring e-learning module a year, which research shows can actually increase phishing clicks because people remember the pain, not the pattern.

When someone does get caught, they are often blamed or laughed at, so the next time they nearly fall for something, they stay quiet and nobody else learns from it.

Layer GenAI on top, with deepfaked bosses, perfect spelling and cloned logos, and the same old scams become harder to spot and easier to scale. Until you design your processes and training for rushed, emotional humans, the money will keep walking out the door for exactly the same reasons.

What can SMEs actually do?

Do the simple technical hygiene

After the recent jewel heist at the Louvre, an old cybersecurity audit surfaced with a spectacular detail: a server running the museum’s video surveillance reportedly used the password “Louvre”. That is the digital equivalent of writing your alarm code on a Post-it and sticking it to the front door.

Don’t be the Louvre.

A few basics make a big difference:

Use strong, unique passwords
Use a password manager. Do not reuse the same password for email, banking or key work accounts anywhere else.

Turn on multi-factor authentication (MFA)
Switch it on for email, banking and any system that touches money or customer data.

Let your devices update themselves
When your phone or computer asks to update, say yes and set updates to run automatically overnight.

Put a security guard on every device
Use built-in security or a well-known security app on all work computers and phones to watch for dodgy files and sites.

Keep a spare copy of anything that would hurt to lose
Back up important files, keep at least one copy separate from your main systems, and test that you can actually restore it.

That is it. Strong passwords, MFA, update, protect, backup.

Set hard rules around money and identity

Write them down. Live by them. No one changes supplier or payroll bank details based on an email or text, ever. You verify using a number or contact you already have on file. Any payment over an amount that would genuinely hurt needs two people to sign off. No passwords, one-time codes or remote access are given to anyone who has called you, no matter who they say they are.

If an attacker still beats those rules, you have an insider problem or a serious breakdown in how those rules are followed.

Make your own messages less “scammy”

If your emails look like scams, do not be surprised when customers ignore them or confuse them with real scams.

Get marketing, finance and anyone who sends official messages in a room and agree on three things. First, establish a short list of official sender addresses and domains. Second, create a simple, consistent structure for billing, password and policy emails. Third, default to “log in via our website or app” instead of “click this link”.

If your security advice says “slow down and double check”, your marketing cannot keep shouting “act now before it is too late”. That is handing scammers the script.

Change how you train people

You do not need glossy training modules. You do need repetition, realism and permission to speak up.

Use short, real examples in team meetings or chat by asking, “Here is an email that came in this week. What would you do?” Focus on behaviour, not trivia: who you would check with, how you would verify, and which rule applies. Treat near misses as a signal, not shame. If someone almost fell for something and tells you, capture the pattern and share it.

If your phishing exercise would look cruel on the front page of a newspaper, do not run it. GoDaddy is the classic example. They emailed staff during Covid offering a US$650 holiday bonus, only to reveal it was a phishing drill and sent everyone who clicked to more training. It did not build resilience, but it did destroy trust.

Use outside help that fits your size


Most SMEs and startups do not need a full-time security chief. They do need a grown-up in the room occasionally.

For SMEs and startups with around 25 staff, a managed service can give you monitoring, incident response and strategy without hiring a team. For smaller outfits, lighter-weight support is usually enough.

If you are not ready to spend money yet, start by nominating an internal cyber warden. Government-backed initiatives like the Cyber Wardens program offer free baseline training for small businesses and give that person a starting framework.

Before you plug everything into AI tools

AI will be everywhere in 2026, including in small business apps. That does not mean every tool deserves the keys to your kingdom.


Think carefully before giving any AI tool blanket access to your entire Google Drive or Microsoft 365 account, including tools like ChatGPT. The same principle that would stop you from handing a stranger the keys to every filing cabinet should apply to digital tools asking for access to every contract, client file and staff record you hold.

Where possible, use enterprise versions with proper contracts, settings and controls. Limit access to only the folders and documents needed for a specific task, and involve whoever looks after your security, legal or compliance before you switch on broad integrations.

The goal is not perfection. It is making sure that when, not if, you face a ransomware attack or a convincing payment scam, your first response is not to panic and pay.

Oh, and make a shortlist of who you are going to call when it all goes sideways. Your bank, your insurer, your IT person, maybe IDCARE. Not Ghostbusters. They do ectoplasm, not ransomware.

Need help or somewhere to start?

If you are reading this and thinking “we should probably do something”, these are sensible first steps in Australia.

Report and monitor scams
Scamwatch, ACCC, current scam alerts and reporting
https://www.scamwatch.gov.au/

Get official cyber alerts
Australian Cyber Security Centre, advisories and small business hub
https://www.cyber.gov.au/

Free small business training
Cyber Wardens program, basic cyber training for small businesses
https://cyberwardens.com.au/about/

If identity details have been compromised
IDCARE, a not-for-profit service helping people and organisations respond to data breaches and identity misuse
https://www.idcare.org/

About the Author: News Hound