
What Is Phishing? A Plain-English Guide for Aussie Business Owners


You've probably heard the word "phishing" thrown around a lot — on the news, in emails from your IT guy, maybe even in a letter from your bank. But what does it actually mean? And more importantly, why should you, a busy small business owner, care?

Let's break it down without the tech-speak.

So… what is phishing?

Phishing is when a scammer pretends to be someone you trust — your bank, the ATO, Australia Post, even your boss — to trick you into handing over something valuable. That could be your login details, your credit card number, or access to your business systems.

The name comes from "fishing" (spelt with a "ph", a 1990s hacker-slang habit borrowed from "phone phreaking"). Scammers cast a wide net, send thousands of messages, and wait for someone to take the bait. Unfortunately, a lot of people do.

How does it usually arrive?

Phishing most commonly arrives in your inbox as an email. But these days, scammers are also sliding into your SMS messages (called "smishing"), calling you on the phone (called "vishing"), and even dropping fake QR codes in public places (called "quishing" — yes, they just kept going with the fishing puns).

The message will usually look legitimate. It might have the right logo, the right font, and a sender that looks right at a glance: a display name like "Australia Post" sitting in front of an address at a lookalike domain, or a domain that differs from the real one by a letter or a hyphen. It'll create a sense of urgency ("Your account has been suspended!" or "Invoice overdue — action required!") and ask you to click a link or open an attachment. The text of a link and the place it actually goes are two different things; hovering over the link (or long-pressing it on a phone) shows the real destination.
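The tells just described (a sender at a lookalike domain, link text that says one address while the link goes somewhere else, and pressure wording) can be checked mechanically. The script below is an added example for this post, not code from Phishbate or any mail product; both messages in it are constructed samples, and the list of "trusted" domains and the urgency phrases are assumptions you would replace with your own.

```python
"""Added example: pulling the red flags out of a suspicious email.

Both messages below are constructed for this example. TRUSTED_DOMAINS and
URGENCY are assumed lists, not an authoritative source.
"""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: domains an email in this inbox might be impersonating.
TRUSTED_DOMAINS = ("auspost.com.au", "ato.gov.au")

# Assumed: pressure phrases of the kind the article quotes.
URGENCY = re.compile(
    r"\b(urgent|immediately|suspended|overdue|within 24 hours|action required)\b", re.I)

# Matches <a href="...">text</a> in an HTML body.
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed phishing sample: a fake "parcel on hold" notice.
PHISH = b"""From: "Australia Post" <notifications@auspost-parcel-update.com>
To: owner@example-bakery.com.au
Subject: URGENT: parcel on hold - action required within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your parcel could not be delivered. Confirm your details immediately
or it will be returned to sender.</p>
<p><a href="http://auspost-parcel-update.com/track">https://auspost.com.au/track</a></p>
</body></html>
"""

# Constructed legitimate sample for comparison.
LEGIT = b"""From: "Australia Post" <noreply@auspost.com.au>
To: owner@example-bakery.com.au
Subject: Your parcel is on its way
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your parcel will arrive on Thursday. You can follow its progress here:</p>
<p><a href="https://auspost.com.au/track">Track your parcel</a></p>
</body></html>
"""


def lookalike(host):
    """Return the trusted domain that `host` imitates, or None.

    The real domain and its subdomains are trusted. Anything else that uses
    the brand's first label as a whole label or hyphenated piece
    (auspost-parcel-update.com, auspost.co) is treated as a lookalike.
    """
    host = host.lower()
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return None
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if re.search(rf"(^|[.-]){re.escape(brand)}([.-]|$)", host):
            return trusted
    return None


def url_host(s):
    """Hostname if `s` reads as a URL (scheme optional), else None."""
    s = s.strip()
    if not re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", s, re.I):
        return None
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower() or None


def red_flags(raw):
    """Return human-readable warnings for one raw email (bytes)."""
    msg = message_from_bytes(raw, policy=policy.default)
    flags = []

    # 1. Sending address at a domain that only resembles the real one.
    _, sender = parseaddr(msg["From"])
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    target = lookalike(sender_domain)
    if target:
        flags.append(f"Sender domain '{sender_domain}' imitates '{target}'")

    # 2. Link text that names one site while the link goes to another,
    #    and link destinations at lookalike domains.
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for href, text in ANCHOR.findall(body):
        real = url_host(href)
        shown = url_host(re.sub(r"<[^>]+>", "", text))
        if shown and real and shown != real:
            flags.append(f"Link text shows '{shown}' but goes to '{real}'")
        target = lookalike(real) if real else None
        if target:
            flags.append(f"Link destination '{real}' imitates '{target}'")

    # 3. Pressure wording in the subject or body.
    words = []
    for w in URGENCY.findall(msg["Subject"] + "\n" + body):
        if w.lower() not in words:
            words.append(w.lower())
    if words:
        flags.append("Urgency wording: " + ", ".join(words))
    return flags


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, red_flags(raw) or ["no red flags found"])
```

On the constructed phishing sample this reports four warnings (lookalike sender domain, link text/destination mismatch, lookalike link destination, urgency wording) and nothing on the legitimate one. It is a teaching aid, not a filter: a phish sent from a genuinely compromised account, or from a domain that doesn't borrow the brand name at all, passes the first two checks, which is why the "go directly to the source" habit still matters.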

What happens if you take the bait?

If you click the link, you'll usually land on a fake login page that looks identical to the real website. The one thing the scammer can't copy exactly is the address in your browser's address bar, so that is worth a look before you type anything. Enter your details and you've just handed your credentials to a criminal, and some kits will pass along the one-time code you type in as well.

If you open the attachment, you might install malware or ransomware on your device without even knowing it. Ransomware can lock all your files and demand payment to get them back. For a small business, that can mean days of downtime, thousands of dollars in recovery costs, and very awkward conversations with your clients.

Why are Australian small businesses such a big target?

Here's the uncomfortable truth: 43% of all reported cybercrime in Australia targets small businesses. Why? Because criminals know that big corporations have dedicated IT security teams, but a 10-person tradie business or a boutique accountancy firm probably doesn't.

The average cost of a single cybercrime report for an Australian small business was around $46,000, according to the Australian Signals Directorate's 2022-23 Annual Cyber Threat Report. That's not a typo. Forty-six thousand dollars, for one incident.

But it'll never happen to me, right?

That's what everyone thinks right up until it does. Most phishing doesn't discriminate. It isn't aimed at a particular industry or income bracket; it's sent in bulk, automatically, to anyone with an email address. Your bakery, your law firm, your landscaping business: everyone's in the fishing pool. The exception is worth knowing about too: some scammers research a business first and write a message just for it, often aimed at whoever pays the invoices, and those are harder to spot precisely because they look like routine work.

The good news? Most phishing fails the moment the person reading it knows what to look for, and a bit of training goes a long way. Pair it with multi-factor authentication on your email and banking, so that a stolen password on its own isn't enough to get in.

The 3 things every Australian should know about phishing:

  1. Legitimate organisations will never ask for your password by email or phone. Your bank, the ATO, your super fund — none of them will ever ask you to hand over login details via a link. Never.
  2. Urgency is a red flag, not a reason to act fast. Scammers create panic because panicked people don't think clearly. If an email is screaming at you to act immediately, take a breath and slow down.
  3. When in doubt, go directly to the source. Don't click the link in the email, and don't ring the phone number printed in it either, since the scammer chose both. Open a new browser tab and type the organisation's address yourself, or call them using a number from their official website or the back of your card.

Want to see if you'd actually fall for it?

Knowing the theory is one thing. Knowing how you'd actually react in the moment is another. That's exactly what Phishbate was built for — it's a free, interactive game that puts you face-to-face with real-looking phishing emails, scam messages, and AI-generated fakes, and teaches you to spot the difference.

No sign-up required. No boring slideshows. Just you vs. the internet's shadiest content.

Give it a go at Phishbate →

Think you can spot a phish?

Put your knowledge to the test with the Phishbate interactive quiz. It only takes a few minutes.

Take the Quiz →