Bethany Alvaro 
As businesses begin 2026 operations, cyber security experts are sounding the alarm on the evolving threats facing Australian businesses and the steps needed to stay protected from cyber criminals.
Analysts at Heimdal Security have reported the real cyber threats facing the Australian market in the new year, with a cyber security writer at Heimdal, Danny Mitchell, saying that “scams are no longer simply tricking users into clicking a bad link”.
“Attackers now target the infrastructure, the identity layer, and the psychological weaknesses that traditional security tools weren’t designed to address,” Mitchell said.
The most prominent scam gaining the most traction is, unsurprisingly, AI.
Heimdal reports that cyber criminals are using common Large language models (LLMs) to replicate styles, tones, and inflections of people and organisations known to a potential victim, with voice replication being an eerily growing trend emerging in AI scams.
“We’re seeing cases where employees receive calls that sound identical to their CEO, requesting urgent wire transfers or access credentials,” said Mitchell.
“The technology required to do this is now accessible and cheap. It’s not a theoretical risk any longer, but actually happening regularly.”
An additional scam that was found to be on the rise against Aussie organisations is business email compromise (BEC) attacks that bypass multifactor authentication.
This finding by Heimdal is mirrored by other reports indicating a 15 per cent increase in these scams in the past year. In 2024, BEC scams made upwards of $2 billion in adjustments, with the changing nature of scams and the new strategies cyber criminals are employing driving these numbers.
“Attackers know that users get tired, especially if they’re bombarded with notifications during a meeting or late at night. One accidental approval is all it takes,” Mitchell said.
Malicious browser extensions, fake update scams, and DNS redirections are other ways cyber criminals are improving cyber crimes against businesses, masking scams as productivity add-ons and legitimate websites.
“Everything looks normal, so you enter your credentials, and now they have them,” Mitchell said.
To reduce scam exposure, Heimdal has proposed measures such as privilege access controls, user risk reduction training, and DNS-level threat prevention as strategies businesses can take to prevent the likelihood of falling victim to one of these scams.
“Security needs to work even when users are tired, distracted, or under pressure,” Mitchell said.
“The goal isn’t to blame people for falling for scams, but rather to build systems that make scams harder to execute.”