The Australian Signals Directorate’s latest threat report makes uncomfortable reading. AI-powered cyberattacks against Australian organisations are increasing in sophistication and frequency. This isn’t future speculation. It’s happening now.

Let me walk through what’s changed, what the real threats are, and what Australian businesses should be doing about it.

What’s Actually Changed

Cybercriminals have always evolved their tactics. What AI changes is the scale and sophistication of attacks, particularly in three areas.

Phishing. AI-generated phishing emails are dramatically better than the poorly written attempts of previous years. Large language models create personalised, contextually appropriate emails that are nearly indistinguishable from legitimate business communication. The days when you could spot a phishing email by its grammar are over.

ASD reports that AI-enhanced phishing campaigns targeting Australian organisations have increased by over 300% in the past year. The emails reference real projects, use appropriate industry terminology, and mimic the writing style of known contacts. Several Australian companies have reported successful phishing attacks where the email was so convincing that even security-aware employees clicked.

Voice and video deepfakes. AI-generated voice cloning is now good enough to impersonate specific individuals in real-time phone calls. Australian companies have reported incidents where callers impersonating senior executives convinced employees to authorise financial transfers. The voice quality was convincing enough to pass initial verification.

Video deepfakes for business purposes are less common but the technology is ready. Expect to see deepfake video calls used in business email compromise schemes within the next twelve months.

Automated vulnerability discovery. AI tools that scan systems for vulnerabilities and generate exploit code are becoming more capable. What previously required a skilled human attacker operating over days can now be accomplished by AI tools in hours. This doesn’t change the types of vulnerabilities that exist but dramatically increases the speed at which they can be identified and exploited.

What ASD Recommends

ASD’s guidance centres on several specific measures.

Multi-factor authentication everywhere. This has been ASD guidance for years, but it’s more critical now. AI-enhanced phishing can capture passwords effectively. MFA provides a second barrier that most automated attacks can’t bypass.

Zero-trust architecture. Assume your perimeter will be breached. Design systems so that compromising one component doesn’t give attackers access to everything. Segment networks. Enforce least-privilege access. Verify identity continuously rather than once at login.

Employee training that reflects AI threats. Traditional phishing training that focuses on spotting spelling errors and suspicious sender addresses is outdated. Training needs to address AI-generated threats that look legitimate. Focus on behavioural verification: if an email asks you to do something unusual, verify through a separate channel regardless of how legitimate it looks.

Incident response planning. Have a documented, tested plan for responding to a cybersecurity incident. AI-powered attacks can move faster than traditional attacks, so your response needs to be rapid. Knowing what to do before an incident occurs is significantly better than improvising during one.

The Defence AI Gap

Here’s the uncomfortable truth. Australian businesses are overwhelmingly using AI on the offence (marketing, analytics, operations) but underinvesting in AI for defence.

AI-powered security tools exist and are effective. They can analyse network traffic patterns in real-time, identifying anomalies that suggest intrusion. They can detect AI-generated phishing attempts. They can monitor for deepfake activity. They can automate incident response for common attack patterns.

But many Australian businesses, particularly in the mid-market, haven’t deployed these tools. They’re relying on traditional security measures that were designed for traditional threats. That’s like bringing a shield to a gunfight.

The investment doesn’t need to be enormous. Cloud-based AI security tools are available at subscription price points accessible to mid-market businesses. The key is recognising that your security posture needs to evolve at the same pace as attack sophistication.

For many Australian organisations, engaging these AI specialists or specialist cybersecurity advisors who understand both AI threats and AI defences is the fastest path to closing this gap. The intersection of AI expertise and security expertise is narrow, and external specialists often bring capabilities that would take months to build internally.

Sector-Specific Concerns

Financial services. AI-enhanced fraud is accelerating. Banks report that AI-generated synthetic identities are harder to detect than traditional fraudulent identities. Voice deepfakes targeting banking authentication systems are a growing concern.

Healthcare. Ransomware remains the primary threat, but AI is making targeting more precise. Attackers use AI to identify which healthcare organisations have the weakest defences and the highest willingness to pay, then concentrate efforts there.

Government. State-sponsored actors are using AI to scale espionage operations. Australian government agencies handling sensitive data are high-value targets, and AI enables more sophisticated social engineering against government employees.

Small business. AI democratises cyberattacking. Attacks that previously required skilled operators can now be automated. This means small businesses that were previously too small to be individually targeted are now attacked by AI systems that scan and exploit at scale.

What You Should Do This Week

Five actions that every Australian business should take immediately.

Review your MFA coverage. If any systems that handle sensitive data or financial transactions don’t have MFA, implement it now.

Update your phishing training. Brief your team on AI-generated threats. Establish a verification protocol for unusual requests, regardless of how legitimate they appear.

Check your backups. Ensure you have recent, tested backups that are isolated from your production network. If ransomware hits, backups are your recovery path.

Review your incident response plan. If you don’t have one, create one. If you do, test it. Can your team execute it under pressure?

Consider an external security assessment. A penetration test or security audit that specifically tests for AI-enhanced attack vectors will identify your biggest vulnerabilities.

The threat landscape has changed. Australian businesses need to change with it.