EOFY Cyber Threats: What Every Australian Business Must Know Right Now
Tax time is the most dangerous time of year for Australian businesses. While you are focused on reconciling accounts, gathering receipts, and lodging returns, cybercriminals are running their own operation — one specifically engineered to exploit the pressure, distraction, and volume of EOFY activity. According to the ATO, scam emails surged 179% and scam SMS jumped 414% in a single year. One in four Australians have encountered an EOFY scam. The question is not whether attackers will target your business this tax season. The question is whether you will be ready when they do.

This article breaks down the most common EOFY cyber threats facing Australian businesses right now, and the practical steps you can take today to stay protected.

Why EOFY Is Prime Time for Cybercriminals

Every year, the weeks leading up to 30 June see a spike in cyber attack attempts across Australia. The reason is simple: businesses and individuals are expecting communications from their accountant, their tax agent, the ATO, myGov, and their bank. That expectation is exactly what attackers exploit.

When an email about your tax return lands in your inbox, your guard is lower. When a message says your refund is ready, you want to click. Cybercriminals weaponise urgency, familiarity, and trust during this window.

The average cost of a cyber attack on an Australian small business is $56,600 per incident. For medium businesses, that figure rises to $97,200. EOFY is not the time to find out your defences are inadequate.

The 4 Most Common EOFY Cyber Threats Right Now

1. Accounting and Tax Business Fraud

Attackers impersonate accountants and tax agents to request payments or sensitive information via email. These messages often look completely legitimate, referencing real business names and using professional language.
What to do: If you receive an unexpected email from your accountant or tax agent, do not respond to it. Call them directly on a number you already have stored, not a number provided in the email itself.

2. Phishing Emails and Account Compromise

Phishing emails spike sharply at tax time. Watch closely for:

If something feels off, do not click any links. Call the sender directly to verify.

3. Bank Fraud and Payment Redirection

This is one of the most financially devastating EOFY cyber threats. Attackers impersonate suppliers, accountants, or the ATO to redirect payments to accounts they control. Any email advising a change in bank account details is a major red flag. Always call the business directly on a number you have on file before making any payment changes.

4. myGov and Government Account Targeting

Scammers use fake myGov login pages, phishing emails, and SMS scams to steal government account credentials. This gives them access to your tax refunds, super balance, and personal identity information. Remember these hard rules:

Always type https://www.my.gov.au directly into your browser. If you receive a suspicious ATO communication, report it to 1800 008 540.

Simple Measures to Protect Your Business This Tax Season

You do not need a massive IT budget to defend against EOFY cyber threats. These practical steps significantly reduce your exposure:

The One Rule That Stops Most EOFY Attacks

If you take nothing else from this article, take this: Stop. Verify. Then act.

Before responding to any email involving money, bank details, login credentials, or personal information — stop. Pick up the phone. Call the person or organisation on a number you independently know. Then, and only then, act. A phone call takes 60 seconds.
A successful payment redirection scam can take everything. Train your team on this rule. Share it with your accountant. Post it near the printer if you have to.

Ready to Know Where Your Business Actually Stands on Cybersecurity?

EOFY is the most targeted time of year. Now is the right moment to get a clear picture of your current cybersecurity posture — before attackers find the gaps. We are offering a complimentary Cyber Discovery Session exclusively for our current clients, normally valued at $250, at absolutely no cost to you. In this session, we will:

This is a no-obligation conversation designed to give you confidence and clarity heading into the new financial year. Please note: Only 5 spots are available, exclusively for current clients. This offer closes 15 July — reach out now to secure your spot. Reply to this email or contact us directly at neil@netlogyx.com.au or call +61 7 5520 1211.

Frequently Asked Questions

Q: How do I know if an email from the ATO is real?
A: The ATO will never send an unsolicited email or SMS containing a hyperlink asking you to log in. Legitimate ATO correspondence can always be verified by logging into your myGov account directly — type the URL yourself — or by calling 1800 008 540. If a message creates urgency, threatens consequences, or asks for personal information, treat it as suspicious regardless of how official it looks.

Q: What should I do if I think I have already clicked a suspicious link?
A: Do not enter any information on the page that opened. Close your browser immediately. Change your myGov and email passwords, and contact your bank if you provided any financial details. Run a security scan on your device and report the incident to the ATO at ReportScams@ato.gov.au. The sooner you act, the better your chances of limiting the damage.
Q: Are small businesses really targeted during EOFY, or just large companies?
A: Small and medium businesses are disproportionately targeted precisely because their defences are typically weaker. The ATO received over 7,400 impersonation scam reports in July 2025 alone. Attackers cast a wide net during EOFY — every inbox, every business, regardless of size.

Finish EOFY Feeling Confident, Not Compromised

EOFY cyber threats are real, they are surging, and they are specifically designed to catch busy business owners off guard. The good news
Third-Party Data Breach: The LexisNexis Lesson Every Australian Business Ignores
When LexisNexis confirmed a major cloud breach in March 2026 exposing legal and government client data, it exposed something every Australian business should already know: your cyber security is only as strong as the weakest vendor connected to your systems. A third-party data breach does not need to touch your infrastructure at all. It just needs to touch someone who touches you.

From the OracleCMS breach that hit Victorian councils, to the Pareto Phone incident that leaked charity donor data, to MOVEit, Blackbaud, and now LexisNexis, the pattern is identical. If you are not actively managing your vendors, you are not managing your cyber risk.

Why Third-Party Data Breach Incidents Dominate the Headlines

The Office of the Australian Information Commissioner has repeatedly flagged third-party and supply-chain incidents as one of the fastest-growing breach categories. In the first half of 2025 alone, more than 30% of notifiable breaches in Australia involved a vendor, service provider, or contractor. Recent high-profile Australian examples include:

What Exactly Is a Third-Party Data Breach?

A third-party data breach occurs when an organisation suffers loss, exposure, or compromise of data through a vendor, supplier, contractor, SaaS provider, or any other external party with access to the organisation’s systems or information. This includes:

The Five Vendor Questions Every Australian SMB Must Ask

Before you sign any contract that involves a vendor touching your data, your staff, or your systems, you need clear answers to these five questions:

Contract Clauses That Actually Protect You

Most Australian SMB contracts with vendors contain generic boilerplate security language that does not survive a real breach.
Stronger clauses include:

Do You Know Which Vendor Will Cause Your Next Breach?

Third-party data breach incidents now account for a growing share of Australian notifications. You cannot delegate your risk.

Frequently Asked Questions

Q: Am I legally responsible if a vendor causes a third-party data breach?
A: In most cases, yes. Under the Privacy Act, the organisation that collected the personal information usually remains accountable, even if the breach occurred at a processor or vendor.

Q: How often should I review my vendors?
A: At minimum annually. For vendors handling sensitive data or with privileged access, a six-month review cycle is strongly recommended.

Q: What is the first vendor I should review?
A: Any vendor with access to your email environment, your customer database, your payroll system, or your financial records. These are your crown jewels.

The LexisNexis breach, the OracleCMS incident, and every other third-party data breach on the Australian record share one common feature: the victim organisations trusted their vendors without verification. Trust is not a control. Verification is.

(We are not looking to replace your current provider, just offering an alternative perspective)

Written by Neil Frick
Defence Supply Chain Cyber Attack: Why Every Australian SME Contractor Is a Target
When hackers sat undetected inside IKAD Engineering for five months and walked out with data relating to Australia’s Hunter and Collins class submarine programs, they did not need to break into the Department of Defence. They only needed to compromise one small engineering subcontractor.

The defence supply chain cyber attack trend has escalated sharply through 2025 and 2026, and the targets are almost never the prime contractors. They are the SMEs nobody has heard of. If your business sits anywhere in the Australian defence, aerospace, or critical infrastructure supply chain, this is the threat landscape you need to understand today.

What the IKAD Defence Supply Chain Cyber Attack Revealed

IKAD Engineering is an Australian supplier providing components and services to defence, marine, mining, and oil and gas. In November 2025, the J Group ransomware gang claimed to have exfiltrated up to 800 gigabytes of data through a vulnerable legacy VPN, maintaining a hidden presence inside the network for approximately five months. The stolen data allegedly included:

The attackers used a technique called “living off the land,” relying on legitimate administrative tools already present on the network to avoid detection.

Why the Defence Supply Chain Cyber Attack Vector Is So Effective

Prime contractors like BAE Systems, Lockheed Martin, and Thales invest tens of millions in cyber defence every year. Smaller subcontractors usually do not. The attackers know this. The defence supply chain cyber attack pattern in 2025 and 2026 shows a consistent approach:

The Defence Industry Security Program (DISP) Is No Longer Optional

Any business wanting to win or retain defence contracts in Australia increasingly needs to demonstrate membership in the Defence Industry Security Program. DISP requires:

Meeting DISP is not just a compliance exercise. It is the baseline for surviving a defence supply chain cyber attack.
Five Controls That Would Have Stopped the IKAD Attack

Is Your Business the Weak Link in a National Security Supply Chain?

The defence supply chain cyber attack trend will intensify through 2026. Prime contractors are now demanding proof.

Frequently Asked Questions

Q: I am a small engineering or services firm. Am I really a target?
A: Yes. Attackers increasingly target Tier 2, Tier 3, and Tier 4 suppliers precisely because their security posture is weaker than the prime contractors they serve.

Q: What is the difference between DISP and the Essential Eight?
A: DISP is the Defence-specific security framework. The Essential Eight is the broader ACSC baseline that feeds into DISP requirements. Most DISP-aligned businesses implement Essential Eight as the foundation.

Q: How long does it take to prepare for DISP membership?
A: For most Australian SMEs with a low starting maturity, a realistic DISP readiness program takes three to nine months depending on scope and existing controls.

The defence supply chain cyber attack against IKAD Engineering is a preview of what is coming for every Australian SME that handles sensitive commercial or government project data. Attackers are patient, they are coordinated, and they already know where the weak links are. The question is whether yours will hold.

(We are not looking to replace your current provider, just offering an alternative perspective)

Written by Neil Frick
Genea IVF Breach: The Healthcare Cyber Attack Every Australian Clinic Must Learn From
When a ransomware group published 940 gigabytes of stolen fertility clinic data on the dark web in February 2025, the healthcare cyber attack landscape in Australia changed forever. The Genea IVF breach exposed Medicare numbers, test results, prescriptions, and deeply personal medical histories belonging to thousands of Australians trying to start families.

For every GP, dental clinic, physio, and allied health provider in the country, this incident is the clearest possible warning: the healthcare cyber attack threat is no longer aimed only at hospitals. It is aimed at you.

What Happened in the Genea IVF Healthcare Cyber Attack

In February 2025, Genea, one of Australia’s largest IVF providers, confirmed that the Termite ransomware group had infiltrated its systems. By July, the group had published nearly a terabyte of patient data including:

Elective treatments were delayed. Patients learned from media reports, not from the clinic directly, that their fertility journeys had been made public.

Why the Healthcare Cyber Attack Problem Keeps Getting Worse

The Office of the Australian Information Commissioner consistently ranks health service providers as the number one sector for reported data breaches. The reasons are straightforward:

In 2025 alone, the Pound Road Medical Centre, Riverina Medical and Dental Aboriginal Corporation, Spectrum Medical Imaging, and the Sydney Centre for Ear, Nose & Throat all confirmed incidents. This is not a rare problem.

The Four Entry Points Attackers Exploit in Australian Clinics

Every one of these is preventable with controls that cost a fraction of the fines and reputational damage a single healthcare cyber attack creates.

The Compliance Consequences Most Clinics Underestimate

Under the Notifiable Data Breaches scheme, any healthcare provider must notify the OAIC and affected patients within 30 days of a breach that is likely to cause serious harm.
Penalties for serious or repeated breaches now reach up to $50 million for body corporates. The My Health Records Act adds additional obligations, including the possibility of criminal sanctions for failing to report breaches involving the national health database.

Ready to Protect Your Patients Before Attackers Reach Them?

The Genea healthcare cyber attack cost far more than a ransom. It cost trust that no clinic can buy back.

Frequently Asked Questions

Q: Does my small clinic really face the same healthcare cyber attack risk as a large hospital?
A: Yes, and arguably more. Smaller clinics are specifically targeted because attackers assume the defences are weaker. Ransomware groups do not care about the size of the logo; they care about how quickly data can be stolen and sold.

Q: Are paper records safer than digital records?
A: No. Paper records create privacy risks of their own and do nothing to help with patient service, reporting, or Medicare compliance. The real answer is a properly secured digital environment with tested offline backups.

Q: Is Medicare data the same as regular personal information under the Privacy Act?
A: No. Health information is classified as sensitive information and attracts the highest level of protection. Breaches involving health data almost always trigger mandatory notification.

The Genea healthcare cyber attack should not be treated as someone else’s bad day. It should be treated as the template for what happens to any Australian clinic that assumes it is too small or too specialised to be targeted. The attackers are not discriminating. They are efficient.

(We are not looking to replace your current provider, just offering an alternative perspective)

Written by Neil Frick
Essential Eight Maturity Level 2: The SMB Guide for Australian Businesses
Reaching Essential Eight Maturity Level 2 is the single most impactful cybersecurity investment an Australian SMB can make. The ASD’s Essential Eight framework was built directly from the experience of responding to real cyberattacks on Australian organisations — the same vulnerabilities exploited again and again, turned into a structured set of controls that, when properly implemented, stops the majority of them.

Yet the Commonwealth’s own 2025 Cyber Security Posture Report reveals that only 22% of Australian government entities reached Essential Eight Maturity Level 2 across all eight controls. If government entities with dedicated IT teams are struggling, the picture for SMBs without those resources is even more challenging — and the urgency is even greater.

What the Essential Eight Maturity Level 2 Framework Actually Covers

The framework consists of eight mitigation strategies, each targeting a specific attack vector:

1. Application Control

Only approved applications can execute on your systems. This prevents ransomware payloads, unauthorised software, and malicious scripts from running entirely. The ASD rates this as its highest-impact single control.

2. Patch Applications

Known vulnerabilities in applications are exploited rapidly — sometimes within hours of a proof-of-concept being published. This control requires internet-facing services to be patched within 48 hours of a critical patch release at Maturity Level 2.

3. Configure Microsoft Office Macros

Malicious macros remain a primary delivery mechanism for ransomware. Macros should be disabled by default and allowed only for explicitly trusted, digitally signed documents.

4. User Application Hardening

Remove unnecessary functionality and default features from applications that attackers can exploit — including browser plugins and legacy browser extensions.

5. Restrict Administrative Privileges

The principle of least privilege: users should have only the access they need for their role.
Administrative accounts should be used only when administrative tasks are being performed.

6. Patch Operating Systems

Operating system vulnerabilities are as critical as application vulnerabilities. Systems running unsupported operating systems — still common among Australian SMBs — have unpatched vulnerabilities that can never be fixed.

7. Multi-Factor Authentication (MFA)

The ASD’s updated Essential Eight requires phishing-resistant MFA — a higher standard than SMS codes or basic authenticator apps. Passkeys and hardware security keys provide the highest level of protection.

8. Regular Backups

Backups should be current, tested, encrypted, and include offline or immutable copies that cannot be deleted by ransomware.

Where Australian SMBs Are Failing on Essential Eight Maturity Level 2

Analysing the 2025 government posture report and industry data, the three most common gaps in Essential Eight implementation for SMBs are:

MFA adoption and quality: Many businesses have implemented basic MFA using SMS codes, which can be bypassed through SIM-swapping attacks and phishing-in-the-middle techniques. The ASD now requires phishing-resistant MFA at Level 2. According to the CyberCX 2026 Threat Report, attackers are bypassing most MFA solutions through adversary-in-the-middle session hijacking using low-cost phishing kits.

Patching speed: The ASD requires critical patches on internet-facing services within 48 hours. Many SMBs patch on a weekly or monthly schedule at best. The ACSC observed more than 120 incidents associated with attacks on edge devices in FY2024-25, of which 96% were successful.

Application control implementation: This is the most technically complex of the eight controls and the one most commonly absent from SMB environments.
Without it, ransomware payloads can execute freely once they reach an endpoint.

The Business Case for Achieving Essential Eight Maturity Level 2

The financial case for Essential Eight implementation is straightforward:

Average small business cybercrime cost: $56,600 per incident (up 14% in FY2024-25)
Average medium business cybercrime cost: $97,200 per incident (up 55%)
Businesses at Essential Eight Maturity Level 2 experience dramatically fewer incidents
Cyber insurance now requires demonstrable Essential Eight maturity before honouring claims

Beyond insurance, ASIC has taken enforcement action against financial services firms that failed to implement adequate cybersecurity measures under their licence obligations. Reasonable cybersecurity is now a legal expectation, not just a best practice recommendation.

How to Reach Essential Eight Maturity Level 2: A Practical Path for SMBs

Month 1-2: Foundation

Enable phishing-resistant MFA on email, VPN, admin accounts, and cloud platforms
Audit and inventory all systems for legacy or unsupported software
Implement automated patching for all internet-facing systems
Review and document current backup procedures

Month 3-4: Technical Controls

Deploy endpoint detection and response (EDR) across all devices
Implement application allowlisting on servers and critical endpoints
Configure Microsoft Office macro controls
Set up centralised logging

Month 5-6: Validation

Conduct a formal Essential Eight assessment against ASD maturity criteria
Test backup restoration procedures
Run staff phishing simulations
Document your maturity baseline for insurance and compliance purposes

Essential Eight Implementation Is Not Optional for Australian Businesses That Want to Survive a Cyber Incident.
Netlogyx guides SMBs through Essential Eight assessment and implementation with a practical, phased approach that fits your budget and operational reality.

Receive an honest Essential Eight maturity assessment
Get a prioritised, costed remediation roadmap
Implement at a pace that fits your business

Frequently Asked Questions

Q: Is the Essential Eight mandatory for SMBs?
A: The Essential Eight is mandatory for non-corporate Commonwealth entities at Maturity Level 2. For private sector businesses, it is currently voluntary, but the regulatory environment is tightening rapidly. ASIC has taken enforcement action against businesses that lack adequate cybersecurity under financial licence obligations, and the standard courts are applying is increasingly aligned with Essential Eight Level 2.

Q: How long does it take to reach Essential Eight Maturity Level 2?
A: For most SMBs starting from a baseline of limited controls, reaching Level 2 across all eight strategies takes between three and nine months, depending on existing infrastructure, budget, and staff readiness. The phased approach above is designed to deliver meaningful risk reduction at every stage, not just at completion.

Q: My business is small. Do I really need all eight controls?
A: The eight controls are interdependent — each addresses a different attack vector, and gaps in any one create exposure even if the others are well-implemented. The practical starting point is always MFA, patching, and