Phishing Attack Prevention: What the Booking.com and Super Fund Attacks Teach Australian SMBs
When hackers compromised Booking.com’s supply chain in April 2026, the real attack started the next day with a flood of hyper-targeted phishing emails to genuine customers. When 20,000 Australian superannuation accounts were drained in the April 2025 super fund attacks, the attackers did not hack the funds. They used credentials stolen from unrelated breaches to log in as the real members.

Every day in Australia, phishing emails, smishing texts, and vishing calls are bypassing technology and walking straight into inboxes that belong to trusted staff. Phishing attack prevention is no longer about training staff to spot bad grammar. It is about rebuilding the layers of defence that assume one email will get through, because it will.

Why 2025 Was the Year Phishing Got Personal

The modern phishing attack is almost unrecognisable compared to five years ago. In 2025 and 2026, Australian businesses are facing:

The ACSC recorded over 84,700 cybercrime reports in FY2024-25, with business email compromise, identity fraud, and phishing dominating the categories.

The Booking.com Supply Chain Phishing Attack

In April 2026, Booking.com confirmed that attackers had accessed customer names, emails, addresses, and booking details via a compromised third party. The immediate follow-up was a wave of convincing phishing emails to those customers, referencing real bookings and asking for payment “verification.”

This is the phishing attack of 2026: legitimate data stolen from one source, weaponised against real customers the next day, with specific and verifiable detail that defeats traditional detection.

The Super Fund Credential Stuffing Attack

In April 2025, more than 20,000 super accounts across AustralianSuper, REST, Hostplus, Australian Retirement Trust, and Insignia Financial were compromised. Attackers did not breach the super funds. They used credentials stolen from unrelated data breaches, betting that users had reused the same password.

Four AustralianSuper members lost a combined $500,000. A 74-year-old Queensland woman lost $406,000 overnight. The attack was pure phishing-derived credential harvesting combined with password reuse.

The Six Layers of Modern Phishing Attack Prevention

Technology alone will not stop phishing. People alone will not either. Modern phishing attack prevention requires six overlapping layers:

The Process Controls That Matter as Much as Technology

Technology stops the easy attacks. Process stops the sophisticated ones:

How Confident Are You That Your Next Phishing Email Will Be Caught?

Phishing attack prevention is now a layered discipline. A single control is not enough.

Frequently Asked Questions

Q: What is the single most effective phishing attack prevention control?
A: Phishing-resistant MFA on every business system. Microsoft’s own data shows it blocks more than 99.9% of automated credential attacks. It is not perfect, but nothing else comes close.

Q: How often should staff receive phishing training?
A: Quarterly at minimum, with monthly phishing simulations for high-risk roles such as finance, executive assistants, and HR. Annual training alone is not enough.

Q: If a staff member falls for a phishing email, who is responsible?
A: This is why a “pause and verify” culture matters. Staff who report incidents quickly should be supported, not punished. Blame cultures make phishing worse because staff hide mistakes.

The Booking.com incident, the super fund attack, the Qantas call-centre compromise, and every other major 2025-2026 Australian breach share one common feature: phishing, in some form, was the entry point. Phishing attack prevention is no longer an IT checkbox. It is the front line of your entire business. The question is whether you are treating it that way today, or whether you will be explaining to customers why you did not.
Written by Neil Frick
Mandatory Ransomware Reporting Australia: What the New Law Means for Your Business
On 30 May 2025, the Cyber Security (Ransomware Payment Reporting) Rules 2025 commenced, making Australia one of the first countries in the world to legally require businesses to report ransomware payments to the government within 72 hours. If your business has an annual turnover of $3 million or more, or you are responsible for any critical infrastructure asset, Australia’s mandatory ransomware reporting regime now applies to you.

Get it wrong and you face fines, regulatory scrutiny, and potentially criminal exposure. Get it right and you unlock “limited use” protections that can shield your business from downstream enforcement. Most Australian SMBs have no idea this law exists. Here is what you need to know.

What the Mandatory Ransomware Reporting Australia Law Actually Requires

Under Part 3 of the Cyber Security Act 2024 (Cth), reporting business entities must submit a formal report to the Australian Signals Directorate (or another designated Commonwealth body) within 72 hours of:

A “reporting business entity” includes:

The report must include specific information about the incident, the extortion demand, the payment, and the parties involved.

Why the Government Introduced This Obligation

The Australian government’s rationale is straightforward. Before the law, the vast majority of ransomware incidents in Australia went unreported, meaning:

The law creates a national dataset that the ASD, the National Cyber Security Coordinator, and the Cyber Incident Review Board can use to protect other Australian businesses.

The “Limited Use” Safeguard You Need to Understand

The law includes an important protection known as “limited use.” Information reported under the mandatory ransomware reporting regime generally cannot be used to investigate or enforce against the reporting business, except for:

This means cooperating with the law actually protects your business in most regulatory contexts. Failing to report, however, exposes you to enforcement with no protection.

What This Means Practically for Your Incident Response Plan

Every Australian SMB with turnover above $3 million needs to update its incident response plan to include:

Should You Actually Pay the Ransom?

The mandatory ransomware reporting law does not prohibit paying ransoms, but paying is almost always the wrong decision:

The Australian government’s position, and the position of the ASD, is that prevention, tested backups, and structured response are always the better option.

Is Your Business Ready to Report Inside 72 Hours?

The mandatory ransomware reporting regime is now live. Non-compliance carries real penalties and real exposure.

Frequently Asked Questions

Q: What happens if I do not report a ransomware payment?
A: You face civil penalties and potentially criminal exposure, depending on circumstances. You also lose the “limited use” protections that would otherwise apply.

Q: Does the mandatory ransomware reporting law apply to small businesses under $3 million?
A: Not currently under the turnover threshold, but if you are responsible for a critical infrastructure asset, you must still comply regardless of size. Voluntary reporting is also encouraged for all businesses.

Q: Does reporting the payment protect me from OAIC privacy enforcement?
A: No. Privacy Act obligations around notifiable data breaches are separate. You may need to report to both the ASD (for the payment) and the OAIC (for the data breach).

The mandatory ransomware reporting law marks a significant shift in how ransomware is treated in this country. It is no longer a quiet, negotiated problem handled between victims and criminals. It is a national intelligence matter with formal obligations.
Every Australian SMB above $3 million in turnover needs to know the rules, update its plans, and decide now, not during the crisis, how it will respond when the ransom demand arrives.

Written by Neil Frick
Qantas Data Breach 2025: What Scattered Spider Teaches Every Australian SMB
In July 2025, Australia woke up to news that up to 6 million Qantas customer records had been stolen through a single phone call to a third-party call centre. The Qantas data breach was not the result of zero-day exploits or state-sponsored malware. It was social engineering. A hacking group known as Scattered Spider convinced a help-desk operator they were a legitimate employee, bypassed multi-factor authentication, and walked out with names, emails, phone numbers, dates of birth, and frequent flyer numbers.

If Australia’s flag carrier can be taken down by one phone call, your SMB needs to understand exactly how this happened and what to do about it.

How the Qantas Data Breach Actually Unfolded

The Qantas data breach began on 30 June 2025, when attackers targeted a third-party contact centre used by the airline. Using a technique known as voice phishing (vishing), the attackers impersonated a staff member needing urgent access recovery. The help-desk operator followed standard verification questions. The attackers had already harvested those answers from LinkedIn, data broker sites, and previous breaches. Within minutes, credentials were reset and MFA was re-registered to a device controlled by the attacker.

The lesson for Australian SMBs is brutal. Your weakest link is rarely your firewall. It is the human being answering the phone when someone sounds stressed and authoritative.

Who Is Scattered Spider and Why Are They Targeting Australia?

Scattered Spider is a loose collective of native-English-speaking cybercriminals specialising in social engineering attacks against help desks, IT support functions, and outsourced service providers. The Australian Signals Directorate issued a formal advisory on the group in July 2025. Their preferred playbook includes:

Why SMBs Are Just as Exposed as Qantas

Most Australian small businesses outsource something: bookkeeping, IT support, payroll, or customer service. Every one of those relationships is a potential Scattered Spider entry point. The Qantas data breach happened through a third party, not through Qantas’ own systems. Ask yourself:

Five Controls That Would Have Stopped Scattered Spider

Is Your Help Desk a Hacker’s Front Door?

The Qantas data breach shows that even $20 billion companies fall to one phone call. Your SMB has less margin for error.

Frequently Asked Questions

Q: Was the Qantas data breach caused by a Qantas system failure?
A: No. The breach occurred through a third-party contact centre. This is exactly why vendor risk management is now a front-line cyber security control for every business.

Q: Would MFA alone have stopped this attack?
A: Not by itself. Scattered Spider specifically targets MFA re-enrolment. Phishing-resistant MFA combined with strict help-desk verification processes is required.

Q: How quickly should my business act on this?
A: Immediately. Scattered Spider is actively targeting Australian organisations across retail, hospitality, financial services, and professional services right now.

The Qantas data breach is not an airline problem. It is a wake-up call for every Australian SMB that relies on people, phones, and third-party vendors. The attackers are already here, and they are calling. The only question is whether your team knows what to say when they do.

Written by Neil Frick