Phishing Attack Prevention: What the Booking.com and Super Fund Attacks Teach Australian SMBs
When hackers compromised Booking.com’s supply chain in April 2026, the real attack started the next day with a flood of hyper-targeted phishing emails to genuine customers. When 20,000 Australian superannuation accounts were drained in the April 2025 super fund attacks, the attackers did not hack the funds. They used credentials stolen from unrelated breaches to log in as the real members. Every day in Australia, phishing emails, smishing texts, and vishing calls are bypassing technology and walking straight into inboxes that belong to trusted staff. Phishing attack prevention is no longer about training staff to spot bad grammar. It is about rebuilding the layers of defence that assume one email will get through, because it will. Why 2025 Was the Year Phishing Got Personal The modern phishing attack is almost unrecognisable compared to five years ago. In 2025 and 2026, Australian businesses are facing: The ACSC recorded over 84,700 cybercrime reports in FY2024-25, with business email compromise, identity fraud, and phishing dominating the categories. The Booking.com Supply Chain Phishing Attack In April 2026, Booking.com confirmed that attackers had accessed customer names, emails, addresses, and booking details via a compromised third party. The immediate follow-up was a wave of convincing phishing emails to those customers, referencing real bookings and asking for payment “verification.” This is the phishing attack of 2026: legitimate data stolen from one source, weaponised against real customers the next day, with specific and verifiable detail that defeats traditional detection. The Super Fund Credential Stuffing Attack In April 2025, more than 20,000 super accounts across AustralianSuper, REST, Hostplus, Australian Retirement Trust, and Insignia Financial were compromised. Attackers did not breach the super funds. They used credentials stolen from unrelated data breaches, betting that users had reused the same password. Four AustralianSuper members lost a combined $500,000. A 74-year-old Queensland woman lost $406,000 overnight. The attack was pure phishing-derived credential harvesting combined with password reuse. The Six Layers of Modern Phishing Attack Prevention Technology alone will not stop phishing. People alone will not either. Modern phishing attack prevention requires six overlapping layers: Recommended Link: Security Awareness Training That Actually Works The Process Controls That Matter as Much as Technology Technology stops the easy attacks. Process stops the sophisticated ones: Recommended Link: Email and Office 365 Security for Australian Businesses How Confident Are You That Your Next Phishing Email Will Be Caught?Phishing attack prevention is now a layered discipline. A single control is not enough. Frequently Asked Questions Q: What is the single most effective phishing attack prevention control?A: Phishing-resistant MFA on every business system. Microsoft’s own data shows it blocks more than 99.9% of automated credential attacks. It is not perfect, but nothing else comes close. Q: How often should staff receive phishing training?A: Quarterly at minimum, with monthly phishing simulations for high-risk roles such as finance, executive assistants, and HR. Annual training alone is not enough. Q: If a staff member falls for a phishing email, who is responsible?A: This is why a “pause and verify” culture matters. Staff who report incidents quickly should be supported, not punished. Blame cultures make phishing worse because staff hide mistakes. The Booking.com incident, the super fund attack, the Qantas call-centre compromise, and every other major 2025-2026 Australian breach share one common feature: phishing, in some form, was the entry point. Phishing attack prevention is no longer an IT checkbox. It is the front line of your entire business. The question is whether you are treating it that way today, or whether you will be explaining to customers why you did not. (We are not looking to replace your current provider, just offering an alternative perspective) Written by Neil Frick Sources & References
Read MoreAustralia’s Superannuation Funds Under Fire: What SMBs Must Learn from the 2025 Credential Stuffing Attack
In early April 2025, Australian retirement savers woke up to a nightmare. Over 20,000 superannuation accounts across AustralianSuper, REST, Hostplus, Australian Retirement Trust, and Insignia Financial were compromised in a wave of credential stuffing attacks. Four AustralianSuper members lost a combined $500,000. One Queensland woman aged 74 had $406,000 drained from her retirement account overnight. If cybercriminals can breach institutions managing hundreds of billions of dollars, the message for Australian small and medium businesses is crystal clear: no one is immune. What Actually Happened in the Super Fund Attack? Credential stuffing is not sophisticated hacking. Attackers simply obtained lists of stolen usernames and passwords from previous data breaches, then used automated tools to try those same credentials against super fund login portals. People who reused passwords across multiple platforms became the victims. This is the critical point for SMB owners. The technique used against institutions managing $4.2 trillion in retirement savings is the same technique being used against your email systems, accounting platforms, and cloud services every day. The attack chain was simple: Why SMBs Are Even More Vulnerable Superannuation funds, despite their gaps, had security teams, incident response protocols, and regulatory oversight. Most Australian SMBs have none of these safeguards. According to the ASD Annual Cyber Threat Report 2024-25, SME owners experienced significantly higher rates of cybercrime than other business types, with an average cost of $56,600 per incident for small businesses, up 14% from the previous year. If your team is using the same password for Microsoft 365, your CRM, your accounting software, and their personal email — you are one data breach away from this exact scenario playing out in your business. The Five Steps Every SMB Must Take Now 1. Deploy Multi-Factor Authentication (MFA) on everythingThe super fund attack succeeded partly because MFA was not mandatory across all platforms. If your team can log in to business systems using only a username and password, you have a critical gap. Phishing-resistant MFA, such as authenticator apps or hardware keys, should be non-negotiable. 2. Audit your credential exposureDark web monitoring services can alert you when your business credentials appear in breach databases. By the time attackers are attempting logins, the credentials are often months old. Proactive monitoring gives you time to act before the attack begins. 3. Enforce unique passwords across all systemsPassword reuse is the entire mechanism that makes credential stuffing possible. Deploy a business password manager and enforce strong, unique credentials for every system. This single step eliminates the primary vector used in the super fund attacks. 4. Implement access controls and least privilegeNot every staff member needs access to every system. Restricting access limits the blast radius if a credential is compromised. A compromised account with limited privileges causes significantly less damage. 5. Have an incident response planWhen AustralianSuper detected the attack, they locked accounts and notified members within hours. Most SMBs would have no structured response. A documented plan, tested annually, dramatically reduces the damage from any breach. Ready to find out if your business credentials are already exposed? Netlogyx offers a no-obligation cybersecurity consultation where we check your dark web exposure, review your access controls, and identify your highest-risk gaps before an attacker does. Frequently Asked Questions Q: What is credential stuffing and how is it different from hacking?A: Credential stuffing does not involve breaking into a system. Attackers use usernames and passwords already stolen from other breaches and test them at scale against new platforms. It works because people reuse passwords. It requires no special hacking skill — just automation and purchased data. Q: How do I know if my business credentials have been exposed?A: Dark web monitoring services continuously scan criminal marketplaces and breach databases for your domain and email addresses. A managed IT provider like Netlogyx can set this up as part of your security stack and alert you immediately when your credentials appear. Q: Is MFA enough to prevent credential stuffing?A: Yes, in almost all cases. Even if an attacker has your correct username and password, they cannot pass the MFA challenge without physical access to your authenticator device. Phishing-resistant MFA stops credential stuffing almost completely. The super fund attack was a national wake-up call. The same tools and techniques used to steal retirement savings are targeting Australian SMBs every day. The difference is that large institutions, despite their flaws, had teams and systems in place to detect and respond. Most small businesses do not – yet. Netlogyx Technology Specialists works with businesses across Brisbane, the Gold Coast, and Southeast Queensland to close exactly these gaps. We build cybersecurity that fits your business, not your IT provider’s product catalogue. (We are not looking to replace your current provider, just offering an alternative perspective) Written by the Netlogyx Technology Specialists Team Sources & References
Read More