Australian Cyber Security Magazine

Phishing Has Become an Industry, And AI Is Driving Its Growth


By Matt Caffery, Senior Solutions Architect for Australia and New Zealand at Barracuda Networks

For years, cybersecurity leaders have warned that email would remain the most effective pathway into organisations, not because inboxes are inherently insecure, but because email sits at the intersection of identity, urgency, trust and human behaviour. What has changed in 2026 is not simply the scale of the threat, but the economics behind it. AI and phishing-as-a-service (PhaaS) have transformed social engineering from a labour-intensive criminal activity into an industrialised business model capable of generating convincing attacks at extraordinary speed and volume.

New research from Barracuda reinforces just how rapidly this shift is accelerating. Based on analysis of more than 3.1 billion emails globally, the 2026 Email Threats Report found that nearly half of all malicious email activity is now phishing-related, while 90 per cent of high-volume phishing campaigns rely on PhaaS kits.

The barrier to entry for cybercrime is falling at the same time as AI is making deception easier to produce and harder to detect. The implications of this are hard to overstate.

From crude scams to precision targeting

Gone are the days of poorly written scam emails littered with spelling mistakes and outrageous requests. AI-generated phishing campaigns can replicate tone, context and language patterns specific to organisations with alarming precision, enabling attackers to convincingly impersonate executives, colleagues, suppliers and trusted institutions at scale. Modern phishing campaigns now closely resemble professional sales and marketing operations: data-driven, automated and optimised for conversion.

Barracuda’s findings show attackers steadily abandoning traditional file-based malware in favour of stealthier techniques such as malicious URLs embedded within legitimate-looking emails, QR codes hidden inside trusted document formats, and account takeover campaigns originating from compromised inboxes. According to the report, 70 per cent of malicious PDFs now contain QR codes directing users to phishing sites, while more than one-third of organisations experience at least one account takeover incident every month.

The scale of the problem in Australia

The Australian Cyber Security Centre (ACSC) has warned that social engineering is a significant threat to local individuals and organisations, and that advances in AI are amplifying the effectiveness of social engineering by weaponising trust, urgency and familiarity to make malicious communications much harder for individuals and employees to identify.

The impact of this targeted approach is already unfolding in Australia. Phishing, impersonation and account compromise attacks continue to rise despite years of public awareness campaigns and organisational training initiatives. The government’s Scamwatch service has recorded 13,428 phishing scam reports and $4.2 billion in losses so far in 2026, from phishing attacks alone.

Phishing is a cyber resilience problem

The current moment is particularly dangerous because the threat is evolving faster than many organisations’ security architectures. AI-powered phishing attacks are bypassing many of the controls businesses have spent the last decade building. Traditional secure email gateways, for example, were designed to detect suspicious attachments and known malicious domains. A lure that carries no attachment, links to a freshly registered domain with no reputation yet, and reads like a message from a colleague gives those controls almost nothing to match on, so they are of little use against context-aware phishing lures or AI-generated messages that closely mirror internal communications.
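The indicators the report calls out (links whose visible text names one host while the href points at another, replies silently diverted to a different domain than the visible sender, and PDF attachments carrying a QR code rather than a payload) are exactly the ones an attachment scanner or domain-reputation lookup never sees. The script below is an added example written for this page, not Barracuda's code or any product logic. It builds a constructed sample message, then runs three cheap checks over it with only the Python standard library: Reply-To versus From domain, anchor text versus href host, and the presence of an image object inside a PDF attachment (a crude hint that the PDF may be a QR lure; the QR itself is not decoded here, and the byte pattern will not be visible in PDFs that compress their object dictionaries). All addresses, hostnames and the "PDF" bytes are made up for illustration.

```python
"""Heuristic triage of one email for the lure indicators described above (added example)."""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
            self._text = []


# Something that looks like a hostname in link text, e.g. "sso.example-corp.com".
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _addr_domain(header_value) -> str:
    addr = email.utils.parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: bytes) -> dict:
    """Return the indicators found in one RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Reply-To diverging from From: replies go somewhere the visible sender did not say.
    from_dom = _addr_domain(msg["From"])
    reply_dom = _addr_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    # 2. Link text that shows one host while the href resolves to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown = HOST_RE.search(text)
            if shown and shown.group(1).lower() != _host(href):
                findings.append(f"link text shows {shown.group(1)} but href goes to {_host(href)}")

    # 3. PDF attachments: flag as QR-scan candidates; an uncompressed image XObject is a hint only.
    for part in msg.iter_attachments():
        if part.get_content_type() == "application/pdf":
            data = part.get_payload(decode=True) or b""
            has_image = re.search(rb"/Subtype\s*/Image", data) is not None
            findings.append(f"pdf attachment {part.get_filename()} image_xobject={has_image}")

    return {"from_domain": from_dom, "findings": findings, "score": len(findings)}


def build_sample_lure() -> bytes:
    """Constructed lure (not a real capture) combining all three indicators; names are invented."""
    m = EmailMessage()
    m["From"] = "Finance Team <finance@example-corp.com>"
    m["Reply-To"] = "finance@example-corp-invoices.net"
    m["To"] = "staff@example-corp.com"
    m["Subject"] = "Action required: overdue invoice"
    m.set_content("Please review the attached invoice.")
    m.add_alternative(
        '<p>Please sign in at <a href="https://login.example-corp-portal.net/x">'
        "sso.example-corp.com</a> to approve the attached invoice.</p>",
        subtype="html",
    )
    # Minimal fake PDF bytes containing an image object dictionary, standing in for a QR lure.
    fake_pdf = b"%PDF-1.4\n1 0 obj << /Type /XObject /Subtype /Image >> endobj\n%%EOF\n"
    m.add_attachment(fake_pdf, maintype="application", subtype="pdf", filename="invoice.pdf")
    return bytes(m)


def build_sample_clean() -> bytes:
    """Constructed benign message: link text and href agree, no Reply-To, no attachment."""
    m = EmailMessage()
    m["From"] = "IT Service Desk <helpdesk@example-corp.com>"
    m["To"] = "staff@example-corp.com"
    m["Subject"] = "Maintenance window this weekend"
    m.set_content("See the intranet for details.")
    m.add_alternative(
        '<p>Details are at <a href="https://intranet.example-corp.com/maint">'
        "intranet.example-corp.com</a>.</p>",
        subtype="html",
    )
    return bytes(m)


if __name__ == "__main__":
    for name, build in (("lure", build_sample_lure), ("clean", build_sample_clean)):
        print(name, triage(build()))
```

None of these checks needs a signature, a sandbox detonation or a reputation feed, which is the point: they look at the relationship between what the recipient is shown and where the message actually leads. In production the PDF branch would hand the attachment to a renderer and QR decoder rather than grep its bytes, and the score would feed an identity-side control (step-up authentication, link rewriting, or quarantine) rather than a print statement.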

The uncomfortable reality is that many organisations continue to approach phishing as an employee awareness problem rather than a resilience one. Security training remains important, but now that attackers have access to generative AI, stolen credentials, behavioural data and industrial-scale automation, it is unrealistic to expect employees to reliably distinguish legitimate from malicious communications every time.

The case for integrated cyber resilience

Australian boards and executives should resist the temptation to treat AI-driven phishing as simply another incremental cyber risk. The broader concern is that AI is fundamentally changing the asymmetry between attackers and defenders. Cybercriminal groups can now scale operations globally with minimal overheads, automate reconnaissance, personalise attacks instantly, and continuously refine campaigns based on victim behaviour. Defenders, meanwhile, are still constrained by fragmented tooling, skills shortages, procurement cycles and organisational silos.

Cyber resilience has become critically important in this context. Email security can no longer operate as a standalone control sitting on the edge of the network. It must be integrated into a broader identity and incident response strategy that assumes compromise is not only possible, but likely. The future of defence will rely on layered detection, behavioural analysis, identity verification and automated response capabilities to limit the blast radius when compromise inevitably occurs.
