Small Businesses in Australia Face $84 Million in Cyber Losses: What Went Wrong?

October 28, 2025

Australian small businesses face AUD 84 million in cyber losses. Learn what went wrong and how to secure your operations against growing threats.

According to ANZ, cyber losses among small businesses exceeded AUD $84 million in 2024, highlighting how criminals are increasingly targeting smaller, more vulnerable organizations.

The Alarming Trend

Cybercrime continues to challenge businesses across Australia. National figures show that in 2024, companies lost more than AUD $84 million to scams. According to the Australian Signals Directorate’s Cyber Threat Trends Report, over 87,400 cybercrime reports were lodged during the 2023–24 financial year – equivalent to a report every six minutes. While this represents a 7% decrease from the previous year, small businesses remain particularly exposed to substantial financial risks.

One of the most significant threats is Business Email Compromise (BEC), where attackers impersonate trusted contacts to steal money or sensitive data. BEC accounted for 13% of reported incidents. These scams often exploit weaknesses in email systems or business processes, including hacking accounts to alter invoice payment details and redirect funds to cybercriminal-controlled accounts.

Cybercriminals also take advantage of the trust small businesses place in email. Many depend on digital invoices and supplier communication. Attackers can easily mimic these through domain spoofing and fake sender identities. Phishing remains the main cause of financial loss, but BEC is rising rapidly. These attacks often bypass basic spam filters and exploit weak authentication methods, leading to serious breaches.

Why Small Businesses Are Most at Risk

Unlike large corporations with dedicated IT teams, small businesses often lack the resources for proactive security. Poor password management, outdated systems, and the absence of DMARC or SPF policies make them easy targets. ANZ’s recent report reveals that over 70% of small businesses targeted by phishing did not have proper domain authentication, allowing attackers to impersonate them with little effort.

Small businesses are also increasingly targeted by scammers posing as banks, government agencies, or other financial institutions. These attacks aim to trick individuals into sharing personal information, transferring funds, or clicking on malicious links. Data from 2024 shows that small businesses are disproportionately affected, with the average cost per cybercrime incident reaching AUD $49,000, an 8% increase from the previous year.

The Ripple Effect of Email-Based Attacks

Once credentials are stolen, attackers use them to send convincing emails, spread malware, or request fraudulent payments. The reputational damage can outlast the financial loss, as customers who fall for fake invoices or scams lose trust in the brand.

Building Cyber Resilience in 2025

Australia’s financial institutions are urging small businesses to adopt stronger authentication methods and ongoing monitoring tools. Regulatory bodies are also promoting DMARC as a foundational security standard to prevent spoofed emails and phishing attacks. The Australian Cyber Security Centre (ACSC) strongly recommends DMARC as a crucial safeguard against email spoofing and impersonation.
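
Whether a domain has the SPF and DMARC protection discussed above can be read from its published DNS TXT records. The following Python is an added example, not code from ANZ, the ACSC or Skysnag; the function names, status labels and sample records are assumptions constructed for illustration.

```python
# Added example: grade SPF and DMARC TXT records for spoofing protection.
# Callers pass the raw TXT strings (unquoted) looked up for the domain;
# the samples below are constructed, not real domains' records.

def audit_spf(txt_records):
    """Grade the TXT records published at the domain itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"            # receivers have no sender list to check
    if len(spf) > 1:
        return "invalid"            # RFC 7208: multiple records -> permerror
    terms = spf[0].lower().split()[1:]
    for term in terms:
        if term.lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
            return {"-": "enforced", "~": "softfail",
                    "?": "neutral", "+": "allows-anyone"}[qualifier]
    if any(t.startswith("redirect=") for t in terms):
        return "delegated"          # policy lives in the redirect target
    return "neutral"                # no 'all' term: default result is neutral

def audit_dmarc(txt_records):
    """Grade the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().startswith("v=DMARC1")]
    if not dmarc:
        return "missing"            # no policy: spoofed mail is not rejected
    if len(dmarc) > 1:
        return "invalid"            # RFC 7489: receivers apply no policy
    tags = dict((k.strip().lower(), v.strip().lower())
                for k, _, v in (p.partition("=") for p in dmarc[0].split(";")))
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489 6.6.3: a bad or missing p= with a rua= is treated as p=none
        return "monitor-only" if tags.get("rua") else "invalid"
    if policy == "none":
        return "monitor-only"       # reports only; spoofed mail still delivered
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        return "partial-" + policy  # policy applied to only pct% of failures
    return policy

# Constructed sample records for a hypothetical domain.
SAMPLE_SPF = ["v=spf1 include:_spf.example.net ~all", "site-verification=abc123"]
SAMPLE_DMARC = ["v=DMARC1; p=none; rua=mailto:reports@example.com"]

if __name__ == "__main__":
    print("SPF:", audit_spf(SAMPLE_SPF))
    print("DMARC:", audit_dmarc(SAMPLE_DMARC))
```

A result of "missing", "monitor-only" or "allows-anyone" means receiving servers are not told to refuse mail that impersonates the domain.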

Compliance pressures are also rising. Under global frameworks such as the Payment Card Industry Data Security Standard (PCI DSS), DMARC implementation will become mandatory for businesses handling credit card data, making it essential for organizations within the scope of that standard.

New Zealand has already moved toward mandating strict DMARC enforcement across government domains, setting a strong precedent for regional adoption. As cybercriminals increasingly use AI-generated emails and social engineering tactics, awareness and automation have become indispensable for protecting business communications.

Rethinking Trust: How Modern Tools Can Protect Every Message

Email is vital for business communication, but it is also a major attack vector. To safeguard their reputation, small businesses need to move beyond manual defenses.

Skysnag automates DMARC, SPF, DKIM, MTA-STS, and TLS-RPT enforcement, helping organizations shield their domains from impersonation while improving email delivery. Continuous authentication, forensic reporting, and real-time alerts enable small businesses to stop email attacks before they escalate. Start your 14-day free trial.
