Phishing: The Greatest Cyber Threat to Small Business in WA
Phishing is the highest-frequency, highest-impact cyber threat facing small businesses in WA. Technical defences alone aren’t enough. The best-value, highest-ROI action any business can take is regular, high-quality phishing awareness training for all staff.

Phishing remains the most frequent and damaging cyber threat faced by small and medium businesses in Western Australia and beyond. The combination of high attack frequency and significant financial loss makes phishing the “highest impact” risk for Australian organisations, including those in WA.
Phishing’s Frequency and Harm
Phishing attacks — fraudulent emails, texts or messages masquerading as trusted contacts — are now at record levels in Australia. In 2025, phishing represented the most widespread and persistent cyber threat to Australian businesses, accounting for the majority of data breaches and security incidents[1]. Over 80% of phishing campaigns aim to steal credentials, often targeting cloud-based services used by small businesses such as Microsoft 365 and Google Workspace[1].
According to the National Anti-Scam Centre, losses from phishing scams surged in early 2025, quadrupling year-on-year to $13.7 million between January and April alone[2]. It’s not just the frequency: phishing leads to direct financial theft, lengthy recoveries from data breaches, loss of customer trust, and regulatory costs. In WA alone, scam losses hit a record $22 million in 2023, with social media and email scams surging 36% year-on-year[3].
Data breaches driven by phishing are increasing in both scale and severity. Australia saw 1.8 million accounts compromised in Q1 2024—a 388% increase over the previous quarter—with small businesses particularly vulnerable due to limited security budgets and resources[4][5]. The average financial loss for a small business incident is around $50,000[6], often compounded by lost productivity, reputational harm, and legal exposure.
Why Technical Defences Aren’t Enough
Modern phishing is sophisticated. Attackers use advanced social engineering, AI-powered personalisation, and ever-changing impersonation tactics. While email filters and security software catch many threats, human error is still the primary pathway for successful attacks[7]. An employee who accidentally clicks a malicious link or discloses sensitive information opens the door to attackers, irrespective of other controls.
The Case for Phishing Awareness Training
Given the scale and cost of phishing, cybersecurity awareness training—especially focused on phishing—is the most important “next layer” of defence for small and medium businesses[8][7][9][10]. The Australian Cyber Security Centre (ACSC) and leading agencies worldwide recommend regular phishing awareness training as a foundational control for all organisations[9][1][7].
Benefits of phishing awareness training for small businesses:
- Reduces breach risk: Regular training can cut phishing susceptibility by up to 90%, making staff an active line of defence[11][10][9].
- High ROI: Studies show that modest investments in security awareness yield a median annual return five times greater than the training cost, with up to a 50% reduction in annualised phishing risk[12][13].
- Protects reputation and operations: Quick recognition and reporting of phishing attempts reduces downtime, legal liability, and loss of customer trust[1][7].
- Supports compliance: Training helps meet regulatory requirements for data protection and risk management[9][7].
- Builds security culture: Staff feel empowered and responsible for defending the business, rather than relying on technology alone[8][9][7].
A 2025 Keepnet Labs study found awareness training improved phishing detection by 40% and slashed risk scores by more than 70%, with businesses saving up to $5 million annually versus potential attack costs[10][11]. Similar analysis by Proofpoint and Aberdeen confirmed a 72% likelihood of significant risk reduction for a typical small business—well beyond what’s achievable by technical means alone[12].
Tying Back to Small Businesses in WA
WA small businesses—retailers, local services, trades, community organisations—face the same (and often heightened) risks as those in larger states, but with fewer resources. The rise in cyber scams locally demonstrates the real monetary and reputational stakes[3][6]. Phishing attacks that succeed are not simply technical issues; they are business-critical incidents that impact jobs, customer relationships, and long-term viability.
Code Monkey Cybersecurity’s Phishing Awareness Training
Code Monkey Cybersecurity (cybermonkey.net.au), based in South Fremantle, delivers continuous phishing awareness training tailored for WA small businesses[14][15]. Their program uses realistic simulations, up-to-date threat information, and regular refresher courses to ensure staff stay vigilant. Importantly, evidence shows benefits largely disappear if training stops, so ongoing engagement is key[14].
How Code Monkey can help small businesses in WA:
- Localised training with real-world examples from WA and Australia-specific scams.
- Regular, interactive phishing email simulations so staff learn by doing.
- Minimal onboarding costs, no hidden fees, and discounts for Chamber of Commerce members[15].
- Continuous updates incorporating the latest scams and social engineering techniques.
- Dedicated support and analytics to measure staff improvement and program effectiveness.
In Summary
Phishing is the highest-frequency, highest-impact cyber threat facing small businesses in WA. Technical defences alone aren’t enough. The best-value, highest-ROI action any business can take is regular, high-quality phishing awareness training for all staff[9][10][11][12][13]. Code Monkey Cybersecurity provides an effective, locally focused solution, helping business owners and teams defend themselves, their customers, and their livelihoods.
If you operate a business in WA, don’t wait for an incident—get in touch with Code Monkey Cybersecurity to test your cyber defences and start training today[6][14][15].
Data cited from Australian Cyber Security Centre[16], National Anti-Scam Centre[2], WA ScamNet[3], Keepnet Labs[10][11], Proofpoint/Aberdeen[12], and other reputable sources.
Sources
[1] Don't Take the Bait: Best Practices to Spot Phishing Emails ... https://www.bitsgroup.com.au/resources/recognising-phishing-email-scams-best-practices-2025/
[2] National Anti-Scam Centre calls for stronger business role ... https://www.accc.gov.au/media-release/national-anti-scam-centre-calls-for-stronger-business-role-to-disrupt-scams
[3] Record year for WA cybercrime as Facebook scams surge https://www.wa.gov.au/government/media-statements/Cook-Labor-Government/Record-year-for-WA-cybercrime-as-Facebook-scams-surge--20240326
[4] 15 Biggest Data Breaches in Australia [2025] - Corbado https://www.corbado.com/blog/data-breaches-australia
[5] The Complete List Of Data Breaches In Australia 2025 - Borderless CS https://borderlesscs.com.au/2025-data-breach-lists/
[6] Code Monkey Cybersecurity's Phishing Awareness Training For ... https://www.instagram.com/code_monkey_cyber/p/DNQzN6bP7sP/
[7] Why cyber security training is essential for businesses in ... https://cyberwardens.com.au/why-cyber-security-training-is-essential-for-businesses-in-australia/
[8] Why Small Businesses Should Invest In Staff Cybersecurity ... https://bridgeit.com.au/blog/why-small-businesses-should-invest-in-staff-cybersecurity-training/
[9] Cyber Security & Phishing Awareness Training https://aucyber.com.au/phishing-awareness-training/
[10] 2025 Security Awareness Training Stats and Trends - Keepnet Labs https://keepnetlabs.com/blog/security-awareness-training-statistics
[11] Why Phishing Awareness Training Is Essential for Business Security https://keepnetlabs.com/blog/why-phishing-awareness-training-is-essential-for-business-security
[12] SMALL INVESTMENT, LARGE REDUCTION IN RISK https://www.proofpoint.com/sites/default/files/wombatsecurity/2017 Aberdeen Campaign/Wombat_ResearchPaper_SecurityAwarenessTrainingRiskReduction_August2017.pdf
[13] Calculating The ROI Of Cybersecurity Awareness Programs https://www.metacompliance.com/blog/cyber-security-awareness/roi-of-cybersecurity-awareness-programs
[14] Phishing 101 - Code Monkey Cybersecurity https://cybermonkey.net.au/phishing-101/
[15] Code Monkey Cybersecurity's Phishing Awareness Training https://cybermonkey.net.au/code-monkey-cybersecuritys-phishing-awareness-training/
[16] Annual Cyber Threat Report 2023-2024 | Cyber.gov.au https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2023-2024
[17] [PDF] ACSC Annual Cyber Threat Report https://www.cyber.gov.au/sites/default/files/2023-03/ACSC Annual Cyber Threat Report - 2020-2021.pdf
[18] Australians better protected as reported scam losses fell by almost ... https://www.nasc.gov.au/news/australians-better-protected-as-reported-scam-losses-fell-by-almost-26-per-cent
[19] [PDF] targeting-scams-report-2024.pdf - Scamwatch https://www.scamwatch.gov.au/system/files/targeting-scams-report-2024.pdf
[20] Scams cost Australian small businesses AUD $7.9 million https://securitybrief.com.au/story/scams-cost-australian-small-businesses-aud-7-9-million
[21] Australians face cyber attacks every six minutes, says ASD https://www.eftsure.com/en-au/blog/cyber-crime/australians-face-cyber-attacks-every-six-minutes-says-asd/
[22] [PDF] Cybercrime in Australia 2023 - Australian Institute of Criminology https://www.aic.gov.au/sites/default/files/2023-07/sr43_cybercrime_in_australia_2023_v2.pdf
[23] Phishing awareness training - yay or nay? : r/cybersecurity - Reddit https://www.reddit.com/r/cybersecurity/comments/1h8yx93/phishing_awareness_training_yay_or_nay/