The Cost of One Click
In 2025, a single click can take down an entire business. That’s not exaggeration – it’s the reality CIOs, CTOs, and IT managers are facing across Australia.
Phishing attacks have become smarter, faster, and harder to spot. Cybercriminals no longer just use emails with spelling mistakes. Those days are gone. Instead, they create AI-powered traps that mimic your bank, your partners, or even your CEO. All it takes is one employee clicking a link, and your organisation could be facing ransomware, data theft, or compliance fines.
The 2025 Phishing Benchmarking Report by KnowBe4 confirms this risk.
The good news? With the right mix of Security Awareness Training (SAT) and Exigo Tech’s Managed Security as a Service (MSaaS) offering, organisations can reduce this risk dramatically.
At Exigo Tech, we work with businesses every day that ask the same question:
“How do we protect our people, our infrastructure, and our reputation from phishing?”
This blog reveals the key findings from the 2025 report, explores what they mean for businesses, and shows how Exigo Tech’s MSaaS offering provides the protection, expertise, and scalability leaders need.
Key Findings & Trends: Where Businesses Stand in 2025
The Phish-prone Percentage (PPP) measures how likely employees are to click on a phishing link. Across Australia and New Zealand, the numbers tell a story of both risk and resilience.
Large Enterprises Are Most at Risk
- Companies with 1,000+ employees in ANZ recorded a PPP of 44.6%, the highest globally.
- Finance and banking sectors faced the highest risks, with almost half of employees likely to click a malicious link before training.
Medium and Small Businesses Not Immune
- Organisations with 250–999 employees had a baseline PPP of 29.2%.
- Even small businesses (1–249 employees) showed 25% susceptibility, proving no one is too small to be targeted.
The best news is that improvement is achievable: training works.
- After 90 days of Security Awareness Training (SAT), PPP dropped significantly across industries.
- After one year of sustained training, ANZ organisations achieved an average PPP of just 4.9% – a gold standard.
This shows that human risk management, when integrated into culture, pays off.
Why Training Alone Isn’t Enough
The report makes it clear that ongoing SAT is essential, but it also highlights the limits of training in isolation.
- One-off workshops don’t work. Employees forget, and attackers evolve.
- Consumer services and tech sectors showed that even with training, phishing risk can rebound without continuous reinforcement.
- Real-time coaching and simulations are necessary to keep employees alert to new tactics.
Phishing is no longer just about “don’t click suspicious links.” Today’s attackers use business email compromise (BEC), AI-generated spear phishing, and ransomware-as-a-service to bypass filters.
That’s why training must be paired with active monitoring, endpoint protection, and managed security services.
The Evolving Threat Landscape in Australia and New Zealand
Phishing is only the entry point. Once attackers are inside, the fallout escalates quickly.
Critical Infrastructure in the Crosshairs
In 2024, Australia saw a spike in attacks targeting the electricity, water, gas, education, and transport sectors. These are not just IT problems; they are national resilience challenges.
Ransomware on the Rise
The Australian Cyber Security Centre (ACSC) responded to more than 1,100 incidents in a year, with ransomware topping the list. For many businesses, recovery costs ran into millions.
Compliance Gets Tougher
The Cyber Security Act 2024 introduced:
- Mandatory ransomware payment reporting
- Stricter security baselines for smart devices
- Heightened expectations for boards and executives
In other words, regulators now expect businesses to prove they are secure, not just compliant on paper.
Increased Cyber Incidents
New Zealand reported a 15% increase in cyber incidents in 2024, echoing Australia’s trends. Both countries face the same pressure: build cyber resilience or risk falling behind.
The Skills Gap: A Challenge Leaders Can’t Ignore
Even as the threat landscape grows more complex, both Australia and New Zealand face a serious cybersecurity skills shortage.
- The 2023–2030 Australian Cyber Security Strategy prioritises workforce development because demand for skilled talent far outstrips supply.
- Reskilling and education initiatives help, but hiring a full in-house SOC team remains unrealistic for most businesses.
This is where Exigo Tech’s Managed Security as a Service (MSaaS) becomes a game-changer.
Managed Security as a Service (MSaaS): The Modern Answer to Phishing Risk
Exigo Tech’s MSaaS offering provides businesses with enterprise-grade security without the overhead of building in-house teams.
Here’s how MSaaS directly addresses the risks revealed in the 2025 Phishing Benchmarking Report:
- 24/7 SOC powered by eSentire: Always-on monitoring to detect phishing, ransomware, and insider threats.
- Microsoft 365 Business Premium + Defender for Endpoint: Industry-leading protection across identities, data, and devices.
- AI-driven threat hunting and automated response: Rapid detection and response, even against sophisticated zero-day phishing attacks.
- Scalable, zero-upfront-cost model: Customised to your size and sector, whether you are a 50-person small firm or a medium-sized business.
With MSaaS, organisations get immediate access to expert SOC analysts, compliance advisors, and AI-driven detection capabilities, all for a predictable monthly cost. In short, you get enterprise-grade protection without enterprise overhead.
Linking the Findings to Exigo Tech Services
The 2025 report is more than numbers; it’s a blueprint for where ANZ businesses must focus. Here’s how Exigo Tech aligns with those findings:
- Reduce phishing PPP: By combining SAT with endpoint protection and real-time detection.
- Close the skills gap: With MSaaS taking over monitoring, incident response, and compliance support.
- Meet compliance requirements: Through audits, risk assessments, and alignment with the Cyber Security Act 2024.
- Strengthen identity and access: With Zero Trust Security Assessments to limit lateral movement post-phishing.
We don’t just provide tools; we deliver partnership and strategy so your organisation can stay ahead of threats.
Conclusion: From Risk to Resilience
This is a wake-up call for Australia and New Zealand. Phishing remains rampant, ransomware is surging, and compliance rules are tightening.
At Exigo Tech, we believe the combination of ongoing SAT and MSaaS is the key to building resilience. It’s not about ticking compliance boxes, it’s about protecting your people, your customers, and your future.
FAQs
What is PPP?
PPP stands for Phish-prone Percentage: the percentage of employees likely to click on a phishing link.
How do SAT programs reduce phishing risk?
Through simulations, coaching, and reinforcement, SAT lowers phishing risk.
Why choose MSaaS over in-house solutions?
MSaaS delivers 24/7 SOC monitoring, AI-driven response, and compliance expertise without the cost and complexity of hiring talent.
How does MSaaS adapt to evolving threats?
Exigo Tech’s MSaaS leverages AI, automation, and global threat intelligence to evolve as attackers do.