The simple habits that shut down AI cybercrime

AI is a blessing and a curse in cybersecurity: attackers use it to scale convincing scams and defenders use the same tech to disrupt crime. A recent CommBank webinar revealed what best practice looks like for Australian businesses.

20 March 2026

  • AI is supercharging scam volume and realism, with business email compromise (BEC) leading to account takeover, invoice fraud and payroll redirection.
  • Defence is shifting to interception: for example, CommBank uses AI bots to engage scammers and waste their time.
  • Businesses should focus on people, processes and technology. Foster a questioning culture, and enable multi-factor authentication, automatic updates and offsite backups. Simple, repeatable habits deliver the biggest risk reduction.

As cybercriminals use increasingly sophisticated technologies to develop more complex and convincing scams, the fundamentals of security matter more than ever. CommBank’s Michael Smale and Jess Thomas from the National Office of Cyber Security (NOCS) say that the difference today is that the pace and maturity of modern attacks mean set-and-forget security basics are no longer enough.

The Australian Government’s approach is constantly evolving, as it must. Thomas quoted Australian Minister for Cybersecurity Tony Burke, who said: “Cyberattacks are evolving so quickly that the normal methods of how government would assist just aren’t appropriate.”

In that same speech, Burke went on to say that public-private partnership is vital because the threats and solutions to cybercrime will affect all sectors. That’s why the government is working with businesses and business groups to evolve and innovate at a rapid pace, Thomas says.

Thomas adds that the 2024-2025 Cyber Threat Report from the Australian Signals Directorate reveals the growing economic threat cybercrime presents for Australian businesses: “The average self-reported cost of cybercrime for businesses was $80,850 which is up by 50%.”

Cybercrime is not a threat that can be countered by government measures alone. There is plenty that businesses themselves must do, Thomas and Smale say, to disrupt and block cyberattacks.

“The average self-reported cost of cybercrime for businesses was $80,850 which is up by 50%.”
- Jess Thomas, Assistant Director, National Office of Cyber Security (NOCS)

Scams arrive at the speed of AI

AI is altering the economics and tempo of cybercrime, but the foundation of a cyberattack is often still mundane. Smale says the humble inbox remains a major crime channel. This part of every staff member’s daily work platform is where “the most common type of attack we see” begins, he says.

Business email compromise (BEC) typically works in one of two ways: the attacker either impersonates a trusted identity (someone within the organisation or at one of its business partners) or takes over a real account, and then uses that position to redirect payments or steal sensitive information.

Imagine a phishing email – far more convincing now that criminals use AI to make their approaches more professional and realistic – that lures a user to a fake login page where their username and password are stolen. From there, the attacker conducts reconnaissance inside the mailbox, which includes downloading legitimate documents such as invoices, editing the payment details and sending the altered invoice onwards in the legitimate email thread. Alternatively, they might start communicating with the HR department to change the bank account details for the staff member’s salary: a relatively common payroll redirection scam.

Such fraud often succeeds, Smale says, because it exploits normal, legitimate business systems and processes.

These types of attacks are not exotic. They are process-based, he says: they exploit existing systems, trust and sometimes culture. And, in an AI-fuelled environment, they are more numerous and more believable than ever.

“A few years ago, phishing emails and messages were largely gibberish,” Smale says. “The advent of generative AI has meant that even the least sophisticated attackers can craft emails and even websites that look and behave like the real deal.”

His advice is as simple as it is blunt. “If someone is asking you for personal or sensitive information in an email or message, stop and take a moment to consider what it is you’re doing … Check with the organisation directly from a trusted number or through an email address that you know and you can find publicly.”

“If someone is asking you for personal or sensitive information in an email or message, stop and take a moment to consider what it is you’re doing.”
– Michael Smale, Manager, Security Outreach and Customer Engagement, CommBank

AI in cyber defence: intercept rather than react

In the cyber defence realm, AI means agents can intercept attacks as they occur. Smale says CommBank is working with apate.ai, a business that uses AI-powered bots to engage scammers in a live environment, gather intelligence and waste criminal time.

“The bots are designed to mimic an authentic Australian accent and respond to real-time questions, making the interaction feel genuine to the scammer,” he says. “Every minute a scammer spends talking to a bot is a minute they’re not targeting another Australian.”

“Every minute a scammer spends talking to a bot is a minute they’re not targeting another Australian.”
– Michael Smale, Manager, Security Outreach and Customer Engagement, CommBank

AI bots are not a silver bullet. However, their existence proves the arsenal used in the battle against cybercrime is expanding and innovating too.

On the government side, Thomas says various working groups have partnered with businesses to analyse and mitigate cyber risk. She says NOCS welcomes collaboration with Australian businesses, and recommends the reports published on the Australian Signals Directorate’s cyber.gov.au, which cover topics ranging from data leaks and privacy breaches, to the reliability and manipulation of AI outputs, to supply-chain vulnerabilities.

“I also encourage you to collaborate with each other,” she says. “Share what you are seeing and experiencing. That's such an effective way to mitigate some of these risks.”

“I also encourage you to collaborate with each other. Share what you are seeing and experiencing. That's such an effective way to mitigate some of these risks.”
–  Jess Thomas, Assistant Director, National Office of Cyber Security (NOCS)

What businesses should do right now

Within businesses, Smale says, it’s best to boil cyber defence down to three core ingredients: people, processes and technology.

People: take a long, hard look at culture, Smale says. Poor culture isn’t just bad for retention and productivity, it also means people are less engaged in cybersecurity and less likely to flag issues. “Is it a culture of hiding bad news?” he asks. “Is it a very hierarchical organisation with a culture of not necessarily questioning requests from above?”

Processes: verification beats sophistication. Verify important and private information on a human-to-human basis or via a secure channel. Don’t trust email. Also, minimise the collection of sensitive data. “If it’s sensitive data you don’t need, don’t collect it and don’t store it,” he says.

Technology: Smale’s priority list is refreshingly basic. Enable multi-factor authentication. Turn on automatic updates. Implement reliable backups stored elsewhere. “Turning on multifactor authentication is one of the simplest ways to stop criminals,” Smale says. “Your password may slip, but your second factor won’t.”
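The process control described above (verify changed payment details human-to-human or via a secure channel, never by trusting the email itself) applied to the invoice-fraud and payroll-redirection scenario. This is an added example, not CommBank’s or NOCS’s code; the register, the request structure and the set of channels treated as secure are constructed assumptions.

```python
"""Hold payment requests whose bank details differ from the details on file."""
from dataclasses import dataclass

# Constructed register: the bank details and contact number the business already
# holds for each payee, recorded independently of any incoming email.
REGISTER = {
    "acme-pty":   {"bsb": "062-000", "account": "12345678", "phone_on_file": "+61 2 9000 0000"},
    "staff-0042": {"bsb": "083-001", "account": "87654321", "phone_on_file": "+61 4 0000 0000"},
}

# Assumed secure channels: a change arriving here counts as verified. Email never does.
SECURE_CHANNELS = {"in_person", "mfa_portal"}


@dataclass
class PaymentRequest:
    payee_id: str
    bsb: str
    account: str
    channel: str                    # "email", "in_person", "mfa_portal", ...
    callback_to_number_on_file: bool = False   # confirmed by phoning the stored number?


def assess(req: PaymentRequest) -> dict:
    """Return 'pay', 'hold' (needs out-of-band verification) or 'reject', with a reason."""
    known = REGISTER.get(req.payee_id)
    if known is None:
        return {"decision": "reject", "reason": "payee not in register"}

    if (req.bsb, req.account) == (known["bsb"], known["account"]):
        return {"decision": "pay", "reason": "matches details on file"}

    # Changed bank details are the signature of invoice fraud and payroll redirection.
    # Accept the change only if it came through a secure channel or was confirmed by
    # calling the number already on file (a number quoted in the email does not count).
    if req.channel in SECURE_CHANNELS:
        return {"decision": "pay", "reason": f"change received via secure channel {req.channel}"}
    if req.callback_to_number_on_file:
        return {"decision": "pay", "reason": "change confirmed on number on file"}
    return {
        "decision": "hold",
        "reason": f"bank details changed via {req.channel}; call {known['phone_on_file']} before paying",
    }
```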

Cyber risk reduction comes from simple operational habits, backed by attention and discipline. AI is accelerating the risk landscape, Smale and Thomas say, but the businesses that keep pace will be those that match modern tools with excellent people training and unglamorous, repeatable controls that make it far more difficult for cybercriminals to turn trust and routine into stolen data and money.

Things you should know

  • This article is intended to provide general information of an educational nature only. It does not have regard to the financial situation or needs of any reader and must not be relied upon as financial product advice. You should consider seeking independent financial advice before making any decision based on this information. The information in this article and any opinions, conclusions or recommendations are reasonably held or made, based on the information available at the time of its publication, but no representation or warranty, either expressed or implied, is made or provided as to the accuracy, reliability or completeness of any statement made in this article. The Commonwealth Bank of Australia (CBA) does not endorse the services or advice of a particular provider. 

    The links within this article will bring you to a third party website, owned and operated by an independent party over which CBA has no control ("3rd Party Website"). Any link you make to or from the 3rd Party Website will be at your own risk. Any use of the 3rd Party Website will be subject to and any information you provide will be governed by the terms of the 3rd Party Website, including those relating to confidentiality, data privacy and security.

    CBA cannot guarantee that by implementing the advice in this article you will never be a victim of fraud.