On a Tuesday afternoon in August 2024, the accounts payable team at a mid-sized Brisbane logistics firm called Verada Freight received an email from what appeared to be the company's managing director. The message requested an urgent supplier payment of $187,000 to a new bank account. The writing style was consistent, the email domain appeared correct at a glance, and the request was time-sensitive. A staff member processed the transfer.
The managing director had sent no such email. The domain was one letter off — a technique known as typosquatting. By the time the fraud was identified, the funds were offshore and unrecoverable. The Australian Federal Police later confirmed the attack had been generated using a large language model trained on publicly available emails attributed to the executive, scraped from conference bios, press releases, and LinkedIn.
It is a case study in what the cybersecurity industry now calls AI-augmented business email compromise, and it is becoming more common at precisely the rate that AI tools are becoming cheaper and more accessible to criminal organisations.
The AI threat is not theoretical
For most of the past decade, Australian businesses were told the biggest threat was unsophisticated phishing: generic emails with spelling errors, implausible pretexts, and obvious red flags. That threat has not disappeared, but it has been joined by a more capable generation of attacks built on the same large language models powering legitimate business productivity tools.
Researchers at Darktrace, a Cambridge-based cybersecurity firm with significant Australian operations, published analysis in early 2025 showing that AI-generated phishing emails now clear internal spam filters at a 78 percent higher rate than human-authored equivalents, largely because they lack the linguistic tells that filter algorithms were trained to detect. The same researchers found that the average time between initial network compromise and lateral movement — an attacker moving from one system to another within the same organisation — had fallen from 48 hours in 2022 to under three hours in 2024, as attackers automate reconnaissance and exploitation steps.
For a business without 24/7 monitoring, three hours is often longer than what remains of the working day when an incident is detected. For a business with a managed security operations centre, it is usually longer than detection and initial containment take.
Zero trust as operational reality
The phrase "zero trust" has been circulating in enterprise security circles since John Kindervag at Forrester Research codified the framework in 2010. For most of the subsequent decade, it remained an aspiration for large organisations and an abstraction for everyone else. In 2025, it is increasingly a practical baseline that mid-market businesses can implement through managed security service providers at costs that were not feasible five years ago.
The principle is straightforward: no user, device, or application is implicitly trusted based on network location. Every access request is authenticated, authorised, and logged. Every device is verified before connecting. Lateral movement — the technique that turned what should have been a contained incident at Verada Freight into a total loss — becomes dramatically harder when network segments cannot communicate freely and privileged access is tightly scoped.
For Australian businesses, the regulatory backdrop has sharpened the commercial case considerably. The amended Privacy Act 1988 now imposes obligations around data handling that presuppose meaningful access controls. APRA's CPS 234 information security standard, mandatory for APRA-regulated entities and increasingly adopted as a benchmark by non-regulated firms working with them, requires information security capability commensurate with the size and extent of data held. The Office of the Australian Information Commissioner reported 527 eligible data breach notifications under the Notifiable Data Breaches scheme in the second half of 2024, a 19 percent increase on the same period the prior year.
What managed security services actually provide
The managed security services model bundles several capabilities that are individually difficult to staff for. A security operations centre provides continuous log monitoring across endpoints, networks, and cloud environments, correlating signals that would appear innocuous in isolation but indicate attack patterns when viewed together. Threat intelligence feeds update detection rules in near real-time as new indicators of compromise are published. Incident response retainer agreements mean a team can be engaged within hours rather than days when something serious occurs.
For a business like Verada Freight — approximately 85 employees, $42 million in annual revenue, no dedicated security staff — building this capability internally would require at minimum a security analyst at $120,000 per year, a SIEM platform licence at $40,000 to $80,000 annually, and endpoint protection tooling at a further $15,000 to $30,000. A managed security service covering equivalent scope typically runs between $3,500 and $7,000 per month for an organisation of that size.
The economics are not the only argument. The skills shortage in Australian cybersecurity is acute. The Australian Computer Society's 2024 Digital Pulse report estimated a shortfall of 30,000 cybersecurity professionals nationally, with demand growing at roughly twice the rate of domestic graduate supply. Businesses competing for that talent against banks, government agencies, and large technology firms are at a structural disadvantage.
Verada Freight has since engaged a managed security provider. The engagement began with a forensic review of their email environment and identity infrastructure, implementing multi-factor authentication across all accounts and deploying an email security layer that flags lookalike domain attempts before they reach staff inboxes. The $187,000 loss is not recoverable. The probability of a repeat is substantially lower.
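The lookalike-domain check described above can be sketched in a few lines. This is an added example, not code from Verada Freight or its provider; the domain veradafreight.example, the sample headers and the function names are constructed for illustration. It measures how many single-character edits separate a sender's domain from a trusted one and flags anything one edit away.

```python
from email.utils import parseaddr

# Constructed allowlist: the article does not give the firm's real domain.
TRUSTED_DOMAINS = {"veradafreight.example"}

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(from_header: str, max_distance: int = 1):
    """Return (verdict, imitated_domain) for one From header.

    Verdicts: 'trusted', 'lookalike', 'external', 'unparseable'.
    """
    _, addr = parseaddr(from_header)
    _, sep, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not domain:
        return ("unparseable", None)  # fail closed: hold for manual review
    if domain in TRUSTED_DOMAINS:
        return ("trusted", None)
    for trusted in sorted(TRUSTED_DOMAINS):
        if osa_distance(domain, trusted) <= max_distance:
            return ("lookalike", trusted)
    return ("external", None)

# Constructed sample From headers, not taken from the incident.
SAMPLE_HEADERS = [
    "Managing Director <md@veradafreight.example>",   # genuine
    "Managing Director <md@veradafrieght.example>",   # two letters swapped
    "Managing Director <md@veradafreigt.example>",    # one letter dropped
    "Accounts <billing@partner-logistics.example>",   # unrelated supplier
]

def flag_lookalikes(headers):
    """Return the headers whose sender domain imitates a trusted domain."""
    return [h for h in headers if classify_sender(h)[0] == "lookalike"]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(classify_sender(header), header)
```

A distance threshold of one matches the one-letter-off case in this incident; it does not catch every imitation, so a flagged or unparseable sender should be held for review rather than treated as the only control on payment requests.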