During 2025, companies around the world endured significant cyber crime challenges, with research from the Australian Signals Directorate showing increasing artificial intelligence (AI) driven attacks and an ever-evolving range of threats.
This resulted in an average cost of $97,200 for medium-sized businesses, and $56,600 for small businesses – up 55% and 14% respectively on the 2023-24 period, while large businesses saw a staggering 219% increase in average event costs, up to $202,700.
An average of 116 calls are made every day to the Australian Cyber Security Hotline, and almost 85,000 cybercrime reports were made in the year – highlighting the frequency with which attacks are happening. And that’s potentially just the tip of the iceberg, as the number of unreported cyber attacks is unknown.
So, what are the new cyber threats you need to be especially aware of in 2026? Here’s the lowdown.
New cyber threats 2026
The use of AI
AI continued to steamroll its way into our lives during 2025, and unsurprisingly it’s been a gift for cyber crooks, who can now generate high-quality deepfake videos, voices and websites, among other things.
The giveaway typos and errors in phishing emails are becoming a thing of the past too, as AI polishes and refines everything. AI is being used to analyse data at speed and scale, and its inbuilt logic is being used to spot weaknesses on macro and micro levels.
Make no mistake about it, AI has changed cyber threats forever, and more than ever you need to be on guard for anything and everything that comes through online.
Supply chain vulnerabilities exposed
In 2025, we also saw just how vulnerable companies are when their third party suppliers are breached. Take Qantas, for example – millions of customer records were lost when a third party supplier was hacked.
For contractors, this is a potential threat, based on the data you store about customers, and where you store it. If you use third party CRM or email providers, what are their safety protocols? It’s essential to ask the question.
Growing incidences of identity attacks
During the past 12 months, there’s been a sharp increase in identity attacks to gain access to companies’ systems. Traditional malware (you know, the click on a dodgy email and a bit of software gets downloaded that gives people access) is being replaced by social engineering (tricking people into revealing sensitive info), vishing (fake voice calls or texts) and access broker services. Continue reading for more.
What is vishing?
We’re all familiar with phishing, but vishing? It’s the use of voice calls to gain access to a company’s infrastructure, and during 2024 we saw a 40% compounded monthly growth in observed vishing operations, and a 442% increase between detections in the first half of 2024 and the second half.
In essence, a vishing attack will look something like this – a call is received from someone pretending to be from IT support, and the person on the other end of the line convinces you to download something or visit a webpage. In recorded incidents, hundreds of ‘spam’ emails have arrived in an inbox, and then someone from ‘IT support’ has called to warn that it’s happened and that they need to take steps to rectify it.
Add in the prospect of AI-enabled deepfake video or voice calls, and you can understand how this happens and why it works.
Broker services come to the fore
The rise of broker services is another big threat here, though it’s an indirect one, as there’s not much you can do about it bar keeping your systems and digital infrastructure as solid and updated as possible. Broker services are exactly what the name suggests: people identify ways into organisations, and then advertise that access to cyber criminals, who’ll pay for it. The number of ads placed for access increased by almost 50% at the last count, with almost 5000 ads being placed online in 2024.
‘Regular’ threats still remain
Of course, in addition to these emerging threats, the regular threats we know about still remain – and we need to stay mindful of them. Business email compromise (BEC) remained top of the threat list in some reports for 2025, while the ‘insider threat’ – disgruntled or manipulated employees – remains key. So too does human error.
For contractors, it’s essential to cover the basics: multifactor authentication as standard (including on mobiles), ensuring software is always up to date, and educating employees on what threats actually look like are all hugely important.
One misjudgement, and you’re likely looking at a loss of between $50,000 and $100,000, not to mention the time lost in trying to deal with the event – and the reputational damage you’ll face.
Ensure cyber security is at the top of your list in 2026 – because, if you don’t, you may not have a business in 2027.