At a glance
- AI is supercharging cybercrime, making digital threats smarter and more relentless.
- Cybersecurity teams can also use AI to detect suspicious patterns and insider risks.
- Accountants are prime targets due to the sensitive client information they hold.
- Basic cybersecurity hygiene and practical controls are crucial for defending against attacks.
As AI supercharges cybercrime in 2026, governments and professional services firms are bracing for smarter and more relentless digital threats.
Google’s Cybersecurity Forecast 2026 predicts an acceleration of AI-enabled social engineering that enhancing the speed, scope and impact of threats. This includes more sophisticated “vishing” attacks in which scammers use deepfake voice or video communication to trick people into disclosing personal information.
Such threats are not new. But many experts say AI-driven cloning will heighten such risks through “hyper-realistic impersonations” of executives or IT staff, making attacks harder to detect and defend.
Checklist 1: The Google report suggests that:
- Cyber thieves will adopt agentic systems– autonomous AI systems that can perceive, reason, plan, and act independently – to streamline and scale their attacks.
- Ransomware threats will keep evolving.
- We will see an increase in “shadow-AI” threats, as employees use AI tools without IT leaders’ knowledge at a time when nation states are exploiting cloud and cryptocurrency vulnerabilities.
- We will also see more “shadow agent” issues, where companies’ use of AI agents for work tasks exposing them to potential data leaks, compliance violations and intellectual property theft.
- There will be a rise in “prompt injection” threats – attacks that manipulate AI to make it bypass security protocols and follow an attacker’s hidden commands.
Simone Herbert-Lowe, who leads the cyber, media and technology practice in Australia for global law firm Clyde & Co, says the flip side is that cybersecurity teams can also draw on AI to bolster security operations.
“AI can be used to detect suspicious patterns, including insider risks if there is an unusual amount of sensitive information or data being exfiltrated or exported out of a system,” she says.
Herbert-Lowe urges accounting firms to treat cyber threats as a professional and business risk, not just a technology risk. “Accountants are in a real position of trust with their clients and they often collect information that is sensitive and can be used for financial crimes.”
They should also be mindful of obligations to report notifiable data breaches under Australia’s Privacy Act.
New and ‘refined’ threats
There is a growing fear that AI will lower the barrier to entry for cyber criminals while enabling them to better research targets and generate ever-more convincing cyber-attack communications that go well beyond the old scam emails and accidental malware downloads.
Mark Whittley is co-founder and managing director of Sicarius, an Australian cyber defence firm specialising in small and medium enterprises (SMEs). He believes 2026 is shaping as a “James Bond moment” when voice cloning, deepfakes and vishing make cybersecurity “feel like an espionage thriller”.
However, he says the biggest risk for governments and businesses will come from the refinement of cyber attacks that exploit routine business behaviour, rather than the emergence of new threats. “Vishing, business email compromise and AI-assisted impersonation are effective precisely because they look ordinary,” Whittley says.
Attackers understand that they do not need to breach sophisticated systems if they can persuade employees to compromise security protocols with tailored and believable scams.
C-suites on edge
In such an environment, AI-driven threats have C-suite teams in a sweat. The 2026 Tech Trends and Priorities Global Pulse Poll from global IT organisation ISACA indicates that regulatory complexity and business continuity will dominate the agendas of Australia’s technology and security leaders in 2026.
“Many businesses still think … ‘we’re too small to matter.’ Attackers do not think in those terms.”
Mark Whittley, Sicarius
The survey findings reveal that fewer than half of respondents are extremely or very confident their organisation can successfully navigate a ransomware attack. In Oceania, 67% of respondents say AI-driven cyber threats and deepfakes will be their main headache, while 45% worry most about reputational damage caused by failing to detect or respond to a major breach.
Checklist 2– ISACA identifies key steps to stay cyber-safe, including:
- establishing robust AI governance and risk frameworks;
- accelerating workforce upskilling and talent pipeline development;
- modernising legacy systems to reduce vulnerabilities;
- developing and regularly testing incident-response plans; and
- focusing on regulatory complexity and international compliance requirements.
Whittley adds that smaller entities, in particular, need a change of mindset. “Many businesses still think, ‘we’re not Medibank or Optus – why would anyone target us?’, or ‘we’re too small to matter.’ Attackers do not think in those terms.”
Cybersecurity hygiene the key
As part of its 2026 Planning Guide for Cybersecurity, Gartner warns that many organisations are focusing “too much on sophisticated attacks and not enough on basic cybersecurity hygiene and incident response practices”. That, it says, leaves them exposed to ransomware and account takeover risks.
Given the volume of financial information and data that accounting firms collect and store, Herbert-Lowe says getting the basics right will be especially crucial as threats rise.
Checklist 3 – Herbert-Lowe’s list of basics includes:
- exchanging sensitive information through a secure portal, not standard email platforms;
- using multi-factor authentication to safeguard emails and data; and
- educating staff on cyber safeguards.
Herbert-Lowe warns that payment redirection fraud will be a particular risk for accounting firms in 2026 as cyber criminals try to deceive employees into transferring funds to a bogus account.
Whittley agrees that significant risks for accounting firms will include impersonation, payment redirection fraud and unauthorised access to sensitive client data. “These risks are amplified by trust – both the trust clients place in their accountant and the trust accountants place in familiar communications,” he says.
He says protecting firms and clients requires an emphasis on controls that are practical and provable.
Checklist 4 – Whittley lists the critical client controls as:
- strong identity management;
- verification steps for financial transactions;
- restricted access to sensitive systems; and
- regular review of logs and alerts.
“Just as importantly, firms must be able to explain and evidence these controls when clients, insurers, or regulators ask how risk is being managed,” Whittley adds.
Checklist 5 – The Google report also warns of increasing cyber threats from nation states including:
- Russia, concentrating on intelligence collection to support its global political and economic interests;
- China, prioritising cyber espionage tactics;
- Iran, focusing on cyber espionage, disruptive attacks and information operations targeting Israel and its allies; and
- North Korea, targeting cryptocurrency organisations and users.
However, Whittley says such nation-state activity should not be the primary driver of risk for most SMEs in Australia. “The overwhelming majority of incidents affecting this segment are caused by financially motivated criminal groups,” he says. “These groups operate on volume. They make thousands of attempts knowing only a small number need to succeed.”
Be proactive
In a sign that technology and cyber threats are now whole-of-society factors, Scouting America, the group formerly known as the Boy Scouts, will be giving scouts the chance to earn merit badges related to AI and cybersecurity. That is part of an effort to stay relevant in a digital world.
Herbert-Lowe encourages businesses to be similarly pre-emptive as they seek to repel cyber threats, rather than responding to government or regulatory demands. “At the end of the day, it’s really up to the businesses themselves to take the lead because of their position of trust. Every accounting practice has a legal duty to take reasonable care to prevent loss to its clients.”
Whittley notes that cybersecurity cannot eliminate all risk.
“But it’s about changing the economics so attackers move on to easier targets,” he concludes. “For most SMEs, demonstrable, well-managed controls are enough to achieve that – and to stand up confidently to scrutiny when it matters.”
Better to be stirred now, it seems, rather than shaken later.
Develop a clear, practical understanding of how artificial intelligence (AI) can complement and enhance their existing workflows with this on-demand CPD.
