TL;DR
- Tradies are Australia's most-targeted small business sector for cybercrime: The ASD's ACSC Annual Cyber Threat Report 2024–25 confirmed that the average small business cybercrime report costs AUD $49,600 — for a sole trader or small trade business, that is potentially a year's profit.
- Invoice fraud is epidemic among trade businesses: Fake invoices for materials, subcontractor services, and equipment finance target trade businesses because payment amounts are high, transactions are numerous, and verification processes are often informal.
- ATO and MyGov impersonation specifically targets small business: Tax time is peak phishing season for Australian tradies — fake ATO emails claiming a tax debt or refund are among the most convincing phishing attacks in Australia.
- Your mobile and tablet are your biggest vulnerability: Most tradies manage quotes, invoices, and client communications from a smartphone. A lost or stolen phone, or a malicious app installed from a third-party source, can expose your entire business.
Why Trade Businesses Are Cybersecurity Targets
Australian trade businesses — electricians, plumbers, carpenters, concreters, tilers, painters, HVAC technicians, and other licensed trades — are the backbone of the construction and services economy and a primary target for cybercriminals who prey on small businesses with high transaction volumes and limited security awareness. A busy electrical contractor might process 50+ invoices per month — each representing an opportunity for invoice fraud. A plumbing business managing 10 subcontractors on a large commercial project is processing significant payroll and subcontractor payments — each a target for bank account redirection fraud. The ASD's ACSC Annual Cyber Threat Report 2023–24 found that cybercrime cost Australian small businesses an average of AUD $49,600 per incident — and that small businesses are disp
The Top 3 Cybersecurity Threats for Trade Businesses
1. Invoice Fraud and Business Email Compromise
Invoice fraud is the most common and most costly cybercrime for Australian trade businesses. The attack takes several forms: fake invoices from impersonated suppliers (a plumber receives a realistic invoice from a fake "Reece Plumbing" or "Tradelink" account and pays it); bank account redirection on genuine supplier invoices (the supplier's email is compromised, and a "new banking details" email redirects payment to an attacker's account); and subcontractor payment fraud (an attacker impersonates a subcontractor and changes their banking details before a progress payment). For a trade business managing $50,000–$500,000 in monthly supplier and subcontractor payments, a single redirected payment can be catastrophic. The ACCC's Scamwatch data confirms that payment redirection fraud is one of the highest-loss cybercrime categories for Australian small businesses, with trade and construction businesses consistently overrepresented. The informality of many trade payment processes — approvals by phone, banking changes communicated by email without verification — makes the sector particularly vulnerable.
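The bank-account redirection attack described above can be caught before money leaves the account by comparing every invoice's BSB and account number against a vendor master list, and holding any mismatch until someone phones the supplier on a number already on file. The following Python script is an added illustration of that control, not code from the article or from lilMONSTER; the vendor names, phone numbers, BSBs and account numbers are constructed sample data, and the master-list structure is an assumption.

```python
"""Hold supplier payments whose bank details differ from the vendor master.

Added example (not from the original article). Models the "call to verify"
control: an invoice is released only when its BSB/account match the record
captured at supplier onboarding; otherwise it is held and the verifier is
told which phone number to use, taken from the master record rather than
from the invoice or the covering email. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Vendor:
    name: str
    bsb: str            # captured at onboarding, e.g. "062-000"
    account: str
    phone_on_file: str  # the number to call; never the one in a new email


@dataclass(frozen=True)
class Invoice:
    vendor_name: str
    bsb: str
    account: str
    amount_aud: float
    contact_in_email: Optional[str] = None  # untrusted: supplied by the sender


def normalise(value: str) -> str:
    """Keep digits only so '062-000', '062 000' and '062000' compare equal."""
    return "".join(ch for ch in value if ch.isdigit())


def assess_invoice(inv: Invoice, master: Dict[str, Vendor]) -> dict:
    """Return PAY only when the bank details match the master record exactly."""
    vendor = master.get(inv.vendor_name)
    if vendor is None:
        # Never pay a supplier that was never onboarded; onboarding is the
        # point at which the trusted phone number and bank details are captured.
        return {"decision": "HOLD",
                "reason": "unknown vendor - onboard and verify before paying",
                "verify_via": None}
    same_bsb = normalise(inv.bsb) == normalise(vendor.bsb)
    same_acct = normalise(inv.account) == normalise(vendor.account)
    if same_bsb and same_acct:
        return {"decision": "PAY",
                "reason": "bank details match vendor master",
                "verify_via": None}
    # A changed BSB or account is exactly the redirection pattern: hold the
    # payment and phone the number on file, ignoring any number in the email.
    return {"decision": "HOLD",
            "reason": "bank details differ from vendor master - call to verify",
            "verify_via": vendor.phone_on_file}


def run_payment_batch(invoices: List[Invoice], master: Dict[str, Vendor]) -> List[dict]:
    """Assess a whole pay run and attach the vendor name to each verdict."""
    return [dict(vendor=inv.vendor_name, amount_aud=inv.amount_aud,
                 **assess_invoice(inv, master)) for inv in invoices]


# Constructed vendor master: two suppliers onboarded with bank details and a
# phone number confirmed at the time of onboarding.
VENDOR_MASTER: Dict[str, Vendor] = {
    "Example Plumbing Supplies": Vendor("Example Plumbing Supplies", "062-000", "12345678", "0299990001"),
    "Sample Electrical Wholesale": Vendor("Sample Electrical Wholesale", "083-004", "98765432", "0399990002"),
}

# Constructed pay run: the second invoice carries "new banking details" and an
# attacker-supplied phone number in the email; the third is from an unknown sender.
SAMPLE_INVOICES: List[Invoice] = [
    Invoice("Example Plumbing Supplies", "062 000", "12345678", 4180.50),
    Invoice("Sample Electrical Wholesale", "062-999", "55555555", 23750.00, contact_in_email="0400000000"),
    Invoice("Quick Concrete Pty", "013-000", "11112222", 9900.00),
]

if __name__ == "__main__":
    for verdict in run_payment_batch(SAMPLE_INVOICES, VENDOR_MASTER):
        print(verdict)
```

In the sample run the first invoice is released, the second is held with the instruction to ring 0399990002 (the onboarding number, not the 0400000000 in the email), and the third is held because the supplier is not on the master list. The important design choice is that `verify_via` is populated only from the master record; the number in the suspect email is carried in the invoice object purely so the check can be seen to ignore it.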
2. ATO and Government Impersonation Phishing
Tradies are disproportionately targeted by phishing attacks impersonating the Australian Taxation Office (ATO), myGov, Services Australia, and state licensing bodies. These attacks exploit the fact that tradies have complex tax obligations (GST, BAS, quarterly PAYG instalments, vehicle and tool deductions, subcontractor PAYG withholding) and a legitimate anxiety about ATO compliance. A convincing email claiming "you have an outstanding tax debt of $3,400" or "your BAS refund of $2,100 is ready to claim" — with a link to a fake ATO login page — is highly effective at capturing tax agent credentials and myGov login details. Once attackers have ATO or myGov access, they can: redirect tax refunds to attacker-controlled accounts, access Medicare and Centrelink data for identity fraud, and use the compromised account for further attacks. The ATO reports significant volumes of credential phishing targeting trade businesses and self-employed individuals, particularly around BAS lodgement periods (October, February, April, July).
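The fake ATO and myGov login pages described above rely on a link whose text or domain looks official while the actual host is something else. The following Python script is an added example, not code from the article or from lilMONSTER, that extracts every link from an email body and reports whether its host really belongs to the government domain it claims. The allow-list of trusted domains and the sample email are assumptions constructed for the illustration (the article itself names only ato.gov.au).

```python
"""Check whether links in an 'ATO' or 'myGov' email point at a trusted host.

Added example (not from the original article). Standard library only.
The allow-list is an assumption for illustration; the email body and every
link in it are constructed sample data.
"""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Assumed allow-list of government domains a tradie would expect these
# emails to link to. Matching is on the whole label boundary, so
# "ato.gov.au.example.net" or "my.gov.au-verify.net" never qualify.
TRUSTED_SUFFIXES = ("ato.gov.au", "my.gov.au", "servicesaustralia.gov.au")

URL_PATTERN = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def link_host(url: str) -> str:
    """Return the host a browser would actually connect to, lower-cased.

    urlsplit().hostname already discards any 'user@' prefix and port, which
    defeats links such as https://ato.gov.au@198.51.100.7/ where the
    'ato.gov.au' part is only a username.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https"):
        return ""
    return (parts.hostname or "").lower()


def is_trusted_host(host: str) -> bool:
    """True only if host equals a trusted domain or is a subdomain of one."""
    return bool(host) and any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def classify_links(email_body: str) -> List[Tuple[str, str, str]]:
    """Return (url, host, verdict) for every link found in the email body."""
    results = []
    for url in URL_PATTERN.findall(email_body):
        host = link_host(url)
        verdict = "TRUSTED" if is_trusted_host(host) else "SUSPICIOUS"
        results.append((url, host, verdict))
    return results


# Constructed sample email: one genuine-looking link and three lookalikes.
SAMPLE_EMAIL = """\
Your BAS refund of $2,100 is ready to claim.
Log in at https://www.ato.gov.au/ to view your statement.
Or use the quick link: https://ato.gov.au.secure-refund.example/claim
Alternative portal: https://ato.gov.au@198.51.100.7/refund
myGov verification: http://my.gov.au-verify.example/login
"""

if __name__ == "__main__":
    for url, host, verdict in classify_links(SAMPLE_EMAIL):
        print(f"{verdict:10} {host:40} {url}")
```

Only the first link passes; the other three are flagged because the real host is a lookalike registered under another domain, an IP address hidden behind a fake username, or a hyphenated variant of my.gov.au. The check is deliberately a host comparison rather than a keyword search for "ato", since the attacker controls the keywords but not the registrable domain. The article's advice still stands: the safest habit is to type the address yourself rather than rely on any link at all.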
3. Malicious Apps and Insecure Mobile Devices
The tradie's smartphone is their business computer — used for quoting (Buildxact, Fergus), invoicing (Xero, MYOB, ServiceM8), job scheduling (Tradify, Simpro), time tracking, supplier ordering, and customer communication. This creates a significant security risk: a compromised or lost smartphone can expose every client's contact details, all pending quotes and invoices, supplier payment details, and cloud accounting credentials. Malicious apps downloaded from unofficial sources, or legitimate apps that have been compromised in a supply chain attack, can harvest business data and banking credentials from trade workers' devices. Lost or stolen trade vehicles containing unlocked mobile devices are a common entry point for business data theft. Unsecured public WiFi (cafes, suppliers' locations) used for business transactions can expose login credentials to eavesdroppers.
Compliance Requirements for Trade Businesses
Privacy Act 1988 (Cth)
Trade businesses with annual turnover above AUD $3 million must comply with the Privacy Act. This applies to employee records (payroll, HR), customer contact data, and subcontractor information. APP 11 requires reasonable steps to secure that information, and the Notifiable Data Breaches (NDB) scheme requires notification of eligible breaches. Penalties of up to AUD $50 million apply for serious breaches (more relevant for mid-to-large trade businesses).
Fair Work Act and Employment Records
Trade businesses employing staff must securely manage employee records, including employment contracts, payroll data, time records, and personal information. The Fair Work Act imposes record-keeping obligations, and a data breach affecting employee records triggers both Privacy Act and Fair Work considerations.
GST and BAS Obligations
Trade businesses registered for GST must secure their ATO portal and accounting system credentials. Compromise of these systems enables tax fraud with direct financial consequences for the business owner.
Licensing Body Requirements
State-based trade licensing bodies (Energy Safe Victoria, NSW Electrical Licensing, QBCC) may impose requirements around business record security as part of licensing conditions. Verify your state licensing body's requirements.
Cyber Security Act 2024
From 30 May 2025, trade businesses with turnover above AUD $3 million must report ransomware payments to the ASD within 72 hours.
The lilMONSTER Security Checklist for Trades
Enable a 4-digit PIN or biometric lock on every business device — phones, tablets, laptops — A lost or stolen unlocked smartphone is an immediate business security crisis. Enable strong screen lock (PIN of 6+ digits or biometric), enable remote wipe capability (Find My on Apple devices, Find My Device on Android), and encrypt device storage (enabled by default on modern iOS and Android). This is free and takes 5 minutes to set up.
Enable MFA on your accounting and job management apps — Xero, MYOB, ServiceM8, Tradify, Simpro, Buildxact — all support MFA. Enable it on every account. This means a phished password alone cannot access your business finances. Most platforms prompt you to enable MFA during setup — do it.
Call to verify any request to change a supplier's banking details — Before paying any invoice with banking details that differ from what you have on file, call the supplier on a phone number you already know. Do not call a number provided in the suspect email. This 30-second call prevents the most common payment fraud targeting trade businesses.
Use a separate email for ATO, accounting, and banking — and protect it fiercely — Keep your business tax and banking email separate from your general business communication email. Enable MFA on it. Never enter this email's address in response to an unsolicited contact. Treat any email from "ATO," "myGov," or your bank that contains a login link as suspicious — always go directly to the website by typing the URL yourself.
Keep your phone and business apps updated — Enable automatic updates on your business smartphone. Install app updates promptly. Out-of-date software is the most common way malware gets onto mobile devices. Only install apps from the official App Store (Apple) or Google Play Store.
Use a reputable cloud accounting app rather than local software — Cloud-based accounting (Xero, MYOB Essentials, QuickBooks Online) is more secure than software installed on a local PC, because cloud providers maintain security updates centrally, data is automatically backed up, and you can access it from any device if your main device is lost or stolen. Ensure your cloud accounting app has MFA enabled.
Be suspicious of ATO emails around BAS lodgement dates — Tax time (April, July, October, February) is peak phishing season for tradies. Treat any ATO email containing a login link as potentially fraudulent. Access the ATO always by typing ato.gov.au directly in your browser, never through an email link.
How Much Does Cybersecurity Cost for a Trade Business?
For a small trade business (sole trader to 5 employees), the most important security controls are essentially free:
- Phone/device security (PIN lock, remote wipe): AUD $0 — built into all modern devices.
- MFA on accounting apps: AUD $0 — included in all cloud accounting subscriptions.
- Annual cybersecurity training: AUD $0 — the ASD's ACSC at cyber.gov.au provides free guidance and checklists.
- Separate banking email: AUD $0–$12/month (Gmail or Microsoft 365 personal).
For a mid-sized trade business (5–20 employees, subcontractors):
- Microsoft 365 Business with MFA and email security: AUD $2,000–$8,000 per year.
- Endpoint protection for all business devices: AUD $1,000–$4,000 per year.
- Annual security assessment: AUD $2,000–$6,000.
- Total: AUD $5,000–$18,000 per year for a solid baseline.
Compare this to the ASD's figure of AUD $49,600 average loss per small business cybercrime incident — a single invoice fraud event can wipe out a year of security investment savings.
FAQ
For a sole trader or very small trade business (1–3 employees), the most critical security controls — MFA on accounting and email apps, phone PIN lock, and a verbal verification process for payment changes — cost nothing to implement. For a mid-sized trade business with staff and subcontractors, budget AUD $5,000–$18,000 per year for business-grade email security, endpoint protection, and an annual assessment. The ASD's ACSC at cyber.gov.au also provides free resources specifically for small businesses.
Invoice fraud and BAS/ATO phishing are the most common and financially damaging threats for Australian tradies. A single fraudulent invoice payment or redirected subcontractor payment can cost $5,000–$100,000. The most effective prevention is also the simplest: call to verify any banking detail change before making any payment, and never click login links in emails claiming to be from the ATO or myGov.
ISO 27001 is not relevant for most small trade businesses. The ASD's Essential Eight — particularly MFA, patching, and backup — is a much more accessible and appropriate framework for tradies. Larger trade businesses (over $5M revenue) working on government projects may face increasing security expectations from head contractors and government clients.
Rather than formal penetration testing, small trade businesses should: conduct an annual self-assessment using the ASD's Small Business Cyber Security Guide (free at cyber.gov.au); ensure all apps and devices are updated monthly; and review who has access to their accounting and job management systems every 6 months (removing ex-employees or subcontractors who no longer work with them).
If customer or employee personal information is compromised and your turnover is above AUD $3 million, you must notify the OAIC and affected individuals within 30 days. For most small trade businesses below this threshold, the primary consequences are direct financial loss (from fraud), loss of client trust, and the time and cost of recovering access to business systems. Contact your bank immediately if payment fraud is discovered — prompt notification gives the best chance of recovering funds before they are transferred internationally.
References
[1] Australian Signals Directorate, "Annual Cyber Threat Report 2023–24," ASD/ACSC, November 2024. [Online]. Available: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2023-2024
[2] ASD's ACSC, "Small Business Cyber Security Guide," Cyber.gov.au, 2024. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/small-business-cyber-security/small-business-cyber-security-guide
[3] ACCC, "Scamwatch Annual Report 2023–24," ACCC, 2024. [Online]. Available: https://www.scamwatch.gov.au/research-and-resources/statistical-data
[4] Australian Taxation Office (ATO), "Protect yourself from ATO impersonation scams," ATO, 2024. [Online]. Available: https://www.ato.gov.au/general/gen/protecting-yourself-from-tax-scams/
[5] Office of the Australian Information Commissioner (OAIC), "Notifiable Data Breaches Report: January to June 2024," OAIC, September 2024. [Online]. Available: https://www.oaic.gov.au/privacy/notifiable-data-breaches/notifiable-data-breaches-publications/notifiable-data-breaches-report-january-to-june-2024
[6] IBM Security, "Cost of a Data Breach Report 2024," IBM Corporation, 2024. [Online]. Available: https://www.ibm.com/reports/data-breach
[7] Australian Government, "Privacy and Other Legislation Amendment Act 2024 (Cth)," Federal Register of Legislation, 2024. [Online]. Available: https://www.legislation.gov.au
[8] Australian Government, "Cyber Security Act 2024 (Cth)," Federal Register of Legislation, 2024. [Online]. Available: https://www.legislation.gov.au
[9] Australian Small Business and Family Enterprise Ombudsman (ASBFEO), "Cybersecurity for small businesses," ASBFEO, 2024. [Online]. Available: https://www.asbfeo.gov.au/business-toolkits/cyber-security
[10] Council of Small Business Organisations Australia (COSBOA), "Small Business Cybersecurity Report," COSBOA, 2024. [Online]. Available: https://www.cosboa.org.au
Need help securing your Trade business? Book a free consultation with lilMONSTER — we make cybersecurity simple and affordable for Australian tradies and small businesses.