    SiteKiln — Your rights on site. In plain English.

    SiteKiln gives you plain-English information, not legal advice. If you need advice specific to your situation, talk to a qualified professional.

    Cyber Security for Tradies

4 min read · Reviewed June 2026
By Scott Jones · First published 6 June 2026 · Updated 7 June 2026
    Running the Business
    Australia-wide

Guidance, not advice. General cyber-security information for small trade businesses. As at May 2026.

    Australian small businesses get hit by phishing, business email compromise and ransomware more than most realise, and each incident typically costs tens of thousands in downtime, lost payments and recovery. The good news: most attacks still exploit very basic weaknesses, so a simple baseline — the kind the Australian Cyber Security Centre (ACSC) recommends — stops the bulk of them. Invoice and ATO scams are covered separately in Invoice Fraud & Tax Scams; this is the broader picture.

    The threats beyond invoice fraud

    • Business email compromise (BEC) — crooks break into or spoof your email, watch your job and payment threads, then slip in fake bank details that look like they came from you or your client. (A redirected invoice is one of the most common outcomes of BEC.)
• Ransomware — malware that encrypts your files and job data and demands payment for the key. It usually arrives via a phishing email or dodgy attachment and then spreads to shared drives and cloud-sync folders (a synced folder copies the encrypted files just as faithfully as it copied the originals). Many gangs also copy your data out before encrypting it, so paying does not undo the exposure.
    • Account takeover — your trade software, quoting tool or cloud storage is taken over via a weak or reused password, exposing quotes, client details and ID documents.
    • Brand impersonation — scammers stand up a fake website, social account or email mimicking your business to trick your customers into paying deposits or handing over details.

    The baseline that actually helps

• Strong unique logins and MFA — long passphrases, a different one for every service (a password manager makes this painless), and multi-factor authentication on email, accounting, quoting and cloud storage. Where the service offers it, use an authenticator app or a security key; a code sent by SMS is better than nothing but can be phished or intercepted. This is one of the ACSC's top controls for stopping account compromise and BEC.
    • Keep everything updated — auto-update phones, tablets, laptops and your business apps so known holes get patched (a core part of the ASD Essential Eight).
    • Back up your key data — three copies, two media types, one off-site or disconnected, so ransomware can't wipe you out (see Backing Up Your Business).
    • Lock down devices — screen locks, disk encryption and remote-wipe for lost phones and laptops, and no crew-wide shared logins so one stolen device doesn't expose everything.
    • Secure your cloud and quoting tools — turn on MFA, review who has access, and remove old or generic accounts.

    A simple baseline checklist: MFA on email and accounting, auto-updates on every device, a daily cloud backup of jobs and invoices, and unique passwords in a password manager.

    Staff awareness for a small crew

    Train everyone to pause on emails with urgent payment demands, bank-detail changes, "view invoice" links or unexpected attachments — and to verify any big money move by phone on a known number, not one in the email. Put it in writing that any request to change bank details or pay a large invoice is double-checked on a separate channel. And tell your customers how you will and won't contact them ("we'll never send a payment link by SMS") so a fake is easier to spot. A two-minute phone call beats losing a month of invoices.

    What to do after a breach or scam

    • Move on the money first — contact your bank or card provider immediately to try to stop or recall the transaction, and stop sending any more money (Scamwatch).
• Secure the systems — change passwords from a device you trust and sign out of all active sessions, turn on MFA where it was missing, check your email for sneaky mail-forwarding and delete-message rules (a classic BEC trick: the attacker keeps a copy of your mail and hides the replies that would tip you off, and a password change alone does not remove the rule), remove any connected apps or devices you don't recognise, and scan the affected devices before using them normally.
• Report it — scams to Scamwatch (the National Anti-Scam Centre) and cyber incidents like ransomware or email compromise to the ACSC through ReportCyber at cyber.gov.au, which can give guidance and help protect others.
    • For brand impersonation — report the fake site to its host and the platforms, and warn your customers through your own channels.
• For identity exposure — IDCARE is the free national identity and cyber support service that helps individuals plan their recovery.
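For the "check your email for sneaky mail-forwarding rules" step, here is an added example (it is not part of the SiteKiln guide) of what that check looks like when your email runs on Microsoft 365. It assumes you are an administrator of the tenant and have installed the ExchangeOnlineManagement PowerShell module; it lists mailbox-level forwarding, inbox rules that forward, redirect or delete mail, and mail flow rules that copy mail elsewhere, and flags anything pointed outside your own domains. If your email is on Google Workspace or another provider, the same checks live in that provider's admin console rather than in this script.

```powershell
# Added example, not from the SiteKiln guide: audit a Microsoft 365 / Exchange Online
# tenant for the forwarding and hiding tricks used in business email compromise.
# Assumes: you are a tenant admin and have run Install-Module ExchangeOnlineManagement.

Connect-ExchangeOnline   # browser sign-in; use an admin account that has MFA turned on

# Domains that belong to your business; anything else counts as "external"
$ourDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

# Turns a rule target such as '"Jo Smith" [SMTP:jo@example.com]' into its domain
function Get-TargetDomain([string] $target) {
    ($target -replace '^.*@', '' -replace '[\]>\s].*$', '').ToLower()
}

$mailboxes = Get-Mailbox -ResultSize Unlimited

Write-Host "== 1. Mailbox-level forwarding (set in mailbox settings, survives a password change) =="
$mailboxes |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

Write-Host "== 2. Inbox rules that forward, redirect or delete mail =="
$findings = foreach ($mbx in $mailboxes) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        # Collect every address the rule sends mail to, dropping empty entries
        $targets = @(@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ })
        $external = @($targets | Where-Object { $ourDomains -notcontains (Get-TargetDomain $_) })

        # Only report rules that do something an attacker would set up
        if ($external.Count -gt 0 -or $rule.DeleteMessage) {
            [pscustomobject]@{
                Mailbox     = $mbx.UserPrincipalName
                Rule        = $rule.Name
                Enabled     = $rule.Enabled
                ExternalTo  = ($external -join '; ')
                DeletesMail = [bool] $rule.DeleteMessage
                MovesTo     = $rule.MoveToFolder   # attackers often hide mail in odd folders
            }
        }
    }
}
$findings | Format-Table -AutoSize

Write-Host "== 3. Mail flow (transport) rules that copy or redirect mail tenant-wide =="
Get-TransportRule |
    Where-Object { $_.BlindCopyTo -or $_.RedirectMessageTo } |
    Select-Object Name, State, BlindCopyTo, RedirectMessageTo |
    Format-Table -AutoSize

# Clean-up, once you have confirmed a rule is not legitimate (placeholders shown):
#   Remove-InboxRule -Mailbox jo@example.com -Identity "Rule name"
#   Set-Mailbox -Identity jo@example.com -ForwardingSmtpAddress $null -ForwardingAddress $null
#   Remove-TransportRule -Identity "Rule name"

Disconnect-ExchangeOnline -Confirm:$false
```

Run all three sections rather than just the inbox rules: mailbox-level forwarding and mail flow rules are set by an administrator (or by an attacker who has got hold of an admin account) and are easy to miss when you only look at the compromised user's own rules. Anything that forwards to an address you don't recognise, or that deletes mail, should be removed before you assume the account is clean.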

    Common mistakes

    • No MFA on email — the single biggest gap behind BEC.
    • Paying a changed bank detail without a phone check on a known number.
• Treating cloud accounts as backups (they're not: a synced folder faithfully copies an encrypted or deleted file too — see the backup guide).
    • Not reporting, so you miss help and the recall window on the money.

    Important disclaimer

    SiteKiln provides general guidance only. Nothing on this site — including our guides, tools, templates and document hub — is legal, tax, financial or professional advice.

    Every situation is different. Laws, regulations and industry standards change. You should always check with a qualified professional before making decisions based on what you read here.

    We do our best to keep information accurate and up to date, but we cannot guarantee it is complete, correct or current. SiteKiln accepts no liability for actions taken based on the content of this site.