When we first wrote this guide back in 2022, the wave of breaches at Optus, Medibank and others felt like a high-water mark. It wasn't. The threat landscape has changed shape since, and so have the tools you can use to defend yourself. This is the 2026 refresh.
The headline numbers from the Australian Signals Directorate's Annual Cyber Threat Report 2024-25 tell the story. Australians lodged over 84,700 cybercrime reports in the last financial year, which works out to roughly one every six minutes. The average self-reported loss for an individual is now $33,000, and for small business $56,600. The Office of the Australian Information Commissioner received 532 notifiable data breach reports in the first half of 2025 alone, with malicious or criminal attacks behind 59% of them.
Two things have shifted since our last guide. First, attackers now have AI on their side, which means scams are cheaper, faster and far more convincing. Second, the rest of us have a much better defensive tool than we did in 2022: passkeys, with a YubiKey as the strongest version of one.
At Trust Panda we work with enterprise customers to secure identity and access at scale. As an individual you don't have a corporate budget, but you can adopt the same principles. Here is the 2026 version of our personal cyber playbook.
Step 1 - Get the Basics Right
The fundamentals haven't changed, even if the threats have.
- Patch and update everything. Windows, macOS, iOS, Android, your router, your smart TV. Turn on automatic updates wherever the option exists. If a device is too old to receive updates, stop using it for anything sensitive.
- Turn on multi-factor authentication (MFA) on every account that offers it. Email and your password manager first, then banking, then everything else. Avoid SMS codes where you can - SIM swap attacks are now common enough that the ACSC calls them out by name. Use an authenticator app at minimum, and a hardware security key for the accounts that matter most. Our YubiKeys are designed for exactly this.
- Back up your important data to something that isn't always connected. Ransomware specifically targets backups it can reach over the network. An "air-gapped" backup - a drive you plug in, copy to, and unplug - is the one ransomware can't touch. We stock a range of encrypted external drives for this.
- Use unique passwords for every account, stored in a password manager. 1Password, Bitwarden and similar tools generate and remember complex passwords for you. Reusing passwords is what turns one breach into ten.
- Watch for scams. See the AI section below for why this is harder than it used to be.
Step 2 - Move from Passwords to Passkeys
This is the biggest change since our 2022 guide. Passwords are on the way out. Passkeys are what's replacing them.
What is a passkey, in plain English?
A passkey is a digital credential that proves it's really you, without you ever typing a password. Instead of a secret you remember (and that an attacker can phish, guess or buy on a leak site), a passkey is a pair of cryptographic keys: one stays on your device or security key, the other is held by the website. To sign in, your device proves it has the matching key by solving a cryptographic challenge. The actual secret never leaves your device, and there is nothing for a fake login page to steal.
Passkey vs password: why the difference matters
| Password | Passkey |
|---|---|
| You type it on every site | Your device proves it cryptographically |
| Can be phished, guessed, reused, leaked | Cannot be phished or reused across sites |
| Stolen in every major data breach | The site only stores a public key, useless to attackers |
| You have to remember it | The device handles it - you just touch, tap or use a fingerprint |
Apple, Google, Microsoft, GitHub, Amazon, Facebook, eBay, PayPal and most major services now support passkeys. If a site offers them, turn them on.
A note on Australian banking: passkey support here is still patchy. Ubank (the NAB-owned digital bank) was the first to roll out full passkey login across app and web, and ANZ Plus offers passwordless web banking using passkeys. The other Big Four - NAB's main brand, CommBank and Westpac - have not enabled passkeys for retail customers yet, and none of the Australian consumer banks currently support hardware security keys like YubiKeys for everyday login. For now, the strongest defence on those accounts is a long unique password from your password manager, app-based login confirmation rather than SMS where offered, and a healthy suspicion of any phone call or message claiming to be from your bank.
How a YubiKey is a physical passkey
Passkeys can live in two places: in software (synced through iCloud Keychain, Google Password Manager or 1Password), or on a physical hardware key like a YubiKey. Both use the same FIDO2/WebAuthn standard. The difference is where the secret lives.
A software passkey is convenient because it syncs across your devices. The trade-off is that it lives inside an account that itself can be compromised. A hardware passkey on a YubiKey can't be copied off the key, can't be synced anywhere, and can't be used remotely. To approve a sign-in, someone has to physically touch the key. Lose the laptop, and your passkeys go with it - but the attacker still needs the key in their hand to do anything with your accounts.
For most people, the right setup is both: software passkeys for convenience on day-to-day accounts, and a YubiKey for the accounts that would ruin your week if they fell over - email, password manager, myGov, work admin accounts, social media, crypto exchanges and any service where account takeover means real damage. Buy two YubiKeys and register both, so a lost key isn't a lockout. Trust Panda is an official Yubico authorised reseller in Australia and ships from our Sydney warehouse - browse the YubiKey range or jump straight to the most popular model, the YubiKey 5C NFC.
Step 3 - Understand How AI is Changing the Threat
The biggest shift in the last 18 months is that generative AI has handed attackers a massive productivity boost. The ACSC's 2024-25 report explicitly warns that "AI allows threat actors to scale phishing, data analysis, and impersonation activity more efficiently than ever before." What does that look like in practice?
- Phishing emails are no longer obvious. The classic giveaways - broken English, mismatched logos, weird formatting - have largely been written out by AI. Australian-targeted phishing now comes in fluent local English, with the right tone, the right brand voice and personalised details scraped from leaked data and LinkedIn.
- Voice clone scams ("AI voice scams") are real and rising. Around 30 seconds of audio is enough to clone a voice convincingly. Scammers use this to impersonate family members in distress calls, or executives demanding urgent payments. If a call sounds like a loved one asking for money in a hurry, hang up and call them back on a number you already have.
- Deepfake video and image scams. Fake video calls of "the CEO" approving a transfer, fake celebrity endorsements driving investment scams, and AI-generated identity documents used to open accounts in your name.
- Faster, smarter business email compromise. AI makes it trivial for attackers to write convincing follow-ups, mimic your supplier's invoice template, and respond in real time when you ask a clarifying question.
The defensive principle is simple: assume that anything that arrives in writing or audio could be fake. Verify out-of-band - meaning by a different channel from the one the request arrived on. Got an email asking for an urgent payment? Call the person on the number you already have, not the one in the email. Got a voice call from "your son"? Hang up and call back on the number stored in your phone.
This is also where passkeys and hardware security keys do their best work. Even the most convincing AI-generated phishing site can't trick a YubiKey, because a passkey is bound to the domain it was registered on: the browser records the real domain of the page you are on, and the key will only sign for the domain its credential belongs to. If the domain is wrong - even by one character - the key simply has nothing to sign with and refuses. That is phishing resistance in a way that no human attention span can match.
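To make the mechanism behind the last two sections concrete, here is a small model of the passkey sign-in described above (the challenge, the key pair, and the domain binding) as an added illustration. It is not Yubico's, Trust Panda's or any browser's code and not a real WebAuthn implementation: it uses a textbook RSA key pair in place of the P-256 keys a real authenticator holds, and the domain `example-bank.com.au` and the look-alike `example-bank.com.au.login-verify.example` are constructed for the demonstration. It models the three parties that matter: the security key (which only ever gives out the public half and only signs for a domain it holds a credential for), the browser (which writes the real page origin into the signed data), and the website (which checks origin, challenge and signature).

```python
"""Toy model of passkey (FIDO2/WebAuthn) origin binding, for illustration only.
Not a real WebAuthn implementation: textbook RSA stands in for the P-256 keys
a real security key uses, and only the steps needed to show why a look-alike
domain gets no usable signature are modelled."""
import hashlib
import json
import random
import secrets


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test (toy key generation helper)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return ((n, e), (n, d)): the public half and the private half."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


class Authenticator:
    """The security key: one private key per website, never exported."""

    def __init__(self):
        self._credentials = {}  # rp_id (domain) -> private key

    def make_credential(self, rp_id):
        public, private = generate_keypair()
        self._credentials[rp_id] = private
        return public  # only the public half ever leaves the key

    def get_assertion(self, rp_id, client_data_hash):
        private = self._credentials.get(rp_id)
        if private is None:
            return None  # no credential for this domain: nothing to sign with
        n, d = private
        return pow(int.from_bytes(client_data_hash, "big"), d, n)


def browser_sign_in(authenticator, page_origin, rp_id, challenge):
    """The browser's role: it records the REAL page origin in the signed data
    and only lets a page use an rp_id that is its own domain (or a parent)."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("page %s may not use rp_id %s" % (page_origin, rp_id))
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    sig = authenticator.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return client_data, sig


class RelyingParty:
    """The website: stores public keys only, issues one-time challenges."""

    def __init__(self, rp_id):
        self.rp_id, self.origin = rp_id, "https://" + rp_id
        self.public_keys, self.pending = {}, {}

    def register(self, user, authenticator):
        self.public_keys[user] = authenticator.make_credential(self.rp_id)

    def begin_login(self, user):
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def finish_login(self, user, client_data, signature):
        if signature is None:
            return False
        data = json.loads(client_data)
        expected = self.pending.pop(user, None)  # challenge is single-use
        if data.get("origin") != self.origin or data.get("challenge") != expected:
            return False
        n, e = self.public_keys[user]
        digest = int.from_bytes(hashlib.sha256(client_data).digest(), "big")
        return pow(signature, e, n) == digest


def demo():
    """Genuine login succeeds; replay and two look-alike-site attempts fail."""
    bank, key = RelyingParty("example-bank.com.au"), Authenticator()  # constructed domain
    bank.register("alice", key)
    results = {}

    challenge = bank.begin_login("alice")
    client_data, sig = browser_sign_in(key, bank.origin, bank.rp_id, challenge)
    results["genuine"] = bank.finish_login("alice", client_data, sig)

    # Replaying the captured assertion fails: the challenge was consumed.
    bank.begin_login("alice")
    results["replay_rejected"] = not bank.finish_login("alice", client_data, sig)

    phish = "https://example-bank.com.au.login-verify.example"  # constructed look-alike
    challenge = bank.begin_login("alice")
    try:  # look-alike page asks for the bank's rp_id: the browser refuses
        browser_sign_in(key, phish, bank.rp_id, challenge)
        results["browser_blocks_foreign_rp_id"] = False
    except ValueError:
        results["browser_blocks_foreign_rp_id"] = True
    # look-alike page asks for its own domain: the key has no credential for it
    _, sig = browser_sign_in(key, phish, phish.split("://", 1)[1], challenge)
    results["key_refuses_unknown_domain"] = sig is None
    return results


if __name__ == "__main__":
    print(demo())
```

The two failure paths at the end are the point of the section: a look-alike page either cannot ask for the real site's domain at all, or asks for its own and finds the key holds nothing for it. Either way there is no password to capture and no signature the real site would accept, and a replayed assertion is rejected because each challenge is used once.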
Step 4 - Manage Your Information and Be Diligent
Businesses legitimately need information from you - to deliver an order, run a fraud check, or meet identity verification rules. That's reasonable. What's not reasonable is handing over more than is needed, or handing it to a system that doesn't deserve your trust. A few things to check:
Is the way they collect information secure? The browser padlock and an https:// address are now table stakes, not a green light - phishing sites have valid certificates too. Check the actual domain carefully. If something looks off, type the address yourself rather than clicking a link.
Are they asking you to fill in a Google Form, Microsoft Form or generic survey tool for sensitive details? Don't. Those tools are not built for collecting financial or identity data and the information typically sits in the operator's spreadsheet in clear text. Banking, ID and payment information should only be entered into a dedicated payment processor or a secure portal.
Card payments over the phone. The card number should go directly into the merchant's payment system as you read it, not be written down "to enter later." If you're being asked to email card details or send a photo, walk away.
Consider the purpose. An online store asking for name, address, email and a phone number for delivery is normal. The same store asking for your driver's licence and Medicare number is not.
Check for a real privacy policy. It should be easy to find, list what's collected, explain how it's stored, and tell you how to contact a privacy officer. Ours is here as a reference.
Reduce your blast radius. The less data a company holds about you, the less can leak when (not if) they get breached. Use email aliases for low-trust signups, decline optional fields, and close accounts you no longer use.
If the Worst Happens
If you think your data has already been exposed in a breach:
- Change the password on the affected account immediately, and on any other account where you reused that password.
- Turn on MFA - ideally a passkey or YubiKey - on the affected account and your email.
- Watch for scam follow-ups. Breached data is often used to make subsequent phishing far more believable.
- If financial information was exposed, contact your bank and consider a credit ban with the credit reporting agencies.
- If your identity has been used fraudulently, contact IDCARE - Australia's free identity and cyber support service.
- Report the incident at cyber.gov.au/report.
Useful Resources
- Australian Signals Directorate's Cyber Security Centre - alerts, guidance and incident reporting
- Scamwatch alerts - free email alerts when new scams are circulating
- eSafety Commissioner - online safety for individuals and families
- IDCARE - free help if your identity has been compromised
- Kids Helpline - staying safe online
The Bottom Line
You can't make yourself an impossible target, but you can make yourself a hard one. Patch your devices, use a password manager, and put a passkey - ideally backed by a YubiKey - on every account that matters. Be sceptical of anything urgent, especially when AI-generated voice or video is in play. And keep a clean backup somewhere your computer can't reach.
If you'd like to talk through what hardware-based security looks like for you or your business, our team in Sydney is happy to help. Get in touch at support@trustpanda.com.
