Google has warned that a new kind of cyber trick is on the rise as more people use AI tools like Gemini. Security researchers recently showed that hidden instructions inside everyday items like emails or calendar invites can fool an AI assistant into doing the wrong thing. Think reading out sensitive info or taking actions you did not intend. This method is called indirect prompt injection.

In one demo, a calendar invite carried sneaky text in the event title. When the user asked Gemini to summarise the day, the AI read the hidden line and tried to act on it. The point is not that you did something wrong. It is that attackers now hide inside the tools we use to save time. Google has begun adding more checks, but everyone still needs to be careful.

📍⚠️Why regional WA & other states and territories should care

Scammers chase the easiest win. Small businesses are prime targets because email often runs the show for quotes, invoices and bookings. Across Australia, losses to scams remain high this year, and email based fraud keeps featuring in the data.

Closer to home, Consumer Protection WA has warned about seasonal tax time scams and urges regular password changes and multi factor authentication. WA ScamNet is also tracking fresh local scams and offers alerts you can subscribe to.

🫆🕵️‍♀️What this looks like day-to-day

• An email quote or calendar invite looks normal, but a connected AI assistant reads hidden instructions inside it and tries to pull data from your mailbox.

• A fake invoice arrives that copies your supplier’s style, right down to the logo and tone. This is classic business email compromise.

🫵🏆Five quick wins you can do today

1. Turn on multi factor authentication for Google accounts and any system that handles money or customer data. Passkeys are even better where available.

2. Review what your AI tools can read. In Google Account settings, check connected apps and limit access to mail, calendar and files to what you truly need. Keep a human in the loop for anything that touches money.

3. Use invoice rules. For any change of bank details, call a saved number to confirm before payment. Never rely on the number shown in the email. This is the simplest way to stop business email compromise.

4. Keep software updated and back up important files. It is boring and it works. The national guide for small business puts these steps at the top.

5. Do a five minute email health check. Turn on content filtering, make sure spam is not landing in the inbox, and remind staff that email security is not set and forget.

 💪🌟 Extra credit for owners who wear many hats

• If you use your own domain, ask your web or IT person about SPF, DKIM and DMARC. These settings help mail providers spot fakes that pretend to be you.

  
  

• Book a short cyber workshop with the WA Small Business Development Corporation or share their guides with your team. It is practical and local.

  
  

• Contact your marketing agency (hopefully that is us) for latest cyber security tips, updates and solutions.

  
  

🤔🙅‍♀️ If something feels off

• Call the Australian Cyber Security Hotline on 1300 CYBER1 and follow the step by step recovery guide for email compromise. Or;

  
  

• Report a cybercrime, incident or vulnerability online at ASD / ACSD.

  
  

• Report scams to Scamwatch and to WA ScamNet.

📈❗️Bottom line

AI can save time, but it can also make scams look smarter. A few simple habits will carry most small businesses a long way. Turn on multi factor authentication, keep tight control on what AI can read, and confirm bank details by phone before you pay. Your future self will thank you.

Take care of yourself and your business.