Email for business

Email continues to be a popular medium for criminals hoping to target the unwary with scams, phishing and malicious software (malware). You need to know how to detect potentially suspicious messages and what steps you can take to protect your business.

Pronounced ‘fishing’, phishing is a scam email that appears to come from an individual or organisation you think you know. Phishing emails mimic the phrasing, branding and logos of the real sender to look genuine and trick you into clicking a link or opening an attachment. The link takes you to a page that asks you to provide or confirm personal information, such as passwords and credit card numbers, or to pay a fake invoice. The attachment is designed to look genuine but carries malware.

Tip: Provide security awareness training for your staff and teach them how to protect your business from suspicious and malicious messages. Information about how to implement your own security awareness program can be found in the Security Awareness Implementation Guide.

How to be safe when using email

Malicious emails often rely on a technique called ‘social engineering’. Social engineering is the manipulation of people, usually with false information, into doing something that benefits the attacker.

Cyber criminals are getting better at social engineering, and are putting more time, effort and money into researching their targets: learning names, job responsibilities, client contacts and any other personal information they can find before making contact.

Social media accounts can provide rich information about your personal and work life, including events, conferences, travel destinations and so on, which can be used to make an approach seem real and accurate. So consider what personal information you share online, and learn how to use social media safely.

Note: Social networking sites typically allow you to choose who has access to see your personal details. Consider hiding your email account or changing the settings so that only people that you trust are able to see your details.

It is important to train employees to recognise potential social engineering attempts and to know who to notify when one occurs. Often employees in financial and administrative positions, like the business owner, receptionist, or finance or payroll manager, are targeted to change banking details, transfer funds or provide sensitive information.

Be cautious of:

  • requests for money, especially if they claim to be ‘urgent’ or ‘overdue’, or appear to come from a senior executive in the organisation you wouldn’t usually receive this type of request from
  • unexpected notification of supplier bank account changes
  • suspicious email attachments
  • requests to check or confirm login details.

Make sure staff are aware of these techniques, and have policies in place that prevent these situations, such as a two-step process to verify any request to change account information or to make a payment.

Protect yourself from malicious email – reduce spam

Electronic junk mail is commonly known as spam: electronic messages you haven’t asked for, sent to your email account, mobile phone number or instant messaging account.

The content of spam messages varies. Some messages promote legitimate products or services, while others will attempt to trick you into following a link to a scam website where you will be asked to enter your bank account or credit card details.

The best way to protect yourself from malicious email is to stop it from reaching you. That way, there’s no chance it can influence you into doing something you might regret.

  • Don’t share your email address online unless you need to and consider setting up a separate email address just to use for online forms or shopping.
  • As much as possible, have separate email accounts for personal and business use.
  • Use a spam filter to catch these messages before they get to your inbox. (Most modern email systems have reasonably effective spam filters to prevent spam appearing in your inbox. If you’re not sure, ask your internet service provider.)
  • Delete spam messages without opening them.

Other steps you can take to limit spam

  • Before using your email address online, read the website privacy policy – it will tell you how they will use the personal information you provide.
  • When you sign up for an online account or service be aware of default options to receive additional email about other products and services.

Be careful with the email that does get through to your inbox

Spammers and scammers can be clever, though, and some messages might still make it through to your inbox. To protect yourself from these malicious messages:

  • Don’t open messages if you don’t know the sender, or if you’re not expecting them.
  • Be suspicious of messages that aren’t addressed directly to you, or don’t use your correct name.
  • Don’t reply to or forward chain letters you receive by email.
  • Think carefully before clicking on any links or opening any attachments.
  • If a message seems suspicious, contact the person or business separately to check if they are likely to have sent the message. Use contact details you find through a legitimate source and not those contained in the suspicious message. Ask them to describe what the attachment or link is.
  • Before you click a link (in an email or on social media, instant messages, other webpages, or other means), hover over that link to see the actual web address it will take you to (usually shown at the bottom of the browser window). If you do not recognise or trust the address, try searching for relevant key terms in a web browser. This way you can find the article, video, or webpage without directly clicking on the suspicious link.
  • Ensure you have up-to-date anti-virus software installed on any device used to access email.
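Several of the warning signs in the list above can be checked mechanically before a message ever reaches a person: a pressuring subject line, a greeting that does not use your name, a link whose visible text names one website while it actually points to another (the same mismatch you see when you hover over a link), and an attachment with an executable file extension. The following Python script is an added example written for this page; it is not part of the original guidance and does not represent any particular spam filter product. The two messages it inspects are constructed samples, and the sender and link addresses in them are invented.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators drawn from the guidance above; the exact word lists are assumptions.
URGENCY_WORDS = ("urgent", "overdue", "immediately")
GENERIC_GREETING = re.compile(r"\bdear\s+(customer|user|client|sir|madam|valued)", re.I)
RISKY_EXTENSIONS = {"exe", "scr", "bat", "cmd", "js", "vbs", "hta", "jar"}

# Constructed sample showing all four warning signs at once (addresses are invented).
SAMPLE_EMAIL = """\
From: "Accounts Payable" <accounts@example-supplier.test>
To: you@example.test
Subject: URGENT: overdue invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Dear Customer,</p>
<p>Please confirm payment at
<a href="http://login.example-bad.test/confirm">https://portal.example-supplier.test</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"

(binary content omitted)
--b1--
"""

# Constructed sample of an ordinary message from a known contact, for comparison.
CLEAN_EMAIL = """\
From: Jo <jo@example-supplier.test>
To: you@example.test
Subject: Minutes from Tuesday

Hi Sam, the minutes are pasted below. Cheers, Jo
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags plus all visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = ""
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_data(self, data):
        self.text += data
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def _host(url):
    return (urlparse(url).hostname or "").lower()


def find_warning_signs(raw_message):
    """Return a list of (indicator, detail) pairs for one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    subject = msg.get("Subject", "")
    if any(word in subject.lower() for word in URGENCY_WORDS):
        findings.append(("urgency", f"subject pressures you to act: {subject!r}"))
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            # Only the final extension matters; "invoice.pdf.exe" is still an .exe.
            if filename.rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS:
                findings.append(("attachment", f"executable attachment {filename!r}"))
            continue
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = part.get_payload(decode=True).decode(charset, "replace")
            collector = LinkCollector()
            collector.feed(html)
            if GENERIC_GREETING.search(collector.text):
                findings.append(("greeting", "message is not addressed to you by name"))
            for href, text in collector.links:
                shown = text.strip()
                # Flag a link whose visible text is itself a URL on a different site.
                if shown.lower().startswith("http") and _host(shown) != _host(href):
                    findings.append(("link", f"text shows {_host(shown)!r} but goes to {_host(href)!r}"))
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, find_warning_signs(raw))
```

A real mail gateway applies far more rules than this, but the point of the example is that the human checks in the list (hover before you click, distrust generic greetings and urgent demands, treat executable attachments as hostile) map directly onto simple, automatable tests, and that a message can trip several of them at once.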

Protect your email accounts with two-step verification

Many web email service providers – like Google, Microsoft and Yahoo – provide two-step verification (also known as two-factor authentication or 2FA) for extra security of account data.

How does it work? A two-step process requires a user to provide more than one type of proof that they are authorised before they can access an account. For example, you might need to provide a password as well as a second form of identity, like a code sent to a mobile phone that is registered with your account.

Two-step verification makes it more difficult for someone else to sign in to your email account. Even if someone finds your password, they would be stopped from getting into your account unless they have the second form of identity. This security feature is also available for some other systems, for example, when banking online or accessing government services online, such as through myGov.

When possible, we recommend you turn on two-step or two-factor authentication for your accounts.

Two-factor authenticator apps

There are also free two-factor authentication apps provided by third parties that you can use instead of having an SMS code sent to your mobile. Do your research and find a solution that is right for you.
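The second form of identity described under ‘How does it work?’ above, and the codes that the authenticator apps in this section display, are normally time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226). The Python below is an added example written for this page, not code from any email provider or authenticator app: it shows how the service and the app both derive the same six-digit code from a shared secret and the current time, and why a stolen password alone is not enough. The secret used is the published RFC test secret, which stands in for the one a real service would generate when you enrol.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared secret enrolled into the app, normally shown as a QR code or base32 string.
# This is the RFC 4226/6238 test secret, used here only so the codes are checkable.
SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % (10 ** digits):0{digits}d}"


def totp(secret, at_unix_time, step=STEP_SECONDS, digits=6):
    """RFC 6238: HOTP with the counter set to the number of time steps since the epoch."""
    return hotp(secret, at_unix_time // step, digits)


def verify_totp(secret, code, at_unix_time, window=1):
    """Server-side check that tolerates one step of clock drift either way.

    hmac.compare_digest is used so the comparison time does not leak how many
    leading digits matched.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret, at_unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


def provisioning_secret(secret):
    """The base32 form of the secret that an authenticator app asks you to type in."""
    return base64.b32encode(secret).decode("ascii")


if __name__ == "__main__":
    now = int(time.time())
    print("enrol this secret in the app:", provisioning_secret(SECRET))
    print("code the app shows right now:", totp(SECRET, now))
    print("server accepts it:", verify_totp(SECRET, totp(SECRET, now), now))
```

Two things to note from the code: the app needs no network connection, because the code is a function of the secret and the clock only; and the secret never leaves the device or the server, so someone who has only your password cannot produce the code. The drift window is the reason a code still works for a few seconds after the app's countdown ends, and also why a code from several minutes ago is rejected.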

Download our step-by-step guides on how to turn on two-factor authentication for: