Email for business
Email continues to be a popular medium for criminals hoping to target the unwary with scams, phishing and malicious software (malware). You need to know how to detect potentially suspicious messages and steps you can take to protect your business.
Tip: Provide security awareness training for your staff and teach them how to protect your business from suspicious and malicious messages. Information about how to implement your own security awareness program can be found in the Security Awareness Implementation Guide.
How to be safe when using email
A number of different threats utilise email for their success, including malware, phishing and different types of scams. But to some degree they all work the same way and rely on successfully exploiting the same human weaknesses. These threats work as follows:
- You receive a message that contains an appeal or threat – the message tries to convince you to do something.
- You assess the characteristics of the message, decide that the appeal is legitimate and take the requested action.
- The action – which might be clicking a malicious link, opening a malicious file or sending sensitive information like credit card details – results in a negative consequence for you as the receiver of the message and some kind of illegitimate gain for the sender of the message.
Social engineering makes it harder to spot malicious emails.
Malicious emails sometimes use a technique called ‘social engineering’ for their success. Social engineering is a way of manipulating people using misinformation. Attackers use tricks to lower your natural defences against deception, for example by pretending to be from someone you trust, or by making a highly attractive offer.
Criminals are getting better at social engineering and putting more time, effort and money towards researching targets to learn names, titles, responsibilities, and any personal information they can find. Afterwards, the social engineer usually calls or sends an email with a believable, but made-up, story designed to convince the person to give them certain information. These targeted messages are known as spear phishing.
Social media accounts provide rich information about events, conferences and travel destinations etc., which can be used to make an approach seem real and accurate. So consider what personal information you share online and learn how to use social media safely.
Note: Social networking sites typically allow you to choose who has access to see your personal details. Consider hiding your email account or changing the settings so that only people that you trust are able to see your details.
It is important to train employees to recognise potential social engineering attempts and know who to notify when one occurs. Often employees in financial and administrative positions are targeted to change banking details, transfer funds, or provide sensitive information. Social engineering attempts may replicate high pressure situations to trick employees into making a mistake, for example, by sending an email from a senior executive who is travelling overseas asking for an urgent payment.
Make sure staff are aware of these techniques and have policies in place that prevent these situations, such as having a two-step process to verify requests to change account information or payments, etc.
Protect yourself from malicious email – reduce spam
Electronic junk mail is commonly known as spam. These are electronic messages you haven’t asked for that are sent to your email account, mobile phone number, or instant messaging account.
The content of spam messages varies. Some messages promote legitimate products or services, while others will attempt to trick you into following a link to a scam website where you will be asked to enter your bank account or credit card details.
The best way to protect yourself from malicious email is to stop it from reaching you. That way, there’s no chance it can influence you into doing something you might regret.
- Don’t share your email address online unless you need to and consider setting up a separate email address just to use for online forms or shopping.
- As much as possible, have separate email accounts for personal and business use.
- Use a spam filter to catch these messages before they get to your inbox. (Most modern email systems have reasonably effective spam filters to prevent spam appearing in your inbox. If you’re not sure, ask your internet service provider.)
- Delete spam messages without opening them.
Other steps you can take to limit spam
- When you sign up for an online account or service be aware of default options to receive additional email about other products and services.
Be careful with the email that does get through to your inbox
Spammers and scammers can be clever though and some messages might still make it through to your inbox. To protect yourself from these malicious messages:
- Don’t open messages if you don’t know the sender, or if you’re not expecting them.
- Be suspicious of messages that aren’t addressed directly to you, or don’t use your correct name.
- Don’t reply to or forward chain letters you receive by email.
- Think carefully before clicking on any links or opening any attachments.
- If a message seems suspicious, contact the person or business separately to check if they are likely to have sent the message. Use contact details you find through a legitimate source and not those contained in the suspicious message. Ask them to describe what the attachment or link is.
- Before you click a link (in an email or on social media, instant messages, other webpages, or other means), hover over that link to see the actual web address it will take you to (usually shown at the bottom of the browser window). If you do not recognise or trust the address, try searching for relevant key terms in a web browser. This way you can find the article, video, or webpage without directly clicking on the suspicious link.
- Ensure you have up-to-date anti-virus software installed on any device used to access email.
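The checks in the list above (is the message addressed to you, does a link's visible text match where it really points, does it carry an attachment) can also be applied automatically before a person ever hovers over a link. The script below is an added example, not part of the original guidance and not any vendor's filter. It parses a sample message constructed here for illustration; every address and domain in it is made up (the `.invalid` and `.example` names are reserved and resolve nowhere), and `my_address` is an assumed value for the recipient's own mailbox.

```python
"""Heuristic review of one email, mirroring the manual checks above."""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: generic greeting, not addressed to the reader,
# one link whose shown address differs from its real target, one attachment.
RAW_EMAIL = b"""From: "Accounts Team" <accounts@example-bank.invalid>
To: customers@example.invalid
Subject: Urgent: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer,</p>
<p>Please visit <a href="http://login.example-bank.invalid.attacker.example/verify">https://www.example-bank.invalid/login</a>
to confirm your details.</p>
<p>See our <a href="https://www.example-bank.invalid/help">help page</a>.</p>
</body></html>
--b1
Content-Type: application/octet-stream; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"

UEsDBAo=
--b1--
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _looks_like_url(text):
    return "://" in text or text.lower().startswith("www.")


def mismatched_links(html):
    """Links whose visible text is itself an address but names a different host."""
    parser = LinkCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        if not _looks_like_url(text):
            continue  # plain wording such as "help page" is not a hidden address
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        actual = urlparse(href).hostname or ""
        if shown.lower() != actual.lower():
            out.append((text, href))
    return out


def addressed_to(msg, my_address):
    """True if my_address appears in To or Cc (case-insensitive)."""
    recipients = []
    for field in ("To", "Cc"):
        header = msg[field]
        if header is not None:
            recipients.extend(a.addr_spec.lower() for a in header.addresses)
    return my_address.lower() in recipients


def check_email(raw, my_address):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    if not addressed_to(msg, my_address):
        findings.append("message is not addressed to you")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for text, href in mismatched_links(html):
        findings.append(f"link shows {text!r} but points to {href!r}")
    for part in msg.iter_attachments():
        findings.append(f"attachment present: {part.get_filename()!r}")
    return findings


if __name__ == "__main__":
    for finding in check_email(RAW_EMAIL, "me@example.invalid"):  # assumed recipient
        print("-", finding)
```

Each finding corresponds to one item in the list above; none of them proves the message is malicious on its own, which is why the list says to think carefully and to confirm with the sender through a separately obtained contact detail rather than to trust or reject automatically.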
Protect your email accounts with two-step verification
Many web email service providers – like Google, Microsoft and Yahoo – provide two-step verification (also known as two-factor authentication) for extra security of account data.
How does it work? A two-step process is where a user must provide more than one type of proof that they are authorised before they can access an account. For example, you might need to provide a password as well as a second form of identity, like a code sent to a mobile phone that is registered with your account.
Two-step verification makes it more difficult for someone else to sign in to your email account. Even if someone finds your password, they would be stopped from getting into your account unless they have the second form of identity. This security feature is also available for some other systems, for example, when banking online or accessing government services online, such as through myGov.
When possible, we recommend you turn on two-step or two-factor authentication for your accounts.
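To make the two-step flow concrete, here is an added example (not the page's own code and not how Google, Microsoft or Yahoo implement it) of the server side of a password step followed by a one-time code step. The code is returned by `issue_code` in place of being sent by SMS, a constructed stand-in for the "code sent to a mobile phone" step, and `VALID_SECONDS` and `MAX_ATTEMPTS` are assumed policy values. The point it shows is the one in the text: a stolen password alone does not get in, because the second step is single-use, short-lived and limited in guesses.

```python
"""Two-step sign-in: password check, then a single-use second-step code."""
import hashlib
import hmac
import secrets
import time

VALID_SECONDS = 300  # assumed: how long a code stays valid
MAX_ATTEMPTS = 3     # assumed: wrong guesses allowed before the code is burned
PBKDF2_ROUNDS = 200_000


def make_user(password):
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return (salt, digest)


def first_step(users, username, password):
    """Step one: does the password match? Constant-time comparison of hashes."""
    record = users.get(username)
    if record is None:
        return False
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class SecondStepVerifier:
    """Step two: a random six-digit code that expires, is single-use and limits guesses."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # username -> [code, expires_at, attempts_left]

    def issue_code(self, username):
        # In a real deployment this is where the code is sent to the registered
        # phone; here it is returned so the example runs offline (constructed).
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[username] = [code, self._clock() + VALID_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, username, submitted):
        entry = self._pending.get(username)
        if entry is None:
            return False                       # nothing issued, or already used/burned
        code, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[username]        # expired codes are discarded, not retried
            return False
        entry[2] -= 1
        ok = hmac.compare_digest(code.encode(), str(submitted).encode())
        if ok or entry[2] == 0:
            del self._pending[username]        # single use; also burned after too many guesses
        return ok


def sign_in(users, verifier, username, password, code_getter):
    """Full flow: both steps must pass. code_getter(code) plays the user's phone."""
    if not first_step(users, username, password):
        return False
    issued = verifier.issue_code(username)
    return verifier.verify(username, code_getter(issued))


if __name__ == "__main__":
    users = {"alice": make_user("correct horse battery staple")}  # constructed account
    v = SecondStepVerifier()
    # Password known, but the attacker cannot read the phone: second step fails.
    print(sign_in(users, v, "alice", "correct horse battery staple", lambda _c: "000000"))
    # Legitimate user reads the code off the phone: both steps pass.
    print(sign_in(users, v, "alice", "correct horse battery staple", lambda c: c))
```

`hmac.compare_digest` is used for both the password hash and the code so that timing differences do not leak how many characters matched, and the code is deleted on success, on expiry and after the last allowed guess, so a captured code cannot be replayed later.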
Find out more: