Protective measures are simple, cost-effective and immediately beneficial Protective measures can help by: preventing your email accounts from being compromised making it harder for a cybercriminal to impersonate you protecting your business from falling victim to email fraud There are many easy steps and actions you can take now. Turn on multi-factor authentication Having multi-factor authentication increases the security on your email account. Multi-factor authentication means there are two checks in place to prove your identity before you can access your account. For example, you may need to supply an authentication code from an app as well as your password. It makes it more difficult for someone to access your files or account. Turn on multi-factor authentication with our helpful guides for: Apple ID Google Accounts Microsoft Accounts Remember to use a strong passphrase for your email account if you cannot use multi-factor authentication. Protect your domain names A domain name is a string of characters ‐ often words ‐ that identifies you or your business to other people using the Internet. This is the text that typically comes after the “@” symbol in an email address. If your domain name expires, it will become available for anyone to purchase. A criminal could purchase your previous domain name and use it to impersonate you or your business by setting up an email address and contacting your customers. Your customers or contacts may recognise your domain name and believe you are still operating that email address, when in fact they are really corresponding with a cybercriminal. Remember to renew your domain names, even if you don’t use them anymore. This will stop your digital identity from falling into the wrong hands. An icon to indicate an area of information Find out when your domain names expire and set a reminder in your calendar to renew them ahead of their expiry. Register additional domain names A common fraud method cybercriminals use is to register a domain name which looks very similar to your business name. At a glance, email addresses made through fraudulent domain names may look similar enough to your own that your contacts may not realise they are not emailing the real you. Consider registering similar domain names that could be used to confuse your contacts. Using paypal.com as an example, here are some common lookalike domain name tricks that a cybercriminal might use to try and confuse someone: Remove letters pypal.com Add letters payppal.com Add additional words paypalonline.com Use a different domain extension paypal.net, paypal.au Rearrange letters payapl.com Add a hyphen pay-pal.com Add www to the start of the domain name wwwpaypal.com Rearrange parts of the domain name paypal-au.com Replace letters with similar characters (e.g. numbers, capital letters or symbols) paypa1.com paypaI.com pàypal.com Set up email authentication measures If you have your own business domain which you use for emailing, setting up email authentication protocols on your domain may help to prevent email spoofing attacks. This is where a cybercriminal sends an email pretending it’s from your email address, without ever having to hack your email account. Email spoofing is like sending a letter and forging who it was written by. Anyone can write a return address on an envelope; it doesn’t mean that’s where it’s truly from. Email spoofing occurs when someone forges the “From:” field of an email to say that it was sent from an email address other than their own. If someone tries to spoof your email address, setting up email authentication protocols will identify that those emails are not legitimate. These protocols help prevent spoofed emails from making it to their destination – they will normally go either to the recipient’s spam folder, or won’t be delivered at all. Have a discussion with your service provider about adding Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) records to your domain name. If your DNS hosting is with a separate provider, you will need to contact them also. To find out more, visit ACSC’s How to Combat Fake Emails. Protect your privacy Cybercriminals can learn a lot about someone by doing a simple Google search. This information helps a cybercriminal appear more credible if they pretend to be you in an email. Be careful posting information online that identifies: where you work what your position is your work email address your personal email address If your email address can be found on various websites or forums, it may become a target for impersonation. For more information about how to manage your information online, visit the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au. Implement policies and procedures If a staff member receives an email from a customer, colleague, or supplier with an unusual or unexpected request, they should find out if the email is legitimate before actioning the request. To ensure this, introduce policies and procedures to address security risks and help keep your business safe. For example: Consider introducing an approval process for requests that ask to change payment details or make a large transfer. Verify any such requests by calling the sender. Call them on a known and verified phone number (not a phone number from the email, as this could be operated by a cybercriminal). Speak with the sender over the phone to verbally confirm the request or change. Ensure workers have clear guidance to verify account details and to think critically before actioning unusual requests. Have a reporting process to report threatening demands for immediate action, pressure for secrecy or requests to circumvent protective business processes. Training and awareness The best defence against email scams is training and awareness for your employees, including how to identify scams or phishing attempts. Ensure your staff know to always be cautious of emails with the following: requests for money, especially if urgent or overdue bank account changes attachments, especially from unknown or suspicious email addresses requests to check or confirm login details unexpected or suspicious links Incorporate, update and regularly repeat cyber security training and awareness amongst your employees to protect your business from cybercriminals. Remain vigilant and informed While it is one thing to have built up your defences to protect your information, it is best to remain on the lookout for evolving cyber threats and trends which could impact you at any time. Stay up to date on cyber security threats and trends by becoming an ACSC Partner. We have three streams of partners: Network Partners - for organisations with responsibility for networks, experts in cyber security such as academics and not-for-profit institutions. Business partners - for businesses, large or small, that would like to be kept up to-date with relevant cyber security information for their businesses. Home partners - for individuals and families who would like to be kept up to-date with relevant information.