Protective measures are simple, cost-effective and immediately beneficial
Protective measures can help prevent your email accounts from being compromised in the first place.
There are many easy steps and actions you can take now.
Turn on multi-factor authentication
Turning on two-factor or multi-factor authentication strengthens your cyber security. Multi-factor authentication means there are two or more checks in place to prove your identity before you can access your account. For example, you may need to supply an authentication code from an app as well as your password.
It makes it more difficult for someone to access your files or account.
Turn on multi-factor authentication with our helpful guides for:
- Apple ID
- Facebook Messenger
- WhatsApp and WhatsApp Business
Remember to use strong passphrases for your accounts.
Protect your domain names
A domain name is a string of characters - often words - that identifies you or your business to other people using the Internet. This is the text that typically comes after the “@” symbol in an email address.
If your domain name expires, it will become available for anyone to purchase. A criminal could purchase your previous domain name and use it to imitate you or your business by setting up an email address and contacting your customers. Your customers or contacts may recognise your domain name and believe you are still operating that email address, when in fact they are really corresponding with a cybercriminal.
Remember to renew your domain names, even if you don’t use them anymore. This will stop your digital identity from falling into the wrong hands.
Find out when your domain names expire and set a reminder in your calendar to renew them ahead of their expiry.
Register additional domain names
A common fraud method cybercriminals use is to register a domain name which looks very similar to your business name. At a glance, email addresses made through fraudulent domain names may look similar enough to your own that your contacts may not realise they are not emailing the real you.
Consider registering similar domain names that could be used to confuse your contacts.
Using paypal.com as an example, here are some common lookalike domain name tricks that a cybercriminal might use to try and confuse someone:

| Trick | Example |
| --- | --- |
| Add additional words | paypalonline.com |
| Use a different domain extension | paypal.net |
| Add a hyphen | pay-pal.com |
| Add www to the start of the domain name | wwwpaypal.com |
| Rearrange parts of the domain name | paypal-au.com |
| Replace letters with similar characters (e.g. numbers, capital letters or symbols) | |
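One way to turn the table above into a check on inbound mail, as an added example that is not part of the ACSC guide: each From: address is normalised so that the listed tricks collapse back to the brand name, and anything that then matches the brand but is not the genuine domain is flagged for review. The homoglyph map and the sample addresses are constructed for illustration.

```python
import re

# Constructed map of digits commonly swapped for letters; illustrative, not exhaustive.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

def normalise(domain):
    """Collapse the table's tricks so a lookalike compares equal to the brand:
    lower-case (capital-letter swaps), drop a leading 'www', map homoglyphs
    back to letters, and remove hyphens and dots."""
    d = domain.lower().strip().rstrip(".")
    d = re.sub(r"^www[.-]?", "", d)              # wwwpaypal.com -> paypal.com
    d = d.translate(HOMOGLYPHS)                   # paypa1.com    -> paypal.com
    return d.replace("-", "").replace(".", "")    # pay-pal.com   -> paypalcom

def is_lookalike(sender_domain, legitimate="paypal.com", allowlist=()):
    """True if sender_domain imitates the legitimate domain without being it.
    The genuine domain, its subdomains and allowlisted names (other domains you
    registered yourself) never match. Short brands give false positives, so
    treat a hit as a prompt to verify, not as proof of fraud."""
    s = sender_domain.lower().strip().rstrip(".")
    legit = legitimate.lower()
    if s == legit or s.endswith("." + legit) or s in {a.lower() for a in allowlist}:
        return False
    brand = normalise(legit.split(".")[0])        # 'paypal'
    # Substring match on the normalised form covers added words, a different
    # extension, hyphens, a 'www' prefix, rearranged parts and swapped letters.
    return brand in normalise(s)

def flag_senders(addresses, legitimate="paypal.com", allowlist=()):
    """Return the From: addresses whose domain imitates the legitimate one."""
    return [a for a in addresses
            if is_lookalike(a.rsplit("@", 1)[-1], legitimate, allowlist)]

# Constructed sample of inbound From: addresses (not real mail).
SAMPLE_FROM = [
    "billing@paypal.com",        # genuine
    "alerts@mail.paypal.com",    # genuine subdomain
    "billing@paypalonline.com",  # added word
    "billing@paypal.net",        # different extension
    "billing@pay-pal.com",       # hyphen
    "billing@wwwpaypal.com",     # www prefix
    "billing@paypal-au.com",     # rearranged parts
    "billing@PayPa1.com",        # digit for letter, capitals
    "orders@example.com",        # unrelated
]

if __name__ == "__main__":
    for addr in flag_senders(SAMPLE_FROM):
        print("lookalike sender:", addr)
```

Domains you have registered yourself (the similar names the paragraph above recommends buying) belong in `allowlist` so they are not flagged.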
Set up email authentication measures
If you have your own business domain which you use for emailing, setting up email authentication protocols on your domain may help to prevent email spoofing attacks. This is where a cybercriminal sends an email pretending it’s from your email address, without ever having to hack your email account.
Email spoofing is like sending a letter and forging who it was written by. Anyone can write a return address on an envelope; it doesn’t mean that’s where it’s truly from.
Email spoofing occurs when someone forges the “From:” field of an email to say that it was sent from an email address other than their own.
If someone tries to spoof your email address, email authentication protocols let the receiving mail servers identify that those emails are not legitimate.
Have a discussion with your service provider about adding Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) records to your domain name. If your DNS hosting is with a separate provider, you will need to contact them also.
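Once your provider has added the records, it is worth checking that they are actually strict. The following is an added example, not ACSC's or any provider's tooling: it reads the text of an SPF and a DMARC record and reports settings that still let spoofed mail through, with a weak pair of records shown beside a hardened pair. The records and domain names are constructed placeholders; in practice you would fetch the real ones with `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`. DKIM is not covered because checking it needs the selector your provider uses.

```python
def parse_dmarc(txt):
    """Split a DMARC TXT record ('v=DMARC1; p=reject; rua=...') into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def assess_spf(spf_txt):
    """Return a list of weaknesses in an SPF record; empty means none found."""
    if not spf_txt or not spf_txt.lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell which servers may send for you"]
    findings = []
    # The 'all' mechanism decides what happens to mail from servers not listed.
    all_term = next((t for t in spf_txt.split() if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders are treated as neutral")
    elif all_term[0] in "+?" or all_term.lower() == "all":
        findings.append(f"'{all_term}' lets any server send as your domain")
    elif all_term.startswith("~"):
        findings.append("'~all' (softfail) only marks spoofed mail; use '-all' to reject it")
    return findings

def assess_dmarc(dmarc_txt):
    """Return a list of weaknesses in a DMARC record; empty means none found."""
    tags = parse_dmarc(dmarc_txt or "")
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record: receivers have no policy for mail failing SPF/DKIM"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or invalid policy 'p={policy}'")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you get no reports of spoofing attempts")
    return findings

def assess(records):
    return assess_spf(records.get("spf")) + assess_dmarc(records.get("dmarc"))

# Constructed TXT records for a hypothetical domain: weak settings beside hardened ones.
WEAK = {"spf": "v=spf1 include:_spf.mailhost.example ~all",
        "dmarc": "v=DMARC1; p=none"}
HARDENED = {"spf": "v=spf1 include:_spf.mailhost.example -all",
            "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.example; pct=100"}
```

Moving from `p=none` to `p=reject` is usually staged via `quarantine` while the `rua=` reports confirm that all your genuine sending services pass SPF or DKIM.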
To find out more, visit ACSC’s How to Combat Fake Emails.
Protect your privacy
Cybercriminals can learn a lot about someone by doing a simple Google search. This information helps a cybercriminal appear more credible if they pretend to be you in an email.
Be careful posting information online that identifies:
- where you work
- what your position is
- your work email address
- your personal email address
If your email address can be found on various websites or forums, it may become a target for impersonation.
For more information about how to manage your information online, visit the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
Implement policies and procedures
If a staff member receives an email from a customer, colleague, or supplier with an unusual or unexpected request, they should find out if the email is legitimate before actioning the request. To support this, introduce policies and procedures that address security risks and help keep your business safe.
- Even if a link in an email looks legitimate, open a web browser window and type the address in manually rather than clicking on the link.
- Consider introducing an approval process for requests that ask to change payment details or make a large transfer.
- Verify any such requests by calling the sender using a known number (not a number from the email) or by having multiple staff sign off on the request. Speak with the sender over the phone to verbally confirm the request or change.
- Ensure workers have clear guidance to verify account details and to think critically before actioning unusual requests.
- Have a reporting process to report threatening demands for immediate action, pressure for secrecy or requests to circumvent protective business processes.
Training and awareness
The best defence against email scams is training and awareness for your employees, including how to identify scams and protect your business from cybercriminals. Ensure your staff know to always be cautious of emails with the following:
- requests for money, especially if urgent or overdue
- bank account changes
- attachments, especially from unknown or suspicious email addresses
- requests to check or confirm login details
Incorporate, update and regularly repeat cyber security training and awareness amongst your employees.
Prepare your Cyber Emergency Plan
To be better prepared for a potential email attack, fill out the Cyber Emergency Plan on page 8 of the Prevention and Protection guide and print it out. Having it ready greatly reduces stress and saves time during a cyber security incident.
Remain vigilant and informed
Building up your defences is only part of protecting your information; you should also remain on the lookout for evolving cyber threats and trends, which could impact you at any time.
Stay up to date on cyber security threats and trends by becoming an ACSC Partner.
We have three streams of partners:
- Network Partners - for organisations with responsibility for networks, and for cyber security experts such as academics and not-for-profit institutions.
- Business Partners - for businesses, large or small, that would like to be kept up to date with relevant cyber security information for their businesses.
- Home Partners - for individuals and families who would like to be kept up to date with relevant information.