Australians lost over $128 million to business email compromise crimes in 2020.[1] Yet how many emails will you send today? And how often will you stop to consider that a criminal could be lurking in your client’s inbox – or even worse – in your inbox? When it comes to professional communications, email still reigns supreme; but email was never designed to be secure.
Email isn’t as secure as you might think
Email gives anyone with an internet connection an easy way of contacting anyone else, at any time, for free. Unfortunately, these benefits also extend to cyber criminals, who can quickly and easily make contact with their would-be targets. Email-related fraud remains stubbornly prevalent. For every story about homebuyers being swindled out of their deposit or sellers failing to receive settlement funds, there are many near-misses that don’t reach the headlines. Email is also one of the largest contributors to data breaches of personal information.
Beyond the obvious financial impact of email-related cybercrime lies the potential for reputational damage to your brand, ongoing legal disputes, and the health impact of dealing with all the resulting stress.
How email incidents happen
Email is designed to be highly accessible. You can log in from your computer, your phone, your tablet, or via a web browser from anywhere in the world. But this online accessibility also means that anyone who can guess, crack, or steal your password can log in to your email account to send and receive messages on your behalf. Short, common, guessable, or reused passwords are routinely exploited by cyber criminals to steal personal information or tamper with payment requests.
It would be a mistake to assume that every email compromise attack is a sophisticated, highly technical cyber security incident. In many cases fraudsters will simply register domains similar to a genuine domain (think ‘comnbank.com.au’) in a bid to trick victims into thinking that their emails are legitimate. Attackers can also ‘spoof’ the email sender address to trick your clients into thinking that they’re communicating with you or another trusted party. The controls that counter sender spoofing, Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC), are still not enabled by many businesses.
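The two problems just described, lookalike domains and a missing or weak SPF/DMARC setup, can both be checked from the defender's side. The script below is an added example, not code from the article; it evaluates SPF and DMARC TXT records for the weak settings that leave spoofing unpunished (no record, SPF ending in ~all or +all, DMARC p=none) and flags sender domains that are within a couple of character edits of a trusted domain. The domain names and DNS records are constructed for the example; a real deployment would replace the SAMPLE_TXT table with a live TXT lookup (for instance via the dnspython library).

```python
from typing import Dict, List, Optional

# Constructed sample TXT records standing in for DNS (no live lookup is made).
# "example.com.au" has the weak configuration, "secure.example.com.au" the strong one.
SAMPLE_TXT: Dict[str, List[str]] = {
    "example.com.au": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.example.com.au": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"],
    "secure.example.com.au": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.secure.example.com.au": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au; adkim=s; aspf=s"
    ],
    "nomail.example.com.au": [],
}

def spf_record(domain: str, txt=SAMPLE_TXT) -> Optional[str]:
    """Return the domain's SPF record, or None if it publishes none."""
    for r in txt.get(domain, []):
        if r.lower().startswith("v=spf1"):
            return r
    return None

def dmarc_record(domain: str, txt=SAMPLE_TXT) -> Optional[str]:
    """DMARC policy lives at _dmarc.<domain>; return it or None."""
    for r in txt.get("_dmarc." + domain, []):
        if r.upper().startswith("V=DMARC1"):
            return r
    return None

def parse_dmarc_tags(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

# What each SPF 'all' qualifier means for a host that is not listed in the record.
WEAK_SPF_ALL = {
    "~all": "SPF ends in ~all (softfail): without a DMARC reject policy, unauthorised senders are usually only marked, not rejected",
    "?all": "SPF ends in ?all (neutral): the record gives receivers no opinion on unauthorised senders",
    "+all": "SPF ends in +all: every host on the internet passes SPF for this domain",
}

def assess_domain(domain: str, txt=SAMPLE_TXT) -> List[str]:
    """Return a list of weaknesses in the domain's anti-spoofing records (empty = no findings)."""
    findings = []
    spf = spf_record(domain, txt)
    if spf is None:
        findings.append("no SPF record: any host can claim to send mail for this domain")
    else:
        last = spf.split()[-1].lower()
        if last in WEAK_SPF_ALL:
            findings.append(WEAK_SPF_ALL[last])
    dmarc = dmarc_record(domain, txt)
    if dmarc is None:
        findings.append("no DMARC record: receivers get no policy for mail that fails SPF/DKIM")
    else:
        tags = parse_dmarc_tags(dmarc)
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none: spoofed mail is reported but still delivered")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: spoofed mail lands in spam rather than being rejected")
        if "rua" not in tags:
            findings.append("DMARC has no rua= address: aggregate reports will never be received")
    return findings

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(sender_domain: str, trusted: List[str], max_distance: int = 2) -> Optional[str]:
    """Return the trusted domain a sender domain imitates, or None if it is exact or unrelated."""
    sender_domain = sender_domain.lower()
    for t in trusted:
        if sender_domain == t.lower():
            return None  # an exact match is the genuine domain, not a lookalike
        if edit_distance(sender_domain, t.lower()) <= max_distance:
            return t
    return None

if __name__ == "__main__":
    for d in ("example.com.au", "secure.example.com.au", "nomail.example.com.au"):
        print(d, "->", assess_domain(d) or ["no findings"])
    # 'exarnple' swaps the 'm' for 'rn', the classic lookalike trick.
    print(lookalike_of("exarnple.com.au", ["example.com.au"]))
```

The lookalike check is deliberately simple: an edit distance of two catches transposed, dropped or doubled letters and the rn/m swap, but it will not catch a registered subdomain of an unrelated domain (such as example.com.au.attacker.example), so it complements rather than replaces staff awareness and out-of-band verification of payment details.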
An astounding 38% of data breaches Australia-wide don’t even involve a malicious actor.[2] Data leaks like these happen because senders forget to double-check email addresses, fail to encrypt sensitive information properly, or don’t apply the correct controls around sensitive data.
A percentage of the billions of emails sent each day are malicious ‘phishing’ emails containing malware, spyware, or links to credential harvesting websites. Victims who open attachments, download malware, or enter credentials into malicious websites give criminals an opportunity to access their inbox.
Locking down your inbox
Here are some simple steps you can take right now to make your communications more secure.
- Set up multifactor authentication (MFA) for your email account. Rather than relying on a password alone, MFA ensures that no one can log into your email account without also providing a second factor of authentication – usually a code generated by an app on your phone. MFA is free and only takes a minute to set up.
- Consider investing in a secure way to transfer files. Tools that allow clients to upload documents directly can remove or reduce the need for email and all of its associated risks.
- Develop a level of healthy scepticism about email. A benign-looking email could be from a criminal. An email from your client could actually be from an attacker lurking in their inbox. Navigate to websites rather than clicking on email links, and talk to your staff, business partners, clients, and suppliers about the dangers of email fraud.
- Mitigate the risks of email fraud by calling clients to verify account numbers and payment instructions. Delete sensitive information from your inbox when it’s no longer needed, and investigate other options for sharing sensitive data rather than putting all your faith in email.