The ACSC has provided a new step-by-step email security guide in their new stage of the ‘Act Now Stay Secure’ cyber security campaign, helping in the prevention of cyber criminals from stealing sensitive information and money through business email compromises and ransomware attacks.
“In the 12 months to 30 June this year, around 4,600 reports of business email compromise have been made to the Australian Cyber Security Centre. Of these, around a third have reported financial losses totalling approximately $81 million,” Assistant Minister for Defence Andrew Hastie said.
“As part of the ‘Act Now Stay Secure’ campaign, the Australian Cyber Security Centre has released new email security guides to help prevent email compromise, and advice to help victims recover from an email attack.”
The ACSC’s new step-by-step guide provides the steps needed for an individual to protect their email accounts and limit the damage caused by email compromises.
1. Turn on multi-factor authentication (MFA)
An MFA requires a combination of something a user knows and something a user has, such as combining one’s PIN with a biometric.
Having an MFA makes it harder for cyber criminals to gain initial access to your email accounts, services and information as it forces them to jump through more security hoops and additional authentication layers.
If an MFA is unavailable, creating a strong passphrase can be the only way to protect your valuable information and accounts. Passphrases are most effective when they are long, complex, unpredictable and unique.
2. Protect your domain names
A domain name is a string of characters that identities you or your business to other people using the Internet. It is usually found after the “@” symbol on an email address.
Anyone can purchase a domain name once it expires and a criminal can purchase and use it to imitate someone or a business online.
If there are accounts or services attached to the domain name, the criminal can use it to gain further control of one’s information and online identity.
To prevent such occurrences, it is important to repurchase or renew old and expired domain names even if they are no longer being used.
3. Register additional domain names
A common method cyber criminals do is to register a domain name that looks similar to their target’s legitimate domain name. Email addresses made through these fraudulent domain names are subtle enough to fool victims into thinking it’s the real email.
Consider registering similar domains that could be used to mislead someone in order to prevent such attacks from happening.
4. Set up email authentication measures
Email spoofing occurs when the “From:” field of an email is forged, saying that it was sent from another email address. With email spoofing, cyber criminals would no longer need to hack an email account to commit a crime.
Setting up email authentication protocols will help stop such attacks. This will identify the illegitimate emails and prevent spoofed emails from reaching the victim’s inbox.
The Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) are email authentication protocols that can be used to strengthen email security.
5. Protect your privacy
Be careful posting public information online such as workplace, job position or work email address. Since cyber criminals can learn a lot about someone by doing a simple Google search, the availability of these details can be easily used for impersonation.
Avoid having personal and business email addresses publicly listed on the internet by reviewing one’s social media accounts and online presence. The ACSC also provides advice and security tips for social media and networking applications.
6. Implement policies and procedures
Staff members are the last line of defence against fraudulent email attacks, so it is important to introduce policies and procedures that address security risks. Consider introducing an approval process for requests such as asking to change payment details or making a large transfer.
An organisation must create a good cyber security culture by rewarding and recognising employees who report potential threats. They must also encourage regular cyber security discussions to increase the staff’s awareness.
7. Training and awareness
In line with the previous step, organisations should ensure that their employees are aware and trained against email scams. Employees should be made cautious of urgent requests for money, bank account changes, email attachments and confirmation of login details.
Employees should also be taught to not reuse passwords or passphrases on different accounts, to be careful with sharing information online and to think before clicking on links.
8. Prepare your cyber emergency plan
Organisations should always have a cyber emergency plan in case a cyber attack happens. It is important to know one’s critical information and devices in order to figure out which assets are to be prioritised and saved.
The ACSC has provided a cyber emergency plan guide on their website.
9. Remain vigilant and informed
It is best to remain on the lookout for evolving cyber threats and trends which could impact an organisation at any time.
The ACSC recommends organisations join their Partnership Program, which will give access to timely information to assist in keeping digital systems and networks safe.
Act Now Stay Secure campaign
Emails have become a common tool for the delivery of ransomware attacks, with cyber criminals impersonating employees or companies through “legitimate” email accounts to fraudulently obtain money or goods from victims.
Cyber criminals also use these compromised email accounts to steal sensitive and personal information, leading to the victim being blackmailed.
“A business or individual who has their email account compromised or targeted by scammers and cybercriminals could suffer catastrophic financial losses through scams or ransomware,” Minister Hastie said.
“There are things everyone can and should be doing to protect themselves and their email accounts – use complex passwords and multifactor authentication, back up your data and keep a copy offline, and don’t click on suspicious links.”