The Australian Cyber Security Centre (ACSC) is urging Aussies and Australian businesses to strengthen their email security practices to protect their private information and that of their customers in the lead up to tax time.
As tax time approaches, the ACSC is encouraging individuals, businesses and organisations to be alert, and aware of business email compromise (BEC) threats. BEC occurs when cyber criminals access email accounts aiming to steal sensitive and financial information or commit fraud by impersonating employees or company email accounts to obtain money or data.
While tax scams change from year to year, cyber criminals have been claiming to be from the Australian Taxation Office (ATO), or registered tax agents, or associated with trusted brands like myGov. As taxpayers prepare to lodge their tax returns or await tax refunds, cyber criminals have been using convincing language to trick victims.
Protective measures that can help include:
Turn on multi-factor authentication
Having multi-factor authentication increases the security on your email account. Multi-factor authentication means there are two checks in place to prove your identity before you can access your account. For example, you may need to supply an authentication code from an app as well as your password. Remember to use a strong passphrase for your email account if you cannot use multi-factor authentication.
Protect your domain names
A domain name is a string of characters – often words – that identifies you or your business to other people using the internet. This is the text that typically comes after the “@” symbol in an email address.
If your domain name expires, it will become available for anyone to purchase. A criminal could purchase your previous domain name and use it to impersonate you or your business by setting up an email address and contacting your customers. Your customers or contacts may recognise your domain name and believe you are still operating that email address, when in fact, they are really corresponding with a cyber criminal.
Remember to renew your domain names, even if you don't use these anymore. This will stop your digital identity from falling into the wrong hands. Find out when your domain names expire and set a reminder in your calendar to renew them ahead of their expiry.
Register additional domain names
A common fraud method cyber criminals use is to register a domain name which looks very similar to your business name. At a glance, email addresses made through fraudulent domain names may look similar enough to your own that your contacts may not realise they are not emailing the real you.
Consider registering similar domain names that could be used to confuse your contacts.
Using paypal.com as an example, here are some common lookalike domain name tricks that a cyber criminal might use to try and confuse someone:
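As an added example (not part of the ACSC advice above), the following Python checks whether a sender's domain is a lookalike of your own domain using the tricks described here: swapped or visually similar characters, a single typo or transposition, a different top-level domain, or your brand padded out with extra words. The HOMOGLYPHS table and the sample addresses are constructed for illustration, and paypal.com is reused only as the page's own example.

```python
import unicodedata
from typing import Iterable, Optional, Tuple

# Constructed, illustrative subset of substitutions seen in lookalike domains;
# a production table would be larger and would also decode xn-- (punycode) labels.
HOMOGLYPHS = {
    "rn": "m", "vv": "w", "cl": "d",      # multi-character swaps first
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
}

def normalise(label: str) -> str:
    """Fold a domain label so 'paypa1' and a Cyrillic-a 'paypal' both compare equal to 'paypal'."""
    label = unicodedata.normalize("NFKC", label.lower())
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def edit_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: one insert, delete, substitute or
    adjacent swap each cost 1, so a transposition like 'payapl' scores 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify_sender(address: str, own_domains: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Return ('legitimate' | 'lookalike' | 'unrelated', matched own domain or None)."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    brand = normalise(domain.split(".")[0])   # the label people actually read
    for own in (o.lower() for o in own_domains):
        if domain == own or domain.endswith("." + own):
            return "legitimate", own           # exact domain or one of its subdomains
        own_brand = normalise(own.split(".")[0])
        if (brand == own_brand                           # same name, other TLD or homoglyphs
                or edit_distance(brand, own_brand) <= 1  # one typo or transposition away
                or own_brand in brand):                  # brand padded out, e.g. paypal-secure
            return "lookalike", own
    return "unrelated", None
```

Run classify_sender over the From: domains in your mail logs against the list of domains you actually own; anything scored "lookalike" is worth a second look before an unusual request is actioned.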
Set up email authentication measures
If you have your own business domain which you use for emailing, setting up email authentication protocols on your domain may help to prevent email spoofing attacks. This is where a cyber criminal sends an email pretending it's from your email address, without ever having to hack your email account.
Email spoofing is like sending a letter and forging who it was written by. Anyone can write a return address on an envelope; it doesn’t mean that’s where it’s truly from.
Email spoofing occurs when someone forges the “From:” field of an email to say that it was sent from an email address other than their own.
If someone tries to spoof your email address, email authentication protocols will identify that those emails are not legitimate. These protocols help prevent spoofed emails from reaching their destination: such emails will normally go to the recipient’s spam folder or won’t be delivered at all.
Have a discussion with your service provider about adding Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) records to your domain name. If your DNS hosting is with a separate provider, you will need to contact them also.
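To show what weak and corrected records look like, here is an added example (not part of the ACSC guidance) that audits SPF and DMARC TXT records for the settings that leave a domain spoofable: an SPF record ending in +all, or a DMARC policy of p=none with no reporting address. The records are constructed sample strings rather than live DNS lookups, and the domain names in them are placeholders.

```python
import re
from typing import List

# Constructed sample TXT records for a hypothetical business domain (placeholders, not real DNS data).
WEAK_SPF = "v=spf1 include:_spf.mail-provider.example +all"
STRONG_SPF = "v=spf1 include:_spf.mail-provider.example ip4:203.0.113.10 -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@yourbusiness.example.au"

# Mechanisms and modifiers that each consume one of the ten DNS lookups SPF permits.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|redirect=|exists:|ptr\b|a\b|mx\b)")

def audit_spf(record: str) -> List[str]:
    """Return findings for an SPF TXT record; an empty list means nothing weak was found."""
    findings: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must begin with v=spf1"]
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result instead of failing")
    else:
        term = all_terms[-1]
        qualifier = term[0] if term[0] in "+-~?" else "+"   # a bare 'all' means '+all'
        if qualifier in "+?":                                # '-all' fails, '~all' softfails (fine with DMARC)
            findings.append(f"'{term}' lets any server on the internet send as this domain")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"at least {lookups} DNS lookups: receivers stop evaluating after 10 (permerror)")
    return findings

def audit_dmarc(record: str) -> List[str]:
    """Return findings for a DMARC TXT record; an empty list means nothing weak was found."""
    tags = {k.strip().lower(): v.strip() for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record: must begin with v=DMARC1"]
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' tag: receivers ignore the whole record")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered to recipients")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: the policy is applied to only that percentage of failing mail")
    if "rua" not in tags:
        findings.append("no 'rua' tag: no aggregate reports, so spoofing attempts go unnoticed")
    return findings
```

Paste the TXT records your provider publishes for yourdomain and _dmarc.yourdomain into audit_spf and audit_dmarc; DKIM is not checked here because its record is a public key rather than a policy.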
Protect your privacy
Cyber criminals can learn a lot about someone by doing a simple Google search. This information helps a cyber criminal appear more credible if they pretend to be you in an email.
Be careful posting information online that identifies:
Visit the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au for more information about how to manage your information online.
Implement policies and procedures
If a staff member receives an email from a customer, colleague, or supplier with an unusual or unexpected request, they should find out if the email is legitimate before acting on the request.
To ensure this, introduce policies and procedures to address security risks and help keep your business safe.
The best defence against email scams is training and awareness for your employees, including how to identify scams or phishing attempts.
Ensure your staff know to always be cautious of emails with the following:
Building up your defences protects your information, but it is also important to remain on the lookout for evolving cyber threats and trends, which could affect you at any time.
Stay up to date on cyber security threats and trends by becoming an ACSC partner.