Email Security for Small Businesses


For small businesses, securing email accounts is crucial for protecting sensitive information and maintaining client trust. Cyber threats are constantly evolving, and a compromised email can lead to data breaches, reputational damage, and financial loss. This guide offers practical tips for enhancing email security, helping small business owners safeguard their communications and maintain a secure digital environment. By taking proactive steps, you can reduce risks, protect your business’s reputation, and keep your email accounts secure and resilient.

Guidance Note: accounts mentioned in this document relate to Gmail, Apple and Outlook, however similar measures will be available for other email accounts you may use.

Some of the main concerns of small businesses who engage IDCARE are business email compromise and false invoicing fraud.

Business Email Compromise (BEC)

Business Email Compromise is a targeted cyberattack where a threat actor gains access to a company’s email account to impersonate employees, executives, or vendors. Threat actors often use this access to manipulate financial transactions, redirect payments, or steal sensitive information. Small businesses can be particularly vulnerable to BEC because they often have fewer security controls and no separate finance team to verify a change of bank details.

False Invoicing Fraud

False invoicing fraud occurs when a threat actor sends fake invoices that appear legitimate, tricking businesses or customers into making payments to fraudulent accounts. Cybercriminals may compromise vendor accounts or spoof their email addresses to closely resemble trusted suppliers.

Additionally, we see that a compromised email account carries many other risks which may allow an attacker the ability to:

Spread scam messaging or malware to your contacts;

Obtain password reset codes to other online accounts, such as social media, allowing for account takeover events;

Create fraudulent online accounts;

Aid in social engineering of call centre employees when seeking information from your financial services provider or other organisations (such as superannuation or telecommunications providers);

Automatically forward copies of every received email to an address they control, so the compromise continues even after you change your password.

The steps outlined in this document will help your business to mitigate these risks in relation to email account security.

IDCARE highly recommends you also check whether your business email address has appeared in any known data breaches by visiting haveibeenpwned.com, and change the password of every account that appears in a breach (and anywhere else that same password was reused).

Tips for Securing your Email

Forwarding Rules

Check your email forwarding settings regularly. Unauthorised changes could indicate a breach.

Gmail:

Please see Google’s guidance regarding email forwarding rules. In Gmail on the web, forwarding is under Settings > See all settings > Forwarding and POP/IMAP. Also review the Filters and Blocked Addresses tab, because a filter can forward or delete matching mail even when account-level forwarding is switched off. Note that you will likely need to log in via a web browser, as these settings are not available directly in the mobile app.

Outlook (incl @hotmail.com @live.com @outlook.com):

Please see Microsoft’s guidance regarding email forwarding rules. In Outlook on the web, check Settings > Mail > Forwarding, and also Settings > Mail > Rules, because a rule can forward, redirect or delete matching mail independently of the forwarding setting. Note that you will likely need to log in via a web browser, as forwarding rules are not available directly via the settings page of the mobile app.

iCloud (Apple Mail):

Please see Apple’s guidance regarding email forwarding rules. iCloud Mail on iCloud.com has both a forwarding option and a Rules tab in its mail settings; check both for entries you did not create.
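The manual checks above are the right starting point for most small businesses. For a Gmail account, the same review can be scripted, which is useful if you want to repeat it after an incident or across several mailboxes. The block below is an added example written for this fact sheet (it is not IDCARE’s code and not part of Google’s documentation). It works on the objects the Gmail API returns for auto-forwarding, registered forwarding addresses and filters, and flags anything that sends mail to an address you do not own or that hides mail matching words such as “password” or “reset”, which is the trick described later in this sheet where an intruder deletes the evidence of a password reset. The sample mailbox data and the list of sensitive terms are constructed for the demonstration; the addresses are not real.

```python
"""Audit a Gmail mailbox for forwarding and filter rules an attacker may have left behind.

Added example for this fact sheet, not IDCARE's code. It works on the objects the Gmail
API returns (field names below are the API's own):
  users().settings().getAutoForwarding(userId="me")
      -> {"enabled": bool, "emailAddress": str, "disposition": str}
  users().settings().forwardingAddresses().list(userId="me")
      -> {"forwardingAddresses": [{"forwardingEmail": str, "verificationStatus": str}]}
  users().settings().filters().list(userId="me")
      -> {"filter": [{"id": str, "criteria": {...}, "action": {"forward", "addLabelIds", "removeLabelIds"}}]}
The SAMPLE_* data is constructed for the demonstration; the addresses are not real.
"""
from __future__ import annotations

# Words that commonly appear in the mail an intruder hides (assumed list; extend it for your business).
SENSITIVE_TERMS = ("password", "reset", "verification code", "security alert", "new sign-in", "invoice")
HIDING_LABELS = {"TRASH", "SPAM"}


def audit_forwarding(auto_forwarding: dict, forwarding_addresses: list[dict], owned: set[str]) -> list[tuple[str, str]]:
    """Flag auto-forwarding and registered forwarding addresses that you do not own."""
    findings = []
    if auto_forwarding.get("enabled"):
        target = auto_forwarding.get("emailAddress", "").lower()
        if target not in owned:
            findings.append(("high", f"auto-forwarding is on, to {target} (disposition={auto_forwarding.get('disposition')})"))
    for entry in forwarding_addresses:
        target = entry.get("forwardingEmail", "").lower()
        if target not in owned:
            findings.append(("high", f"forwarding address {target} is registered ({entry.get('verificationStatus')})"))
    return findings


def audit_filters(filters: list[dict], owned: set[str]) -> list[tuple[str, str]]:
    """Flag filters that forward mail elsewhere, or that hide mail (skip inbox / trash / spam).
    Hiding filters whose criteria mention a sensitive term are 'high'; the rest are 'review'."""
    findings = []
    for flt in filters:
        fid = flt.get("id", "?")
        criteria = flt.get("criteria", {})
        action = flt.get("action", {})
        target = (action.get("forward") or "").lower()
        if target and target not in owned:
            findings.append(("high", f"filter {fid} forwards mail matching {criteria} to {target}"))
        removes = set(action.get("removeLabelIds", []))
        adds = set(action.get("addLabelIds", []))
        if "INBOX" in removes or adds & HIDING_LABELS:
            text = " ".join(str(v) for v in criteria.values()).lower()
            severity = "high" if any(term in text for term in SENSITIVE_TERMS) else "review"
            findings.append((severity, f"filter {fid} hides mail matching {criteria} (removes={sorted(removes)}, adds={sorted(adds)})"))
    return findings


def run_audit(auto_forwarding: dict, forwarding_addresses: list[dict], filters: list[dict], owned: set[str]) -> list[tuple[str, str]]:
    owned = {a.lower() for a in owned}
    return audit_forwarding(auto_forwarding, forwarding_addresses, owned) + audit_filters(filters, owned)


def fetch_settings(service):
    """Pull the three settings from a built Gmail API service object (needs the
    gmail.settings.basic scope). Not called below so the example runs offline."""
    settings = service.users().settings()
    return (
        settings.getAutoForwarding(userId="me").execute(),
        settings.forwardingAddresses().list(userId="me").execute().get("forwardingAddresses", []),
        settings.filters().list(userId="me").execute().get("filter", []),
    )


# Constructed sample: what a tampered mailbox might look like.
SAMPLE_AUTO_FORWARDING = {"enabled": True, "emailAddress": "mail-backup@example.net", "disposition": "archive"}
SAMPLE_FORWARDING_ADDRESSES = [{"forwardingEmail": "mail-backup@example.net", "verificationStatus": "accepted"}]
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "news@example.com"},
     "action": {"removeLabelIds": ["INBOX"], "addLabelIds": ["Label_7"]}},          # ordinary newsletter filter
    {"id": "f2", "criteria": {"query": 'subject:(password OR reset OR "verification code")'},
     "action": {"removeLabelIds": ["INBOX", "UNREAD"], "addLabelIds": ["TRASH"]}},   # hides reset emails
    {"id": "f3", "criteria": {"to": "accounts@example.com.au"},
     "action": {"forward": "mail-backup@example.net"}},                             # silent copy to attacker
]
OWNED_ADDRESSES = {"accounts@example.com.au"}

if __name__ == "__main__":
    for severity, message in run_audit(SAMPLE_AUTO_FORWARDING, SAMPLE_FORWARDING_ADDRESSES, SAMPLE_FILTERS, OWNED_ADDRESSES):
        print(f"[{severity}] {message}")
```

Run against the constructed sample it reports four “high” findings (the auto-forward, the registered forwarding address, the filter that trashes reset emails, and the filter that forwards finance mail) and one “review” entry for the harmless newsletter filter. Anything marked “high” that you did not set up yourself should be removed, and the password and signed-in devices dealt with as described under “What to check if your account has been accessed”.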

Multi-Factor Authentication (MFA)

MFA adds an extra layer of security, requiring a second factor beyond your password. Set this up to reduce unauthorised access risks. Where the provider offers it, an authenticator app or a physical security key is stronger than SMS codes, which can be intercepted if your phone number is ported to another SIM without your consent.

Gmail: Go to Security > 2-Step Verification and follow the setup steps to use SMS, an authenticator app, or a security key. Please also see Google’s guidance online.

Outlook:  Visit Security > Additional Security Options > Set Up MFA. Please also see Microsoft’s guidance online.

Apple Mail: Enable two-factor authentication through your Apple ID at appleid.apple.com under Security. Please also see Apple’s guidance online.


Password Resets

Ensure that your password is strong and unique (not reused on any other account), and change it immediately if you suspect your account has been compromised or the password appears in a known data breach.

Again, we recommend you visit haveibeenpwned.com to understand if your email address has been involved in any known online data breaches.

Gmail:  Access Security > Password to change your password. Please also see Google’s guidance online.

Outlook:  Go to Security > Password Security to update. Please also see Microsoft’s guidance online.

Apple Mail:  Update your Apple ID password at appleid.apple.com under Sign-In & Security. Please also see Apple’s guidance online.
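haveibeenpwned.com also publishes its Pwned Passwords list, which lets you test whether a password itself has appeared in a breach without ever sending the password to the site. The block below is an added example written for this fact sheet (not IDCARE’s code) showing how that “range” lookup works: only the first five characters of the password’s SHA-1 hash leave your machine, and the matching is done locally on the list that comes back. The sample response and its breach counts are constructed for the demonstration; the real service is at api.pwnedpasswords.com and returns several hundred lines per prefix.

```python
"""Check whether a password appears in Have I Been Pwned's Pwned Passwords corpus.

Added example for this fact sheet, not IDCARE's code. Uses the public k-anonymity range API:
only the first five hex characters of the password's SHA-1 hash are sent, and the response
lists every matching hash suffix with its breach count ("SUFFIX:COUNT" per line).
"""
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to HIBP, 35-char suffix kept local) of the upper-case SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, body: str) -> int:
    """Find our suffix in a range response; 0 means not seen (padding entries also carry 0)."""
    for line in body.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup (needs network). Add-Padding makes every response a similar size so an
    observer cannot infer anything from its length."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"User-Agent": "small-business-email-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str) -> int:
    """Number of times the password has been seen in breaches (0 = not found)."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch_range(prefix))


# Constructed sample response for prefix 5BAA6 (the SHA-1 of "password" starts 5BAA61E4...).
# Real responses contain several hundred lines; the counts here are illustrative only.
SAMPLE_RANGE_BODY = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2E7F11B3E3E6FF2A1C5E25F6E4A2C1D7A:0
"""

if __name__ == "__main__":
    pw = "password"
    prefix, suffix = split_hash(pw)
    print(f"prefix sent to HIBP: {prefix}; suffix kept local: {suffix[:8]}...")
    print("seen in breaches:", count_in_range(suffix, SAMPLE_RANGE_BODY), "times (sample data)")
    # For a live check against the real service: print(pwned_count(pw))
```

A non-zero count means the password is in circulation and should be changed everywhere it is used; a zero count is not proof of strength, so keep to long, unique passwords (a password manager makes this practical) and MFA as described above.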


Backup Emails

Keep your recovery email updated to help recover access to your account if you get locked out.

If you forget your password or find yourself unable to log in, a recovery email address lets you receive a one-time code that will help you regain access to your account. Because of this, the recovery address needs the same protection (a unique password and MFA) as the main account, and you should confirm that no recovery address or phone number has been added that you do not recognise: an attacker who can add their own recovery details can keep resetting your password.

Gmail:  Go to Security > Ways we can verify it’s you > Recovery Email. Please also see Google’s guidance online.

Outlook:  In Account Settings, set or update your backup email. Additionally, check the ACSC’s reference material for helpful information in relation to any Outlook, M365, Live, Hotmail & MSN security settings.

Apple Mail:  Update recovery information through your Apple ID settings. Please also see Apple’s guidance online.


Signed-In Devices

Regularly review devices signed into your email to spot suspicious activity.

Gmail:  Visit Security > Your Devices to view and remove unfamiliar devices. Please also see Google’s guidance online.

Outlook:  Check My Microsoft Account > Devices and remove any that you don’t recognise. Please also see Microsoft’s guidance online.

Apple Mail:  On appleid.apple.com, under Devices, review and manage all linked devices. Please also see Apple’s guidance online.


What to check if your account has been accessed

1. Recent Activity:

Gmail:  Visit Security > Recent Security Events to identify unusual logins. Please also see Google’s guidance online.

Outlook:  Check Security > Recent Activity for unfamiliar access points. Please also see Microsoft’s guidance online.

Apple Mail:  On appleid.apple.com, review the last login locations and devices.

2. Review Security Settings:

Ensure MFA is enabled, that recovery methods are correct (no unfamiliar recovery email addresses or phone numbers), and that there are no unauthorised forwarding rules, filters or rules.

If suspicious activity is detected, reset your password immediately, then sign out or remove any devices and sessions you do not recognise (changing the password alone does not always end a session that is already signed in), and notify your contacts of the potential breach.

3. Linked online accounts:

If you believe your email has been accessed, you should immediately review the online accounts associated with it. An attacker may have reset the password to one of these accounts and deleted any evidence of the password reset email sent to you, so an empty inbox is not reassurance; check the Trash and any filters or rules as well.

Be vigilant and be sure to check your social media, business website, online banking, government accounts (including ATO and myGov), superannuation, insurance and any other accounts you believe the email is associated with.

Changes made may be subtle (such as a change in contact details associated with your myGov) or overt (such as scam posts made to your social media accounts), or you may be locked out of these accounts altogether.

If you do believe any of the above has occurred, feel free to contact IDCARE for assistance.

Disclaimer

Identity Care Australia & New Zealand Ltd (IDCARE) provides identity and cyber security incident response services (the Services) in accordance with the following disclaimer of service:

  • IDCARE is Australia and New Zealand’s national identity and cyber incident community support service. IDCARE is a not-for-profit and registered Australian charity.
  • The Services provided do not constitute legal advice. IDCARE recommends that you consult your own legal counsel in relation to your legal rights and obligations, including but not limited to your legal rights or obligations under Australian and international privacy and data protection laws.
  • While every effort has been made to ensure the accuracy of the content provided, to the maximum extent permitted by law all conditions, terms, representations, and warranties (in each case, whether express or implied) in connection with the provision of the Services which might otherwise be binding upon IDCARE are excluded.
  • IDCARE’S liability for any loss or damage suffered by any person or organisation (including, without limitation, any direct, indirect or consequential loss or damage) arising out of or in connection with the Services (including without limited liability for any negligent act or omission, or statement, representation or misrepresentation of any officers, employees, agents, contractors or consultants of IDCARE) shall be limited to the fees paid by you to IDCARE in respect of the Services. For the avoidance of doubt, this limitation of liability extends to any liability arising from any actions performed or not performed as a result of any recommendations made in the course of providing the Services.
  • If you would like to provide feedback please use our Feedback Form.

CONTACT US

IDCARE is here to provide you with specialist support and guidance when faced with a cyber and identity related issue. Contact one of our Identity & Cyber Security Case Managers to learn more about our Support Services and how we can help you.

Get help
ONLINE FORM

Submit a web request

Call Centre Icon

Call our AUSTRALIAN
NATIONAL CASE MANAGEMENT CENTRE

1800 595 160

Mon - Fri: 8am - 5pm AEST

QLD: 07 3555 5900
ACT & NSW: 02 8999 3356
VIC: 03 7018 2366
NT, SA & WA: 08 7078 7741

Call Centre Icon

call our NEW ZEALAND
NATIONAL CASE MANAGEMENT CENTRE

0800 121 068

Mon - Fri: 10am - 7pm NZST

AKL: 09 884 4440