Email Is the Number One Attack Vector
More than 90 per cent of cyber attacks begin with an email. Phishing, business email compromise (BEC), and malware-laden attachments are the primary tools attackers use to breach Australian businesses. The ACSC reported a 25 per cent increase in BEC incidents in the past year, with losses averaging $64,000 per incident.
For SMEs, a single successful phishing attack can result in stolen credentials, ransomware deployment, fraudulent wire transfers, or data breaches that trigger mandatory reporting under the Notifiable Data Breaches scheme.
Understanding the Threats
Phishing
Phishing emails impersonate trusted entities (your bank, the ATO, Australia Post, or even a colleague) to trick recipients into clicking malicious links or entering credentials on fake websites. Modern phishing emails are sophisticated: they reuse legitimate branding, and the sender address looks right at a glance, either because the display name matches a real colleague or because the domain is a lookalike that differs by a character.
Business Email Compromise (BEC)
BEC is more targeted and more damaging. Attackers either compromise a legitimate email account or create a convincing lookalike domain. They then send emails requesting urgent payment, changes to bank details, or sensitive information. Because the email appears to come from a trusted source — a supplier, solicitor, or director — staff comply without questioning.
Common BEC scenarios include a supplier emailing new bank details for an outstanding invoice (the supplier’s email was compromised), a CEO requesting an urgent wire transfer while travelling, and a solicitor’s email directing a conveyancer to send settlement funds to an altered account.
Malware and Ransomware via Email
Malicious attachments, often disguised as invoices, delivery notifications, or job applications, deliver malware when opened. Macro-enabled Office documents and password-protected ZIP files have been common delivery mechanisms because they get past basic email scanning: a scanner cannot inspect the contents of an encrypted archive (the password is supplied in the email body), and a macro runs with the user's own privileges once enabled. Since Microsoft began blocking macros in Office files downloaded from the internet by default in 2022, attackers have shifted to ISO and LNK files, HTML smuggling and other containers, but the lures are unchanged, so train staff on the lure rather than the file type.
Technical Controls
Email Authentication: SPF, DKIM, and DMARC
These three protocols work together to stop attackers sending mail that claims to be from your domain. SPF (Sender Policy Framework) is a DNS TXT record listing the servers authorised to send mail for the domain; receivers check it against the envelope sender (the Return-Path), not the From: address the user sees. DKIM (DomainKeys Identified Mail) has the sending server sign each message with a private key whose public half is published in DNS, so receivers can verify that the message was signed by your domain and has not been altered in transit. DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties the two together: it requires that the domain passing SPF or DKIM aligns with the From: header domain, tells receivers what to do with mail that fails (p=none to monitor only, p=quarantine, or p=reject), and sends you aggregate reports showing who is sending mail as your domain. Start at p=none, read the reports until every legitimate sender (payroll, CRM, invoicing platforms) passes, then move to quarantine and finally reject.
Implementing all three makes it far harder for attackers to send mail as your exact domain to your clients or staff. It does not stop the lookalike-domain or compromised-supplier scenarios above, because those messages genuinely come from the domain they claim: a supplier's hijacked mailbox passes SPF, DKIM and DMARC. Verification procedures are still required.
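The records described above, with a small lint that flags the weak settings most often found when reviewing an SME tenant. This is an added example, not code from the original article or from any vendor; the domain, DKIM selector, address range and key are placeholders, and the records are constructed rather than looked up (the commented Resolve-DnsName line shows how to fetch the live values on Windows).

```powershell
# Added example (not from the original article). Records are constructed; the
# domain, selector, IP range and key are placeholders.
# Live lookup (Windows DnsClient module):
#   Resolve-DnsName -Name _dmarc.example.com.au -Type TXT | Select-Object -ExpandProperty Strings
$spf   = 'v=spf1 include:spf.protection.outlook.com ip4:203.0.113.0/24 -all'            # example.com.au TXT
$dkim  = 'v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...AQAB'         # selector1._domainkey.example.com.au (key truncated)
$dmarc = 'v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au; adkim=s; aspf=s; pct=100' # _dmarc.example.com.au
$weakSpf   = 'v=spf1 a mx include:spf.protection.outlook.com +all'                       # typical "just make it deliver" record
$weakDmarc = 'v=DMARC1; p=none'                                                          # monitoring only, nobody reads reports

function ConvertFrom-TagList {
    # "k=v; k=v" into a hashtable (DKIM and DMARC share this syntax)
    param([string]$Record)
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        if ($pair -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    return $tags
}

function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Record)
    $findings = [System.Collections.Generic.List[string]]::new()
    if ($Record -notmatch '^v=spf1(\s|$)') { $findings.Add('Not an SPF record'); return ,$findings }
    $terms = @($Record -split '\s+' | Select-Object -Skip 1)
    $all   = $terms | Where-Object { $_ -match '^[+\-~?]?all$' } | Select-Object -Last 1
    if (-not $all)                  { $findings.Add('No "all" term: unlisted senders get a neutral result') }
    elseif ($all -match '^\+?all$') { $findings.Add('"+all" authorises every host on the internet to send as you; use -all') }
    elseif ($all -eq '~all')        { $findings.Add('"~all" (softfail) only tags spoofed mail; move to -all once DMARC reports look clean') }
    elseif ($all -eq '?all')        { $findings.Add('"?all" is neutral and gives no protection') }
    # RFC 7208 allows at most 10 DNS-querying terms (include, a, mx, ptr, exists, redirect)
    $lookups = @($terms | Where-Object { $_ -match '^[+\-~?]?(include:|a$|a:|a/|mx$|mx:|mx/|ptr|exists:)|^redirect=' }).Count
    if ($lookups -gt 10) { $findings.Add("$lookups DNS-lookup terms exceed the limit of 10 (permerror)") }
    return ,$findings
}

function Test-DkimRecord {
    param([Parameter(Mandatory)][string]$Record)
    $findings = [System.Collections.Generic.List[string]]::new()
    $tags = ConvertFrom-TagList $Record
    if ($tags['v'] -and $tags['v'] -ne 'DKIM1') { $findings.Add("Unexpected version tag '$($tags['v'])'") }
    if (-not $tags['p'])       { $findings.Add('Empty p= tag means the key is revoked; signed mail will fail DKIM') }
    if ($tags['t'] -match 'y') { $findings.Add('t=y flags the key as testing; receivers treat failures as unsigned') }
    return ,$findings
}

function Test-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    $findings = [System.Collections.Generic.List[string]]::new()
    $tags = ConvertFrom-TagList $Record
    if ($tags['v'] -ne 'DMARC1') { $findings.Add('Missing v=DMARC1'); return ,$findings }
    $p = $tags['p']
    if ($p -eq 'none')                          { $findings.Add('p=none only monitors; spoofed mail is still delivered') }
    elseif ($p -notin @('quarantine','reject')) { $findings.Add('Missing or invalid p= (none, quarantine or reject)') }
    if (-not $tags['rua']) { $findings.Add('No rua= address: you will never see the aggregate reports that show who is spoofing you') }
    if ($tags['pct'] -and [int]$tags['pct'] -lt 100) { $findings.Add("pct=$($tags['pct']) applies the policy to only that share of failing mail") }
    if ($tags['sp'] -eq 'none' -and $p -ne 'none') { $findings.Add('sp=none leaves subdomains unprotected while the main domain is enforced') }
    return ,$findings
}

# Run the checks; the first three records come back clean, the weak ones do not
foreach ($entry in @(
        @{ Name = 'SPF';        Result = Test-SpfRecord   $spf },
        @{ Name = 'DKIM';       Result = Test-DkimRecord  $dkim },
        @{ Name = 'DMARC';      Result = Test-DmarcRecord $dmarc },
        @{ Name = 'weak SPF';   Result = Test-SpfRecord   $weakSpf },
        @{ Name = 'weak DMARC'; Result = Test-DmarcRecord $weakDmarc })) {
    $state = if ($entry.Result.Count -eq 0) { 'OK' } else { $entry.Result -join ' | ' }
    '{0,-10} {1}' -f $entry.Name, $state
}
```

The checks are deliberately conservative: they only look at the published records. Whether mail actually passes depends on alignment, which you can only confirm from the Authentication-Results header on a received message or from the DMARC aggregate reports, so keep an rua= address that someone reads.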
Advanced Threat Protection
Microsoft Defender for Office 365 (Plan 1 is included in Microsoft 365 Business Premium) and similar services provide Safe Links, which rewrites URLs and checks them at the time of click rather than only at delivery; Safe Attachments, which detonates suspicious files in a sandbox before delivery; anti-phishing policies that detect impersonation of named executives and of your own domains using mailbox-intelligence checks; and zero-hour auto purge (ZAP), which pulls a message back out of mailboxes when its verdict changes after delivery. These features are not all on by default: the policies have to be created and scoped to your users.
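The Exchange Online PowerShell equivalent of the settings described above, scoped to one domain, as an added example that is not from the original article or from Microsoft's documentation. The policy names, domain and protected users are placeholders; the parameter names are those of the ExchangeOnlineManagement module at the time of writing, so confirm them with Get-Help against your installed version, and run from an account holding the Security Administrator role.

```powershell
# Added example (not from the original article). Placeholders: domain, policy
# names, protected users and the admin account.
Connect-ExchangeOnline -UserPrincipalName admin@example.com.au
$domain = 'example.com.au'

# Safe Links: rewrite URLs and check them at click time, including mail between staff
New-SafeLinksPolicy -Name 'SafeLinks-AllStaff' `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -TrackClicks $true -AllowClickThrough $false
New-SafeLinksRule -Name 'SafeLinks-AllStaff' -SafeLinksPolicy 'SafeLinks-AllStaff' -RecipientDomainIs $domain

# Safe Attachments: detonate in a sandbox and block the message if the file misbehaves
New-SafeAttachmentPolicy -Name 'SafeAttachments-AllStaff' -Enable $true -Action Block
New-SafeAttachmentRule -Name 'SafeAttachments-AllStaff' -SafeAttachmentPolicy 'SafeAttachments-AllStaff' -RecipientDomainIs $domain

# Anti-phishing: impersonation protection for the people BEC actors pretend to be,
# mailbox intelligence for first-contact anomalies, and enforcement of senders' DMARC policies
New-AntiPhishPolicy -Name 'AntiPhish-AllStaff' -Enabled $true `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect 'Jane Director;jane.director@example.com.au','Sam Finance;sam.finance@example.com.au' `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine `
    -HonorDmarcPolicy $true -DmarcRejectAction Reject -DmarcQuarantineAction Quarantine `
    -PhishThresholdLevel 2 `
    -EnableFirstContactSafetyTips $true -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true -EnableUnusualCharactersSafetyTips $true
New-AntiPhishRule -Name 'AntiPhish-AllStaff' -AntiPhishPolicy 'AntiPhish-AllStaff' -RecipientDomainIs $domain

# Zero-hour auto purge: pull back malware, phish and spam delivered before the verdict changed
Set-MalwareFilterPolicy -Identity Default -ZapEnabled $true
Set-HostedContentFilterPolicy -Identity Default -PhishZapEnabled $true -SpamZapEnabled $true

# Confirm what was set
Get-SafeLinksPolicy 'SafeLinks-AllStaff' | Format-List ScanUrls, DeliverMessageAfterScan, AllowClickThrough
Get-AntiPhishPolicy 'AntiPhish-AllStaff' | Format-List TargetedUsersToProtect, PhishThresholdLevel, HonorDmarcPolicy
```

Quarantine rather than delete, so a false positive on a genuine supplier invoice can be released by an administrator instead of silently disappearing. MFA is enforced separately through Conditional Access and is not shown here.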
Multi-Factor Authentication on Email
If an attacker obtains a staff member's email password through phishing, MFA stops them from using the password on its own. This single control defeats most account compromise attempts, so every email account in your organisation should have MFA enforced (through Conditional Access in Microsoft 365), with no exceptions for shared or service mailboxes. Know its limits, though: push-notification fatigue and adversary-in-the-middle phishing kits that relay the one-time code in real time can get past weaker MFA, so use number matching at minimum and prefer phishing-resistant methods such as FIDO2 security keys or passkeys for administrators and finance staff.
Human Controls
Technical controls catch most threats, but some will get through. Staff awareness is your last line of defence.
Security awareness training: Regular training — not a one-off session during onboarding — keeps email threats front of mind. Simulated phishing exercises help staff recognise suspicious emails in a safe environment.
Verification procedures: Establish a policy that any request to change payment details, transfer funds, or share sensitive information must be verified via a phone call to a known number — not a number provided in the email. This simple step prevents the majority of BEC losses.
Reporting culture: Make it easy and consequence-free for staff to report suspicious emails. A culture of “better safe than sorry” is far more effective than one where staff fear being blamed for clicking a link.
Industry-Specific Risks
Law Firms
Legal practices are high-value BEC targets because they regularly handle large financial transactions. Conveyancing fraud — where settlement instructions are intercepted and bank details altered — has cost Australian law firms millions. Implement verification procedures for every financial instruction received via email.
Construction and Trades
Invoice fraud targets the construction supply chain. An attacker compromises a supplier’s email and sends invoices with altered bank details. With large volumes of supplier invoices, accounts staff may not notice the change. Require verbal confirmation for any changes to supplier banking details.
What to Do If You Are Compromised
If a staff member's email is compromised, act immediately and in this order. Reset the password and revoke all active sessions and refresh tokens, because the attacker may be holding a valid token rather than the password. Enable MFA if it is not already enforced, and check the account's registered MFA methods and recently consented applications: attackers frequently add their own authenticator so they can return later. Review Sent Items, Deleted Items and inbox rules for forwarding, redirection or auto-delete rules and auto-replies the attacker may have created, and check mailbox-level forwarding, which is set outside the rules. Pull the sign-in and audit logs to establish when access started and what was read or sent. Notify affected clients and contacts, particularly anyone who received payment instructions from the account. Report to the ACSC via ReportCyber. Assess whether the breach triggers mandatory notification under the Privacy Act's Notifiable Data Breaches scheme.
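The containment and persistence-hunting steps above as Microsoft 365 admin commands, as an added example that is not from the original article. The compromised user's UPN and the admin account are placeholders; the cmdlets are from the Microsoft Graph PowerShell SDK and the ExchangeOnlineManagement module. Conditional Access, the client notifications and the ACSC report are done outside PowerShell and are not shown.

```powershell
# Added example (not from the original article). Placeholders: $upn and the
# admin account. Requires the Microsoft.Graph and ExchangeOnlineManagement modules.
$upn   = 'staff.member@example.com.au'     # the compromised account
$since = (Get-Date).AddDays(-30)           # how far back to look

# --- Contain: new password, then kill every existing session and refresh token ---
Connect-MgGraph -Scopes 'User.ReadWrite.All','Directory.AccessAsUser.All','UserAuthenticationMethod.Read.All','Directory.Read.All'
$newPassword = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 20 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $upn -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $true }
# Refresh tokens die immediately; already-issued access tokens expire within the hour
Revoke-MgUserSignInSession -UserId $upn

# --- Hunt: identity persistence (attacker-registered MFA methods, consented apps) ---
Get-MgUserAuthenticationMethod -UserId $upn |
    Select-Object Id, @{ n = 'Type'; e = { $_.AdditionalProperties['@odata.type'] } }
Get-MgUserOauth2PermissionGrant -UserId $upn | Select-Object ClientId, Scope, ConsentType

# --- Hunt: mailbox persistence ---
Connect-ExchangeOnline -UserPrincipalName admin@example.com.au
# Rules that forward, redirect, delete, or bury mail in a folder nobody opens
Get-InboxRule -Mailbox $upn | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage -or
    "$($_.MoveToFolder)" -match 'RSS|Archive|Conversation History'
} | Format-Table Name, Enabled, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder
# Mailbox-level forwarding is set outside the rules engine, so check it separately
Get-Mailbox -Identity $upn | Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Get-MailboxAutoReplyConfiguration -Identity $upn | Format-List AutoReplyState, InternalMessage, ExternalMessage
# Sent Items and Deleted Items: review in Outlook or via a Purview content search for
# mail the user did not send; attackers commonly delete their own traffic.

# Remove what you found, after recording it for the incident report
Get-InboxRule -Mailbox $upn |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
    Remove-InboxRule -Confirm:$false
Set-Mailbox -Identity $upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# --- Scope: who signed in from where, and when the rules changed ---
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) -UserIds $upn -ResultSize 5000 `
    -Operations UserLoggedIn,New-InboxRule,Set-InboxRule,UpdateInboxRules,Set-Mailbox,Set-MailboxAutoReplyConfiguration |
    Select-Object CreationDate, Operations, ClientIP | Sort-Object CreationDate | Format-Table
```

Run the hunting commands before the removal commands and keep the output: the rule names, forwarding addresses and sign-in IP addresses are what the ACSC report and any Notifiable Data Breaches assessment will ask for.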
Speed matters. The longer an attacker has access, the more damage they can do. Contact TechAssist to review your email security posture.