Key points
- An email scam can take many forms, but it usually occurs when a scammer contacts you through email with a malicious link or request.
- Being locked out of your email account and having a full ‘sent’ folder with messages you didn’t send are just two of the signs of an email scam.
- Some measures you can take to help protect your inbox include changing your passwords regularly, turning on the spam filter, and verifying the information or request in an email before doing anything.
Many of us use email to connect with loved ones, share important information with colleagues, and access our bank accounts. That’s a lot of personal information linked together through just an email address.
This is why it’s so important to be vigilant about email security, know how to send secure emails and report scam emails when you inevitably encounter them.
What is email security?
Email security refers to using tools and security practices to help protect your email accounts and communications from unauthorised access by cybercriminals. This includes using anti-virus software and spam filters, as well as solid password practices or email encryption to add additional layers of protection to your inbox.
Good email security can help protect your private communications and personal information from being used without your permission.
Why is email security important?
Imagine giving someone you don’t trust the keys to your home, car or workplace. You wouldn’t do it, right? For most of us, our email is a gateway into our most important accounts and sensitive data. So when email security is insufficient, we open the virtual doors for cybercriminals to get into our email to steal our data or lock us out of our accounts.
If that’s not enough to convince you, according to Scamwatch, Australians lost $77 million to email scams last year alone.1 And it’s not just your security that is at risk – once a cybercriminal has control of your email, they can contact friends and family with malicious links or compromise the security of an entire company.
Just one malicious email can compromise an organisation's entire online network. According to Check Point,2 a global leader in cyber security solutions, this access can lead to:
- Credential theft – via a phishing email designed to steal a person’s username and password.
- Fraudulent payments – when a business email compromise (BEC) scam redirects payment to the cybercriminal.
- Trojan installation, which is where malicious emails contain a ‘Trojan’ file designed to get a foothold on your computer, where it can do further harm by downloading malware or ransomware.
- Ransomware delivery via phishing emails can compromise your computer’s files and operating system.
What is an email scam?
An email scam can take many forms, but it most often involves a scammer contacting you through your email with a deceptive link or request. Scammers might be looking for access to your email account to use your email to scam others with malicious links sent from you, or they may be looking to steal your personal information or log in to other services like your online banking.
Email scams are used by cybercriminals in a variety of ways – to gain access to your private data, infiltrate company networks, access accounts associated with your email, or for identity theft. When this happens to a business, it’s called a business email compromise (BEC) scam. In this scenario, a cybercriminal might impersonate a known service provider or an executive instructing you to transfer funds or reveal sensitive data.
But it’s not just businesses that should monitor their email. Your personal email can also be a hotbed for criminal activity. For example, you might receive an email from a cybercriminal pretending to be a trusted organisation, like the government. In the email, they might encourage you to click on a specific link, so they can try and steal your personal information to use for their own gain.
If you think your email might have been compromised, the Australian Signals Directorate (ASD)3 suggests you watch out for these signs:
- You cannot access your email as the password is incorrect.
- Your sent folder contains emails you didn’t write.
- You receive notifications to reset your passwords.
- You notice emails are deleted or moved to different folders.
5 tips to help protect your inbox
While not everyone wants to be, or can be, an ‘inbox zero’ person, an overloaded and ignored inbox can make email scams harder to detect. For example, if your inbox has hundreds of ‘unread’ emails, you might receive a scam email that says, ‘Your inbox is full’. If you see this email, you might believe it and click a malicious link within the email. Or you may not see the notifications or signs that someone is trying to access your other accounts because your inbox is so full.
It is best to keep an eye on your bank statements, review your email activity, and clean your inbox regularly to keep on top of security alerts and other activity before it goes too far. In addition, you can protect your inbox through:
1. Regular email security checks
Performing these regular checks might help to ensure your email security stays tight:
- Change your passwords frequently, ensuring they differ from those you use for other accounts.
- Log out of all ‘ongoing sessions’ across different devices regularly. This way, you don’t risk someone accessing your account through a public device you may have used to log in to your email.
- Check that multi-factor authentication (MFA) is active on all accounts. Always keep account recovery details up to date with your current phone number and a secure, alternative email account.
2. Learn about tactics used by cybercriminals
Knowledge is power, right? When it comes to cybercrime, the more you know, the safer your data could be. Read up on the tactics cybercriminals can use to gain your trust on the ASD website.
3. Verify before you act
When you receive an email from someone you know asking you to transfer funds, reveal sensitive info, or click on a link, pause and contact the sender using your phone or another messaging service to ensure the instructions have come from them.
4. Make a PACT to secure your virtual valuables
Make a PACT to be as security-conscious online as you are in real life. This approach to personal cyber security reminds you to:
- Pause before acting.
- Activate multiple levels of security.
- Call out suspicious messages.
- Turn on automatic software updates.
5. Turn on the spam filter
Most email servers have a spam filter that you can activate through ‘settings’. These filters help identify unwanted marketing emails and potentially malicious emails from cybercriminals.
What do I do if my email is compromised?
If you suspect your email account has been hacked, you can take the below steps to minimise the damage.
- If your password is no longer valid, you can select the ‘forgot password’ button and use your recovery email address to log in and change it to a new, more secure password. If you don’t have a recovery email set up, you will need to contact your email provider’s support channels to start a manual recovery process – this usually involves answering questions like previous passwords or using a trusted device to reset your account.
- Change your password (or use a passphrase) and ensure multifactor authentication is enabled on your account. It’s a good idea to also change passwords on other accounts connected with that email and look out for suspicious activity on those accounts.
- Review and reset the approved devices connected to your account so that the cybercriminal will be forced to log out and will no longer have access once you change the password.
- If you can get back into your email account, review the settings, password, and recovery account info. Make sure the cybercriminal has not changed these details so they can regain control of your account.
Security tip: You can check if your email has been compromised by a data leak on https://haveibeenpwned.com.
What can you do if you think you’ve been scammed?
- If you’ve shared financial information or transferred money, contact your bank immediately. If you’re an ANZ customer, contact us immediately to report the fraud.
- If you shared credit card details, ‘block’ or cancel those cards immediately. If your cards are with ANZ, you can report the stolen card through the ANZ app or by calling us.
How to report scam emails
- Help others by reporting to Scamwatch or to the Australian Signals Directorate’s Australian Cyber Security Centre’s ReportCyber.
- For phishing or identity theft associated with government accounts such as Centrelink, Medicare, or Child Support, contact the Services Australia scams and identity helpdesk on 1800 941 126 or visit their website.
- You can also contact IDCare, a not-for-profit organisation providing support to those experiencing identity and cyber security concerns.
- Contact your bank immediately if you have shared personal or financial information.
- If you’re an ANZ customer, you can report fraud or suspicious activity in multiple ways, such as through the ANZ app or by calling us.