Email is where most cyberattacks start. We’ve helped businesses recover from breaches that began with a single phishing email. Someone clicks a link, enters their password, and suddenly attackers have access to everything.
The scary part? These attacks are getting more sophisticated. The days of obvious “Nigerian prince” emails are mostly over. Now attackers send emails that look like they’re from your bank, your supplier, even your boss. They’re convincing, and they work.
But you can protect yourself. It’s not complicated and doesn’t require expensive software. It’s mostly about being aware, being cautious, and having the right tools in place.
Learning to Spot Phishing
Phishing emails are designed to trick you into clicking a link, opening an attachment, or giving up information. The best defence is learning to recognise them.
Look for urgency, like “Your account will be closed in 24 hours!” or “Click here immediately!” or “Urgent action required!” because legitimate businesses rarely need immediate action via email. If something’s truly urgent, they’ll call you.
Check the sender address carefully, not just the name but the actual email address, because attackers often use addresses that look similar to real ones, like “support@micr0soft.com” instead of “support@microsoft.com” (notice the zero instead of the letter O). Look closely, because the differences are subtle.
Be suspicious of requests for sensitive information, because your bank isn’t going to email you asking for your password, and your IT department isn’t going to email you asking for your login details. If someone’s asking for passwords, account numbers, or other sensitive info via email, it’s probably a scam.
Poor grammar and spelling can be a red flag, though modern phishing emails are often well-written, so don’t rely on this alone. But if an email from a supposedly professional organisation is full of errors, be suspicious.
Unexpected attachments are dangerous, so if you weren’t expecting a file, don’t open it. Even if it’s from someone you know, their email account might be compromised. When in doubt, send the person a separate email (don’t reply to the suspicious one) and ask, “Did you send me this file?”
Using Email Filtering Properly
Your email service should be filtering out most of the bad stuff before it reaches you. Business email services like Microsoft 365 include spam filtering, malware scanning, and phishing detection.
But these filters aren’t perfect. They catch maybe 95-99% of threats, but some still get through. That’s why you need to be aware even with filtering in place.
Make sure filtering is actually enabled. Log into your email admin panel and check the security settings. Spam filtering should be on, malware scanning should be on, link scanning should be on. These are usually enabled by default, but it’s worth checking.
You can also adjust the sensitivity. If you’re getting too much spam in your inbox, increase the filtering. If legitimate emails are going to spam, decrease it slightly. It’s a balance that you might need to adjust over time.
Some email services let you create custom rules. For example, you might block emails from certain domains, or automatically flag emails with certain keywords. This can help catch threats that slip through the standard filters.
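As an added example (not code from this page or from any email provider), here is what a small custom rule set like the one just described looks like when written out: a sender-domain block list, an urgency-keyword flag, and a display-name check that catches a trusted brand name sitting on an unrelated address, all run over two constructed sample messages with Python’s standard email parser. The domains, phrases, brand list and messages are assumptions made up for the example.

```python
"""Small rule set for email triage, written as an added example of the custom
filter rules described above (not the page's or any provider's code).
The block list, the urgency phrases, the trusted brands and the two sample
messages are constructed assumptions."""
import email
from email import policy
from email.utils import parseaddr

# Assumed block list: mail from these sender domains is rejected outright.
BLOCKED_DOMAINS = {"promo-deals.example", "free-gift.example"}

# Assumed keyword rule: urgency language typical of phishing lures.
URGENCY_PHRASES = (
    "urgent action required",
    "account will be closed",
    "click here immediately",
    "verify your account",
)

# Assumed brands whose display names are often spoofed, mapped to their real domain.
TRUSTED_BRANDS = {"microsoft": "microsoft.com", "ourcompany": "ourcompany.example"}


def sender_parts(msg):
    """Return (display_name, domain) from the From: header; domain lower-cased."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip(), domain


def evaluate(raw_bytes):
    """Apply the three rules to one raw message and return the findings.
    An empty list means nothing fired."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    name, domain = sender_parts(msg)

    # Rule 1: block listed sender domains.
    if domain in BLOCKED_DOMAINS:
        findings.append(f"blocked-domain:{domain}")

    # Rule 2: flag urgency phrases in the subject or the text body.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            findings.append(f"urgency:{phrase}")

    # Rule 3: display name claims a trusted brand but the address lives elsewhere.
    for brand, real_domain in TRUSTED_BRANDS.items():
        if brand in name.lower() and domain != real_domain and not domain.endswith("." + real_domain):
            findings.append(f"display-name-mismatch:{name}->{domain}")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = b"""From: Microsoft Support <support@free-gift.example>
To: alice@ourcompany.example
Subject: Urgent action required: account will be closed

Click here immediately to verify your account.
"""

SAMPLE_LEGIT = b"""From: Bob <bob@ourcompany.example>
To: alice@ourcompany.example
Subject: Lunch on Thursday?

Does 12:30 work for you?
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, evaluate(raw))
```

Rules like these are deliberately blunt: a keyword rule will occasionally flag a genuine “your account will be closed” notice from a supplier, which is the same sensitivity trade-off described for the built-in filter. Flagging into a quarantine folder rather than deleting keeps that cost low.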
Multi-Factor Authentication: Essential for Email
If someone gets your email password, they can read your emails, send emails as you, and potentially access other accounts (since password resets often go to email). Multi-factor authentication stops this.
Even if an attacker gets your password, they can’t log in without your phone. It’s that simple. Enable MFA on your email account. It takes two minutes and dramatically improves your security.
Most email services support MFA. Microsoft 365 calls it “multi-factor authentication.” Enable it and make sure everyone in your business does too.
Being Smart About Attachments
Attachments are how malware gets onto your computer. A malicious file attached to an email can infect your system when you open it. Be very careful with attachments.
Never open attachments from people you don’t know. Just don’t. Delete the email and move on.
Even from people you know, be cautious. If the email seems out of character (maybe your normally formal colleague is suddenly very casual, or they’re asking you to do something unusual), be suspicious. Their email account might be compromised.
If you weren’t expecting an attachment, don’t open it. Ask first. Send a separate email or call them and confirm they actually sent it.
Watch out for dangerous file types. Executable files (.exe, .scr, .bat) should never be opened from email. Office documents can contain macros that run malicious code, so be cautious, especially if your email client warns you about macros.
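Added example (not this page’s or any product’s code) of the kind of pre-check a mail gateway or a cautious user can run on an attachment before opening it: the executable extensions named above plus a few common relatives, a disguised double extension such as invoice.pdf.exe, a Windows executable header hiding under a document extension, and a macro-enabled Office document, detected by looking for the vbaProject.bin part inside the OOXML zip container. The extension lists and the in-memory sample files are constructed for the example.

```python
"""Attachment pre-check for the file-type advice above: flags executable
extensions, double extensions, an MZ header under a document extension, and
Office documents that carry a VBA macro project. Added example, not the
page's code; the extension lists and sample files are constructed assumptions."""
import io
import zipfile

# Executable types that should never be opened from email (the page's .exe, .scr,
# .bat plus a few relatives; an assumed list, not a complete one).
EXECUTABLE_EXT = {"exe", "scr", "bat", "cmd", "com", "pif", "js", "vbs", "ps1", "hta", "msi"}
# Zip-based Office formats (OOXML) that can carry a macro project.
OFFICE_OOXML_EXT = {"docx", "docm", "xlsx", "xlsm", "pptx", "pptm", "dotm", "xltm"}


def extension_findings(filename):
    """Findings from the name alone: executable type, or a disguised double
    extension such as invoice.pdf.exe."""
    parts = filename.lower().rsplit(".", 2)
    findings = []
    if len(parts) >= 2 and parts[-1] in EXECUTABLE_EXT:
        findings.append(f"executable:{parts[-1]}")
    if len(parts) == 3 and parts[-1] in EXECUTABLE_EXT:
        findings.append(f"double-extension:.{parts[-2]}.{parts[-1]}")
    return findings


def has_vba_project(data):
    """True if a zip-based Office file contains a VBA macro project.
    Macro-enabled files store it as word/vbaProject.bin, xl/vbaProject.bin, etc."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_attachment(filename, data):
    """Combine the name-based and content-based checks into one list of findings."""
    findings = extension_findings(filename)
    ext = filename.lower().rsplit(".", 1)[-1]
    if ext in OFFICE_OOXML_EXT and has_vba_project(data):
        findings.append("office-macro")
    # Content/extension mismatch: a Windows PE header under a non-executable name.
    if data.startswith(b"MZ") and ext not in EXECUTABLE_EXT:
        findings.append("mz-header-under-" + ext)
    return findings


def make_docx(with_macro):
    """Build a minimal zip that mimics a Word document (constructed sample,
    not a real .docx produced by Word)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-macro-blob")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.pdf.exe", b"MZ\x90\x00"),
        ("report.docm", make_docx(True)),
        ("report.docx", make_docx(False)),
        ("statement.pdf", b"MZ\x90\x00"),
    ]
    for name, blob in samples:
        print(name, inspect_attachment(name, blob))
```

The macro check only tells you a macro project is present, not whether it is malicious; that is still the signal to stop and verify with the sender, exactly as the text advises, because a legitimate macro-enabled spreadsheet from a known colleague and a lure look identical at this level.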
When in doubt, scan it first. Most antivirus software can scan email attachments. Or upload it to VirusTotal (a free service that scans files with multiple antivirus engines) before opening it.
Verifying Suspicious Requests
One common attack is the “CEO fraud” or “business email compromise.” An attacker sends an email that looks like it’s from your boss, asking you to transfer money or share sensitive information. These can be very convincing.
If you get an email requesting something unusual, especially involving money or sensitive data, verify it through a different channel. Don’t reply to the email. Instead, call the person, or send a new email to their known address. Ask “did you just email me asking for X?”
Check the sender’s email address very carefully. Attackers often use addresses that look almost identical to real ones. Look for subtle differences: a letter replaced with a number, a different domain, extra characters.
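Added example, not this page’s code, serving both this paragraph and the earlier “micr0soft.com” one: a lookalike-domain check that folds the confusable substitutions mentioned (a zero for the letter O, “rn” for “m”), and also catches the same name on a different top-level domain, extra characters, and a trusted domain buried as a subdomain of an unrelated one. The trusted-domain list and the confusable table are constructed assumptions; a production check would use a fuller confusables table and the public suffix list instead of the two-label rule used here.

```python
"""Lookalike-domain check for the sender-address advice above. Added example,
not the page's code. TRUSTED_DOMAINS and CONFUSABLES are constructed
assumptions; the two-label 'registrable domain' rule is a simplification."""
from difflib import SequenceMatcher

# Assumed list of domains the business legitimately corresponds with.
TRUSTED_DOMAINS = ("microsoft.com", "example-bank.com", "ourcompany.example")

# Common visual substitutions seen in lookalike registrations (constructed subset).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(label):
    """Fold confusable characters so 'micr0soft' and 'microsoft' compare equal."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def registrable(domain):
    """Keep the last two labels: 'mail.microsoft.com' -> 'microsoft.com'.
    Fine for .com-style names, wrong for co.uk-style suffixes (assumed simplification)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def classify_sender_domain(domain, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown'."""
    reg = registrable(domain)
    if reg in trusted:
        return "trusted"
    name = normalise(reg.rsplit(".", 1)[0])
    for good in trusted:
        good_name = normalise(good.rsplit(".", 1)[0])
        if (
            name == good_name                                        # micr0soft.com, microsoft.co
            or good_name in name                                     # microsoft-support.com
            or SequenceMatcher(None, name, good_name).ratio() >= threshold  # microsoftt.com
            or ("." + domain.lower()).find("." + good + ".") >= 0    # microsoft.com.evil.example
        ):
            return f"lookalike:{good}"
    return "unknown"


if __name__ == "__main__":
    for d in ("support.microsoft.com", "micr0soft.com", "rnicrosoft.com",
              "microsoft.co", "microsoft.com.evil.example", "evil.example"):
        print(f"{d:32} {classify_sender_domain(d)}")
```

A result of “lookalike” is the cue to stop and verify through another channel, as the text says; “unknown” simply means the domain is neither on the trusted list nor close to one and deserves ordinary caution.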
Look for inconsistencies. Does the email signature match what they usually use? Is the writing style different? Are they asking you to do something they’ve never asked before? Trust your instincts. If something feels off, it probably is.
When in doubt, don’t comply. It’s better to ask and be wrong than to fall for a scam. If it’s legitimate, they’ll understand your caution. If it’s a scam, you’ve just saved yourself (and your business) from a major problem.
Keeping Everything Updated
Your email client (Outlook, Apple Mail, whatever you use) needs to be kept updated. So does your operating system and any email-related software. Updates often include security patches that fix vulnerabilities attackers can exploit.
Enable automatic updates if possible. If you need to update manually, do it regularly. Don’t put it off. Those updates are protecting you.
Training Your Team
Email security isn’t just about you; it’s about your whole team. One person clicking a malicious link can compromise your entire network.
Regular training helps. But make it practical, not scary. Show real examples of phishing emails. Explain what to look for. Make it a conversation, not a lecture.
Consider running phishing simulations. Send your team fake phishing emails and see who clicks. Don’t use this to shame people. Use it as a teaching moment. “Hey, you clicked this one. Here’s what gave it away, and here’s what to look for next time.”
Create a culture where people feel comfortable reporting suspicious emails. Make it easy. Maybe a “Report Phishing” button in email, or a simple process for forwarding suspicious emails to IT. The faster people report threats, the faster you can respond.
Putting It All Together
Email security isn’t one thing; it’s a combination of technology (filtering, MFA) and awareness (recognising threats, being cautious). You need both.
Start with the basics: enable MFA, make sure filtering is on, and train your team to be suspicious. That alone will protect you from most email threats.
If you want help setting up email security, or if you’re not sure your current setup is adequate, get in touch. We’ve helped businesses improve their email security and can help you too.
