Email Security Introduction

When it comes to cybersecurity, prevention is far, far better (and cheaper) than cure. Learn about safe email and Internet practices, and apply what you learn.

TIP: One of the best protections for your business is to train staff and principals about cybersecurity, and do regular refresher training.

The Australian Cyber Security Centre has very good materials on online safety for businesses of all sizes, online learners and home Internet users. You can also subscribe to their Stay Smart Online emails, which alert you to new and growing threats.

Email encryption

Set up SSL/TLS

Like your website, your emails can be protected in transit from hackers and snoops via secure encryption. The technology commonly in use is TLS encryption (also referred to as SSL - which is actually the older version of this technology - or SSL/TLS).

TLS encloses the email in an encrypted 'outer layer'. It's something like your email travelling inside a safe, with impregnable walls and a complex combination lock. Using current technology, it could take longer than a human lifetime to break in. (When quantum computing arrives, security geeks will have to up the ante; but that's not yet.)

SuttonNet supplies the right configuration instructions to use SSL/TLS encryption for your emails. Apply these settings carefully in the Account Settings area of your mail software, on each device (phone, computer) that you use for email.

Don't rely on SSL/TLS alone
  • There are sections of the email journey which neither you nor your mail host has control over.
    1. For your outgoing mail, this is from the addressee's mail server to their own device.
    2. Your incoming mail could come from an email address that doesn't use SSL/TLS. It is unencrypted and vulnerable for much of its Internet journey.
  • You have no control over security of your email recipients' mail servers, which contain copies of your emails.
  • Cybercrooks can set up TLS encryption just like you can. An email which is encrypted by SSL/TLS could contain some very unsafe content.
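
To see which legs of an incoming email's journey were recorded as encrypted, you can read its Received headers. The following is an added example, not SuttonNet's own code: the sample message, host names and function names are constructed for illustration, and the TLS test relies on the "with" keywords registered by RFC 3848.

```python
import email
import re
from email import policy

# Constructed sample: hosts, IDs and addresses are made up for this example.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby mailstore.recipient.example with ESMTPS id abc123;
\tTue, 27 Sep 2022 10:00:05 +1000
Received: from relay.sender.example (relay.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id def456;
\tTue, 27 Sep 2022 10:00:03 +1000
Received: from laptop.sender.example ([192.0.2.44])
\tby relay.sender.example with ESMTPSA id ghi789;
\tTue, 27 Sep 2022 10:00:01 +1000
From: alice@sender.example
To: bob@recipient.example
Subject: Quote

Hello
"""

# "with" keywords whose S suffix means the receiving server saw a TLS session.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

def audit_hops(raw_message):
    """Return one dict per Received header, oldest hop first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    # Each server prepends its header, so reverse to follow the journey in order.
    for header in reversed(msg.get_all("Received", [])):
        text = " ".join(str(header).split())  # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", text)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", text)
        name = proto.group(1).upper() if proto else "UNKNOWN"
        hops.append({"by": by.group(1) if by else "?",
                     "protocol": name, "tls": name in TLS_PROTOCOLS})
    return hops

def unencrypted_hops(raw_message):
    """Names of the servers that accepted the message without recording TLS."""
    return [h["by"] for h in audit_hops(raw_message) if not h["tls"]]

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        status = "TLS" if hop["tls"] else "no TLS recorded"
        print(f'{hop["by"]:30} {hop["protocol"]:8} {status}')
```

Only the headers added by your own mail host are trustworthy; earlier ones are written by servers you do not control and can be forged by the sender.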

Other mail protocols & software can address these gaps or add other protection. They have benefits & some downsides, and may cost you (although probably not as much as a cybersecurity breach would). Find out more about securing your email.

Spam, phishing and all that

What's what

Email spoof: You've been spoofed when someone else sends out email as if it's 'from' your email address. You can guarantee the emails will be criminal, crooked &/or embarrassing.

Compromised password: A worse case is when someone obtains your email password and really does send their spam out using your mail account. They could read your incoming mail too.

Spam: Spam is email that you didn't invite into your mailbox. It is often sent out to many, equally reluctant addressees. It often appears to be selling (or giving away) stuff. Its real intent is usually:

  • to rob, rip off, deceive, annoy, frighten or distress recipients; or
  • to install malware on their computers/phones.

Sending spam is illegal in Australia and many other places in the world.

In Australia it's illegal to send ANY 'unsolicited' business email, spammy or not. You can only send a marketing email to someone if:

  • they have invited you to do so, by showing an interest in your wares and providing their email address; and
  • they have not asked you to 'unsubscribe' them from your mailing list.

Phishing: the email version of an old-time con. The sender presents himself/herself as a legitimate contact, often from a well-known business, charity or government entity. The email asks the recipient to click on a link which goes, not to the real Woolworths, PayPal or ATO site, but to the phisher's website. The website's domain name &/or appearance might be very like the genuine site. There the hapless victim is fleeced of personal ID or credit card details, or enticed to download malware.

The email's 'from' address may be spoofed. The website may have a lookalike domain name (such as A sophisticated phishing webpage will be styled to look like the genuine one: e.g. a fake PayPal login page.

Add to that Vishing & Callback Phishing - the phone ('voice') version of phishing - and Smishing - which has nothing to do with kisses, but a lot to do with SMS.

Keeping safe

If you suspect that your password has been stolen or guessed: the only cure is a new password.

  • get onto your Axmail webmail link and change the email password there, if you can
  • or contact us asap to change the password.

Your computer's or phone's anti-spam and anti-virus/anti-malware programs help guard against spam and phishing emails, if you keep them up to date. Spammers constantly invent ways to get their emails through anti-spam filters. Security software vendors constantly update their products, to outwit the spammers.

The DMARC protocol helps confirm that the emails you send are genuinely from your hand; and it helps mail servers to reject emails apparently 'from' you that really originated from some other, nefarious source. Not all mail servers use it yet. All our email hosting clients are being changed over to DMARC protection at time of writing.
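
How a receiving mail server applies a domain's DMARC record, as an added example that is not SuttonNet's own code. The domains, records and function names are constructed for illustration. Assumptions: the pct and sp tags are ignored, and relaxed alignment is simplified to "same domain or a subdomain of it", where real receivers compare organisational domains using a public suffix list.

```python
# What the receiver does with mail that fails DMARC, keyed by the p= tag.
ACTIONS = {"none": "fail-deliver", "quarantine": "fail-quarantine", "reject": "fail-reject"}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not valid DMARC."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    tags["p"] = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1" or tags["p"] not in ACTIONS:
        return None
    return tags

def aligned(from_domain, auth_domain, mode):
    """Does the authenticated domain match the visible From: domain?"""
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":  # strict: exact match only
        return a == b
    # Simplified relaxed mode (assumption, see lead-in).
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def evaluate(from_domain, record, spf, dkim):
    """spf and dkim are (result, domain) pairs as checked by the receiver."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-policy"
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    # One aligned pass is enough; otherwise the domain owner's policy applies.
    return "pass" if spf_ok or dkim_ok else ACTIONS[tags["p"]]

# Constructed records and authentication results.
RECORD_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@shop.example"
RECORD_NONE = "v=DMARC1; p=none"
GENUINE = (("pass", "bounce.shop.example"), ("pass", "shop.example"))
SPOOFED = (("pass", "bulk-sender.invalid"), ("none", ""))  # SPF passes, but for another domain

if __name__ == "__main__":
    print(evaluate("shop.example", RECORD_REJECT, *GENUINE))  # pass
    print(evaluate("shop.example", RECORD_REJECT, *SPOOFED))  # fail-reject
    print(evaluate("shop.example", RECORD_NONE, *SPOOFED))    # fail-deliver
```

A record with p=none only reports: mail that fails the check is still delivered, so protection against spoofing starts at quarantine or reject.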

Take sensible precautions, regardless of how good you think your protective software is. No anti-spam software keeps out dangerous emails entirely.

  • Never open any attachments on a suspect email.
  • Beware of mail from senders you don't know. Of course, a business can't ignore mail from an unknown email address: it's more likely a new customer than a spammer.
  • Keep your hand off the mouse while reading emails. Avoid email programs that litter the screen with ads. Then you can't accidentally click on a dodgy link.
  • The sooner you Junk bad emails and then Delete from Junk folder, the less trouble they can cause you. If you aren't 100% sure: you can keep the mail in Junk until you get some clarification.

Find out more about email security and website and general IT security.

Last updated 27 September 2022