Staying safe with email

Paul Macpherson from Xero talks about email scams, and recommends an extra layer of security known as two-factor authentication.


I always think of email as being an open postcard rather than a sealed envelope. If it’s out there on the wire, and if somebody wants to sniff it, they can do.

That said, most of the major mail providers do recognise these issues, and they're working with the rest of the mail-provider community to put the controls in place to make life better and more secure for people using email.

I was fortunate enough to go to a conference event recently where I heard someone from Google speak. Through their relationships with other mail providers, over 80 per cent of email that is inbound to or outbound from Google is now encrypted, as well as being encrypted on their internal network.

But there are other things that people do, impersonating email and impersonating senders, to try and trick people into clicking on that link, or clicking on that document that's attached.

Some of you have probably heard of the term social engineering. That's basically manipulating someone to do what you want or provide the information you want. It's far easier to hack the person than it is to hack the computer. Why go to all the trouble of trying to break through somebody's firewall and steal their data, if you can just get them to click on something that gives complete control of their computer, and then you just carry on and do it?

I think it's key that people understand the risk in email. I'm not saying we shouldn't use it, of course we should use it. But just understand that risk, and know how to mitigate it to the fullest extent you can.

I think most people will have seen one of these, if not something similar [refers to slide]. This is the FedEx email. There's probably not a day that goes by that I don't see one of these in my junk. And if it's not FedEx, it's New Zealand Post, it's PayPal, it's you name it.

People saying you need to do this immediately, you need to take action now. That's one of the signs of a suspicious, or potentially dodgy, email: that immediate call to action. What I found interesting in this email is that if you clicked on "more details" it took you to a malicious site. Also, if you clicked on "unsubscribe" or the "privacy policy", it took you to that same malicious site. They're trying to cover all of their bases.

One of the things I would say is, we see email being used to exploit our customers, to exploit the community, all the time.

If you’re using email (and I come back to what Steve said around education and awareness), there’s huge value in educating yourself, and, in your small business, educating your staff around how to spot these emails. Don’t be too quick to click on them.

Also protect your own email account. We’ve seen our customers, and sometimes non-customers, whose email accounts have been hacked.

Certainly, I think it's been well publicised here in New Zealand as happening in the building industry: the builder's email gets hacked, and then any recently sent invoices get modified and resent from that builder's email account with a message, something along the lines of "a bank account is being audited, can you please pay into this account". And they're after those big milestone payments. We've seen twenty, fifty, seventy thousand dollars paid into a fraudulent bank account. Fortunately, in most of those instances, with cooperation from the banks here in New Zealand, that money has been retrieved.

These are the things to watch out for. And even today it was in The Press, or in the paper, another email scam doing the rounds: emails purporting to be from the DHB (District Health Board) to suppliers, with purchase orders. The purchase is sent to a freight-forwarding company, and shipped off overseas to some dude from wherever, who is now in receipt of a lot of well-made New Zealand goods for no cost.

This sort of thing happens all the time. And just a bit of education and a few additional controls.
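The indicators described above (the immediate call to action, and every link, including "unsubscribe" and "privacy policy", leading to the same lure site) can be checked mechanically. The following is an added example, not part of the talk or anything Xero publishes: a small Python script that pulls the links out of a constructed HTML email modelled on the FedEx lure, compares each link's real host against the brand the mail claims to come from, flags footer links that go to the lure, flags anchor text that displays one address while pointing at another, and scans the body for urgency phrases. All hostnames in the sample are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the FedEx lure described in the talk.
# Every link, including "unsubscribe" and "privacy policy", goes to one
# attacker host (hypothetical name), and one link displays a FedEx address
# while pointing somewhere else.
SAMPLE_HTML = """
<html><body>
<p>Your parcel is being held. You must take action now or it will be returned.</p>
<p><a href="http://parcel-update.example.net/more">more details</a></p>
<p><a href="http://parcel-update.example.net/t">www.fedex.com/tracking</a></p>
<p><a href="http://parcel-update.example.net/u">unsubscribe</a> |
   <a href="http://parcel-update.example.net/p">privacy policy</a></p>
</body></html>
"""

URGENCY_PHRASES = ("take action now", "immediately", "within 24 hours",
                   "account will be suspended")
FOOTER_LINKS = ("unsubscribe", "privacy policy")


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a>, plus all visible text."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._buf = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def same_org(host, domain):
    """True if host equals domain or is a subdomain of it (case-insensitive)."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def analyse(html, claimed_domain):
    """Return a list of (indicator, detail) pairs; an empty list means nothing was flagged."""
    p = LinkExtractor()
    p.feed(html)
    findings, hosts = [], set()
    for href, text in p.links:
        host = urlparse(href).hostname or ""
        hosts.add(host)
        if not same_org(host, claimed_domain):
            findings.append(("offbrand_link", f"'{text}' -> {host}"))
        if text.lower() in FOOTER_LINKS and not same_org(host, claimed_domain):
            findings.append(("footer_to_lure", f"'{text}' -> {host}"))
        # Anchor text that looks like an address but does not match the real destination.
        if "." in text and " " not in text:
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if shown and not (same_org(host, shown) or same_org(shown, host)):
                findings.append(("display_mismatch", f"shows {shown}, goes to {host}"))
    if len(p.links) > 1 and len(hosts) == 1:
        # Several links, one destination: the "cover all bases" pattern from the talk.
        findings.append(("single_host", next(iter(hosts))))
    body = " ".join(p.text).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in body:
            findings.append(("urgency", phrase))
    return findings


if __name__ == "__main__":
    for code, detail in analyse(SAMPLE_HTML, "fedex.com"):
        print(f"{code:16} {detail}")
```

`same_org` deliberately compares against the claimed brand domain rather than guessing the registrable domain, which avoids getting `.co.nz`-style suffixes wrong; a real mail filter would use a public-suffix list and also check the sender's authentication results, which this example does not cover.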

I'd say for your own email account, as Sai was saying, second-factor authentication is a fantastic protection for preventing people getting access to your accounts. Even if they compromise your password, if you have second-factor authentication enabled (sometimes called multi-factor authentication; we call it two-step authentication at Xero), it's a really good roadblock to the bad guy getting into your account. I can't recommend doing that highly enough. If your mail provider doesn't provide second-level authentication, personally I'd be looking for another mail provider.
