Email is still how the overwhelming majority of attacks start. A few fundamentals stop most of them before they reach an inbox — or a click.

Why email is still the front door

Despite every new threat, email remains the number one entry point for attacks. Industry research consistently finds that the large majority of cyber incidents begin with a phishing email or a malicious attachment. The reason is simple: it is far easier to trick a busy person than to break encryption. Business Email Compromise in particular — where attackers impersonate a supplier or executive to redirect a payment — costs Australian organisations enormous sums each year, according to ACSC reporting.

Lock down the technical basics

Three records do most of the heavy lifting: SPF, DKIM, and DMARC. Configured correctly, they make it far harder for anyone to spoof your domain and send email that looks like it came from you. Add MFA on every mailbox and a modern filtering layer — Microsoft Defender for Office 365 or ESET Mail Security — in front of every inbox, and you have stopped the bulk of automated threats before a human ever sees them.
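As an added example (not the article's or Elevate's own code), here is a small Python audit of the three records the paragraph names, run over constructed sample TXT records for the hypothetical domain example.com rather than live DNS lookups; the DKIM selector name `selector1` and the key value are assumptions. It flags the weak settings a practitioner would look for: a permissive SPF, a missing DKIM key, and a monitoring-only DMARC policy.

```python
# Constructed sample DNS TXT records for the hypothetical domain example.com;
# a real audit would fetch these with a DNS resolver instead of a dictionary.
WEAK_RECORDS = {
    "example.com": "v=spf1 include:_spf.example.net +all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
HARDENED_RECORDS = {
    "example.com": "v=spf1 include:_spf.example.net -all",
    # assumed selector name; the key value is a placeholder, not a real key
    "selector1._domainkey.example.com": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
}

def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' record (DMARC or DKIM) into a dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_domain(domain: str, txt: dict, dkim_selector: str = "selector1") -> list:
    """Return human-readable findings; an empty list means all three controls look sound."""
    findings = []
    # SPF: the final 'all' mechanism decides what happens to unlisted senders.
    # The default qualifier is '+', so a bare 'all' is as permissive as '+all'.
    spf = txt.get(domain, "")
    if not spf.startswith("v=spf1"):
        findings.append("SPF: no record published, so any host may send as this domain")
    else:
        last = spf.split()[-1]
        if last in ("+all", "all"):
            findings.append("SPF: '+all' authorises every host on the internet")
        elif last not in ("-all", "~all"):
            findings.append("SPF: record does not end in -all or ~all; unlisted senders are not rejected")
    # DKIM: receivers need the public key at <selector>._domainkey.<domain> to verify signatures.
    dkim = parse_tags(txt.get(f"{dkim_selector}._domainkey.{domain}", ""))
    if not dkim.get("p"):
        findings.append(f"DKIM: no public key at selector '{dkim_selector}', so signatures cannot be verified")
    # DMARC: p=none only reports; only quarantine or reject actually stops spoofed mail.
    dmarc = parse_tags(txt.get(f"_dmarc.{domain}", ""))
    if dmarc.get("v") != "DMARC1":
        findings.append("DMARC: no record, so receivers have no policy for SPF/DKIM failures")
    elif dmarc.get("p") not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={dmarc.get('p')} does not block spoofed mail")
    return findings
```

Running `audit_domain("example.com", WEAK_RECORDS)` returns three findings, while the hardened set returns none.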

AI has changed the threat

The old advice to watch for bad spelling is obsolete. Attackers now use AI to write flawless, context-aware messages that reference real projects and people. The tells that still work are structural, not grammatical: hover over the real sender address, distrust any message that manufactures urgency, and never act on an unexpected request to pay, change bank details, or log in without verifying through a separate channel.

Train the humans

Technology catches most threats; your people catch the rest. Regular, short security-awareness training and occasional phishing simulations measurably reduce click rates over time. The goal is not to catch staff out — it is to build the reflex of pausing on anything that asks for money or credentials. That single habit prevents most successful attacks.

Have a plan for when one gets through

Assume someone will eventually click, because eventually someone will. What separates a scare from a breach is a clear, rehearsed response: who to tell immediately, how fast you can reset the password and revoke sessions, and how quickly the account can be locked. For managed clients we build and test this process. At Elevate, email security is layered — technical controls, filtering, training, and response — because no single layer is ever enough on its own.

The Business Email Compromise problem

One category deserves special attention because it bypasses most technical defences: Business Email Compromise. Rather than malware, the attacker simply impersonates a supplier, director, or staff member and asks for a payment or a change of bank details. The ACSC and Scamwatch report that BEC and payment-redirection scams cost Australian businesses tens of millions of dollars every year, with average losses per incident running into the tens of thousands. The defence is part technical and part procedural: lock down your domain so it cannot be spoofed, and adopt a simple rule that any change to payment details is verified by a phone call to a known number, never by replying to the email. At Elevate we implement both the controls and the process, because the most expensive email attacks are the ones that never contain a virus at all.
