
Why Email Is the Front Door for Cyber Attacks

25 June 2026 | By CIO Tech

When people picture a cyber attack, they picture a hacker breaking through a firewall. The reality is far more ordinary. For most Sydney businesses, the attack does not break in at all. It is invited in, through an email that someone opens on a normal Tuesday.

Email is the front door because it goes to a person, and a person can be persuaded. Filters and firewalls are getting better every year, but the inbox is still where an attacker can reach a human directly. If you only fix one area of your security this year, this is the one with the highest payoff.

How Email Attacks Actually Work

Email attacks come in a few recognisable shapes. Knowing them makes the difference between a staff member who pauses and one who clicks.

Phishing. A message that looks legitimate, asking you to log in, confirm details, or open a document. The login page is fake and captures your password. The clever versions copy a real supplier or a real Microsoft prompt closely enough that a busy person does not look twice. Our guide to phishing protection covers the tells.

Business email compromise. This is the expensive one. An attacker gets into a mailbox, watches how the business talks about money, then sends a real-looking request to change bank details or pay an invoice. Because it comes from a genuine account, it sails past technical defences. We break this pattern down in detail in business email compromise.

Malware attachments. A document or spreadsheet that runs something harmful when opened or when you enable editing. Less common than it was, but still around, especially in invoice-themed emails.

The thread running through all of these is that the technology is not always what fails. The person is the target, and the email is the delivery method.

[Image: email warning notification on a laptop. Caption: The inbox is where an attacker reaches a person directly.]

Why the Inbox Is Such a Soft Target

A few things make email uniquely exploitable.

It is trusted. We read dozens of emails a day and act on them quickly. That speed is what attackers rely on. A message that creates urgency (an overdue invoice, a locked account, a request from the boss) pushes people to act before they think.

It is connected to everything. Your email account is usually the reset point for your other systems. Take over the mailbox and you can often reset passwords elsewhere. That is why an email compromise is rarely contained to email.

And it reaches everyone. Every staff member has an inbox, which means every staff member is a potential entry point. Your defences are only as strong as the most rushed person on the busiest day.

The Controls That Shut the Front Door

You cannot remove the human element, but you can make email a far harder way in. A handful of controls do most of the work.

Multi-factor authentication. If a password is phished, MFA is what stops the attacker using it. A code or prompt on the phone means a stolen password alone is not enough. This is the single highest-value control for email, and it belongs on every account with no exceptions. See MFA for small business for how to roll it out.

Strong filtering. Modern email filtering catches a large share of phishing and malicious attachments before they ever reach a person. In Microsoft 365 this is largely a matter of configuring features you are already paying for, rather than buying something new.

Sender authentication. Behind the scenes, a few DNS settings (commonly known as SPF, DKIM, and DMARC) let receiving mail servers check that an email claiming to come from your domain genuinely did. Configured properly, they make it much harder for someone to impersonate your business to your own clients.
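One way to check the SPF and DMARC side of this, as an added example (not code from the article or from CIO Tech): a small Python checker run over constructed DNS TXT records, showing a weak configuration (`+all`, `p=none`) beside a hardened one (`-all`, `p=reject`). The domain names and records are made up, and no DNS lookups are performed.

```python
"""Offline check of the SPF and DMARC records a domain publishes. Added
example, not the article's code. DNS answers are constructed inline (no
lookups); DKIM is verified per message, so it is out of scope here."""
import re

# Constructed TXT records for two made-up domains: one weak, one hardened.
WEAK_DNS = {
    "example-weak.test": ["v=spf1 include:spf.protection.outlook.com +all"],
    "_dmarc.example-weak.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-weak.test"],
}
HARD_DNS = {
    "example-hard.test": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example-hard.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-hard.test; adkim=s; aspf=s"],
}

def check_spf(txt_records):
    """Findings for the SPF record among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no record, so receivers cannot reject forged senders"]
    if len(spf) > 1:
        return ["SPF: more than one record, which receivers treat as a permanent error"]
    terms = spf[0].split()
    if "+all" in terms or "all" in terms:  # a bare 'all' defaults to '+'
        return ["SPF: '+all' lets any server send as this domain"]
    if "?all" in terms:
        return ["SPF: '?all' is neutral and gives receivers no signal"]
    if "~all" in terms:
        return ["SPF: '~all' only softfails; use '-all' once all senders are listed"]
    return []

def check_dmarc(txt_records):
    """Findings for the DMARC record published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record, so SPF/DKIM results are never enforced"]
    tags = {k: v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]+)", dmarc[0])}
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC: p={policy or 'missing'}; spoofed mail is not rejected")
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so you get no aggregate reports")
    return findings

def assess_domain(domain, dns):
    """Combine SPF and DMARC findings; an empty list means both checks pass."""
    return check_spf(dns.get(domain, [])) + check_dmarc(dns.get(f"_dmarc.{domain}", []))
```

Running `assess_domain("example-weak.test", WEAK_DNS)` returns the two findings to fix, while the hardened domain returns an empty list.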

A team that knows the patterns. Filtering catches most of it. Your people catch the rest. A short, practical session on what a dodgy invoice or login prompt looks like turns the inbox from your weakest point into a second line of defence. The goal is not suspicion of every email, just a habit of pausing on the ones that ask for money or credentials.

A clear reporting path. When someone spots a suspicious email, they should know exactly who to tell and feel safe doing it quickly. Speed of reporting often decides how bad an incident gets.

What Good Looks Like

A business with its email front door shut looks unremarkable from the outside, which is the point. MFA is on for everyone. Filtering is tuned, not left on defaults. The domain is configured so it cannot be easily spoofed. Staff pause on payment and login requests, and they know how to report a concern. None of this is exotic, and none of it requires an enterprise budget.

Where to Start

If you are not sure how many of these controls are actually in place, you are in the same position as most owners. The honest answer is usually a mix of some on, some assumed, and some never checked.

Start by getting a clear picture. Our IT maturity assessment shows you where your security stands today, including email, in a few minutes. From there, closing the gaps is a short, ordered list rather than a vague worry.

We are a Sydney-based team in Bella Vista, and email security is one of the first things we tighten for new clients, because it is where the most risk hides for the least effort. Talk to our team if you want a hand getting it sorted.
