Email remains the primary entry point for cyberattacks against businesses. According to the FBI's Internet Crime Report, Business Email Compromise — attacks that manipulate employees through fraudulent or impersonated email — accounted for over $2.7 billion in reported losses in a single year. For small businesses without dedicated security teams, email threats represent the highest-probability, highest-impact risk in their entire technology stack. The good news is that the most effective defences are well understood, affordable, and implementable without enterprise-level resources.
How Modern Email Attacks Work
Phishing is the most common form of email attack — a message designed to deceive the recipient into clicking a malicious link, opening an infected attachment, or entering credentials into a fake login page. Modern phishing emails are significantly more convincing than the poorly worded messages that characterised early attacks. Spear phishing — targeted attacks that reference the recipient by name, their company, their role, or a recent event — has become the dominant technique because it dramatically increases the probability of success.
Business Email Compromise (BEC) is a more sophisticated variant in which an attacker either compromises a legitimate email account or spoofs one convincingly enough to deceive a recipient. A common BEC scenario involves an attacker impersonating a company executive and instructing a finance employee to make an urgent wire transfer. Because the email appears to come from a trusted internal source, and the request is framed as urgent and confidential, employees frequently comply before verifying. The FBI reports that BEC attacks cause more total financial damage than ransomware — despite receiving less media attention.
Email spoofing exploits weaknesses in how the email protocol was originally designed. The SMTP protocol does not inherently verify that the sender address matches the domain the email was sent from, which means anyone can send an email claiming to be from any domain. Three authentication standards — SPF, DKIM, and DMARC — were developed specifically to address this weakness, but many small businesses have not implemented all three correctly, leaving their domain spoofable.
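As an added illustration (not part of the original article), the following Python evaluates DMARC identifier alignment for a constructed message: the visible From: domain is compared with the domain that SPF or DKIM actually authenticated, which is the check that lets a receiver catch the mismatch raw SMTP never verifies. The messages, domains, and the two-label organisational-domain shortcut are constructed assumptions for this demo.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import Optional


def org_domain(domain: str) -> str:
    # Crude organisational-domain reduction (last two labels). Real DMARC
    # consults the Public Suffix List; two labels is an assumption that
    # holds for the constructed domains used here.
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str = "r") -> bool:
    # Relaxed ('r') alignment compares organisational domains; strict ('s')
    # requires an exact match. This mirrors DMARC's aspf/adkim tags.
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_result(raw_message: str, spf_pass_domain: Optional[str],
                 dkim_pass_domain: Optional[str],
                 aspf: str = "r", adkim: str = "r") -> str:
    # spf_pass_domain: envelope-sender (MAIL FROM) domain SPF passed for, or
    # None. dkim_pass_domain: d= of a valid DKIM signature, or None. A real
    # receiver derives these from its own SPF/DKIM checks; supplied here.
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not from_domain:
        return "fail"
    if spf_pass_domain and aligned(from_domain, spf_pass_domain, aspf):
        return "pass"
    if dkim_pass_domain and aligned(from_domain, dkim_pass_domain, adkim):
        return "pass"
    return "fail"


# Constructed spoof: the visible From: claims example.com, but SMTP accepts
# any envelope domain, so even an SPF pass is for the attacker's domain,
# which does not align with example.com.
SPOOFED = (
    "Return-Path: <bounce@attacker-mail.example>\n"
    "From: CEO <ceo@example.com>\n"
    "To: finance@example.com\n"
    "Subject: Urgent wire transfer\n\n"
    "Please process today.\n"
)

# Constructed legitimate message: the envelope domain is a subdomain of
# example.com, which aligns under relaxed mode but not under strict mode.
LEGIT = SPOOFED.replace("attacker-mail.example", "mail.example.com")
```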
Quick Tips
- Check whether your domain has a valid DMARC policy at dmarcian.com or a similar free lookup tool — a missing or permissive DMARC record means your domain can be spoofed by anyone
- Spear phishing attacks are researched from public sources: LinkedIn profiles, company websites, and social media — review what personal and organisational information is publicly visible
- Urgency is the primary manipulation technique in BEC attacks — establish a verbal verification policy for any financial request received by email, regardless of who the sender appears to be
Technical Defences Every Business Should Have in Place
SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are the three foundational email authentication standards. SPF specifies which servers are authorised to send email from your domain. DKIM adds a cryptographic signature to outgoing messages that receiving mail servers can verify. DMARC ties SPF and DKIM together with a policy that tells receiving servers what to do with messages that fail authentication: reject them (p=reject), quarantine them to the spam folder (p=quarantine), or deliver them normally and only send you a report (p=none). All three are published as DNS TXT records and, once correctly implemented, block the majority of domain spoofing attempts.
Multi-factor authentication (MFA) on every email account is the single most effective technical control against account compromise. Credential theft — through phishing, data breaches, or password reuse — is the primary way attackers gain access to legitimate business email accounts. MFA requires a second verification step beyond the password, which prevents account takeover even when credentials are stolen. Microsoft reports that MFA blocks over 99.9% of automated account compromise attacks. For Microsoft 365 and Google Workspace, enabling MFA is a configuration change that takes minutes and costs nothing.
Email filtering and advanced threat protection add a layer of inspection between the mail server and the recipient inbox. Modern filtering platforms scan links and attachments in real time, detonate suspicious files in sandboxed environments before delivery, and flag messages with unusual sender patterns or deceptive display names. Microsoft Defender for Office 365 and Google Workspace's built-in advanced protection provide this capability within the platforms most small businesses already use. For organisations requiring more granular control, third-party gateways such as Proofpoint or Mimecast provide enterprise-grade filtering as a standalone service.
Quick Tips
- Enable MFA on all email accounts before implementing any other email security measure — it is the highest-ROI control available and blocks the most common attack path
- Set your DMARC policy to p=reject once SPF and DKIM are verified and working — a p=none policy generates reports but does not block spoofed messages
- Audit your email forwarding rules quarterly — attackers who compromise an account frequently create forwarding rules to maintain persistent access even after the password is changed
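Added example (not from the article): a small Python audit of the SPF and DMARC record settings described in the technical defences paragraph above and in the p=reject tip, flagging p=none, a partial pct, a missing reporting address, and permissive SPF 'all' qualifiers. The record strings are constructed samples; in practice they come from DNS TXT lookups of the domain and its _dmarc subdomain.

```python
def parse_dmarc(record: str) -> dict:
    # Split 'v=DMARC1; p=none; rua=mailto:...' into a tag dictionary.
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str) -> list:
    # Return a list of findings; an empty list means the policy enforces.
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: reports only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or invalid policy: {policy!r}")
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    return findings


def audit_spf(record: str) -> list:
    # Flag SPF records whose terminal 'all' qualifier lets unknown hosts pass.
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    all_terms = [t.lower() for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_terms[-1] in ("all", "+all"):
        findings.append("+all: any host may send as this domain")
    elif all_terms[-1] == "?all":
        findings.append("?all: unauthorised senders are neutral, never failed")
    return findings


# Constructed sample records, as they would appear in TXT lookups of
# example.com (SPF) and _dmarc.example.com (DMARC).
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 ip4:192.0.2.0/24 +all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
```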
The Human Layer: Training Your Team to Recognise Threats
Technical controls catch a significant proportion of email threats, but they do not catch all of them — and attackers who invest in targeted, well-researched campaigns are specifically trying to evade automated filtering. The human layer — employees who can recognise suspicious emails and report them correctly — is an essential complement to technical defences. Security awareness training is not a one-time event; it is an ongoing programme that keeps threat recognition skills current as attack techniques evolve.
Phishing simulations are the most effective training method. A simulation involves sending employees realistic-but-fake phishing emails and measuring how many click the link or submit credentials. Employees who fall for the simulation are immediately presented with a short training module explaining what they should have noticed. Over time, repeated simulations measurably reduce the click rate across the organisation. KnowBe4, Proofpoint Security Awareness Training, and Microsoft Attack Simulator are the most widely used platforms for managed phishing simulation programmes.
Clear reporting procedures matter as much as recognition skills. Employees who suspect a phishing email need to know exactly how to report it — to whom, through which channel, and with what information. A reporting culture where staff feel confident flagging suspicious messages without fear of being wrong creates an early warning system that can catch attacks before they escalate. The faster a suspicious email is reported to IT, the faster links can be blocked and potentially affected accounts can be investigated.
Quick Tips
- Run phishing simulations at least quarterly — monthly is better. Frequency matters more than complexity; even simple simulations maintain staff vigilance
- Reward reporting rather than punishing clicks — employees who feel judged for falling for a simulation are less likely to report real threats they are uncertain about
- Include email security in onboarding for every new hire — new employees are statistically the most likely targets in their first 90 days, before they are familiar with internal communication norms
Sources & References
Related Videos
Avoiding Phishing Scams: How to Spot and Prevent Email Phishing Attacks
Across The Board · YouTube
What is & How to Setup SPF & DKIM Records — Easy Guide
SendLayer · YouTube
Written By
Eagletek Visions Tech Team
Our engineering team is composed of certified IT professionals with experience across managed IT, cybersecurity, cloud infrastructure, and systems architecture. Articles are reviewed for technical accuracy before publication.