Email remains the primary attack vector in cybersecurity. Its effectiveness doesn’t stem from weak technology, but from the fact that it targets people — and people make mistakes under pressure.

Business Email Compromise (BEC) is a specific attack type that, according to the FBI, caused $2.77 billion in losses in 2024 alone and accounted for 73% of all reported cyber incidents in the United States. Roughly 80% of data breaches originate from an employee falling victim to a phishing email.

In 2025, 40% of phishing emails were generated using artificial intelligence, raising their sophistication to the point where traditional anti-spam tools struggle to detect them.

The good news: by implementing the right measures, most email-based attacks can be prevented. Here are seven steps every business should take.


1. Configure SPF, DKIM, and DMARC

These three protocols form the foundation of email authentication. Without them, anyone can send emails appearing to come from your domain, and recipients have no way to tell the difference.

SPF (Sender Policy Framework) is a DNS TXT record in which the domain owner lists the servers allowed to send mail for the domain, by IP range or by including a provider's record. The receiving server looks up the record for the domain in the envelope sender (the Return-Path), checks whether the connecting IP is listed, and applies the qualifier on the final "all" term: -all (hard fail) tells the receiver to reject, ~all (soft fail) to accept but mark. Two caveats matter in practice. SPF checks the envelope sender, not the From address the user sees, so on its own it does not stop spoofing of the visible From. And a record that needs more than 10 DNS lookups (counting nested include: terms) produces a permanent error and is ignored by receivers.

DKIM (DomainKeys Identified Mail) has the sending server sign selected headers (From, Subject, Date and others it chooses) and the message body with a private key, adding the result as a DKIM-Signature header. The receiving server fetches the matching public key from DNS (a TXT record at selector._domainkey.yourdomain) and verifies the signature. If a signed header or the body was altered in transit, verification fails. Because the signature travels with the message while SPF depends on the sending IP, DKIM is the check that keeps working when mail passes through forwarders, unless the intermediary modifies the content.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM to the From address the recipient actually sees: a message passes DMARC only if SPF or DKIM passes and the passing identity (the Return-Path domain or the DKIM d= domain) aligns with the From domain. The domain owner publishes a policy (p=none, quarantine or reject) telling receivers what to do with failures, and receivers send aggregate reports to the rua= address listing which sources sent mail as the domain and whether it authenticated. Those reports are how you discover forgotten senders (a CRM, a ticketing tool, a marketing platform) before you enforce.

As of 2026, all major mailbox providers (Google, Yahoo and Microsoft) require bulk senders to publish DMARC with aligned SPF or DKIM, and unauthenticated bulk mail is rejected or junked rather than delivered. PCI DSS v4.0 requires anti-phishing controls for organizations handling cardholder data (requirement 5.4.1) and names DMARC, SPF and DKIM as the expected mechanisms. Yet at the time of writing, only 11% of domains globally enforce a DMARC reject policy.

What to do: Check your domain's SPF, DKIM and DMARC records (the TXT records at yourdomain, selector._domainkey.yourdomain and _dmarc.yourdomain). If nothing is configured, start with SPF and DKIM for every system that sends as your domain, then publish DMARC in monitoring mode (p=none with an rua= address) and read the aggregate reports for a few weeks. Once every legitimate sender authenticates and aligns, move to p=quarantine (optionally ramping with pct=), then to p=reject, and set sp= so that subdomains are covered as well.
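To see what a sound record looks like next to a weak one, here is an added example (not from the article or any vendor) that audits SPF and DMARC record strings for the mistakes that most often leave a domain spoofable: a permissive or missing "all" term, more than ten DNS lookups, a p=none policy, a partial pct= rollout, missing rua= reporting and unprotected subdomains. The records are constructed; the example.com addresses and the convention that subdomains inherit p= unless sp= is set are the assumptions it makes.

```python
"""Audit SPF and DMARC records for the misconfigurations that most often
leave a domain spoofable. Added example, not the article's or any vendor's code.
Records are passed in as strings (constructed below); fetch real ones with
`dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`."""

# SPF mechanisms that each cost one of the 10 permitted DNS lookups (RFC 7208).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def audit_spf(record: str) -> list[str]:
    """Return a list of findings for an SPF TXT record (empty list = looks sound)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    findings = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"                      # the implicit qualifier is "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # strip ":value", "=value" and "/cidr" to get the bare mechanism name
        name = term.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1                     # nested include: records add more; resolve them too
        if name == "ptr":
            findings.append("ptr mechanism is deprecated (slow and unreliable)")
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10: receivers return permerror and ignore the record")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result instead of failing")
    elif all_qualifier == "+":
        findings.append("'+all' authorizes every host on the internet")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral: forged mail neither passes nor fails")
    elif all_qualifier == "~":
        findings.append("'~all' is softfail; acceptable under DMARC, '-all' is stricter")
    return findings


def audit_dmarc(record: str) -> tuple[dict, list[str]]:
    """Parse a DMARC record into its tags and return (tags, findings)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return tags, ["not a DMARC record: must start with v=DMARC1"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return tags, ["p= tag missing or invalid; the record is unusable"]
    if policy == "none":
        findings.append("p=none only monitors: forged mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: move to p=reject once reports show all legitimate mail aligned")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not a number; treated here as 100")
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    # subdomain policy (sp=) inherits p= when absent
    if tags.get("sp", policy) == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    return tags, findings


# Constructed records illustrating the staged rollout the article describes.
SAMPLES = {
    "spf-soft": "v=spf1 include:_spf.google.com ip4:192.0.2.0/24 ~all",
    "spf-open": "v=spf1 include:_spf.google.com +all",
    "dmarc-monitor": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "dmarc-ramp": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com",
    "dmarc-final": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        findings = audit_spf(record) if label.startswith("spf") else audit_dmarc(record)[1]
        print(f"{label}: {findings or 'no findings'}")
```

The lookup count only covers the record you pass in; resolve each include: and redirect= target the same way before trusting the total, because the 10-lookup limit applies to the whole chain.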

If you don’t have the technical staff to handle this, our email security and anti-phishing service can manage the entire process.


2. Enable multi-factor authentication (MFA)

Your password is not enough. Credential phishing — where users are tricked into entering their credentials on fake login pages — accounted for 74% of all BEC attacks in 2025. Once an attacker obtains your password, they can access your inbox, monitor your conversations, and wait for the right moment to intervene.

Multi-factor authentication adds a second factor (an authenticator app code, a push approval, or at minimum an SMS code) on top of the password. An attacker who holds only the password still cannot log in without that factor, which blocks the vast majority of credential-stuffing and plain credential-phishing attempts.

However, code-based MFA is not phishing-resistant. In 2025, adversary-in-the-middle (AitM) attacks surged by 146%. In an AitM attack a reverse proxy sits between the victim and the real login page, relays the password and the MFA code to the genuine service in real time, and captures the session cookie that the service issues after authentication succeeds. Phishing kits such as Tycoon 2FA package exactly this flow, so the attacker ends up with a valid, already-authenticated session.

What to do: Enable MFA on every email account in your organization, no exceptions, and extend it to any account that can reset email passwords or read mailboxes (admin consoles, helpdesk tools). Where the risk justifies it, use hardware security keys or passkeys (FIDO2/WebAuthn) instead of SMS or app codes: the browser binds each login assertion to the genuine site's origin and the authenticator signs over that binding, so the credential simply does not work on a lookalike login page. Because AitM kits steal the session cookie rather than the password, also keep session lifetimes short, require re-authentication for sensitive actions, and make sure you can revoke all of a user's sessions on demand.
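Why a security key cannot be phished even when the user types into an AitM proxy comes down to two fields the relying party checks before it even looks at the signature: the origin the browser recorded in clientDataJSON, and the hash of the relying-party ID in the authenticator data. The following added example (not from the article; the RP ID, origin and challenge handling are assumptions) implements those server-side checks on a WebAuthn assertion and shows a legitimate login passing while a login relayed through a lookalike domain and a replayed challenge both fail.

```python
"""Server-side binding checks on a WebAuthn assertion: the steps that make
FIDO2/passkeys resist adversary-in-the-middle phishing. Added example, not
the article's code; RP_ID, EXPECTED_ORIGIN and the challenge handling are
assumptions. The signature check over authenticator_data || SHA-256(clientDataJSON)
follows these checks and is outside the scope of this example."""
import base64
import hashlib
import json
import os
import struct

RP_ID = "example.com"                          # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed origin the RP serves


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: str) -> tuple[bool, str]:
    """Return (ok, reason). Rejects assertions produced for the wrong origin,
    the wrong RP, or a challenge the server did not issue for this login."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client_data.get("challenge") != expected_challenge:
        return False, "challenge mismatch: replayed or unsolicited assertion"
    origin = client_data.get("origin")
    if origin != EXPECTED_ORIGIN:
        return False, f"origin {origin!r} is not {EXPECTED_ORIGIN!r}: phishing or proxied login"
    if len(authenticator_data) < 37:                 # rpIdHash(32) + flags(1) + counter(4)
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the relying party"
    flags = authenticator_data[32]
    if not flags & 0x01:                              # UP: user presence
        return False, "user presence flag not set"
    return True, "origin and RP binding verified; proceed to signature check"


def build_client_data(origin: str, challenge: str) -> bytes:
    """What the browser (not the web page, not a proxy) produces: the browser
    fills in the true origin, so a proxy at a lookalike domain cannot claim the real one."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin, "crossOrigin": False}).encode()


def build_authenticator_data(rp_id: str, counter: int = 1) -> bytes:
    """Authenticator data layout: rpIdHash || flags (UP|UV) || 4-byte signature counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + struct.pack(">I", counter)


def demo() -> dict:
    """Constructed scenarios: one legitimate login, one relayed by an AitM proxy
    at a lookalike domain, one replay of an old assertion."""
    challenge = b64url_encode(os.urandom(32))        # generated by the RP per login attempt
    auth_data = build_authenticator_data(RP_ID)
    return {
        "legitimate": verify_assertion_binding(
            build_client_data(EXPECTED_ORIGIN, challenge), auth_data, challenge),
        # In practice the browser would also refuse to use an example.com credential
        # from this origin; the rpIdHash is kept valid here to isolate the origin check.
        "aitm_proxy": verify_assertion_binding(
            build_client_data("https://login.example-secure.com", challenge), auth_data, challenge),
        "replayed": verify_assertion_binding(
            build_client_data(EXPECTED_ORIGIN, challenge), auth_data, b64url_encode(os.urandom(32))),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:11} {'PASS' if ok else 'FAIL'}: {reason}")
```

The origin check is what an SMS or app code cannot offer: a six-digit code carries no information about where it was typed, whereas the authenticator's signature covers a hash of clientDataJSON, so the proxy can neither rewrite the origin nor reuse the assertion elsewhere.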


3. Train your team to recognize phishing

Technology catches most threats, but the ones that get through are specifically designed to deceive people. The difference between a secure organization and a compromised one often comes down to whether one employee recognizes a suspicious email.

Modern phishing bears no resemblance to the “businessman who left you an inheritance.” Today’s campaigns are crafted using AI, producing highly convincing scenarios with flawless grammar, sent at precisely the right time, and closely mimicking legitimate correspondence.

Threat actors study the target’s communication patterns, writing style, and behavioral habits. Phishing emails are timed strategically — early Monday mornings when inboxes are full and attention is low, or during year-end reporting when finance teams are under pressure.

The data is clear: organizations that run regular phishing simulations reduce successful attacks to as low as 5%. After six months of training, half of employees report real threats. After one year, two-thirds do.

What to do: Run regular simulated phishing exercises using realistic scenarios. Every click should be treated as a learning opportunity, not a punishment. Build a culture where reporting suspicious emails is encouraged and valued.

Train your team to watch for these red flags:

  • unexpected urgency

  • requests to change payment details

  • sender addresses or domains that look almost right but aren't (a swapped letter, a digit for a letter, a different top-level domain)

  • a Reply-To address that differs from the sender

  • links whose real target (visible on hover) differs from what the link text claims


4. Establish verification procedures for financial requests

The most damaging email attacks don’t use malware. They exploit trust.

In a typical BEC scenario, an attacker either compromises a legitimate email account (using stolen credentials or a stolen session) or builds a convincing impersonation: a lookalike domain, or a display name copied from a real executive or supplier contact on an unrelated mailbox. They then insert themselves into an existing financial thread and alter invoice details, most commonly the bank account number.

Since the email comes from a trusted address and references a real transaction, the recipient has no reason to question it.

A more sophisticated variant is Vendor Email Compromise (VEC), where the attacker compromises a supplier’s actual mailbox. They monitor financial conversations for weeks, then send a modified invoice to the client at exactly the right moment.

What to do: Implement mandatory verification for any request involving changes to bank details, transactions above a defined threshold, or new payment methods from a supplier.

Verification must happen through a separate channel: a phone call to a number taken from your vendor master record or a previous contract (never one from the email or its signature block), an in-person confirmation, or a pre-agreed verification code. Record who verified the change, with whom and when, on the payment itself.

These simple measures, consistently enforced, eliminate the vast majority of BEC losses.
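The red flags listed in section 3 and the impersonation techniques described in this section can be checked mechanically before a person ever reads the message. This added example (not from the article) triages a raw email for a lookalike sender domain, a display name that belongs to a known contact but arrives from somewhere else, a Reply-To that diverts the conversation, and payment-change or urgency wording. The trusted domains, the contact directory and both sample messages are constructed.

```python
"""Header and body triage for BEC-style impersonation. Added example, not the
article's code. TRUSTED_DOMAINS, KNOWN_PEOPLE and the sample messages are
constructed; in production they come from your mail gateway and directory."""
import email
import email.utils
import re
import unicodedata
from email import policy
from typing import Optional

TRUSTED_DOMAINS = {"example.com", "acme-supplies.example"}  # assumed: own domain + vetted vendors
KNOWN_PEOPLE = {"Dana Lee": "example.com",                    # assumed contact directory:
                "Sam Okafor": "acme-supplies.example"}        # display name -> home domain


def normalize_domain(domain: str) -> str:
    """Fold the substitutions attackers use (accents, rn/m, vv/w, digits for letters)
    so that a lookalike compares equal to the domain it imitates."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    nd = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        nt = normalize_domain(trusted)
        base_d, base_t = nd.rsplit(".", 1)[0], nt.rsplit(".", 1)[0]
        if nd == nt or base_d == base_t or levenshtein(base_d, base_t) <= 1:
            return trusted
    return None


PAYMENT_CHANGE = re.compile(r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|iban|routing|wire)\b", re.I | re.S)
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|before (the )?end of (the )?day)\b", re.I)


def triage(raw_message: bytes) -> list[str]:
    """Return the red flags found in one RFC 5322 message (empty list = none)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    from_name, from_addr = email.utils.parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain!r} looks like {imitated!r}")
    expected = KNOWN_PEOPLE.get(from_name.strip())
    if expected and from_domain != expected and not from_domain.endswith("." + expected):
        findings.append(f"display name {from_name!r} is a known contact at {expected!r} but mail comes from {from_domain!r}")
    reply_to = email.utils.parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append(f"Reply-To {reply_to!r} diverts replies away from the From domain")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if PAYMENT_CHANGE.search(text):
        findings.append("body asks to change payment details: verify out of band before acting")
    if URGENCY.search(text):
        findings.append("urgency language")
    return findings


# Constructed sample: vendor impersonation with a digit-for-letter lookalike domain.
SAMPLE_BEC = b"""From: Sam Okafor <sam.okafor@acme-supp1ies.example>
Reply-To: sam.okafor.acme@mail.example.org
To: ap@example.com
Subject: Updated remittance details for invoice 4471
Content-Type: text/plain; charset=utf-8

Hi, we have changed banks. Please use the new account details below
for invoice 4471 and process today if possible. Thanks, Sam
"""

# Constructed sample: ordinary internal mail that should produce no findings.
SAMPLE_OK = b"""From: Dana Lee <dana.lee@example.com>
To: ap@example.com
Subject: Quarterly report
Content-Type: text/plain; charset=utf-8

Please review the attached quarterly report and send comments by Friday.
"""

if __name__ == "__main__":
    for label, raw in (("BEC", SAMPLE_BEC), ("OK", SAMPLE_OK)):
        print(label, triage(raw) or "no findings")
```

None of these signals is proof on its own; the point is that any one of them on a message touching money should route it to the out-of-band verification step rather than to the person who pays invoices.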


5. Secure the endpoints where email is configured

Strong email authentication and well-trained staff become irrelevant if the endpoints themselves are compromised. If an attacker gains control of a user's phone or computer, they can read mail in the client after any transport or end-to-end encryption has been removed, extract stored credentials and session tokens, and send messages on the user's behalf from a device the mail provider already trusts.

In 2025, several zero-day vulnerabilities in iOS and Android were exploited through messaging applications to compromise devices. The same principle applies to email: a malicious attachment or link can exploit a vulnerability in the email client or operating system to gain full control of the endpoint.

What to do: Update applications and operating systems regularly and promptly. Enable automatic updates wherever possible.

Endpoints used for business email should be protected with antivirus/EDR solutions, and screens should lock automatically after inactivity.

On mobile devices, use only trusted applications for email access. Disable automatic downloading of attachments.


6. Configure email filtering and anti-spam protection

Your email provider includes basic spam filtering, but default configurations are rarely sufficient against targeted attacks. Modern email security requires behavioral analysis and URL sandboxing — capabilities that go well beyond basic filters.

Microsoft 365 scans approximately 5 billion emails per day, yet sophisticated attacks still bypass these controls. No single control can fully protect a system, which is why email security must be layered. A defense-in-depth approach is the only one that works.

What to do: Review your email provider’s security settings (Microsoft, Google, etc.) and ensure advanced protection features are enabled — they are often inactive by default.

Enable URL rewriting and time-of-click protection, which rescans links at the moment they are clicked rather than only when the email arrives.

Enable attachment sandboxing. Block executable and script file types from being delivered as attachments: .exe, .scr, .bat, .cmd, .js, .vbs, .hta, .lnk and .msi at minimum, plus disk images (.iso, .img) that are used to smuggle them past filters. Treat macro-enabled Office documents and password-protected archives, which scanners cannot open, with the same suspicion.

Configure a warning banner on emails originating from outside the organization to keep staff alert.


7. Have an incident response plan ready

Despite all preventive measures, someone will eventually click a malicious link or open a harmful attachment. What happens in the first 30 minutes determines whether the incident stays minor or escalates into a full breach.

The faster the response, the lower the cost. According to IBM, breaches detected more than 200 days after the initial compromise cost an additional $1.2 million on average.

What to do: Develop a simple incident response plan and make sure every employee knows it. The plan should include:

  • Immediately disconnect the affected device from the network (disable Wi-Fi, unplug the network cable, or turn off mobile data)

  • Do not power off the device (preserving forensic evidence is critical)

  • Notify IT or the security team immediately

  • Change the compromised account's password from a different, known-clean device, and revoke all active sessions and refresh tokens at the same time: after an AitM attack the attacker holds a valid session cookie that a password change alone does not invalidate

  • Review the account's sign-in logs for successful logins or MFA prompts from unfamiliar locations or devices, newly registered MFA methods, and inbox rules (forwarding, auto-delete) the attacker may have added to hide their activity

  • If the compromised account has access to financial systems, immediately review recent transactions and notify banks or relevant parties

Document this plan and make it easily accessible to everyone. The worst time to look for your incident response plan is during an active incident.
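For the sign-in review in the steps above, this added example (not from the article) runs a constructed JSON-lines sign-in log for a compromised account from the moment of the suspected click and flags what a responder needs to act on: a success from an unfamiliar country or device, MFA satisfied anyway (the AitM pattern), a newly registered MFA method and a newly created inbox rule. The log layout and the home countries are assumptions, not a specific provider's export.

```python
"""First-hour sign-in triage after a suspected phish. Added example, not the
article's code. SAMPLE_LOG is a constructed JSON-lines layout (one event per
line); map your provider's export onto the same fields before running it."""
import json
from datetime import datetime, timezone

HOME_COUNTRIES = {"DE", "AT"}   # assumed: where this organisation's staff normally sign in

# Constructed events for one user around the time of the phishing click (08:30Z).
SAMPLE_LOG = """
{"ts": "2025-11-03T07:58:10Z", "user": "dana.lee@example.com", "ip": "203.0.113.7", "country": "DE", "result": "success", "mfa": "satisfied", "device": "known"}
{"ts": "2025-11-03T08:41:02Z", "user": "dana.lee@example.com", "ip": "198.51.100.23", "country": "NG", "result": "success", "mfa": "satisfied", "device": "unknown"}
{"ts": "2025-11-03T08:41:40Z", "user": "dana.lee@example.com", "ip": "198.51.100.23", "country": "NG", "result": "success", "mfa": "none", "device": "unknown", "event": "mfa_method_added"}
{"ts": "2025-11-03T08:43:15Z", "user": "dana.lee@example.com", "ip": "198.51.100.23", "country": "NG", "result": "success", "mfa": "none", "device": "unknown", "event": "inbox_rule_created"}
{"ts": "2025-11-03T09:02:00Z", "user": "sam.okafor@example.com", "ip": "203.0.113.9", "country": "DE", "result": "failure", "mfa": "denied", "device": "known"}
"""


def parse_log(text: str) -> list[dict]:
    """Parse JSON lines into events sorted by timestamp (timestamps are UTC)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def triage_signins(events: list[dict], user: str, since: datetime) -> list[str]:
    """One finding per suspicious event for `user` from `since` onward."""
    findings = []
    for e in events:
        if e["user"] != user or e["ts"] < since:
            continue
        reasons = []
        if e["result"] == "success":
            if e["country"] not in HOME_COUNTRIES:
                reasons.append("sign-in outside home countries")
            if e.get("device") == "unknown":
                reasons.append("unknown device")
            # a successful MFA from a new place/device right after a click is the AitM signature
            if e["mfa"] == "satisfied" and reasons:
                reasons.append("MFA satisfied anyway (consistent with AitM session replay)")
        if e.get("event") == "mfa_method_added":
            reasons.append("new MFA method registered (attacker persistence; remove it)")
        if e.get("event") == "inbox_rule_created":
            reasons.append("inbox rule created (check for forwarding or auto-delete rules)")
        if reasons:
            findings.append(f"{e['ts']:%H:%M}Z from {e['ip']} ({e['country']}): " + "; ".join(reasons))
    return findings


if __name__ == "__main__":
    click_time = datetime(2025, 11, 3, 8, 30, tzinfo=timezone.utc)   # when the user reports clicking
    for line in triage_signins(parse_log(SAMPLE_LOG), "dana.lee@example.com", click_time):
        print(line)
```

Each finding maps to a containment action from the list above: the unknown-device success means revoke every session, not just change the password; the added MFA method must be removed before the reset or the attacker re-enrols; the inbox rule is how replies to the attacker's invoice stay hidden from the real user.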

Our incident response service provides businesses with ready-made response plans and expert support when it matters most.


The bottom line

Email security is not a single measure — it is seven measures working together. SPF, DKIM, and DMARC protect your domain. MFA protects your accounts. Training protects your people. Verification procedures protect your finances. Endpoint security protects your devices. Email filtering reduces the volume of threats. And an incident response plan limits the damage when everything else fails.

No single control is sufficient. But together, they reduce your risk by orders of magnitude.


Sources:

  1. FBI — Business Email Compromise
  2. Verizon — 2025 Data Breach Investigations Report (DBIR)
  3. IBM — Cost of a Data Breach Report 2025
  4. Google Workspace — Set up DMARC
  5. Red Sift — Global Mandates and Guidance for DMARC in 2026
  6. Foley Hoag LLP — “Business Email Compromises: Current Legal Trends” (April 2026)
