Why Email Is Still the Biggest Threat to Your Business
Despite all the advances in cyber security over the past decade, email remains the single most common way that attackers breach business defences. According to the UK government's Cyber Security Breaches Survey, phishing attacks continue to be the most prevalent threat facing organisations of all sizes - and email is the primary delivery mechanism for the overwhelming majority of those attacks.
The reason is simple: email is universal, trusted, and deeply embedded in business operations. Every employee uses it, it is often the first point of contact with customers and suppliers, and people are conditioned to open and respond to messages quickly. Attackers exploit this trust ruthlessly. A single malicious email, opened by a single employee, can lead to stolen credentials, ransomware deployment, financial fraud, or a full-scale data breach.
For small businesses, the stakes are particularly high. You may not have a dedicated IT security team, your staff may not have received formal security training, and you may be relying on the default settings of your email platform without realising how exposed you are. The good news is that effective email security does not require a massive budget or enterprise-grade infrastructure. It requires the right configuration, the right tools, and a team that knows what to look out for.
Understanding Email Threats
Before you can defend against email threats, you need to understand the different types of attack you are facing. Each requires a slightly different combination of technical controls and human awareness.
Phishing
Phishing is the most common email attack. The attacker sends an email designed to trick the recipient into clicking a malicious link, opening an infected attachment, or entering their credentials on a fake login page. Modern phishing emails are increasingly sophisticated - they impersonate trusted brands like Microsoft, Royal Mail, or HMRC, use convincing formatting and logos, and create urgency to pressure recipients into acting without thinking. Spear phishing takes this further by targeting specific individuals with personalised messages based on their role, recent activities, or relationships.
Business Email Compromise (BEC)
BEC attacks are among the most financially damaging email threats. The attacker either compromises a legitimate email account or creates a convincing lookalike, then uses it to request payments, redirect invoices, or extract sensitive information. A common scenario involves an attacker impersonating the Managing Director and emailing the accounts team with an "urgent" payment request. BEC attacks often do not contain malware or malicious links, which makes them particularly difficult for automated tools to detect. They rely entirely on social engineering and the natural tendency of employees to comply with requests from senior colleagues.
Malware and Ransomware Delivery
Email remains a primary delivery mechanism for malware, including ransomware. Malicious attachments disguised as invoices, delivery notifications, or documents "requiring review" can install malware on the recipient's device when opened. Modern malware can also be delivered through links that download a payload or through weaponised Office documents containing malicious macros. Once installed, the malware can steal data, encrypt files for ransom, or establish persistent access for the attacker to exploit later.
Email Spoofing
Email spoofing involves forging the sender address to make an email appear to come from someone it did not. Without proper email authentication in place, it is trivially easy for an attacker to send an email that appears to come from your domain - to your own employees, your customers, or your suppliers. This can be used to impersonate your business in phishing campaigns, damage your reputation, or facilitate BEC attacks. The technical controls to prevent spoofing are well established, but a surprising number of businesses have not implemented them.
Email Authentication: SPF, DKIM, and DMARC
Email authentication is the foundation of email security, yet many small businesses have either not implemented it or have configured it incorrectly. Three protocols work together to verify that emails claiming to come from your domain are actually legitimate.
SPF (Sender Policy Framework)
SPF allows you to publish a DNS record that lists which mail servers are authorised to send email on behalf of your domain. When a receiving server gets an email claiming to be from yourdomain.co.uk, it checks your SPF record to verify that the sending server is on the authorised list. If it is not, the email can be flagged as suspicious or rejected. SPF is straightforward to implement - it is a single TXT record in your DNS configuration - but it must be kept up to date as you add or change email services.
DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature to outgoing emails that receiving servers can verify against a public key published in your DNS. This proves that the email was genuinely sent from your domain and has not been tampered with in transit. DKIM is slightly more complex to set up than SPF because it requires your email platform to sign outgoing messages, but most modern email services (including Microsoft 365) support it natively. You simply need to enable it and publish the appropriate DNS records.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC ties SPF and DKIM together and tells receiving servers what to do with emails that fail authentication checks. Without DMARC, a receiving server might detect that an email fails SPF or DKIM but still deliver it anyway. DMARC allows you to specify a policy: monitor (the "none" policy: report failures but still deliver), quarantine (send failures to spam), or reject (block failures entirely). DMARC also provides reporting, so you can see who is sending email on behalf of your domain - both legitimate services and attackers attempting to spoof you.
The recommended approach is to start with a DMARC policy of "none" (monitoring only) to identify all legitimate email sources, then gradually tighten to "quarantine" and eventually "reject" as you gain confidence that your SPF and DKIM records are comprehensive. This phased approach prevents legitimate emails from being blocked during the transition.
If you are not sure whether your domain has SPF, DKIM, and DMARC correctly configured, this should be a priority. These are free to implement, they protect your brand from being impersonated, and they significantly reduce the risk of spoofing attacks targeting your customers and partners.
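To make the three protocols concrete, here is an added worked example (not part of the original article, and not Coffee Cup Solutions' tooling) that walks through what a receiving server does: it evaluates an SPF record for the connecting IP, checks whether the SPF or DKIM domain is aligned with the visible From: address, and applies the DMARC policy. The DNS records are constructed for a hypothetical example.co.uk zone so the script runs offline; the spf.protection.outlook.com entry is a stand-in with made-up IP ranges, and the organisational-domain helper is a deliberately small substitute for the Public Suffix List. The third scenario at the bottom shows why the monitoring phase matters: a legitimate third-party mailer that passes SPF for its own bounce domain still fails DMARC unless it DKIM-signs with your domain.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed DNS TXT records for a hypothetical zone, so the example runs offline.
# A real receiver queries DNS for each of these names.
DNS_TXT = {
    "example.co.uk": "v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com -all",
    # Stand-in for the Microsoft 365 include; the real record lists Microsoft's own ranges.
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 -all",
    # A third-party mailing service's own SPF record (constructed).
    "bounce.mailer.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "selector1._domainkey.example.co.uk": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
    "_dmarc.example.co.uk": "v=DMARC1; p=quarantine; adkim=r; aspf=r; rua=mailto:dmarc@example.co.uk",
}

# Minimal stand-in for the Public Suffix List, enough for the .co.uk names used here.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk"}

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def org_domain(domain: str) -> str:
    """Organisational domain, which DMARC 'relaxed' alignment compares."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) > 2 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(domain_a: str, domain_b: str, mode: str) -> bool:
    """DMARC alignment: 's' requires an exact match, 'r' the same organisational domain."""
    if mode == "s":
        return domain_a.lower() == domain_b.lower()
    return org_domain(domain_a) == org_domain(domain_b)


def check_spf(sender_ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the domain's SPF record for the connecting IP.

    Returns pass, fail, softfail, neutral, none (no record) or permerror.
    Handles ip4, ip6, include and all, which cover most published records.
    """
    record = DNS_TXT.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms to 10 per evaluation
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return SPF_QUALIFIERS[qualifier]
        if name == "include" and check_spf(sender_ip, arg, depth + 1) == "pass":
            return SPF_QUALIFIERS[qualifier]
        if name == "all":
            return SPF_QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term


def parse_dmarc(header_from_domain: str) -> Optional[Dict[str, str]]:
    """Return the DMARC tags published for the From: domain, or None if there is no record."""
    record = DNS_TXT.get(f"_dmarc.{header_from_domain.lower()}")
    if not record or not record.startswith("v=DMARC1"):
        return None
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key] = value
    tags.setdefault("adkim", "r")  # relaxed alignment is the default for both
    tags.setdefault("aspf", "r")
    return tags


def evaluate_dmarc(header_from: str, sender_ip: str, mail_from_domain: str,
                   dkim_domain: Optional[str], dkim_signature_valid: bool) -> Tuple[str, str]:
    """Combine SPF and DKIM into a DMARC result and the disposition the receiver applies.

    Returns (result, disposition): result is 'pass', 'fail' or 'none'; disposition is the
    p= value to enforce ('none', 'quarantine' or 'reject'). DMARC passes when at least one
    of SPF or DKIM passes AND its domain aligns with the visible From: domain.
    """
    policy = parse_dmarc(header_from)
    if policy is None:
        return ("none", "none")  # no DMARC record: the receiver has no instruction
    spf_aligned_pass = (check_spf(sender_ip, mail_from_domain) == "pass"
                        and aligned(mail_from_domain, header_from, policy["aspf"]))
    dkim_aligned_pass = (dkim_signature_valid and dkim_domain is not None
                         and aligned(dkim_domain, header_from, policy["adkim"]))
    if spf_aligned_pass or dkim_aligned_pass:
        return ("pass", "none")
    return ("fail", policy.get("p", "none"))


if __name__ == "__main__":
    # Spoof attempt: a server at 198.18.5.5 (constructed) claims to be example.co.uk.
    print(evaluate_dmarc("example.co.uk", "198.18.5.5", "example.co.uk", None, False))
    # Third-party mailer using its own bounce domain: only a DKIM signature keeps it aligned.
    print(evaluate_dmarc("example.co.uk", "192.0.2.10", "bounce.mailer.example", "example.co.uk", True))
    print(evaluate_dmarc("example.co.uk", "192.0.2.10", "bounce.mailer.example", None, False))
```

The last two calls are the case that the "none" monitoring phase exists to surface: the same mailer passes DMARC when it signs with your domain and is quarantined when it does not, which is exactly the kind of legitimate source that a premature "reject" policy would silently block.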
Microsoft Defender for Office 365
If your business uses Microsoft 365, you have access to Microsoft Defender for Office 365, which provides advanced protection against email threats that go beyond the basic Exchange Online Protection included in all Microsoft 365 plans. Defender for Office 365 adds several critical capabilities.
Safe Attachments opens email attachments in a sandbox environment to detect malicious behaviour before delivering them to the recipient. This catches malware that signature-based scanning might miss, including zero-day threats and polymorphic malware that changes its code to evade detection.
Safe Links rewrites URLs in emails and checks them at the time of click, not just at the time of delivery. This is important because attackers frequently send emails with benign links that are later redirected to malicious sites. Safe Links also protects against links in Office documents and Teams messages.
Anti-phishing policies use AI and machine learning to detect impersonation attempts. Defender can identify when someone is trying to impersonate one of your users, a known brand, or a domain that is visually similar to yours. It can also detect when an email exhibits characteristics typical of BEC attacks, even when the message contains no malicious links or attachments.
Attack simulation training allows you to run simulated phishing campaigns against your own employees to test their awareness and identify those who need additional training. This is built into Defender for Office 365 Plan 2 and provides a risk-free way to measure and improve your human defences.
Many businesses have Microsoft 365 licences that include Defender for Office 365 but have not enabled or configured all of its features. If that applies to you, there is significant security value sitting unused in your existing subscription.
Email Encryption and Data Protection
Email encryption ensures that sensitive information remains confidential even if an email is intercepted in transit or if an unauthorised person gains access to a mailbox. For UK businesses handling personal data, client information, or commercially sensitive material, encryption is not just good practice - it may be a regulatory requirement.
Microsoft 365 provides several encryption options. Office 365 Message Encryption (OME) allows you to send encrypted emails to anyone, including recipients outside your organisation who do not use Microsoft 365. The recipient accesses the encrypted message through a secure web portal. For internal communications and B2B scenarios, S/MIME provides certificate-based encryption that integrates with Outlook.
Microsoft Purview (formerly Microsoft Information Protection) takes data protection further by allowing you to classify and label sensitive data, then apply automatic protection policies. For example, you can create a policy that automatically encrypts any email containing a National Insurance number, payment card details, or other sensitive data patterns. This removes the reliance on individual users remembering to encrypt sensitive messages and ensures consistent protection across the organisation.
Data Loss Prevention (DLP) policies complement encryption by preventing sensitive data from leaving the organisation through email. You can configure DLP to block or warn users when they attempt to send emails containing specific types of sensitive information, such as financial data, health records, or personal identifiers.
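The policies above depend on being able to recognise sensitive data patterns in outgoing mail. The following is an added example (not code from the original article or from Microsoft Purview) of the kind of classifier such a policy runs: it detects UK National Insurance numbers by their published format and candidate payment card numbers by length plus the Luhn checksum, and returns the action a policy would take. The format rules are the standard ones for NI numbers (first letter never D, F, I, Q, U or V; second letter additionally never O; a handful of prefixes never issued); the sample messages are constructed.

```python
import re
from typing import Dict, List

# UK National Insurance number: two letters, six digits, suffix A-D. The first letter is never
# D, F, I, Q, U or V, the second is additionally never O, and a few prefixes are never issued.
NI_PATTERN = re.compile(
    r"\b([A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z])\s?(\d{2})\s?(\d{2})\s?(\d{2})\s?([A-D])\b",
    re.IGNORECASE,
)
NI_UNUSED_PREFIXES = {"BG", "GB", "NK", "KN", "TN", "NT", "ZZ"}

# Candidate payment card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which issued card numbers satisfy; it filters out most random digit runs."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        n = int(char)
        if position % 2 == 1:  # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def find_ni_numbers(text: str) -> List[str]:
    """Return normalised NI numbers (no spaces, upper case) found in the text."""
    found = []
    for m in NI_PATTERN.finditer(text):
        if m.group(1).upper() not in NI_UNUSED_PREFIXES:
            found.append("".join(m.groups()).upper())
    return found


def find_card_numbers(text: str) -> List[str]:
    """Return digit-only card numbers that have a plausible length and pass Luhn."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def classify(text: str) -> Dict[str, object]:
    """Return the sensitive items detected and the action an encryption/DLP policy would take."""
    ni = find_ni_numbers(text)
    cards = find_card_numbers(text)
    return {
        "ni_numbers": ni,
        "card_numbers": cards,
        "action": "encrypt" if (ni or cards) else "send",
    }


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a widely used test card number.
    for body in ("Hi Sam, my NI number is AB 12 34 56 C, please update payroll.",
                 "Card on file: 4111 1111 1111 1111, expiry 12/26.",
                 "Order ref 1234 5678 9012 3456 has shipped."):
        print(classify(body)["action"], "<-", body)
```

The third message shows why the checksum matters: a sixteen-digit order reference looks like a card number to a naive regex but fails Luhn, so the policy lets it through rather than encrypting or blocking routine mail.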
Employee Training: Your Most Important Defence
No amount of technology can fully protect you if your employees are not aware of the threats they face. Technical controls catch the vast majority of malicious emails, but the most sophisticated attacks are specifically designed to bypass automated defences and exploit human judgement. Security awareness training is not a one-time event - it must be an ongoing programme that keeps pace with evolving threats.
Effective email security training should cover:
How to identify phishing emails - checking the sender's actual email address (not just the display name), hovering over links before clicking, being suspicious of urgency or pressure, and verifying unexpected requests through a separate channel.
BEC awareness - understanding that email addresses can be spoofed or compromised, and that any unusual request involving payments, sensitive data, or changes to supplier details should be verified by phone using a known number.
Safe attachment handling - not opening unexpected attachments, being cautious with Office documents that request macros to be enabled, and reporting suspicious attachments to IT.
Password hygiene - using unique, strong passwords for every account, enabling multi-factor authentication, and never sharing credentials via email.
Reporting procedures - making it easy and non-punitive for employees to report suspicious emails. The faster a potential threat is reported, the faster your IT team can respond and protect others.
Regular phishing simulations are one of the most effective ways to reinforce training. Sending realistic but harmless phishing emails to your team and measuring the response rate provides hard data on your human vulnerability and helps identify individuals who need additional support. Over time, simulation click rates should decrease as awareness improves.
Email Archiving and Compliance
Email archiving is often overlooked in discussions about email security, but it plays an important role in both compliance and incident response. UK businesses are subject to various regulations that may require them to retain email communications for specific periods. Financial services firms must comply with FCA record-keeping requirements, legal firms have obligations under the Solicitors Regulation Authority, and all businesses handling personal data must be able to respond to Subject Access Requests under UK GDPR.
Microsoft 365 includes built-in archiving and retention capabilities through Exchange Online Archiving and Microsoft Purview retention policies. You can configure automatic retention policies that preserve emails for a defined period, apply litigation holds that prevent deletion during legal proceedings, and use eDiscovery to search across archived communications when you need to find specific emails for compliance or investigation purposes.
From a security perspective, email archives also provide a valuable forensic resource. If you suspect an account has been compromised, having a complete archive of past communications allows you to determine what the attacker accessed, what they sent, and what data may have been exposed. Without proper archiving, this kind of investigation is often impossible.
Incident Response for Email Compromises
Despite your best defences, email compromises can still occur. Having a clear incident response plan for email-related security events ensures you can contain the damage and recover quickly. Here is what your response plan should include.
Immediate containment. If an account is compromised, reset the password immediately, revoke all active sessions, and review recent mailbox activity. Check for mail forwarding rules that the attacker may have created to maintain access even after the password is changed - this is an extremely common tactic that many businesses miss during incident response.
Scope assessment. Determine the extent of the compromise. Was only one account affected, or did the attacker move laterally? Review sign-in logs to identify the attacker's access pattern, check whether they accessed sensitive data or sent emails from the compromised account, and assess whether any other accounts may have been targeted using information from the compromised mailbox.
Notification. If the compromised account was used to send fraudulent emails to customers or suppliers, notify them immediately. If personal data was accessed or exfiltrated, assess whether the breach is reportable to the ICO under UK GDPR. You have 72 hours from becoming aware of a reportable breach to notify the ICO, so this assessment must happen quickly.
Root cause analysis. Understand how the compromise occurred. Was it a phishing email that the user clicked? A weak or reused password? A missing MFA requirement? Identifying the root cause allows you to address the vulnerability and prevent recurrence.
Post-incident improvements. Every incident is a learning opportunity. Update your security controls, revise your training programme, and adjust your policies based on the lessons learned. Share relevant findings with your team (while protecting sensitive details) to raise awareness of real-world threats.
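The containment step above calls for checking whether the attacker left forwarding rules behind, and that check is only possible if mailbox auditing has been capturing rule changes. Here is an added example (not code from the original article or a Microsoft tool) that runs that check over an audit export: it parses newline-delimited JSON records, collects every inbox-rule action and mailbox setting that sends mail onward, and reports those whose destination is outside the business. The records are constructed and only loosely modelled on Exchange entries in the Microsoft 365 unified audit log; the field and parameter names are assumptions for this example rather than a schema reference, and INTERNAL_DOMAINS would hold your own domains.

```python
import json
import re
from typing import Dict, Iterable, List

# Domains that belong to the business (constructed); any other destination is external.
INTERNAL_DOMAINS = {"example.co.uk"}

# Parameters that send a copy of mail elsewhere. The first three are inbox-rule actions,
# the last two are mailbox-level forwarding settings.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress")

# Constructed audit export, one JSON object per line, loosely modelled on Exchange records
# in the Microsoft 365 unified audit log. Field names are assumptions for this example.
SAMPLE_AUDIT_EXPORT = """
{"CreationTime": "2024-05-01T08:02:11", "Operation": "New-InboxRule", "UserId": "alice@example.co.uk", "ClientIP": "198.18.5.5", "Parameters": [{"Name": "Name", "Value": "Invoices"}, {"Name": "ForwardTo", "Value": "smtp:finance-docs@webmail.example"}]}
{"CreationTime": "2024-05-01T09:15:40", "Operation": "New-InboxRule", "UserId": "bob@example.co.uk", "ClientIP": "203.0.113.20", "Parameters": [{"Name": "Name", "Value": "Team copy"}, {"Name": "RedirectTo", "Value": "smtp:team-shared@example.co.uk"}]}
{"CreationTime": "2024-05-01T11:48:03", "Operation": "Set-Mailbox", "UserId": "carol@example.co.uk", "ClientIP": "198.18.5.5", "Parameters": [{"Name": "Identity", "Value": "carol"}, {"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.home@webmail.example"}]}
{"CreationTime": "2024-05-01T12:01:57", "Operation": "MailItemsAccessed", "UserId": "alice@example.co.uk", "ClientIP": "198.18.5.5", "Parameters": []}
"""


def parse_audit_export(text: str) -> List[dict]:
    """Parse a newline-delimited JSON export into records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def addresses_in(value: str) -> List[str]:
    """Normalise 'smtp:a@x.example; SMTP:b@y.example' into bare lower-case addresses."""
    found = []
    for item in re.split(r"[;,]", value or ""):
        item = item.strip().strip("[]")
        if ":" in item:
            item = item.split(":", 1)[1]  # drop the smtp:/ex: address-type prefix
        if "@" in item:
            found.append(item.lower())
    return found


def is_external(address: str) -> bool:
    """True when the address's domain is not one of the business's own."""
    return address.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def find_external_forwarding(records: Iterable[dict]) -> List[Dict[str, object]]:
    """Return one finding per audit record that forwards or redirects mail outside the business."""
    findings = []
    for rec in records:
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        external = sorted({addr for name in FORWARDING_PARAMS
                           for addr in addresses_in(params.get(name, "")) if is_external(addr)})
        if external:
            findings.append({
                "time": rec.get("CreationTime"),
                "user": rec.get("UserId"),
                "operation": rec.get("Operation"),
                "rule_name": params.get("Name"),  # inbox rules carry a Name parameter
                "client_ip": rec.get("ClientIP"),
                "destinations": external,
            })
    return findings


if __name__ == "__main__":
    for f in find_external_forwarding(parse_audit_export(SAMPLE_AUDIT_EXPORT)):
        print(f"{f['time']} {f['user']} {f['operation']} -> {', '.join(f['destinations'])}")
```

Run against the constructed export, it reports Alice's rule and Carol's mailbox-level forward and ignores Bob's redirect to an internal shared mailbox. The same logic serves the checklist items on forwarding controls and audit logging: the mailbox setting in the third record is precisely what "external forwarding disabled by default" prevents, and none of this is visible at all if mailbox auditing is switched off.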
A Practical Email Security Checklist
Here is a practical checklist of email security measures that every small business should have in place. If any of these are missing from your setup, they should be addressed as a priority.
SPF, DKIM, and DMARC - configured correctly on all domains you own, with DMARC set to at least "quarantine" for active domains and "reject" for domains you do not use for email.
Multi-factor authentication - enabled for every user, with no exceptions. Use the Microsoft Authenticator app or hardware security keys rather than SMS-based MFA where possible.
Advanced threat protection - Microsoft Defender for Office 365 (or equivalent) with Safe Attachments, Safe Links, and anti-phishing policies enabled and configured.
Email encryption - available for sending sensitive information externally, with DLP policies to catch sensitive data that might be sent unencrypted.
Admin account security - separate admin accounts for Microsoft 365 administration, with strong MFA and Conditional Access policies that restrict admin access to trusted devices and locations.
Mail forwarding controls - external mail forwarding disabled by default, with exceptions only where genuinely needed and approved.
Audit logging - mailbox audit logging enabled so you can track who accessed what and when, which is essential for investigating compromises.
Regular training and simulations - ongoing security awareness training with periodic phishing simulations to measure and improve staff resilience.
Incident response plan - a documented, tested procedure for responding to email compromises, including containment, investigation, notification, and recovery steps.
Secure Your Email with Coffee Cup Solutions
Email security is not a set-and-forget exercise. Threats evolve constantly, and your defences need to evolve with them. Coffee Cup Solutions helps UK small businesses implement comprehensive email security that covers technical controls, user training, and ongoing monitoring.
Our team can audit your current email security posture, configure SPF, DKIM, and DMARC correctly, optimise your Microsoft Defender for Office 365 settings, implement encryption and DLP policies, and deliver security awareness training that gives your team the skills to recognise and report threats. As part of our managed IT support, we provide continuous monitoring of your email environment, alerting on suspicious activity and responding to incidents before they escalate.
Whether you need a full email security overhaul or a targeted review of your existing setup, we can help. Explore our cyber security services or get in touch for a free email security assessment. Your inbox is the front door to your business - make sure it is properly locked.