Email Security Risks: What Threatens Your Business Inbox

The biggest email security risks for UK businesses in 2026 go far beyond spam. Phishing, business email compromise, ransomware delivery, account takeover and vendor email fraud each present distinct challenges that require specific technical and organisational controls.

Nathan Hill-Haimes

Technical Director

8 min read·Mar 2026

Email: the attack surface that never closes

Organisations spend considerable effort securing their networks and endpoints, but email remains persistently exposed — by design. Every business needs to receive email from anyone, which means the channel is always accessible to attackers. The UK government's Cyber Security Breaches Survey consistently finds that phishing is the most commonly identified attack type, affecting the majority of businesses that experience a security incident.

Understanding the specific risks — and how they differ from each other — is the foundation for building proportionate defences.

Risk 1: Phishing

Phishing emails deceive recipients into taking a harmful action: clicking a malicious link, opening a compromised attachment, or entering credentials into a fake website. The scale ranges from mass-sent campaigns impersonating HMRC, parcel companies and banks, to carefully crafted targeted attacks on specific individuals.

The NCSC reports that credential phishing — stealing email or Microsoft 365 login details — is the most prevalent form, because a compromised account opens the door to the rest of the business's data and communication. Once inside an email account, attackers can intercept sensitive information, redirect payments, and use the legitimate account to launch further attacks on customers and suppliers.

Risk 2: Business email compromise (BEC)

BEC attacks involve criminals impersonating executives, suppliers or other trusted contacts to manipulate employees into transferring money or sharing sensitive information. What makes BEC particularly dangerous is that it typically involves no malicious payload — no links to scan, no attachments to detonate. The attack succeeds through social engineering alone.

Common BEC scenarios include:

  • A "CEO" emailing the finance team requesting an urgent bank transfer to a new account
  • A known supplier emailing to say their bank details have changed, requesting all future payments go to a new account
  • A legal firm emailing the conveyancing client to say the completion funds should be sent to an updated account

UK businesses lose hundreds of millions each year to BEC fraud. Verification procedures — confirming any payment instruction or account change through a separate, trusted channel — are the primary control.

Risk 3: Ransomware delivery via email

Email is the most common delivery mechanism for ransomware. The attack chain typically follows: phishing email with malicious attachment or link → credential theft or malware installation → lateral movement → ransomware deployment across the network.

Modern ransomware campaigns are often conducted by specialised groups who sell access to compromised networks to ransomware operators (ransomware-as-a-service). Initial access via a single phishing email can ultimately result in the entire organisation's data being encrypted. The average UK SME ransomware recovery cost, including downtime, exceeds £50,000 — before any ransom payment.

Risk 4: Account takeover

When credentials are successfully stolen through phishing, attackers typically access the account quietly before making any obvious moves. They may set up email forwarding rules to copy all email to an external address, create filters to hide replies to fraudulent emails, or simply monitor communications to identify the right moment to strike.

Many account takeover victims do not realise their account was compromised until weeks or months later, when a fraud investigation traces the chain back. Multi-factor authentication is the primary preventive control — it means stolen credentials alone are not sufficient to access the account.
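
The mailbox rules described above can be audited for. The following is an added example, not part of the original article: it reviews a constructed set of mailbox rules and flags external forwarding and rules that hide mail. The record fields, folder list, keyword list and example.* addresses are assumptions for illustration, not a vendor export format.

```python
# Assumptions for this sketch: the organisation's own domains, folders that
# users rarely open, and payment-related subject keywords.
INTERNAL_DOMAINS = {"example.co.uk"}
HIDING_FOLDERS = {"rss feeds", "deleted items", "archive", "junk email"}
FINANCE_WORDS = {"invoice", "payment", "bank", "transfer"}


def rule(user, name, forward_to=(), delete=False, move_to=None, subject_contains=()):
    """Build one simplified mailbox-rule record (hypothetical schema)."""
    return {"user": user, "name": name, "forward_to": list(forward_to),
            "delete": delete, "move_to": move_to,
            "subject_contains": list(subject_contains)}


# Constructed sample data.
RULES = [
    rule("finance@example.co.uk", ".", forward_to=["archive.copy@example.net"]),
    rule("finance@example.co.uk", "..", move_to="RSS Feeds",
         subject_contains=["Invoice", "payment"]),
    rule("sales@example.co.uk", "Newsletters", move_to="Newsletters",
         subject_contains=["newsletter"]),
    rule("hr@example.co.uk", "Copy to PA", forward_to=["pa@example.co.uk"]),
]


def findings(r):
    """Return the reasons a rule looks like attacker persistence, if any."""
    reasons = []
    external = [a for a in r["forward_to"]
                if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if external:
        scope = "matching mail" if r["subject_contains"] else "all mail"
        reasons.append(f"forwards {scope} to external address: {', '.join(external)}")
    if r["delete"] or (r["move_to"] or "").lower() in HIDING_FOLDERS:
        reasons.append("hides matching mail from the inbox")
        if FINANCE_WORDS & {w.lower() for w in r["subject_contains"]}:
            reasons.append("targets payment-related subjects")
    return reasons


def audit(rules):
    """Map (user, rule name) to its findings, skipping clean rules."""
    return {(r["user"], r["name"]): f for r in rules if (f := findings(r))}


if __name__ == "__main__":
    for key, reasons in audit(RULES).items():
        print(key, reasons)
```
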

Risk 5: Domain spoofing and lookalike domains

Criminals register domains that closely resemble legitimate business domains — amvia.co versus amvia.co.uk, or amv1a.co.uk — and send email from these addresses impersonating the real organisation. Recipients not paying close attention to the sender address are deceived into believing the email is genuine.

DMARC enforcement protects your own domain from being spoofed directly, but it does not prevent lookalike domain attacks. Domain monitoring services — which alert you when new domains similar to yours are registered — provide early warning. Some email security gateways include lookalike domain detection as part of their anti-phishing capabilities.
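
A lookalike check of the kind a monitoring service or gateway might apply, shown as an added example that is not part of the original article. It uses the article's own domain examples plus constructed ones; the suffix list and character-swap table are small assumptions, and real tooling would use the Public Suffix List.

```python
# Assumption: a small constructed suffix list. Production code should split
# names with the Public Suffix List instead.
SUFFIXES = ("co.uk", "org.uk", "com", "net", "co", "uk")
# Look-alike character swaps, normalised before comparison.
SWAPS = (("rn", "m"), ("vv", "w"), ("1", "i"), ("l", "i"), ("0", "o"))


def split_domain(domain):
    """Return (registrable label, suffix), ignoring any subdomains."""
    domain = domain.lower().rstrip(".")
    for suffix in sorted(SUFFIXES, key=len, reverse=True):
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1].split(".")[-1], suffix
    label, _, suffix = domain.rpartition(".")
    return label.split(".")[-1], suffix


def skeleton(label):
    """Collapse visually confusable characters to one canonical form."""
    for fake, real in SWAPS:
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance between two labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate, legit="amvia.co.uk"):
    """Return why candidate imitates legit, or None if it does not."""
    (c_label, c_suffix), (l_label, l_suffix) = split_domain(candidate), split_domain(legit)
    if c_label == l_label:
        return None if c_suffix == l_suffix else "same name, different suffix"
    if skeleton(c_label) == skeleton(l_label):
        return "character substitution"
    if edit_distance(c_label, l_label) == 1:
        return "one-character typo"
    return None


# Constructed sample of observed sender domains.
OBSERVED = ["amvia.co.uk", "mail.amvia.co.uk", "amvia.co", "amv1a.co.uk", "amvias.co.uk", "example.com"]
FLAGGED = {d: r for d in OBSERVED if (r := classify(d))}
```
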

Risk 6: Malicious email attachments

Despite years of warnings, malicious email attachments remain highly effective. Macro-enabled Office documents, compressed archives containing executable files, and PDFs with embedded malicious scripts are all commonly used. The risk is particularly acute when attachments arrive as part of a contextualised attack — a "purchase order" sent to the accounts team, or a "contract" sent to a legal contact, that appears entirely plausible.

Email security gateways with sandboxing capabilities detonate attachments in an isolated environment before delivery, providing the best available technical control against unknown attachment-based threats. Disabling macro execution by default in Office applications (the Microsoft 365 default policy) removes a significant attack vector.

Mitigating email security risks

No single control addresses all these risks. The effective approach is layered: authentication protocols (SPF, DKIM, DMARC) to prevent spoofing, a properly configured gateway to filter malicious content, MFA on all email accounts to prevent account takeover, user awareness training to catch attacks that technology misses, and clear financial verification procedures to address BEC. AMVIA designs and manages these controls for UK businesses as part of integrated cybersecurity programmes.
