Email Security Risks for Businesses: AMVIA Threat Guide

Email-based threats cost UK businesses billions annually. This guide examines the most prevalent risks — phishing, BEC, ransomware, account takeover and data leakage — with statistics, real patterns, and the prevention strategies that actually work.

Matt Cannon

Managing Director

9 min read·Mar 2026

The scale of the email threat problem

The UK's Cyber Security Breaches Survey 2024 found that phishing was the most prevalent type of cyber attack, experienced by 84% of businesses reporting a breach. Action Fraud data shows that email-related fraud — including business email compromise — results in losses running to hundreds of millions of pounds annually across UK businesses. Despite significant investment in technical controls, the fundamental challenge of email security persists: the channel is designed for open communication, which makes it inherently difficult to lock down without disrupting legitimate use.

Understanding the threat landscape in detail — what attackers are trying to achieve, how they operate, and where controls are most effective — is the practical starting point for improving your defences.

Phishing: volume and targeting

Phishing remains the most common email threat by volume. Mass-sent campaigns impersonating trusted brands — HMRC, Royal Mail, NHS, Microsoft, banks — are sent in their millions daily and catch a small but significant proportion of recipients. The economics are compelling for attackers: send ten million emails, deceive 0.01%, and you have a thousand successful compromises.

Volume phishing relies on plausibility at scale. Targeted spear phishing — where attackers research a specific individual or organisation and craft a tailored message — requires more effort but delivers much higher success rates. LinkedIn and Companies House make it straightforward to identify targets, map reporting lines, and find the names of colleagues and suppliers to reference convincingly.

Credential phishing statistics

The NCSC identifies credential theft as the primary objective of most phishing campaigns. Microsoft reports that account takeover attacks using phished credentials represent a significant proportion of all cloud service compromises. Once credentials are stolen, attackers typically access the account within hours, set up forwarding rules to monitor communications, and wait for the right opportunity to intervene in financial transactions.

Business email compromise: the high-value attack

BEC fraud targets businesses rather than individuals, aiming for single high-value transactions rather than many small ones. The typical attack targets the accounts payable or finance function, using an impersonated email from a CEO, a supplier, or a legal adviser to authorise a fraudulent payment.

FBI IC3 data — which tracks internationally — consistently ranks BEC as the highest-loss category of cybercrime. UK data from Action Fraud reflects the same pattern at a national level. Critically, many BEC attacks contain no malware and no malicious links, meaning email security gateways may do nothing to prevent them. The countermeasure is procedural: any instruction to transfer funds or change payment details must be verified through a separate, confirmed communication channel.

Ransomware via email: the operational risk

Ransomware is most commonly delivered via phishing email, either as a malicious attachment or a link to a compromised download. Once executed, modern ransomware families identify and encrypt data across connected drives, network shares and cloud storage before displaying a ransom demand.

For UK SMEs, the operational impact of a ransomware infection is frequently more damaging than the ransom amount itself. Businesses that cannot access their systems for days or weeks face lost revenue, broken client contracts, recovery costs, and — where personal data is involved — potential ICO fines. The NCSC advises against paying ransoms and recommends that businesses maintain tested backup and recovery capabilities as their primary defence.

Account takeover: silent and persistent

When a phishing attack successfully captures credentials and MFA has not been enabled, attackers gain full access to the victim's email account. Rather than immediately taking obvious action, sophisticated attackers operate quietly — forwarding emails to external addresses, searching for payment instructions, supplier banking details and sensitive client information, and waiting for the right opportunity.

Signs of account takeover include unexpected password reset notifications, colleagues reporting unusual emails from your address, email forwarding rules you did not create, and sent items you do not recognise. Regular review of account login history and active sessions — both available in Microsoft 365 — helps detect compromise early.
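The forwarding-rule check described above can be automated over an export of inbox rules. The following is an added example, not code from AMVIA or Microsoft; it assumes the rules were exported to JSON in roughly the shape of Exchange Online's Get-InboxRule output, with plain SMTP addresses in the ForwardTo, RedirectTo and ForwardAsAttachmentTo fields (field names and sample data are constructed for this example).

```python
# Constructed sample: inbox rules for two mailboxes, in the rough shape of an
# Exchange Online Get-InboxRule export. Field names, the plain SMTP addresses
# and the mailboxes themselves are assumptions made for this example.
SAMPLE_RULES = [
    {"Mailbox": "finance@example.co.uk", "Name": "File supplier invoices",
     "Enabled": True, "ForwardTo": ["ap-archive@example.co.uk"],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": False},
    {"Mailbox": "finance@example.co.uk", "Name": ".",
     "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "ForwardAsAttachmentTo": ["collector@mail-drop.example"], "DeleteMessage": True},
    {"Mailbox": "jane@example.co.uk", "Name": "Old newsletters",
     "Enabled": False, "ForwardTo": ["jane.home@webmail.example"],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": False},
]
INTERNAL_DOMAINS = {"example.co.uk"}


def _domain(address):
    return address.rsplit("@", 1)[-1].lower()


def find_suspicious_rules(rules, internal_domains):
    """Return rules that forward mail outside the organisation, hide forwarded
    mail from the mailbox owner, or carry the near-empty names attacker-created
    rules tend to have. Each finding lists every reason that applied."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue  # disabled rules move no mail; review them separately
        targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
                   + rule.get("ForwardAsAttachmentTo", []))
        external = [t for t in targets if _domain(t) not in internal_domains]
        reasons = []
        if external:
            reasons.append("sends mail outside the organisation: " + ", ".join(external))
        if targets and rule.get("DeleteMessage"):
            reasons.append("forwards and then deletes the original, hiding it from the owner")
        if len(rule.get("Name", "").strip()) <= 1:
            reasons.append("blank or single-character rule name")
        if reasons:
            findings.append({"mailbox": rule["Mailbox"], "rule": rule["Name"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_rules(SAMPLE_RULES, INTERNAL_DOMAINS):
        print(f"{finding['mailbox']}: rule {finding['rule']!r}")
        for reason in finding["reasons"]:
            print("  -", reason)
```

Mailbox-level forwarding (the ForwardingSmtpAddress property on the mailbox itself) is not an inbox rule and needs a separate check.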

Email-borne data leakage

Not all email security risks involve inbound attacks. Outbound email is a significant data leakage vector — personal data, commercially sensitive information and regulated financial data all regularly leave organisations via email, sometimes accidentally and sometimes deliberately. A misdirected email — sending client data to the wrong address — is the most common type of data breach reported to the ICO.

Data loss prevention (DLP) policies in email security gateways can identify and block or flag outbound messages containing defined sensitive data patterns. Combined with clear staff training on email data handling, this significantly reduces the risk of accidental disclosure.
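As an added illustration of the DLP pattern matching described above (example code, not an AMVIA or gateway product implementation), the following classifies an outbound message by the UK-specific data it contains and decides whether to allow, flag or block it when a recipient is outside the organisation. The message format, internal domain and sample messages are constructed for this example; a real gateway policy would cover many more patterns.

```python
import re

# Constructed sample patterns. The NI number rule follows the published
# format: no D/F/I/Q/U/V in the prefix, no O as the second letter, and the
# prefixes BG, GB, NK, KN, TN, NT and ZZ are not issued.
NI_NUMBER_RE = re.compile(
    r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]\b")
SORT_CODE_RE = re.compile(r"\b\d{2}-\d{2}-\d{2}\b")
ACCOUNT_NO_RE = re.compile(r"\b\d{8}\b")
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
INTERNAL_DOMAINS = {"example.co.uk"}


def luhn_ok(digits):
    """Luhn check used to separate real card numbers from other long digit runs."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text):
    """Return the set of sensitive-data categories found in the text."""
    hits = set()
    if NI_NUMBER_RE.search(text):
        hits.add("national_insurance_number")
    if SORT_CODE_RE.search(text) and ACCOUNT_NO_RE.search(text):
        hits.add("uk_bank_details")
    for m in CARD_CANDIDATE_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.add("payment_card_number")
    return hits


def evaluate(message, internal_domains=INTERNAL_DOMAINS):
    """Policy: internal-only mail is allowed; external mail carrying card data is
    blocked; other external mail containing sensitive patterns is flagged."""
    external = [r for r in message["to"] if r.rsplit("@", 1)[-1].lower() not in internal_domains]
    if not external:
        return "allow"
    hits = classify(message["subject"] + "\n" + message["body"])
    if "payment_card_number" in hits:
        return "block"
    return "flag" if hits else "allow"
```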

Vendor and supply chain email fraud

A growing category of email fraud targets the supplier-customer relationship. Attackers compromise a supplier's email account, monitor invoicing conversations, and at the right moment send a convincing email from the legitimate supplier account requesting that future payments be redirected to a new bank account. Because the email comes from a genuine account the business has communicated with before, it passes technical filters and often the human judgement check too.

AMVIA recommends that any bank account change request from a supplier be verified by phone — using a number from your own records, not one provided in the email — before processing, regardless of how authentic the email appears.

Which Email Risks Is Your Business Most Exposed To?

Every business has a different email risk profile based on its sector, size, and current controls. AMVIA can identify your specific exposures and prioritise the controls that make the most difference.

Frequently Asked Questions