Email Security Risks: What Threatens Your Business Inbox
The biggest email security risks for UK businesses in 2026 go far beyond spam. Phishing, business email compromise, ransomware delivery, account takeover and vendor email fraud each present distinct challenges that require specific technical and organisational controls.
Nathan Hill-Haimes
Technical Director
Why is email still the weakest point in your security?
Email is the attack surface that never closes. Every business must accept messages from anyone, so the channel stays open to attackers by design. You can lock down networks and endpoints, but the inbox remains exposed because it has to be usable. That structural openness is what attackers exploit.
The UK government's Cyber Security Breaches Survey 2025 consistently finds phishing is the most commonly identified attack type, affecting the majority of businesses that experience a breach. The NCSC reaches the same conclusion. Understanding how these risks differ from each other is the foundation for proportionate defence — and where most SMEs get it wrong is treating them as one problem.
If you want the single biggest lever, it is treating email as a managed control surface rather than a switch you turn on once. AMVIA runs managed cybersecurity for UK businesses on exactly that principle: one accountable provider, security first, Microsoft-certified engineers.
Risk 1: What is phishing and why does it work?
Phishing emails deceive recipients into a harmful action — clicking a malicious link, opening a compromised attachment, or entering credentials into a fake login page. The range runs from mass campaigns impersonating HMRC, parcel firms and banks, through to targeted attacks crafted for one named individual.
Credential phishing — stealing Microsoft 365 or email logins — is the most prevalent form, because a compromised account opens the door to the rest of the business. Once inside a mailbox, an attacker can read sensitive information, redirect payments, and use the legitimate account to attack your customers and suppliers in turn. This is why phishing protection and credential controls sit at the centre of any serious email defence.
Risk 2: How does business email compromise (BEC) steal money?
Business email compromise involves criminals impersonating executives, suppliers or trusted contacts to manipulate staff into transferring money or sharing data. What makes BEC so dangerous is that it usually carries no malicious payload — no link to scan, no attachment to detonate. It succeeds through social engineering alone, which is why technical filters often miss it.
Common BEC scenarios include:
- A "CEO" emailing finance to request an urgent transfer to a new account
- A known supplier emailing to say their bank details have changed
- A law firm emailing a conveyancing client to redirect completion funds
UK businesses lose hundreds of millions of pounds each year to BEC fraud. The primary control is procedural, not technical: verify any payment instruction or account-change request through a separate, trusted channel — a known phone number, never the one in the email.
Risk 3: How is ransomware delivered through email?
Email is the most common delivery route for ransomware. The chain typically runs: phishing email with a malicious link or attachment, then credential theft or malware install, then lateral movement, then ransomware deployed across the network. A single click can end with every file encrypted.
Many campaigns are run by access brokers who breach a network and sell that foothold to ransomware operators — the ransomware-as-a-service model. The average UK SME ransomware recovery cost, including downtime, typically runs to £40,000–£60,000 before any ransom is paid (typical UK 2026 range). Stopping ransomware therefore means stopping the initial email and catching the follow-on activity, which is where managed detection and response earns its place.
Risk 4: What does an email account takeover look like?
When credentials are stolen, attackers usually access the account quietly before acting. They set up forwarding rules that copy every message to an external address, create filters to hide replies to fraudulent emails, or simply watch communications for the right moment to intervene in a payment. Many victims only discover the compromise weeks later, when a fraud investigation traces the chain back.
Multi-factor authentication is the primary preventive control — stolen credentials alone are not enough to get in. AMVIA hardens this for clients through MFA setup for Microsoft 365, enforced across every mailbox rather than left optional for users to enable.
| Email risk | Primary control | Catches it when filters miss |
|---|---|---|
| Phishing | Gateway filtering + user training | Behavioural/contextual detection |
| BEC | Out-of-band payment verification | Impersonation/display-name analysis |
| Ransomware delivery | Attachment sandboxing + MDR | Endpoint detection and response |
| Account takeover | Enforced MFA | Anomalous sign-in alerting |
| Domain spoofing | DMARC enforcement | Lookalike-domain monitoring |
| Malicious attachments | Macro-blocking + sandboxing | Detonation in isolation |
Risk 5: How do domain spoofing and lookalike domains trick people?
Criminals register domains that closely resemble a legitimate one — amvia.co instead of amvia.co.uk, or amv1a.co.uk — and send mail impersonating the real organisation. Recipients skim-reading the sender address are fooled. There are two distinct problems here, and they need two distinct controls.
DMARC enforcement protects your own domain from being spoofed directly, instructing receiving servers to reject mail that fails authentication. It does not stop lookalike domains, which only resemble yours. Domain monitoring — alerts when similar domains are registered — gives early warning. If you are unsure how the authentication piece works, our guide on what DMARC is and how to configure it explains the SPF, DKIM and DMARC chain in plain English.
Risk 6: Why are malicious attachments still effective?
Despite years of warnings, malicious attachments remain highly effective. Macro-enabled Office documents, compressed archives hiding executables, and PDFs with embedded scripts are all common. The danger spikes when the attachment arrives in context — a "purchase order" to accounts, a "contract" to legal — that looks entirely plausible to the person opening it.
Email security gateways with sandboxing detonate attachments in isolation before delivery, the best available control against unknown attachment threats. Disabling macros by default — now the standard policy in Microsoft 365 — removes a major attack vector at no cost. AMVIA's stack pairs Microsoft Defender with the Barracuda email suite to cover both detection and filtering.
How do you actually mitigate email security risks?
No single control addresses all six risks. The effective approach is layered: authentication protocols (SPF, DKIM, DMARC) to block spoofing, a properly configured gateway to filter malicious content, enforced MFA to stop account takeover, user-awareness training to catch what technology misses, and financial verification procedures to defeat BEC. AMVIA designs and manages these controls for UK businesses as part of integrated cybersecurity programmes — one provider, accountable for the whole stack.
Treat email security as a programme, not a product. The controls above only work when someone owns them, monitors them, and reviews them as threats shift. That ownership is the difference between a clean configuration on day one and a defence that still holds twelve months later.
Understand Your Email Threat Exposure
AMVIA can map your current email security controls against the real-world threat landscape and identify which risks your business is most exposed to.
Frequently Asked Questions
Business email compromise and email-delivered ransomware are consistently the most financially damaging. BEC results directly in fraudulent transfers, while ransomware encrypts business data and forces operational shutdown, with SME recovery costs that frequently run into six figures including downtime, remediation and reputational impact. One 2025 industry benchmark reported a 47% rise in attacks evading native and gateway defences (KnowBe4 2025 Phishing Benchmark Report).
DMARC instructs receiving mail servers to quarantine or reject messages that claim to come from your domain but fail SPF and DKIM checks. This blocks criminals from sending convincing phishing emails that appear to originate from your genuine domain. DMARC does not protect against lookalike domains, which resemble but do not match your domain and require separate monitoring to catch.
Yes, and it is increasingly common. Attackers abuse trusted services like Microsoft 365, Google Workspace, Dropbox and SharePoint to send or host phishing content, because email filters trust their strong reputations. This is why behavioural and contextual detection matters alongside reputation-based filtering. Egress reported that the large majority of phishing passed standard authentication in 2024 (Egress Phishing Threat Trends Report).
After compromising a mailbox, attackers often create silent forwarding rules that copy all incoming email to an external address, sometimes paired with rules hiding those messages from the owner. This lets them monitor communications for payment instructions and intervene in transactions unnoticed. Egress found a high share of advanced phishing attacks bypass multi-factor authentication entirely (Egress 2024).
Personal email accounts typically lack the controls applied to business mailboxes — no gateway scanning, no DLP policies, no centralised MFA, no audit logging. Using personal email for work creates both security and compliance exposure, particularly where business and personal data mix under UK GDPR obligations. It also puts data outside any monitoring your provider can apply.
An email worm is malware that, once it infects a system, automatically emails copies of itself to contacts in the victim's address book. This self-propagating behaviour can spread an infection rapidly across an organisation and its supply chain. Modern endpoint protection and email scanning catch known worm signatures, though novel variants may initially evade detection until samples are analysed.
Related Reading
Email Security Gateway
How email security gateways filter the threat landscape before it reaches your staff inboxes.
Email Spoofing: How to Detect and Prevent It
A detailed guide to email spoofing attacks and the technical controls that stop them.
Business Backup & Avoiding Ransomware
How proper backup architecture helps UK businesses recover from ransomware without paying the ransom.
Protect your business → Get Cybersecurity Assessment