Cybersecurity

Email Security Risks: What Threatens Your Business Inbox

The biggest email security risks for UK businesses in 2026 go far beyond spam. Phishing, business email compromise, ransomware delivery, account takeover and vendor email fraud each present distinct challenges that require specific technical and organisational controls.

NH

Nathan Hill-Haimes

Technical Director

8 min read·Mar 2026

Why is email still the weakest point in your security?

Email is the attack surface that never closes. Every business must accept messages from anyone, so the channel stays open to attackers by design. You can lock down networks and endpoints, but the inbox remains exposed because it has to be usable. That structural openness is what attackers exploit.

The UK government's Cyber Security Breaches Survey 2025 consistently finds phishing is the most commonly identified attack type, affecting the majority of businesses that experience a breach. The NCSC reaches the same conclusion. Understanding how these risks differ from each other is the foundation for proportionate defence — and where most SMEs get it wrong is treating them as one problem.

If you want the single biggest lever, it is treating email as a managed control surface rather than a switch you turn on once. AMVIA runs managed cybersecurity for UK businesses on exactly that principle: one accountable provider, security first, Microsoft-certified engineers.

Risk 1: What is phishing and why does it work?

Phishing emails deceive recipients into a harmful action — clicking a malicious link, opening a compromised attachment, or entering credentials into a fake login page. The range runs from mass campaigns impersonating HMRC, parcel firms and banks, through to targeted attacks crafted for one named individual.

Credential phishing — stealing Microsoft 365 or email logins — is the most prevalent form, because a compromised account opens the door to the rest of the business. Once inside a mailbox, an attacker can read sensitive information, redirect payments, and use the legitimate account to attack your customers and suppliers in turn. This is why phishing protection and credential controls sit at the centre of any serious email defence.

Risk 2: How does business email compromise (BEC) steal money?

Business email compromise involves criminals impersonating executives, suppliers or trusted contacts to manipulate staff into transferring money or sharing data. What makes BEC so dangerous is that it usually carries no malicious payload — no link to scan, no attachment to detonate. It succeeds through social engineering alone, which is why technical filters often miss it.

Common BEC scenarios include:

  • A "CEO" emailing finance to request an urgent transfer to a new account
  • A known supplier emailing to say their bank details have changed
  • A law firm emailing a conveyancing client to redirect completion funds

UK businesses lose hundreds of millions of pounds each year to BEC fraud. The primary control is procedural, not technical: verify any payment instruction or account-change request through a separate, trusted channel — a known phone number, never the one in the email.

Risk 3: How is ransomware delivered through email?

Email is the most common delivery route for ransomware. The chain typically runs: phishing email with a malicious link or attachment, then credential theft or malware install, then lateral movement, then ransomware deployed across the network. A single click can end with every file encrypted.

Many campaigns are run by access brokers who breach a network and sell that foothold to ransomware operators — the ransomware-as-a-service model. The average UK SME ransomware recovery cost, including downtime, typically runs to £40,000–£60,000 before any ransom is paid (typical UK 2026 range). Stopping ransomware therefore means stopping the initial email and catching the follow-on activity, which is where managed detection and response earns its place.

Risk 4: What does an email account takeover look like?

When credentials are stolen, attackers usually access the account quietly before acting. They set up forwarding rules that copy every message to an external address, create filters to hide replies to fraudulent emails, or simply watch communications for the right moment to intervene in a payment. Many victims only discover the compromise weeks later, when a fraud investigation traces the chain back.

Multi-factor authentication is the primary preventive control — stolen credentials alone are not enough to get in. AMVIA hardens this for clients through MFA setup for Microsoft 365, enforced across every mailbox rather than left optional for users to enable.

Email riskPrimary controlCatches it when filters miss
PhishingGateway filtering + user trainingBehavioural/contextual detection
BECOut-of-band payment verificationImpersonation/display-name analysis
Ransomware deliveryAttachment sandboxing + MDREndpoint detection and response
Account takeoverEnforced MFAAnomalous sign-in alerting
Domain spoofingDMARC enforcementLookalike-domain monitoring
Malicious attachmentsMacro-blocking + sandboxingDetonation in isolation

Risk 5: How do domain spoofing and lookalike domains trick people?

Criminals register domains that closely resemble a legitimate one — amvia.co instead of amvia.co.uk, or amv1a.co.uk — and send mail impersonating the real organisation. Recipients skim-reading the sender address are fooled. There are two distinct problems here, and they need two distinct controls.

DMARC enforcement protects your own domain from being spoofed directly, instructing receiving servers to reject mail that fails authentication. It does not stop lookalike domains, which only resemble yours. Domain monitoring — alerts when similar domains are registered — gives early warning. If you are unsure how the authentication piece works, our guide on what DMARC is and how to configure it explains the SPF, DKIM and DMARC chain in plain English.

Risk 6: Why are malicious attachments still effective?

Despite years of warnings, malicious attachments remain highly effective. Macro-enabled Office documents, compressed archives hiding executables, and PDFs with embedded scripts are all common. The danger spikes when the attachment arrives in context — a "purchase order" to accounts, a "contract" to legal — that looks entirely plausible to the person opening it.

Email security gateways with sandboxing detonate attachments in isolation before delivery, the best available control against unknown attachment threats. Disabling macros by default — now the standard policy in Microsoft 365 — removes a major attack vector at no cost. AMVIA's stack pairs Microsoft Defender with the Barracuda email suite to cover both detection and filtering.

How do you actually mitigate email security risks?

No single control addresses all six risks. The effective approach is layered: authentication protocols (SPF, DKIM, DMARC) to block spoofing, a properly configured gateway to filter malicious content, enforced MFA to stop account takeover, user-awareness training to catch what technology misses, and financial verification procedures to defeat BEC. AMVIA designs and manages these controls for UK businesses as part of integrated cybersecurity programmes — one provider, accountable for the whole stack.

Treat email security as a programme, not a product. The controls above only work when someone owns them, monitors them, and reviews them as threats shift. That ownership is the difference between a clean configuration on day one and a defence that still holds twelve months later.

Understand Your Email Threat Exposure

AMVIA can map your current email security controls against the real-world threat landscape and identify which risks your business is most exposed to.

Frequently Asked Questions