Cybersecurity

Email Security Risks for Businesses: AMVIA Threat Guide

Email-based threats cost UK businesses billions annually. This guide examines the most prevalent risks — phishing, BEC, ransomware, account takeover and data leakage — with statistics, real patterns, and the prevention strategies that actually work.

AT

AMVIA Team

Editorial

9 min read·Mar 2026

Email is still the channel attackers reach for first, because it is built for open communication and sits at the centre of every payment, contract and supplier conversation. The UK government's Cyber Security Breaches Survey 2025 found phishing was the single most common type of breach, identified by 85% of businesses that reported one. If you want a defended inbox rather than a hopeful one, start with managed cybersecurity that treats email as a primary attack surface, not an afterthought.

What are the main email security risks for businesses?

The main risks fall into six categories: phishing, business email compromise, ransomware delivery, account takeover, outbound data leakage and supply-chain invoice fraud. Some aim to steal credentials, some to trigger a fraudulent payment, and some to encrypt your data. The defences differ for each, so naming them matters.

RiskAttacker's goalPrimary defence
PhishingSteal credentials or trustFiltering, MFA, user training
Business email compromiseTrigger a fraudulent paymentOut-of-band payment verification
RansomwareEncrypt data, extort paymentTested backups, attachment scanning
Account takeoverPersistent silent accessMFA, login monitoring, alerting
Data leakageExfiltrate sensitive dataDLP policies, staff handling rules
Supplier invoice fraudRedirect supplier paymentsPhone verification of bank changes

No single product covers all six. A genuine programme combines technical filtering, identity controls and human procedure — which is why we package them as one accountable service rather than a stack of disconnected tools.

Why is phishing still the most common email threat?

Phishing leads by volume because the economics work for attackers. Mass campaigns impersonating HMRC, Royal Mail, the NHS, Microsoft and banks go out in their millions daily. Deceive even 0.01% of ten million recipients and you have a thousand compromises — at almost no cost.

Volume phishing relies on plausibility at scale; targeted spear phishing relies on research. LinkedIn and Companies House make it trivial to map reporting lines and name colleagues or suppliers convincingly. The NCSC identifies credential theft as the primary objective of most phishing campaigns. Once credentials are stolen, attackers typically sign in within hours, set up forwarding rules, and wait to intervene in a payment.

The harder problem is that filtering alone no longer keeps pace. One industry benchmark reported a 47% rise in attacks evading native email defences and secure email gateways (KnowBe4 2025 Phishing Benchmark Report), and 84.2% of phishing attacks passed DMARC authentication in 2024 (Egress Phishing Threat Trends). Treat those figures as directional, but the lesson holds: authentication and gateways reduce risk, they do not eliminate it. Layer them with phishing protection that includes detection, reporting and response.

How does business email compromise (BEC) work?

BEC targets the business, not the inbox at random. It aims for one high-value transfer rather than many small wins, usually hitting accounts payable with an impersonated email from a CEO, supplier or solicitor authorising a payment or a change of bank details.

The dangerous part is that many BEC attacks carry no malware and no malicious link, so email security gateways may do nothing to stop them. The FBI's Internet Crime Complaint Center (IC3) consistently ranks BEC among the highest-loss categories of cybercrime, and UK Action Fraud data reflects the same pattern nationally. Because there is no payload to detect, the only reliable countermeasure is procedural: any instruction to move funds or change payment details must be verified through a separate, confirmed channel — a phone call to a number from your own records, never one supplied in the email. Pair that discipline with managed email security services so impersonation attempts are flagged before they reach finance.

How is ransomware delivered through email?

Ransomware is most often delivered by phishing email — a malicious attachment or a link to a compromised download. Once executed, modern ransomware identifies and encrypts data across local drives, network shares and connected cloud storage before posting a ransom demand.

For UK SMEs, the operational damage usually dwarfs the ransom. Days or weeks without systems means lost revenue, broken client contracts, recovery costs, and potential ICO action where personal data is exposed. The NCSC advises against paying ransoms and treats tested backup and recovery as the primary defence. Practically, that means immutable or offline backups, regular restore tests, and fast containment — capabilities built into a managed incident response plan rather than improvised on the worst day of the year.

What does an email account takeover look like?

Account takeover happens when phishing captures credentials and MFA is not enforced, handing an attacker full access to the mailbox. Sophisticated intruders stay quiet — forwarding mail externally, searching for payment instructions and supplier bank details, and waiting for the right moment to strike.

Warning signs include unexpected password-reset notifications, colleagues reporting odd emails from your address, forwarding rules you did not create, and unfamiliar items in Sent. Regular review of login history and active sessions — both available in Microsoft 365 — catches compromise early. The single highest-impact control is enforcing multi-factor authentication in Microsoft 365, which blocks the overwhelming majority of credential-based account takeover. Be realistic, though: roughly 83% of advanced phishing attacks were reported to bypass MFA (Egress 2024), so MFA is a foundation, not a finish line.

How do you prevent outbound email data leakage?

Not every email risk is inbound. Outbound email is a major data-leakage vector — personal data, commercially sensitive material and regulated financial information leave organisations by email every day, sometimes by accident and sometimes deliberately. Misdirected email — sending client data to the wrong recipient — is consistently among the most commonly reported non-cyber breaches to the ICO.

Data loss prevention (DLP) policies can detect and block or flag outbound messages containing defined sensitive-data patterns. Combined with clear staff handling rules, DLP sharply reduces accidental disclosure. Where the data is personal, it also supports your GDPR and data protection obligations — the same controls that prevent a leak also evidence that you took reasonable steps to avoid one.

How do attackers commit supplier invoice fraud?

Supplier invoice fraud compromises a supplier's mailbox, watches the invoicing thread, and at the right moment sends a convincing message from the genuine account asking for future payments to go to a new bank account. Because the email comes from a real, trusted sender, it passes technical filters and often the human check too.

This is where data backs the warning: around 44% of phishing emails in one 2024 study were sent from compromised accounts to bypass authentication, with about 8% originating inside the supply chain (Egress 2024). The defence is non-negotiable procedure — verify any supplier bank-change request by phone, using a number from your own records, before processing, however authentic the email looks. Strengthening identity controls with Microsoft Defender for Business reduces the odds that your own mailbox becomes the compromised account someone else has to worry about.

Which Email Risks Is Your Business Most Exposed To?

Every business has a different email risk profile based on its sector, size, and current controls. AMVIA can identify your specific exposures and prioritise the controls that make the most difference.

Frequently Asked Questions