_Part 5 of 12 in the Cyber security for the small business series._

Email is the front door of most cyber attacks. Most successful breaches begin with a phishing email. This month we look at how to recognise phishing, how to build a culture where people report it, and how to set up the technical measures that reduce the volume of malicious messages reaching your inbox in the first place.

How to spot a phishing email

Phishing emails have become significantly more convincing in recent years. The days of obvious misspellings and Nigerian prince scenarios are not entirely behind us, but the leading edge of phishing is now polished, professional, and frighteningly specific. Nonetheless, most phishing emails share common characteristics:

Urgency. Your account will be suspended in 24 hours. Immediate action required. Your payment has failed. The goal is to make you act before you think.

Unexpected requests. A supplier asking you to update their bank details. Your CEO asking you to buy gift cards. A courier company asking you to reschedule a delivery you did not order.

Mismatched links. The text says www.yourbank.co.uk but hovering over the link reveals a completely different address. This is one of the most reliable tells, so hover before clicking. On a phone you cannot hover; press and hold the link to preview its destination, or leave it until you are at a computer. Be aware that link-shortening and click-tracking services can hide the real destination even from a careful reader.

Generic greetings. Dear Customer or Dear Account Holder rather than your name — though targeted phishing will use your name, and you should not relax simply because an email gets your name right.

Unusual sender addresses. The display name says HMRC but the actual email address is something like hmrc-refunds@random-domain.com. Click or tap the sender's name to see the actual address; phone mail apps often show only the display name. A Reply-To address on a different domain from the sender is another tell. Bear in mind that the address itself can be forged when the sender's domain has no DMARC policy, which is why the technical measures below matter.
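The tells above can be checked mechanically before a person looks at a message. The script below is an added example for this article, not code from the original page: it reads a raw email and flags urgency phrases in the subject, a display name that borrows a brand the sending domain does not belong to, a Reply-To on a different domain, and link text that points somewhere other than it says. The sample message, the domains in it and the BRANDS table are constructed for illustration.

```python
"""Triage a raw email (.eml) for common phishing tells.

Added example for this article, not code from the original page. The sample
message, its domains and the BRANDS table are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an "HMRC refund" lure with a lookalike link.
SAMPLE_EML = b"""From: "HMRC Refunds" <hmrc-refunds@random-domain.example>
Reply-To: refunds@another-domain.example
To: accounts@yourbusiness.co.uk
Subject: Your refund is waiting - immediate action required within 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>Claim at <a href="http://login.random-domain.example/claim">www.gov.uk/hmrc-refund</a>
within 24 hours.</p>
<p>Help: <a href="https://www.gov.uk/contact-hmrc">www.gov.uk/contact-hmrc</a></p>
</body></html>
"""

# Brand keyword -> domains that brand legitimately sends from (assumed, illustrative).
BRANDS = {"hmrc": ("gov.uk",), "microsoft": ("microsoft.com",)}
URGENCY = ("immediate action", "24 hours", "suspended", "payment has failed", "urgent")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Hostname of a URL or of bare 'www.example.com/path' text, minus any 'www.'."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    host = (urlparse(s).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw):
    """Return human-readable findings; an empty list means no tell fired."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = (msg.get("Subject") or "").lower()
    for phrase in URGENCY:
        if phrase in subject:
            findings.append(f"urgency: subject contains '{phrase}'")

    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    for brand, legit in BRANDS.items():
        if brand in name.lower() and not any(from_dom == d or from_dom.endswith("." + d) for d in legit):
            findings.append(f"sender: display name '{name}' but address is @{from_dom}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"sender: Reply-To @{domain_of(reply)} differs from From @{from_dom}")

    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            # Only link text that itself looks like an address can be "mismatched".
            if "." in text and " " not in text and host_of(text) != host_of(href):
                findings.append(f"link: text '{text}' points to {host_of(href)}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print(finding)
```

Run against the sample it reports five findings: two urgency phrases, the HMRC display name on an unrelated domain, the divergent Reply-To, and the gov.uk link text that really goes to login.random-domain.example. The second link, whose text and target agree, is not flagged. None of these checks is proof on its own; they are the same questions a careful reader asks, applied consistently.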

Building a reporting culture

The single most important thing you can do about phishing is to create a culture where people feel comfortable reporting suspicious emails without fear of embarrassment or blame. If someone clicks a phishing link, you want them to tell you immediately, not hide it out of shame.

Rory Sutherland writes about the power of removing friction from desirable behaviours. Applied to phishing, this means making it as easy as possible to report something suspicious, and as psychologically safe as possible to admit a mistake. A simple shared mailbox (something like suspicious@yourbusiness.co.uk) and an explicit statement that reporting is always the right thing to do, even if the email turns out to be genuine, can transform your organisation's resilience.

When someone reports a suspicious email correctly, thank them publicly. When someone reports having clicked a link, thank them for telling you and start the response: change their password, sign them out of all active sessions, and check their mailbox for forwarding or deletion rules an attacker may have added. Never punish people for falling for something; that is the surest way to ensure the next person hides it.

You can also forward phishing emails to the NCSC's Suspicious Email Reporting Service at report@phishing.gov.uk. The service has received millions of reports and uses them to have malicious sites taken down.

Technical measures for email security

If you use a managed email service like Microsoft 365 or Google Workspace, most of these can be configured through the admin console. Get your IT support or email provider to help if you are not sure:

Spam filtering. Modern email services include sophisticated spam and phishing filters. Ensure they are turned on and at an appropriate level. Review the quarantine regularly to catch false positives, and resist the temptation to allow-list an entire domain just to release one message.

SPF, DKIM, and DMARC. These three complementary DNS-based technologies make it hard for attackers to send email that appears to come from your domain. SPF lists the mail servers allowed to send for your domain, DKIM lets your mail server put a signature on outgoing messages, and DMARC ties both to the address in the From field and tells receiving mail servers what to do when a message fails: nothing, quarantine it, or reject it. Without DMARC, anyone can forge an email that looks like it came from accounts@yourbusiness.co.uk and most receiving servers will accept it. DMARC also sends you aggregate reports showing who is sending email on your behalf, so start with a monitoring-only policy (p=none), use the reports to find every legitimate sender (payroll, invoicing and marketing tools are the usual surprises), and only then move to quarantine and reject. Note that these records protect other people from messages forged in your name; they do nothing against a lookalike domain that is one letter different from yours. The NCSC has practical guidance on configuring all three.
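To make the interaction between the three concrete, here is how a receiving server decides what to do with a message claiming to be from your domain. This is an added example for this article, not the page's own code and not a full implementation of the DMARC specification (RFC 7489): it takes the SPF and DKIM verdicts the receiver has already computed, in the form they appear in an Authentication-Results header, checks that the authenticated domains align with the From domain, and applies the DMARC policy. The DNS records and headers are constructed, yourbusiness.co.uk is the article's placeholder domain, and the pct= and sp= tags and the Public Suffix List are ignored.

```python
"""How a receiving mail server applies SPF, DKIM and DMARC to a message.

Added example for this article, not the page's own code. Records and
headers are constructed; yourbusiness.co.uk is the article's placeholder.
"""
import re

# The three DNS records, as they might look for the placeholder domain
# (illustrative; your provider supplies the exact SPF include and DKIM entry):
#   yourbusiness.co.uk.                        TXT   "v=spf1 include:<provider SPF> -all"
#   selector1._domainkey.yourbusiness.co.uk.   TXT   <DKIM public key from provider>
#   _dmarc.yourbusiness.co.uk.                 TXT   <one of the DMARC records below>
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourbusiness.co.uk"
DMARC_ENFORCE = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@yourbusiness.co.uk"

# Constructed Authentication-Results headers, as a receiver might write them.
FORGED = ("mx.example.net; spf=pass (sender IP is 203.0.113.7) "
          "smtp.mailfrom=bounce@random-domain.example; dkim=none (message not signed)")
GENUINE = ("mx.example.net; spf=pass smtp.mailfrom=accounts@yourbusiness.co.uk; "
           "dkim=pass header.d=yourbusiness.co.uk header.s=selector1")
SUBDOMAIN_SENDER = ("mx.example.net; spf=pass smtp.mailfrom=bounce@mail.yourbusiness.co.uk; "
                    "dkim=none (message not signed)")


def parse_dmarc(record):
    """Split 'v=DMARC1; p=...; ...' into a tag dict, defaulting alignment to relaxed."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Crude organisational domain: last two labels, or three for co.uk-style suffixes."""
    labels = domain.lower().split(".")
    two_part_tld = len(labels) >= 3 and labels[-1] == "uk" and labels[-2] in ("co", "org", "gov", "ac")
    return ".".join(labels[-3:] if two_part_tld else labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same organisation."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header):
    """Pull the spf/dkim verdicts and the domains they were computed for."""
    spf = re.search(r"spf=(\w+).*?smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", header)
    dkim = re.search(r"dkim=(\w+).*?header\.d=([^\s;]+)", header)
    return {"spf": (spf.group(1), spf.group(2)) if spf else ("none", ""),
            "dkim": (dkim.group(1), dkim.group(2)) if dkim else ("none", "")}


def dmarc_disposition(from_domain, auth_results_header, dmarc_record):
    """Return (dmarc_result, action) for a message whose From: is at from_domain."""
    policy = parse_dmarc(dmarc_record)
    res = parse_auth_results(auth_results_header)
    spf_ok = res["spf"][0] == "pass" and aligned(res["spf"][1], from_domain, policy["aspf"])
    dkim_ok = res["dkim"][0] == "pass" and aligned(res["dkim"][1], from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy["p"]]
    return "fail", action


if __name__ == "__main__":
    for label, header in (("forged", FORGED), ("genuine", GENUINE), ("subdomain", SUBDOMAIN_SENDER)):
        for name, record in (("p=none", DMARC_MONITOR), ("p=reject strict", DMARC_ENFORCE)):
            print(f"{label:9} under {name:15}: {dmarc_disposition('yourbusiness.co.uk', header, record)}")
```

The forged message passes SPF, but only for the attacker's own bounce domain, so it fails DMARC; under p=none it is still delivered (you merely get told about it in the reports), under p=reject it is refused. The third header shows the trap in going straight to a strict policy: a legitimate tool sending from mail.yourbusiness.co.uk passes under relaxed alignment and is rejected under strict. That is exactly what the monitoring stage is for.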

External email warnings. Most email systems can add a banner to messages that originate from outside your organisation, providing a visual reminder to be cautious. It is a simple setting that gives a constant low-friction nudge. It does nothing, though, for a message sent from a colleague's or supplier's compromised account, which arrives with no banner at all; that case is covered under business email compromise below.

Attachment and link scanning. Business email services typically include features that scan attachments for malware and check links against known malicious URLs. Ensure these features are enabled.

Business email compromise

Business email compromise deserves special attention because it is responsible for the largest financial losses in small business cyber crime. In a BEC attack, the attacker either compromises a real email account or creates a convincing impersonation, then uses it to request payments, redirect invoices, or extract sensitive information.

Common BEC scenarios include:

A supplier notifying you of changed bank details. The supplier is real. The email is not. The next payment goes to the attacker's account.

The CEO asking the finance team to make an urgent payment, often when the CEO is known to be travelling.

A solicitor involved in a property transaction providing account details for completion funds, often near the close of a deal when the buyer is under time pressure.

A client requesting copies of their personal data, which then gets used in identity fraud.

The defence is procedural rather than technical: never process a change to payment details, or an unexpected urgent payment request, based solely on an email. Always verify by telephone, using a number you already have on file, not a number provided in the email or its signature block, and speak to the person rather than leaving a message. This single rule, consistently applied, would prevent a large share of BEC losses.

Pin that rule to the wall above the desk of whoever processes payments. The rule is the control.

What May looks like

If you want to do one thing this month, write down your payment verification rule on a single side of A4 and discuss it with anyone in your business who handles invoices, supplier payments, or financial transfers. The rule is: any change to payment details, and any unexpected payment request, must be verified by a phone call to a number we already had, before it is actioned. No exceptions, no urgency, no one is too senior to be verified.

Next month: software updates. The vegetables of cyber security — boring, easy to skip, and the thing that protects you from more than you would think.

Cyber Essentials note

Email security forms part of Cyber Essentials control 2, Secure Configuration. The technical email measures above contribute directly.