slug: /blog/business-email-security-small-business
—
Business Email Security for Small Business: Stop the Attacks That Actually Hit Companies Like Yours

Business email security is the most critical — and most overlooked — defense for small businesses. Email is the most attacked surface in your business. Not your network perimeter. Not your servers. Your inbox. According to the FBI’s Internet Crime Report, business email compromise is the costliest cybercrime category on record. Losses hit $2.9 billion in 2023 alone. The overwhelming majority of those victims are small and mid-size businesses — not large enterprises with dedicated security teams.
The reason is straightforward: email is how work gets done, and attackers know it. A convincing message from what appears to be your CEO, your bank, or a trusted vendor can trigger a wire transfer, an invoice payment, or a credential disclosure before anyone verifies it. That window is all an attacker needs. Understanding how these attacks work — and putting the right controls in place — is how you stop them before they start.
We’ve been responding to email-related incidents for businesses across Chattanooga and East Tennessee since 2010. This guide covers the threats that actually hit companies your size, the technical controls that stop them, and the practical steps you can take this week.
—
> Key Takeaways
> – Business email compromise (BEC) is the costliest cybercrime category, responsible for $2.9 billion in losses in 2023, and small businesses are the primary targets.
> – Most email attacks succeed through phishing and impersonation — not technical exploits — meaning employee awareness and account controls are your most effective defenses.
> – Three DNS-based authentication protocols — SPF, DKIM, and DMARC — prevent attackers from sending email that appears to come from your domain. Most small businesses haven’t configured them.
> – Multi-factor authentication on your email account is the single most impactful change you can make. An attacker with your password still can’t get in.
> – Microsoft 365 and Google Workspace include powerful email security features that most small businesses have never turned on.
> – A compromised email account doesn’t just expose one person — attackers can read historical conversations, impersonate staff internally and externally, and silently intercept inbound messages for weeks.
—
How Business Email Attacks Actually Work
Infographic: How a Business Email Compromise Attack Works. Caption: MFA at Step 1 stops the entire chain. Verbal verification at Step 4 catches it if Step 1 fails.
Most email attacks against small businesses don’t involve sophisticated malware or zero-day exploits. They rely on deception — and deception works because email was never designed with strong identity verification in mind.
Phishing is the most common entry point. An attacker crafts a convincing email — often impersonating Microsoft, your bank, or a trusted vendor — that directs you to a fake login page. You enter your credentials. They capture them. Within hours, your account is being accessed from an IP address in another country, and your inbox is being read for anything valuable.
Business email compromise (BEC) takes phishing further. Once an attacker has access to a real account, they study the communication patterns and wait. They read past emails to understand who the business trusts, how they communicate, and where money moves. When the right moment arrives, they send a message that looks completely legitimate. It might be a request to update banking information before a payment, a rush wire transfer approved by the owner, or an invoice from a familiar vendor with a new account number. The tactic isn’t new. Only the channel has changed.
Account takeover without phishing happens through credential stuffing. Attackers buy breached email/password lists for a few dollars and run automated tools against Microsoft 365 and Google Workspace. If you’ve reused a password from any previous breach, this works.
Malicious attachments — PDFs, Word documents, Excel files with macros — deliver malware that can log keystrokes, steal stored credentials, or give attackers persistent remote access. Modern email filtering catches most of these, but novel variants slip through regularly.
What connects all of these is the email account itself. If an attacker gets in, they have access to years of historical correspondence: contract terms, banking relationships, personnel matters, client data. They can create inbox rules to silently forward messages to an external address — while deleting the originals from your inbox. They can also reset passwords for other accounts using your email as the recovery address. A single compromised account is often the entry point for a much larger breach.
—
The Three DNS Records That Stop Domain Spoofing
Infographic: How SPF, DKIM & DMARC Work Together
One of the simplest and most overlooked email security controls is configuring three DNS records that authenticate your outbound email and prevent others from sending messages that appear to come from your domain.
SPF (Sender Policy Framework) is a DNS record that lists which mail servers are authorized to send email from your domain. When a receiving mail server gets a message claiming to be from your domain, it checks your SPF record. If the sending server isn’t on the approved list, the message is flagged or rejected.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outbound email, generated using a private key only your mail server holds. The receiving server checks the signature against a public key in your DNS records. If the signature doesn’t match — because the message was altered in transit or sent by someone without your private key — it fails.
DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells receiving servers what to do when a message fails authentication: quarantine it, reject it, or let it through. It also provides reporting that shows you who is sending email using your domain — including attackers who may be spoofing it without your knowledge.
Without these records, anyone can send an email that looks like it came from your domain. With them in place and enforced, most receiving mail systems will reject or quarantine such a message.
Checking your records takes two minutes. Search “MX Toolbox SPF lookup” or “DMARC analyzer,” enter your domain, and you’ll see exactly what’s in place. Many small businesses have SPF set up but are missing DKIM and DMARC entirely. That matters. Without DMARC, SPF and DKIM authenticate your email — but they don’t enforce anything. A message that fails SPF can still reach the inbox.
If your DNS records aren’t set to enforcement mode (DMARC policy of “quarantine” or “reject”), this is worth fixing this week. Our cybersecurity services include DNS authentication configuration as part of any Microsoft 365 or Google Workspace setup, and we’ll check and correct them during a security assessment.
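The two-minute check described above, as a small offline evaluator rather than a lookup tool. This is an added example, not code from the original post or from ETN Tech; the SPF and DMARC records below are constructed samples for an assumed domain, and the SPF evaluator only handles ip4/ip6 and all mechanisms, since include, a and mx need live DNS.

```python
import ipaddress

# Constructed sample records for an assumed domain (not real DNS data).
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com ~all"
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100"

# SPF qualifier prefix -> result when the mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(record: str, sender_ip: str) -> str:
    """Evaluate ip4/ip6 mechanisms of an SPF record against a sending IP.

    Simplification: include/a/mx need DNS lookups, so this offline check
    treats them as no-match. The first matching mechanism decides; if
    nothing matches and there is no 'all' term, the RFC default is neutral.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"  # mechanisms without a prefix mean 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # Mixed IP versions never match, which ipaddress handles for us.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def dmarc_policy(record: str) -> dict:
    """Parse a DMARC TXT record and say whether it actually enforces."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    policy = tags.get("p", "none").lower()
    return {
        "policy": policy,
        "enforcing": policy in ("quarantine", "reject"),  # p=none only reports
        "reporting": "rua" in tags,  # aggregate reports reveal who spoofs you
    }
```

The sample DMARC record above is the common "set up but not enforcing" case: it reports spoofing but lets failing mail through until p is raised to quarantine or reject.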
—
Microsoft 365 and Google Workspace Security Settings You Should Enable
Both major business email platforms ship with security features that protect against the attacks described above — and most small businesses have never turned them on.
Microsoft 365
Defender for Office 365 (Plan 1) is included with Microsoft 365 Business Premium. Alongside it, enable the following:
Multi-factor authentication: Microsoft reports that MFA blocks over 99.9% of automated account attacks. Enable it for every user through the Microsoft 365 admin center. Use Microsoft Authenticator rather than SMS codes where possible.
Conditional Access (requires Azure AD P1, included in Business Premium): lets you enforce rules such as “require MFA outside the company network” or “block sign-ins from countries we don’t operate in.” Even if an attacker has valid credentials, Conditional Access blocks the sign-in from an unrecognized location.
Audit logging: turn it on and keep it on. If an incident does occur, audit logs are how you determine what the attacker accessed, when, and whether they created any inbox rules or forwarding addresses.
Google Workspace
Advanced phishing and malware protection: in the Admin Console under Gmail security settings, enable enhanced pre-delivery message scanning and additional attachment protection. Also enable warnings for spoofed employee names in email.
2-Step Verification: enforce it organization-wide. Google supports hardware security keys (the most phishing-resistant option), Google Prompt, and authenticator apps.
Google Workspace alerts: configure alerts for suspicious sign-ins, email forwarding rule creation, and account changes. These notifications can catch an account compromise within minutes rather than weeks.
Both platforms also allow you to enforce policies across your organization rather than leaving security to individual users. If MFA is enabled as a suggestion rather than a requirement, some users will skip it. Enforce it at the admin level.
—
Practical Controls for Small Business Owners
Beyond the technical settings, there are operational controls that reduce exposure significantly.
Establish a verbal verification policy for financial transactions. Any request to change banking information, approve a wire transfer, or pay an unusual invoice should require a phone call to confirm — using a number you already have on file, not one included in the email. This one rule would have stopped the $62,000 wire transfer loss we described in our MFA guide. No exceptions.
Train employees to recognize phishing. This doesn’t require a formal cybersecurity program. It means walking through examples of what phishing emails look like: urgency language, requests for credentials, links whose real destination (visible on hover) doesn’t match the displayed text, unusual sender addresses. Tools like KnowBe4 and Proofpoint Security Awareness Training run simulated phishing campaigns that measure and improve employee awareness over time.
Limit email client storage of credentials. Browser-stored passwords and email client saved credentials are targets for infostealers — malware that extracts locally cached credentials and exfiltrates them. Use a business password manager (Bitwarden or 1Password) for all credentials instead.
Create a separate admin account for administrative tasks. Don’t use your day-to-day email account — the one that receives vendor correspondence, marketing emails, and newsletter subscriptions — to administer your Microsoft 365 or Google Workspace tenant. Use a dedicated admin account with a strong password, MFA enforced, and no mailbox attached. If your day-to-day account is compromised, the admin account remains protected.
Audit email forwarding rules quarterly. One of the first things an attacker does after compromising an email account is create a forwarding rule: all messages matching certain criteria get silently copied to an external address. Check active forwarding rules for every account in your tenant quarterly and delete anything you don’t recognize.
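The forwarding-rule audit above, and the audit-log review mentioned in the Microsoft 365 section, as detection logic run over sample log lines. This is an added example, not code from the original post or from ETN Tech; the log entries are constructed, and their field names are an assumption loosely modelled on inbox-rule events in the Microsoft 365 unified audit log rather than an exact copy of that schema.

```python
import json

# Constructed sample audit events (one JSON object per line). Field names are
# an assumption modelled on New-/Set-InboxRule audit records, not the real schema.
SAMPLE_LOG = """
{"Operation": "New-InboxRule", "UserId": "bookkeeper@example.com", "ClientIP": "198.51.100.23", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"}, {"Name": "ForwardTo", "Value": "archive.mail7@example.net"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"Operation": "New-InboxRule", "UserId": "owner@example.com", "ClientIP": "203.0.113.10", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Reading"}]}
{"Operation": "Set-InboxRule", "UserId": "frontdesk@example.com", "ClientIP": "203.0.113.10", "Parameters": [{"Name": "Identity", "Value": "Vendor"}, {"Name": "RedirectTo", "Value": "ops@example.com"}]}
"""

COMPANY_DOMAIN = "example.com"  # assumed; replace with your own domain
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")


def suspicious_inbox_rules(log_text: str, domain: str = COMPANY_DOMAIN) -> list:
    """Return inbox-rule events whose forwarding target is outside the company.

    Also records whether the rule deletes the original, the classic compromise
    pattern from the article: copy to the attacker, hide it from the victim.
    """
    findings = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if event.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
        targets = [params[k] for k in FORWARDING_PARAMS if k in params]
        external = [t for t in targets if not t.lower().endswith("@" + domain)]
        if not external:
            continue  # internal redirects are normal business workflow
        findings.append({
            "user": event["UserId"],
            "client_ip": event.get("ClientIP"),
            # Attackers often give rules a throwaway name such as "." to hide them.
            "rule": params.get("Name") or params.get("Identity"),
            "targets": external,
            "deletes_original": params.get("DeleteMessage") == "True",
        })
    return findings


if __name__ == "__main__":
    for finding in suspicious_inbox_rules(SAMPLE_LOG):
        print(json.dumps(finding, indent=2))
```

Running this quarterly over exported audit data is a starting point; the same check in real time (alerting on rule creation, as the Google Workspace section recommends) catches the compromise within minutes rather than months.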
What happens when these controls aren’t in place: In early 2025, an East Tennessee accounting firm lost $62,000 to a business email compromise attack. It started with a phishing email that mimicked a shared document notification. One employee clicked through and entered their Microsoft 365 credentials on a fake login page.
The attacker didn’t act immediately. They read the inbox for three weeks — identifying an active real estate transaction and learning how the firm communicated about payments. When the timing was right, they sent a message that appeared to come from the compromised employee, asking to update the wire transfer instructions.
The money moved before anyone caught the discrepancy. The FBI was notified. It was not recovered.
MFA on the compromised account would have blocked the initial phishing attack. A verbal verification policy for wire transfers would have caught the fraudulent request. Either control would have prevented the loss. Neither was in place.
—
Frequently Asked Questions
What is business email compromise and how does it differ from phishing?
Phishing is the attack that captures credentials — usually through a fake login page. Business email compromise (BEC) is what happens with those credentials. An attacker who has accessed a real email account uses it to impersonate that person to employees, vendors, or clients, typically to redirect financial transactions. BEC attacks don’t always require compromising an account — sometimes attackers simply spoof a display name to trick recipients — but account access makes them far more convincing and harder to detect.
How can I tell if my email account has been compromised?
Check your inbox rules for anything you didn’t create. Review your sign-in history (available in Microsoft 365 and Google Workspace account security settings) for logins from unfamiliar locations or devices. Check whether any contacts have received messages from you that you didn’t send. If your IT provider manages your environment, they should have alerting in place that flags anomalous sign-in activity automatically.
Does email encryption protect against these attacks?
Not directly. Email encryption (like S/MIME or transport-layer TLS) protects messages in transit from interception. It does not prevent an attacker from accessing your account, impersonating your domain, or tricking an employee into clicking a phishing link. Encryption is a useful component of a complete email security posture but shouldn’t be confused with the controls that stop BEC and phishing attacks.
Is email security included in Microsoft 365 Business Premium?
Yes. Microsoft 365 Business Premium includes Defender for Office 365 Plan 1, which covers Safe Links, Safe Attachments, and anti-phishing policies. It also includes Microsoft Entra ID P1 (formerly Azure AD P1), which enables Conditional Access policies. Many small businesses subscribe to Business Premium without realizing these features exist or that they need to be explicitly enabled — they don’t turn themselves on.
How quickly can an attacker act after compromising an email account?
It varies. Automated credential-stuffing attacks will attempt account access within minutes of acquiring credentials. Human-operated attacks — where an attacker is specifically targeting your business — often involve a reconnaissance period of days to weeks, during which they read historical email to identify high-value opportunities. The longer a compromise goes undetected, the more damage becomes possible.
—
What to Do Next
Business email is the primary attack surface for small businesses. The good news: the defenses are well understood, available on platforms you already use, and configurable without major expense. The gap for most businesses isn’t access to the tools. It’s knowing which settings to turn on — and having someone verify they’re working.
Our managed IT services in Chattanooga have been protecting small businesses and dental practices across East Tennessee since 2010. We hold certifications with SonicWall, Datto, and Ubiquiti UniFi, and we’ve earned Best of the Best recognition for IT services in the Chattanooga area.
If you’re not certain your email environment is configured to stop the attacks described here, a security assessment is the right starting point. We’ll check your DNS authentication records, your Microsoft 365 or Google Workspace security settings, your MFA enrollment status, and your email forwarding rules — and give you a straight answer about what we find.
Schedule a free consultation or reach us directly at (423) 779-8196 or Helpdesk@etntech.com. We serve businesses across Chattanooga, Hamilton County, Cleveland, Ooltewah, and the surrounding East Tennessee region.
East Tennessee Technical Consultants
📞 (423) 779-8196 | ✉️ Helpdesk@etntech.com | etntech.com
—