{"id":100,"date":"2026-05-09T08:35:06","date_gmt":"2026-05-09T12:35:06","guid":{"rendered":"http:\/\/etntech.com\/blog\/?p=100"},"modified":"2026-05-11T16:46:19","modified_gmt":"2026-05-11T20:46:19","slug":"business-email-security-small-business","status":"publish","type":"post","link":"https:\/\/etntech.com\/blog\/business-email-security-small-business\/","title":{"rendered":"Business Email Security for Small Business: Stop the Attacks That Actually Hit Companies Like Yours"},"content":{"rendered":"<p><script type=\"application\/ld+json\">\n{\n  \"@context\": \"https:\/\/schema.org\",\n  \"@type\": \"FAQPage\",\n  \"mainEntity\": [\n    {\n      \"@type\": \"Question\",\n      \"name\": \"What is business email compromise and how does it differ from phishing?\",\n      \"acceptedAnswer\": {\n        \"@type\": \"Answer\",\n        \"text\": \"Phishing is the attack that captures credentials -- usually through a fake login page. Business email compromise (BEC) is what happens with those credentials. An attacker who has accessed a real email account uses it to impersonate that person to employees, vendors, or clients, typically to redirect financial transactions. BEC attacks don't always require compromising an account -- sometimes attackers simply spoof a display name to trick recipients -- but account access makes them far more convincing and harder to detect.\"\n      }\n    },\n    {\n      \"@type\": \"Question\",\n      \"name\": \"How can I tell if my email account has been compromised?\",\n      \"acceptedAnswer\": {\n        \"@type\": \"Answer\",\n        \"text\": \"Check your inbox rules for anything you didn't create. Review your sign-in history (available in Microsoft 365 and Google Workspace account security settings) for logins from unfamiliar locations or devices. Check whether any contacts have received messages from you that you didn't send. 
If your IT provider manages your environment, they should have alerting in place that flags anomalous sign-in activity automatically.\"\n      }\n    },\n    {\n      \"@type\": \"Question\",\n      \"name\": \"Does email encryption protect against these attacks?\",\n      \"acceptedAnswer\": {\n        \"@type\": \"Answer\",\n        \"text\": \"Not directly. Email encryption (like S\/MIME or transport-layer TLS) protects messages in transit from interception. It does not prevent an attacker from accessing your account, impersonating your domain, or tricking an employee into clicking a phishing link. Encryption is a useful component of a complete email security posture but shouldn't be confused with the controls that stop BEC and phishing attacks.\"\n      }\n    },\n    {\n      \"@type\": \"Question\",\n      \"name\": \"Is email security included in Microsoft 365 Business Premium?\",\n      \"acceptedAnswer\": {\n        \"@type\": \"Answer\",\n        \"text\": \"Yes. Microsoft 365 Business Premium includes Defender for Office 365 Plan 1, which covers Safe Links, Safe Attachments, and anti-phishing policies. It also includes Microsoft Entra ID P1 (formerly Azure AD P1), which enables Conditional Access policies. Many small businesses subscribe to Business Premium without realizing these features exist or that they need to be explicitly enabled -- they don't turn themselves on.\"\n      }\n    },\n    {\n      \"@type\": \"Question\",\n      \"name\": \"How quickly can an attacker act after compromising an email account?\",\n      \"acceptedAnswer\": {\n        \"@type\": \"Answer\",\n        \"text\": \"It varies. Automated credential-stuffing attacks will attempt account access within minutes of acquiring credentials. Human-operated attacks -- where an attacker is specifically targeting your business -- often involve a reconnaissance period of days to weeks, during which they read historical email to identify high-value opportunities. 
The longer a compromise goes undetected, the more damage becomes possible.\"\n      }\n    }\n  ]\n}\n<\/script><\/p>\n<h1>Business Email Security for Small Business: Stop the Attacks That Actually Hit Companies Like Yours<\/h1>\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/etntech.com\/blog\/wp-content\/uploads\/2026\/05\/business-email-security-guide-1.jpg\" alt=\"Business email security guide for small businesses \u2014 laptop with security overlay\" width=\"1200\" loading=\"eager\" \/><\/figure>\n<p>Business email security is the most critical \u2014 and most overlooked \u2014 defense for small businesses. Email is the most attacked surface in your business. Not your network perimeter. Not your servers. Your inbox. According to the FBI&#8217;s Internet Crime Report, business email compromise is the costliest cybercrime category on record. Losses hit <a href=\"https:\/\/www.ic3.gov\/AnnualReport\/Reports\/2023_IC3Report.pdf\">$2.9 billion in 2023 alone<\/a>. The overwhelming majority of those victims are small and mid-size businesses &#8212; not large enterprises with dedicated security teams.<\/p>\n<p>The reason is straightforward: email is how work gets done, and attackers know it. A convincing message from what appears to be your CEO, your bank, or a trusted vendor can trigger a wire transfer, an invoice payment, or a credential disclosure before anyone verifies it. That window is all an attacker needs. Understanding how these attacks work \u2014 and putting the right controls in place \u2014 is how you stop them before they start.<\/p>\n<p>We&#8217;ve been responding to email-related incidents for businesses across Chattanooga and East Tennessee since 2010. 
This guide covers the threats that actually hit companies your size, the technical controls that stop them, and the practical steps you can take this week.<\/p>\n<p>&#8212;<\/p>\n<blockquote>\n<p><strong>Key Takeaways<\/strong><\/p>\n<ul>\n<li>Business email compromise (BEC) is the costliest cybercrime category, responsible for $2.9 billion in losses in 2023, and small businesses are the primary targets.<\/li>\n<li>Most email attacks succeed through phishing and impersonation &#8212; not technical exploits &#8212; meaning employee awareness and account controls are your most effective defenses.<\/li>\n<li>Three DNS-based authentication protocols &#8212; SPF, DKIM, and DMARC &#8212; prevent attackers from sending email that appears to come from your domain. Most small businesses haven&#8217;t configured them.<\/li>\n<li>Multi-factor authentication on your email account is the single most impactful change you can make. An attacker with your password still can&#8217;t get in.<\/li>\n<li>Microsoft 365 and Google Workspace include powerful email security features that most small businesses have never turned on.<\/li>\n<li>A compromised email account doesn&#8217;t just expose one person &#8212; attackers can read historical conversations, impersonate staff internally and externally, and silently intercept inbound messages for weeks.<\/li>\n<\/ul>\n<\/blockquote>\n<p>&#8212;<\/p>\n<h2>How Business Email Attacks Actually Work<\/h2>\n<div style=\"background:#f8f9fa;border:1px solid #e0e0e0;border-radius:8px;padding:24px;margin:24px 0;font-family:sans-serif;\">\n<p style=\"text-align:center;font-weight:700;font-size:15px;margin:0 0 20px;color:#1a1a2e;\">How a Business Email Compromise Attack Works<\/p>\n<div style=\"display:flex;align-items:flex-start;gap:0;flex-wrap:wrap;justify-content:center;\">\n<div style=\"text-align:center;width:130px;margin:4px;\">\n<div style=\"background:#dc3545;color:#fff;border-radius:50%;width:48px;height:48px;line-height:48px;margin:0 auto 
8px;font-weight:700;font-size:18px;\">1<\/div>\n<div style=\"font-size:12px;font-weight:600;color:#1a1a2e;\">Phishing Email<\/div>\n<div style=\"font-size:11px;color:#555;margin-top:4px;\">Fake Microsoft or bank login page captures credentials<\/div>\n<\/div>\n<div style=\"padding-top:20px;color:#aaa;font-size:20px;margin:4px;\">&#8594;<\/div>\n<div style=\"text-align:center;width:130px;margin:4px;\">\n<div style=\"background:#fd7e14;color:#fff;border-radius:50%;width:48px;height:48px;line-height:48px;margin:0 auto 8px;font-weight:700;font-size:18px;\">2<\/div>\n<div style=\"font-size:12px;font-weight:600;color:#1a1a2e;\">Account Access<\/div>\n<div style=\"font-size:11px;color:#555;margin-top:4px;\">Attacker logs in, reads inbox for days or weeks<\/div>\n<\/div>\n<div style=\"padding-top:20px;color:#aaa;font-size:20px;margin:4px;\">&#8594;<\/div>\n<div style=\"text-align:center;width:130px;margin:4px;\">\n<div style=\"background:#ffc107;color:#fff;border-radius:50%;width:48px;height:48px;line-height:48px;margin:0 auto 8px;font-weight:700;font-size:18px;\">3<\/div>\n<div style=\"font-size:12px;font-weight:600;color:#1a1a2e;\">Reconnaissance<\/div>\n<div style=\"font-size:11px;color:#555;margin-top:4px;\">Identifies payments, vendors, banking relationships<\/div>\n<\/div>\n<div style=\"padding-top:20px;color:#aaa;font-size:20px;margin:4px;\">&#8594;<\/div>\n<div style=\"text-align:center;width:130px;margin:4px;\">\n<div style=\"background:#20c997;color:#fff;border-radius:50%;width:48px;height:48px;line-height:48px;margin:0 auto 8px;font-weight:700;font-size:18px;\">4<\/div>\n<div style=\"font-size:12px;font-weight:600;color:#1a1a2e;\">Fraudulent Request<\/div>\n<div style=\"font-size:11px;color:#555;margin-top:4px;\">Sends convincing wire transfer or payment change request<\/div>\n<\/div>\n<div style=\"padding-top:20px;color:#aaa;font-size:20px;margin:4px;\">&#8594;<\/div>\n<div style=\"text-align:center;width:130px;margin:4px;\">\n<div 
style=\"background:#dc3545;color:#fff;border-radius:50%;width:48px;height:48px;line-height:48px;margin:0 auto 8px;font-weight:700;font-size:18px;\">5<\/div>\n<div style=\"font-size:12px;font-weight:600;color:#1a1a2e;\">Money Transferred<\/div>\n<div style=\"font-size:11px;color:#555;margin-top:4px;\">Funds moved before anyone detects the fraud<\/div>\n<\/div>\n<\/div>\n<p style=\"text-align:center;font-size:11px;color:#888;margin:16px 0 0;\">&#x1F512; MFA at Step 1 stops the entire chain. Verbal verification at Step 4 catches it if Step 1 fails.<\/p>\n<\/div>\n<p>Most email attacks against small businesses don&#8217;t involve sophisticated malware or zero-day exploits. They rely on deception &#8212; and deception works because email was never designed with strong identity verification in mind.<\/p>\n<p><strong>Phishing<\/strong> is the most common entry point. An attacker crafts a convincing email &#8212; often impersonating Microsoft, your bank, or a trusted vendor &#8212; that directs you to a fake login page. You enter your credentials. They capture them. Within hours, your account is being accessed from an IP address in another country, and your inbox is being read for anything valuable.<\/p>\n<p><strong>Business email compromise (BEC)<\/strong> takes phishing further. Once an attacker has access to a real account, they study the communication patterns and wait. They read past emails to understand who the business trusts, how they communicate, and where money moves. When the right moment arrives, they send a message that looks completely legitimate. It might be a request to update banking information before a payment, a rush wire transfer approved by the owner, or an invoice from a familiar vendor with a new account number. The tactic isn&#8217;t new. Only the channel has changed.<\/p>\n<p><strong>Account takeover without phishing<\/strong> happens through credential stuffing. 
Attackers buy breached email\/password lists for a few dollars and run automated tools against Microsoft 365 and Google Workspace. If you&#8217;ve reused a password from any previous breach, this works.<\/p>\n<p><strong>Malicious attachments<\/strong> &#8212; PDFs, Word documents, Excel files with macros &#8212; deliver malware that can log keystrokes, steal stored credentials, or give attackers persistent remote access. Modern email filtering catches most of these, but novel variants slip through regularly.<\/p>\n<p>What connects all of these is the email account itself. If an attacker gets in, they have access to years of historical correspondence: contract terms, banking relationships, personnel matters, client data. They can create inbox rules to silently forward messages to an external address &#8212; while deleting the originals from your inbox. They can also reset passwords for other accounts using your email as the recovery address. A single compromised account is often the entry point for a much larger breach.<\/p>\n<p>&#8212;<\/p>\n<h2>The Three DNS Records That Stop Domain Spoofing<\/h2>\n<div style=\"background:#f8f9fa;border:1px solid #e0e0e0;border-radius:8px;padding:24px;margin:24px 0;font-family:sans-serif;\">\n<p style=\"text-align:center;font-weight:700;font-size:15px;margin:0 0 20px;color:#1a1a2e;\">How SPF, DKIM &amp; DMARC Work Together<\/p>\n<div style=\"display:grid;grid-template-columns:1fr 1fr 1fr;gap:16px;\">\n<div style=\"background:#fff;border:2px solid #0d6efd;border-radius:8px;padding:16px;text-align:center;\">\n<div style=\"font-weight:700;color:#0d6efd;font-size:14px;margin-bottom:8px;\">SPF<\/div>\n<div style=\"font-size:12px;color:#333;line-height:1.5;\">Lists which mail servers are authorized to send from your domain. 
Unapproved servers get flagged.<\/div>\n<\/div>\n<div style=\"background:#fff;border:2px solid #198754;border-radius:8px;padding:16px;text-align:center;\">\n<div style=\"font-weight:700;color:#198754;font-size:14px;margin-bottom:8px;\">DKIM<\/div>\n<div style=\"font-size:12px;color:#333;line-height:1.5;\">Adds a cryptographic signature to every email. Receiving servers verify it hasn&#8217;t been tampered with.<\/div>\n<\/div>\n<div style=\"background:#fff;border:2px solid #dc3545;border-radius:8px;padding:16px;text-align:center;\">\n<div style=\"font-weight:700;color:#dc3545;font-size:14px;margin-bottom:8px;\">DMARC<\/div>\n<div style=\"font-size:12px;color:#333;line-height:1.5;\">Ties SPF and DKIM together. Tells receiving servers to quarantine or reject failures. Sends you reports.<\/div>\n<\/div>\n<\/div>\n<div style=\"background:#fff3cd;border:1px solid #ffc107;border-radius:6px;padding:12px;margin-top:16px;font-size:12px;color:#664d03;\">\n<strong>&#x26A0; Without DMARC:<\/strong> SPF and DKIM authenticate your email but don&#8217;t enforce anything. A message that fails SPF can still reach the inbox. DMARC is the enforcement layer.\n<\/div>\n<\/div>\n<p>One of the simplest and most overlooked email security controls is configuring three DNS records that authenticate your outbound email and prevent others from sending messages that appear to come from your domain.<\/p>\n<p><strong>SPF (Sender Policy Framework)<\/strong> is a DNS record that lists which mail servers are authorized to send email from your domain. When a receiving mail server gets a message claiming to be from your domain, it checks your SPF record. If the sending server isn&#8217;t on the approved list, the message is flagged or rejected.<\/p>\n<p><strong>DKIM (DomainKeys Identified Mail)<\/strong> adds a cryptographic signature to outbound email, generated using a private key only your mail server holds. The receiving server checks the signature against a public key in your DNS records. 
If the signature doesn&#8217;t match &#8212; because the message was altered in transit or sent by someone without your private key &#8212; it fails.<\/p>\n<p><strong>DMARC (Domain-based Message Authentication, Reporting and Conformance)<\/strong> ties SPF and DKIM together and tells receiving servers what to do when a message fails authentication: quarantine it, reject it, or let it through. It also provides reporting that shows you who is sending email using your domain &#8212; including attackers who may be spoofing it without your knowledge.<\/p>\n<p>Without these records, anyone can send an email that looks like it came from your domain. With them in place and DMARC set to enforce, most receiving mail systems will quarantine or reject such a message.<\/p>\n<p>Checking your records takes two minutes. Search &#8220;MX Toolbox SPF lookup&#8221; or &#8220;DMARC analyzer,&#8221; enter your domain, and you&#8217;ll see exactly what&#8217;s in place. Many small businesses have SPF set up but are missing DKIM and DMARC entirely. That matters. Without DMARC, SPF and DKIM authenticate your email &#8212; but they don&#8217;t enforce anything. A message that fails SPF can still reach the inbox.<\/p>\n<p>If your DNS records aren&#8217;t set to enforcement mode (DMARC policy of &#8220;quarantine&#8221; or &#8220;reject&#8221;), this is worth fixing this week. 
Our <a href=\"https:\/\/etntech.com\/cybersecurity\">cybersecurity services<\/a> include DNS authentication configuration as part of any Microsoft 365 or Google Workspace setup, and we&#8217;ll check and correct them during a security assessment.<\/p>\n<p>&#8212;<\/p>\n<h2>Microsoft 365 and Google Workspace Security Settings You Should Enable<\/h2>\n<p>Both major business email platforms ship with security features that protect against the attacks described above &#8212; and most small businesses have never turned them on.<\/p>\n<h3>Microsoft 365<\/h3>\n<p><strong>Defender for Office 365 (Plan 1)<\/strong> is included with Microsoft 365 Business Premium. It adds:<\/p>\n<ul>\n<li><strong>Safe Links<\/strong>: rewrites URLs in emails and scans the destination at click-time, not just at delivery. Links that appear clean when delivered can become malicious later; Safe Links catches this.<\/li>\n<li><strong>Safe Attachments<\/strong>: opens suspicious attachments in a sandboxed environment before delivering them to your inbox. If the attachment attempts malicious behavior, it&#8217;s blocked.<\/li>\n<li><strong>Anti-phishing policies<\/strong>: uses machine learning to identify phishing attempts, including impersonation attacks targeting executives or specific users.<\/li>\n<\/ul>\n<p><strong>Multi-factor authentication<\/strong>: <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2019\/08\/20\/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks\/\">Microsoft reports that MFA blocks over 99.9% of automated account attacks<\/a>. Enable it for every user through the Microsoft 365 admin center. 
Use Microsoft Authenticator rather than SMS codes where possible.<\/p>\n<p><strong>Conditional Access<\/strong> (requires Microsoft Entra ID P1, formerly Azure AD P1, included in Business Premium): lets you enforce rules such as &#8220;require MFA outside the company network&#8221; or &#8220;block sign-ins from countries we don&#8217;t operate in.&#8221; Even if an attacker has valid credentials, such a rule blocks the sign-in when it comes from a location the policy doesn&#8217;t allow.<\/p>\n<p><strong>Audit logging<\/strong>: turn it on and keep it on. If an incident does occur, audit logs are how you determine what the attacker accessed, when, and whether they created any inbox rules or forwarding addresses.<\/p>\n<h3>Google Workspace<\/h3>\n<p><strong>Advanced phishing and malware protection<\/strong>: in the Admin Console under Gmail security settings, enable enhanced pre-delivery message scanning and additional attachment protection. Also enable warnings for spoofed employee names in email.<\/p>\n<p><strong>2-Step Verification<\/strong>: enforce it organization-wide. Google supports hardware security keys (the most phishing-resistant option), Google Prompt, and authenticator apps.<\/p>\n<p><strong>Google Workspace alerts<\/strong>: configure alerts for suspicious sign-ins, email forwarding rule creation, and account changes. These notifications can catch an account compromise within minutes rather than weeks.<\/p>\n<p>Both platforms also allow you to enforce policies across your organization rather than leaving security to individual users. If MFA is enabled as a suggestion rather than a requirement, some users will skip it. 
Enforce it at the admin level.<\/p>\n<p>&#8212;<\/p>\n<h2>Practical Controls for Small Business Owners<\/h2>\n<p>Beyond the technical settings, there are operational controls that reduce exposure significantly.<\/p>\n<p><strong>Establish a verbal verification policy for financial transactions.<\/strong> Any request to change banking information, approve a wire transfer, or pay an unusual invoice should require a phone call to confirm &#8212; using a number you already have on file, not one included in the email. No exceptions. This one rule would have stopped the $62,000 wire transfer loss we described in our MFA guide.<\/p>\n<p><strong>Train employees to recognize phishing.<\/strong> This doesn&#8217;t require a formal cybersecurity program. It means walking through examples of what phishing emails look like: urgent language, requests for credentials, links whose real destination (shown when you hover over them) doesn&#8217;t match the displayed text, and unusual sender addresses. Tools like KnowBe4 and Proofpoint Security Awareness Training run simulated phishing campaigns that measure and improve employee awareness over time.<\/p>\n<p><strong>Limit email client storage of credentials.<\/strong> Browser-stored passwords and email client saved credentials are targets for infostealers &#8212; malware that extracts locally cached credentials and exfiltrates them. Use a business password manager (Bitwarden or 1Password) for all credentials instead.<\/p>\n<p><strong>Create a separate admin account for administrative tasks.<\/strong> Don&#8217;t use your day-to-day email account &#8212; the one that receives vendor correspondence, marketing emails, and newsletter subscriptions &#8212; to administer your Microsoft 365 or Google Workspace tenant. Use a dedicated admin account with a strong password, MFA enforced, and no mailbox attached. 
If your day-to-day account is compromised, the admin account remains protected.<\/p>\n<p><strong>Audit email forwarding rules quarterly.<\/strong> One of the first things an attacker does after compromising an email account is create a forwarding rule: all messages matching certain criteria get silently copied to an external address. Check active forwarding rules for every account in your tenant quarterly and delete anything you don&#8217;t recognize.<\/p>\n<p><strong>What happens when these controls aren&#8217;t in place:<\/strong> In early 2025, an East Tennessee accounting firm lost $62,000 to a business email compromise attack. It started with a phishing email that mimicked a shared document notification. One employee clicked through and entered their Microsoft 365 credentials on a fake login page.<\/p>\n<p>The attacker didn&#8217;t act immediately. They read the inbox for three weeks &#8212; identifying an active real estate transaction and learning how the firm communicated about payments. When the timing was right, they sent a message that appeared to come from the compromised employee, asking to update the wire transfer instructions.<\/p>\n<p>The money moved before anyone caught the discrepancy. The FBI was notified. The money was not recovered.<\/p>\n<p>MFA on the compromised account would have kept the attacker out even with the phished password. A verbal verification policy for wire transfers would have caught the fraudulent request. Either control would have prevented the loss. Neither was in place.<\/p>\n<p>&#8212;<\/p>\n<h2>Frequently Asked Questions<\/h2>\n<p><strong>What is business email compromise and how does it differ from phishing?<\/strong><br \/>\nPhishing is the attack that captures credentials &#8212; usually through a fake login page. Business email compromise (BEC) is what happens with those credentials. 
An attacker who has accessed a real email account uses it to impersonate that person to employees, vendors, or clients, typically to redirect financial transactions. BEC attacks don&#8217;t always require compromising an account &#8212; sometimes attackers simply spoof a display name to trick recipients &#8212; but account access makes them far more convincing and harder to detect.<\/p>\n<p><strong>How can I tell if my email account has been compromised?<\/strong><br \/>\nCheck your inbox rules for anything you didn&#8217;t create. Review your sign-in history (available in Microsoft 365 and Google Workspace account security settings) for logins from unfamiliar locations or devices. Check whether any contacts have received messages from you that you didn&#8217;t send. If your IT provider manages your environment, they should have alerting in place that flags anomalous sign-in activity automatically.<\/p>\n<p><strong>Does email encryption protect against these attacks?<\/strong><br \/>\nNot directly. Email encryption (like S\/MIME or transport-layer TLS) protects messages in transit from interception. It does not prevent an attacker from accessing your account, impersonating your domain, or tricking an employee into clicking a phishing link. Encryption is a useful component of a complete email security posture but shouldn&#8217;t be confused with the controls that stop BEC and phishing attacks.<\/p>\n<p><strong>Is email security included in Microsoft 365 Business Premium?<\/strong><br \/>\nYes. Microsoft 365 Business Premium includes Defender for Office 365 Plan 1, which covers Safe Links, Safe Attachments, and anti-phishing policies. It also includes Microsoft Entra ID P1 (formerly Azure AD P1), which enables Conditional Access policies. 
Many small businesses subscribe to Business Premium without realizing these features exist or that they need to be explicitly enabled &#8212; they don&#8217;t turn themselves on.<\/p>\n<p><strong>How quickly can an attacker act after compromising an email account?<\/strong><br \/>\nIt varies. Automated credential-stuffing attacks will attempt account access within minutes of acquiring credentials. Human-operated attacks &#8212; where an attacker is specifically targeting your business &#8212; often involve a reconnaissance period of days to weeks, during which they read historical email to identify high-value opportunities. The longer a compromise goes undetected, the more damage becomes possible.<\/p>\n<p>&#8212;<\/p>\n<h2>What to Do Next<\/h2>\n<p>Business email is the primary attack surface for small businesses. The good news: the defenses are well understood, available on platforms you already use, and configurable without major expense. The gap for most businesses isn&#8217;t access to the tools. It&#8217;s knowing which settings to turn on &#8212; and having someone verify they&#8217;re working.<\/p>\n<p>Our <a href=\"https:\/\/etntech.com\">managed IT services in Chattanooga<\/a> have been protecting small businesses and dental practices across East Tennessee since 2010. We hold certifications with SonicWall, Datto, and Ubiquiti UniFi, and we&#8217;ve earned Best of the Best recognition for IT services in the Chattanooga area.<\/p>\n<p>If you&#8217;re not certain your email environment is configured to stop the attacks described here, a security assessment is the right starting point. We&#8217;ll check your DNS authentication records, your Microsoft 365 or Google Workspace security settings, your MFA enrollment status, and your email forwarding rules &#8212; and give you a straight answer about what we find.<\/p>\n<p><a href=\"https:\/\/etntech.com\/bookings\">Schedule a free consultation<\/a> or reach us directly at (423) 779-8196 or Helpdesk@etntech.com. 
We serve businesses across Chattanooga, Hamilton County, Cleveland, Ooltewah, and the surrounding East Tennessee region.<\/p>\n<p><strong>East Tennessee Technical Consultants<\/strong><br \/>\n\ud83d\udcde <a href=\"tel:4237798196\">(423) 779-8196<\/a> | \u2709\ufe0f Helpdesk@etntech.com | <a href=\"https:\/\/etntech.com\">etntech.com<\/a><\/p>\n<p>&#8212;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Business email compromise cost $2.9B in 2023. Learn the controls that stop phishing, BEC, and account takeover &#8212; and which settings to turn on today.<\/p>\n","protected":false},"author":1,"featured_media":169,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"business email security","_yoast_wpseo_title":"Business Email Security for Small Business | ETTC","_yoast_wpseo_metadesc":"Business email compromise cost $2.9B in 2023. Learn the controls that stop phishing, BEC, and account takeover -- and which settings to turn on today.","_yoast_wpseo_linkdex":"","_yoast_wpseo_content_score":"30","footnotes":""},"categories":[3],"tags":[],"class_list":["post-100","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity"],"yoast_seo":{"focus_keyphrase":"business email security","seo_title":"Business Email Security for Small Business | ETTC","meta_description":"Business email compromise cost $2.9B in 2023. Learn the controls that stop phishing, BEC, and account takeover -- and which settings to turn on today."},"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Business Email Security for Small Business | ETTC<\/title>\n<meta name=\"description\" content=\"Business email compromise cost $2.9B in 2023. 
Learn the controls that stop phishing, BEC, and account takeover -- and which settings to turn on today.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/etntech.com\/blog\/business-email-security-small-business\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Business Email Security for Small Business | ETTC\" \/>\n<meta property=\"og:description\" content=\"Business email compromise cost $2.9B in 2023. Learn the controls that stop phishing, BEC, and account takeover -- and which settings to turn on today.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/etntech.com\/blog\/business-email-security-small-business\/\" \/>\n<meta property=\"og:site_name\" content=\"ETNTech Blog\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-09T12:35:06+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-05-11T20:46:19+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/etntech.com\/blog\/wp-content\/uploads\/2026\/05\/business-email-security-guide-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"800\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"etntech_admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"etntech_admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<!-- \/ Yoast SEO plugin. -->"}