Every year the security industry announces the next big threat vector. Cloud misconfigurations. Supply chain attacks. AI-powered exploits. And every year, the data tells the same story: email is still where most attacks begin. In 2025, 82% of cyberattacks started with an email. That number has barely moved in a decade — because email works, and attackers go with what works.
What has changed is the quality of the attacks. AI has removed the barriers that used to make phishing easy to spot — the broken English, the generic greetings, the obvious pretexts. Today's email attacks are personalised, contextually accurate, and increasingly difficult to distinguish from legitimate correspondence. For small businesses without a dedicated security team, the risk is real and growing. This post explains what the attacks look like, why the technical defences matter, and what you can do right now to reduce your exposure.
The Scale of the Problem
56% of UK businesses were hit by email impersonation attacks in 2025. Research from the Cyber Security Breaches Survey shows phishing remains the most common form of cyber attack on UK organisations — reported by 85% of businesses that identified a breach or attack.
Business email compromise (BEC) — where attackers impersonate a senior executive, supplier, or trusted contact to authorise fraudulent payments or extract sensitive data — is now one of the costliest forms of cybercrime globally. The FBI's Internet Crime Complaint Center consistently reports BEC losses in the billions annually, and UK Finance data shows it is among the fastest-growing fraud types affecting British businesses.
AI-powered phishing attacks increased by 1,210% between 2022 and 2025, according to research from SlashNext. The same tools that help legitimate businesses draft personalised communications are being used to generate convincing, targeted phishing emails at industrial scale.
The volume problem is compounding the quality problem. Attackers no longer need to craft individual emails by hand. AI allows the mass production of personalised, context-aware lures — emails that reference your industry, your suppliers, your recent activity — at a cost that makes even low-success-rate campaigns economically viable.
What Modern Email Attacks Look Like
The phishing email that asks you to "click here to verify your account" and misspells your name is largely a relic. The attacks that are working against businesses today are considerably more sophisticated.
The Technical Defences: SPF, DKIM, and DMARC
Three email authentication standards exist specifically to prevent domain spoofing — the technique that allows attackers to send emails that appear to come from your domain. Most small businesses have partially implemented them. Few have implemented them correctly.
SPF (Sender Policy Framework)
SPF is a DNS record that specifies which mail servers are authorised to send email on behalf of your domain. When a receiving mail server gets an email claiming to be from your domain, it checks your SPF record to see if the sending server is on the approved list. If it isn't, the email can be flagged or rejected.
SPF alone is not sufficient — it only checks the envelope sender, not the "From" address the recipient sees. But it is a necessary foundation. An SPF record that includes all your legitimate sending sources (your email provider, any third-party tools that send email on your behalf) and ends with -all (hard fail for unauthorised senders) is the correct configuration.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to emails sent from your domain. The receiving server uses a public key published in your DNS to verify that the email was genuinely sent by you and has not been altered in transit. Unlike SPF, DKIM travels with the message — it survives email forwarding, which SPF does not.
Your email provider will have instructions for enabling DKIM. For Microsoft 365, it's configured in the Defender portal under Email Authentication Settings. For Google Workspace, it's in Admin Console under Apps → Gmail → Authenticate Email.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC is the policy layer that ties SPF and DKIM together and tells receiving mail servers what to do when an email fails authentication. It also generates reports — both aggregate and forensic — that show you who is sending email using your domain.
A DMARC policy of p=none does nothing to protect you. It tells receiving servers to take no action on failing emails — it only sends reports. A policy of p=quarantine sends failing emails to spam. A policy of p=reject blocks them outright. Many businesses have DMARC in place at p=none and believe they are protected. They are not.
The correct progression is: implement SPF and DKIM correctly, then deploy DMARC at p=none to collect reports, review the reports to ensure all legitimate sending sources are covered, then move to p=quarantine and eventually p=reject. Jumping straight to p=reject without understanding your email flows will cause legitimate emails to be blocked.
What Attackers Do When Technical Defences Are in Place
SPF, DKIM, and DMARC prevent attackers from spoofing your exact domain. They do not prevent attacks that use lookalike domains — registrations like farad0me.com, faradome-uk.com, or faradome.co that are visually similar to yours but technically different. These bypass authentication checks entirely because they are, technically, legitimate sends from a different domain.
Monitoring for typosquat registrations — domains that could be used to impersonate your business — is a meaningful additional layer. New domains are registered that target known brands and business names every day. Knowing when someone registers a lookalike domain gives you the opportunity to respond before it's used in an attack.
Reducing the Human Risk
Technical controls reduce the attack surface. They do not eliminate it. Attackers who can't spoof your domain will use a compromised legitimate account, a convincing lookalike domain, or a social engineering approach that doesn't require domain spoofing at all. Staff awareness remains a critical layer.
- Establish a verbal verification process for payment requests. Any email requesting a change to payment details or an urgent transfer should require a phone call to a known number — not a reply to the email, not a call to a number in the email — to verify. This one control stops the majority of BEC attacks.
- Train staff to recognise urgency as a red flag. Urgency is the primary psychological lever in email attacks. "Do this now before close of business." "Don't discuss this with anyone." "I'm travelling — just action this." Real urgent requests can wait for a 60-second verification call.
- Enable multi-factor authentication on all email accounts. If credentials are harvested via a phishing page, MFA prevents the attacker from using them immediately. It buys time and generates alerts. It is the single highest-impact control for email account security.
- Review email forwarding rules periodically. Attackers who compromise an email account frequently set up silent forwarding rules to receive copies of incoming email without the user knowing. In Microsoft 365 and Google Workspace, audit forwarding rules quarterly and alert on their creation.
- Check what your domain looks like to the outside world. Use a tool to check whether your SPF record is correctly configured, whether DKIM is signing outbound mail, and whether your DMARC policy is actually enforcing. Many businesses assume these are configured correctly when they are not.
The Bottom Line
Email is the attack surface you already have, already use, and cannot easily remove. Every employee with an email address is a potential entry point. The question is not whether your business will be targeted — at 56% of UK businesses hit last year, the probability is high — but whether the attacker finds an open door when they arrive.
The technical controls are not complicated to understand, even if the configuration requires care. SPF, DKIM, and DMARC configured correctly, combined with MFA on all accounts and a simple payment verification procedure, closes the majority of the doors that email attacks walk through. Most businesses that get compromised via email were not hit by a sophisticated, novel attack. They were hit by a well-worn technique that worked because a basic control was missing.
Check if Your Domain Has Been Compromised
Faradome Breach checks whether your business email domain appears in known data breaches — credentials that attackers could use right now to access your accounts.
Run a Free Breach Check → Talk to Us