Support

support@partek.ca

Contact

(403) 488-3333

Lessons from Real Email Security Incidents

Email is one of the most essential tools for modern businesses — but it’s also one of the easiest ways for cybercriminals to get in.

We’ve seen a rise in email-related breaches that affect businesses of all sizes — especially small to mid-sized businesses that often don’t have the same layers of protection in place as large enterprises. These incidents aren’t distant news headlines; they’re happening right here in our own community.

Here’s a breakdown of how email attacks typically happen, what’s going wrong, and how you can protect your business before it becomes a target.

Business Email Compromise

“I thought it was from my boss” — CEO Impersonation

One of the most effective tricks cybercriminals use is impersonating someone from inside your own organization — often the owner, CEO, or manager.

What it looks like:

An employee gets an email from “Boss@yourcompany.com” asking them to urgently wire funds to a supplier, pay an overdue invoice, or buy gift cards for a client giveaway. The email looks legit — the sender’s name is familiar, the tone is convincing, and the request seems urgent.

What’s really going on:

The email is spoofed — the address might be off by one letter or use a fake domain that looks close enough to pass at a glance (like yourcornpany.com instead of yourcompany.com). And once money is sent, it’s gone.

How to protect your business:
  • Never process financial or sensitive requests over email alone. Verify in person or by phone.

  • Set up email authentication (SPF, DKIM, DMARC) to help stop domain spoofing.

  • Educate staff to slow down and double-check when a request feels off or overly urgent.
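
One way to catch the yourcornpany.com trick automatically is to compare each sender's domain with your real one after collapsing look-alike letter pairs. This is an added example, not part of the original article; the trusted-domain list, the look-alike table and the distance threshold are assumptions to adjust.

```python
# Assumption: the domain(s) your organization really sends from.
TRUSTED_DOMAINS = {"yourcompany.com"}

# Assumption: a small table of sequences that pass for another letter at a glance.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

def skeleton(domain):
    """Collapse look-alike sequences so visually similar domains compare equal."""
    collapsed = domain.lower().strip(".")
    for fake, real in CONFUSABLES:
        collapsed = collapsed.replace(fake, real)
    return collapsed

def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address):
    """Return 'trusted', 'lookalike' or 'external' for a sender address."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # Same skeleton: differs only by look-alike characters (rn vs m).
        # Distance <= 2: off by a letter or two (typo-style imitation).
        if skeleton(domain) == skeleton(trusted) or edit_distance(domain, trusted) <= 2:
            return "lookalike"
    return "external"
```

A "trusted" result only means the domain is spelled correctly; it does not prove the message was authorized by that domain.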

Email Spoofing

“But... the email actually was from my boss! I double-checked.”

Yes — a cybercriminal can absolutely spoof your boss’s actual email address, and it’s one of the most common and dangerous email scams out there.

Imagine this: Sarah, the office administrator, receives an email that looks like it’s from Bob, the company owner. The email address in the “From” field is bob@yourcompany.com, and the message reads:

Subject: Urgent: Vendor Payment Update
Body: Hi Sarah,
Please update the payment details for Acme Supplies. The new bank account number is 123-456-789. We need to send the payment today to avoid delays. Let me know once it’s done.
Thanks,
James

Sarah double-checks the email, and it looks exactly like it came from Bob’s address, so she doesn’t hesitate to update the vendor’s banking information and process the payment.

Later, the company finds out the email was fake — it was sent by a cybercriminal who spoofed Bob’s email address. The money was sent to a fraudulent account, and the real Bob had no idea this email was ever sent.

Here’s how it works:

Email spoofing is when a scammer fakes the “From” field in an email to make it look like it came from a legitimate address — like your boss’s actual email (e.g., bob@yourcompany.com). The email looks real in your inbox, even though it was sent from a completely different server.

Why it works:
  • Most people glance at the sender’s name or email and trust it without inspecting the technical headers.

  • If your domain isn’t protected by email authentication protocols like SPF, DKIM, and DMARC, spoofed emails are much more likely to land in inboxes instead of spam folders.

  • These emails often contain urgent requests (like wire transfers, gift card purchases, or login prompts) that pressure staff into acting quickly before verifying.

How to reduce the risk:
  • Implement SPF, DKIM, and DMARC on your domain — these tell receiving email servers which messages are actually authorized to use your domain.
  • Train staff to double-check any unexpected or unusual requests, even if they look like they came from someone inside the company.
  • Encourage phone or in-person confirmation for sensitive or financial actions — especially if the tone of the message feels “off.”
  • Use a secure email gateway or filtering service that can detect spoofing and impersonation attempts.
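
The technical headers mentioned above record what the receiving server concluded about a message, and a short script can read them. This is an added example, not code from the original article; the server name mx.yourcompany.com and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the name your own receiving mail server stamps on its verdicts.
TRUSTED_AUTHSERV_ID = "mx.yourcompany.com"

# Constructed sample: From shows bob@yourcompany.com, but the message came
# from an unrelated server and failed DMARC at the receiver.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.yourcompany.com;
 spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none;
 dmarc=fail header.from=yourcompany.com
From: Bob <bob@yourcompany.com>
To: sarah@yourcompany.com
Subject: Urgent: Vendor Payment Update

Please update the payment details for Acme Supplies.
"""

def domain_of(header_value):
    """Domain part of the address in a From or Return-Path header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def receiver_verdicts(msg):
    """spf/dkim/dmarc results, read only from our own server's header."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _, rest = value.partition(";")
        # Headers stamped by any other server could have been forged by the sender.
        if authserv_id.strip().lower() == TRUSTED_AUTHSERV_ID:
            verdicts.update(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest.lower()))
    return verdicts

def spoofing_signals(raw_message):
    """Return reasons to distrust the visible From address (empty if none)."""
    msg = message_from_string(raw_message)
    signals = []
    dmarc = receiver_verdicts(msg).get("dmarc", "missing")
    if dmarc != "pass":
        signals.append(f"dmarc={dmarc}")
    from_dom, env_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if env_dom and env_dom != from_dom:
        signals.append(f"return-path domain {env_dom} differs from From domain {from_dom}")
    return signals
```

A differing return-path domain on its own is common with legitimate bulk-mail services, so treat it as supporting evidence next to the DMARC verdict rather than proof.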

Malware via Fake Documents

“I clicked the attachment — and my whole computer locked up.”

Cybercriminals often send what look like everyday business documents — invoices, resumes, purchase orders, shipping updates — with malicious code embedded.

What it looks like:

You receive an email from a supplier with a subject like “Updated PO” and an attached Word or Excel file. Everything seems normal… until someone opens the file and enables macros (as prompted), and within seconds, malware is installed on your system.

What’s really going on:

Malicious macros (tiny scripts inside Office documents) are used to install ransomware or remote access tools. These give attackers full control over your system or encrypt your data for ransom.

How to protect your business:
  • Block attachments with risky file types (like .exe, .js, or macro-enabled Office files).

  • Use email filters that scan for malicious content.

  • Train employees not to open unexpected attachments — especially if they’re prompted to “enable content.”
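
A mail filter can enforce the first bullet by checking both the file name and the file contents, since the name on an attachment is chosen by the sender. This is an added example, not from the original article; the extension list is an assumption, and only the modern ZIP-based Office formats are inspected.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: file types this filter refuses outright; extend to suit policy.
BLOCKED_EXTENSIONS = {".exe", ".js", ".docm", ".dotm", ".xlsm", ".xltm", ".pptm"}

def has_vba_project(data):
    """True if a ZIP-based Office file (.docx/.xlsx/.pptx) carries VBA macros."""
    stream = io.BytesIO(data)
    if not zipfile.is_zipfile(stream):
        return False  # not a modern Office container (legacy .doc/.xls not covered)
    with zipfile.ZipFile(stream) as archive:
        return any(PurePosixPath(name).name.lower() == "vbaproject.bin"
                   for name in archive.namelist())

def attachment_verdict(filename, data):
    """Decide by extension first, then by what the file actually contains."""
    if PurePosixPath(filename).suffix.lower() in BLOCKED_EXTENSIONS:
        return "block: risky file type"
    if has_vba_project(data):
        return "block: contains a VBA macro project"
    return "allow"

def make_office_zip(part_names):
    """Build a constructed stand-in for an Office file with the given parts."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name in part_names:
            archive.writestr(name, b"constructed placeholder")
    return buffer.getvalue()

def demo():
    """Verdicts for three constructed attachments, all named 'Updated PO'."""
    clean = make_office_zip(["[Content_Types].xml", "word/document.xml"])
    with_macros = make_office_zip(["[Content_Types].xml", "word/document.xml",
                                   "word/vbaProject.bin"])
    return [attachment_verdict("Updated PO.xlsm", b""),
            attachment_verdict("Updated PO.docx", with_macros),
            attachment_verdict("Updated PO.docx", clean)]
```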

Credential Harvesting

“I logged in like normal — but it wasn’t the real site.”

Some phishing emails lead to fake login pages designed to steal usernames and passwords.

What it looks like:

You receive an email saying your Microsoft 365 account has a login issue or that your Dropbox file is waiting. You click the link, land on a page that looks completely legit, and enter your credentials.

What’s really going on:

The page is a fake, and once you hit “login,” your username and password are sent straight to the attacker — who can now access your email, files, and more.

How to protect your business:
  • Hover over links before clicking — check for misspellings or strange domains.

  • Use multi-factor authentication (MFA) so a password alone isn’t enough.

  • Regularly monitor sign-in activity and flag logins from unusual locations.

  • Visit the website directly in your browser, instead of using the link in an email. 

Compromised Email Account

“But, we didn't send that email?”

When attackers gain access to a business email account, they don’t always act right away. They quietly monitor communication, then use your own account to send convincing phishing messages to your contacts.

What it looks like:

Clients receive emails from your real address asking them to review a proposal, click a link, or update payment info. It’s coming from your real email signature, and might even reference an actual project.

What’s really going on:

The attacker is operating from inside your account — replying to email threads, accessing files, and damaging your credibility and relationships.

How to protect your business:
  • Use monitoring tools that detect unusual outbound activity.

  • Set up alerts for email forwarding rules or logins from unfamiliar IPs.

  • Educate your clients to always verify requests involving money or links.

Supply Chain Attacks

“It wasn’t us — our vendor got hacked.”

Even if your business is secure, attackers may target vendors or partners in your supply chain. Once they compromise their email account, they can use it to target you.

What it looks like:

A trusted vendor emails you with an updated invoice — new banking info included. It seems normal, since you work with them regularly. You pay the invoice… but the money goes to the attacker.

What’s really going on:

The vendor’s email was compromised and used to send out fake financial documents to clients like you.

How to protect your business:
  • Set up strict payment verification steps — never rely on email alone.

  • Talk with your vendors about their own cybersecurity practices.

  • Use secure portals for sensitive document exchanges instead of email attachments.

Email attacks aren’t just a tech problem — they’re a business risk.

Cybercriminals aren’t targeting you specifically — they’re hoping you don’t notice the bait. But with the right tools, awareness, and habits, you can make sure your business isn’t the one that gets caught.

If you’re unsure how secure your current email setup is, it’s worth asking. Because these days, email isn’t just for communication — it’s access to your entire business.

Protect your business from email scams.

Need help getting started or want to make sure your business is fully protected? Reach out to us at Partek — we’re here to help keep your business safe.