Why most SME data breaches start with email (and how to stop them)

Email is the biggest attack surface for SMEs. Here’s why breaches start there, and the simple controls that dramatically reduce risk.

For most small and medium-sized businesses, email has quietly become the single biggest cyber-security risk. Not firewalls, not servers – email.

Invoices arrive by email. Password resets go through email. Staff share files, approve payments and receive urgent instructions via email. If an attacker controls an email account, they often control the business.

This guide explains why email is such a common entry point for attackers and, more importantly, what SMEs can realistically do to reduce the risk without turning into a security consultancy overnight.

Why attackers focus on email

Email is attractive to attackers for three simple reasons: it’s universal, it’s trusted, and it’s full of valuable links to other systems.

If a criminal gains access to a staff mailbox, they can:

  • Reset passwords for cloud services and internal systems.
  • Send convincing messages that appear to come from a real colleague.
  • Monitor conversations and strike at exactly the right moment.

This type of attack is often referred to as business email compromise (BEC). It doesn’t involve sophisticated malware; it relies on patience, social engineering and the assumption that “it looks normal”.

The real-world SME email attack pattern

Many breaches follow a predictable pattern:

  1. A staff member receives a convincing phishing email.
  2. They enter their login details on a fake sign-in page.
  3. The attacker logs in, often from overseas.
  4. Email rules are quietly added to hide warning messages.
  5. The attacker waits, reading emails and learning how the business works.
  6. Money is redirected, data stolen, or ransomware introduced.

What makes these attacks effective is how normal they feel. There’s no pop-up warning, no obvious virus – just day-to-day email traffic.

Phishing: why smart people still get caught

Phishing emails have come a long way from poor spelling and obvious scams. Modern attempts are often well-written, well-timed and highly targeted.

Common examples SMEs see include:

  • “You have a new voice message” emails linking to fake login pages.
  • Shared document notifications pretending to be from Microsoft or Google.
  • Urgent payment or bank-detail change requests.
  • Fake software update or security warning emails.

Attackers don’t need many victims. If just one person clicks at the wrong moment, that can be enough to gain a foothold.

Email security is not just an IT problem

One of the biggest mistakes SMEs make is treating email security as purely a technical issue. Technology helps, but behaviour and process matter just as much.

If staff feel rushed, pressured or afraid to question unusual emails, the risk increases dramatically. Secure businesses create environments where people are encouraged to pause and check.

The single most effective control: MFA on email

Multi-factor authentication (MFA) is the most powerful defence available to SMEs today. In simple terms, it means a stolen password alone is not enough to access email.

Even if an attacker captures a username and password, MFA stops them logging in with those credentials alone.

Key points to get right:

  • Enable MFA for all users, not just administrators.
  • Avoid exemptions for “trusted” staff or older accounts.
  • Use authenticator apps rather than SMS wherever possible.

Many businesses discover that MFA would have prevented the vast majority of the security incidents they’ve experienced.

Lock down inbox rules and forwarding

Once inside an email account, attackers often add inbox rules to hide their activity. Replies from finance, IT or management may be auto-archived or deleted before the user sees them.

To reduce this risk:

  • Restrict automatic forwarding to external addresses.
  • Monitor or alert on new inbox rules being created.
  • Periodically review mail rules for key accounts.

These changes are usually quick to implement but can significantly limit the attacker’s ability to remain hidden.
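A concrete way to do that periodic review, as an added example that is not from the original guide: a small Python script that scans an exported list of inbox rules for the patterns described above (external forwarding, deleting or hiding messages about payments or security). The record format and field names are assumptions, not any email provider's schema.

```python
"""Flag inbox rules of the kind attackers add after taking over a mailbox.

Added example, not code from the original article. The rule records are a
constructed, simplified export; the field names are assumptions, not any
particular email provider's schema.
"""
import re

INTERNAL_DOMAIN = "example.com"  # assumed company domain; anything else is "external"
# Subjects an attacker wants to intercept: money movement and security warnings.
SUSPICIOUS_TERMS = re.compile(r"invoice|payment|bank|password|security|suspicious|hacked", re.I)
# Folders users rarely open, so messages moved there go unnoticed.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email", "deleted items"}

# Constructed sample rules: one benign, three that match the attack pattern.
SAMPLE_RULES = [
    {"mailbox": "finance@example.com", "name": "Archive newsletters", "forward_to": [],
     "delete": False, "move_to": "Newsletters", "subject_contains": ["newsletter"]},
    {"mailbox": "finance@example.com", "name": ".", "forward_to": ["collector@attacker.example"],
     "delete": False, "move_to": None, "subject_contains": []},
    {"mailbox": "md@example.com", "name": "..", "forward_to": [],
     "delete": True, "move_to": None, "subject_contains": ["invoice", "payment"]},
    {"mailbox": "md@example.com", "name": "Tidy", "forward_to": [],
     "delete": False, "move_to": "RSS Subscriptions", "subject_contains": ["password", "security"]},
]


def rule_findings(rule):
    """Return the reasons a rule looks like attacker tradecraft (empty list if clean)."""
    reasons = []
    external = [a for a in rule["forward_to"] if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if external:
        reasons.append(f"forwards to external address {', '.join(external)}")
    keyword_hit = any(SUSPICIOUS_TERMS.search(s) for s in rule["subject_contains"])
    if rule["delete"] and keyword_hit:
        reasons.append("deletes messages about money or security")
    folder = (rule["move_to"] or "").lower()
    if folder in HIDING_FOLDERS and keyword_hit:
        reasons.append(f"hides matching messages in '{rule['move_to']}'")
    if not rule["name"].strip(". "):
        reasons.append("rule name is blank or only dots (easy to overlook)")
    return reasons


def review_rules(rules):
    """Map (mailbox, rule name) -> findings for every rule with at least one finding."""
    return {(r["mailbox"], r["name"]): f for r in rules if (f := rule_findings(r))}


if __name__ == "__main__":
    for (mailbox, name), reasons in review_rules(SAMPLE_RULES).items():
        print(f"{mailbox} rule {name!r}: {'; '.join(reasons)}")
```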

Make payment changes harder, not faster

One of the most damaging outcomes of email compromise is fraudulent payments. An attacker watches a conversation, waits for the right moment, and then requests a bank detail change.

No technical control can fully solve this – process matters.

  • Never accept bank detail changes by email alone.
  • Verify changes using a known phone number or secondary channel.
  • Delay payments if something feels rushed or unusual.

Adding friction here is a feature, not a bug.

Reduce the blast radius with access controls

Not all email accounts are equal. A compromised shared inbox or admin account is far more damaging than a compromised standard user account.

Best practice includes:

  • Avoid shared mailboxes with full access for everyone.
  • Limit admin rights strictly to those who need them.
  • Use named accounts so access can be traced and revoked.

These steps reduce how far an attacker can go if something does slip through.

Logging and alerts: knowing when something’s wrong

Many SMEs don’t realise an email account has been compromised until weeks or months later.

Basic alerts can provide early warning:

  • Logins from unusual countries or devices.
  • Multiple failed login attempts.
  • Changes to security settings.

You don’t need a full security operations centre – just enough visibility to notice when behaviour changes.
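As an added example that is not part of the original guide, a Python sketch of those three alerts run over a few constructed sign-in and audit events; the event format, event names and the "home country" list are assumptions, not any vendor's real log schema.

```python
"""Early-warning checks over sign-in and audit events: unusual countries, bursts
of failed sign-ins, and changes to security settings. Added example, not code
from the original article. The event tuples are a constructed simplification,
not any vendor's real log schema; event names and the home-country list are
assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_THRESHOLD = 5                # failed sign-ins per user within WINDOW
WINDOW = timedelta(minutes=10)
HOME_COUNTRIES = frozenset({"GB"})  # assumed: where staff normally sign in from
SETTING_CHANGES = {"MfaDisabled", "ForwardingEnabled", "PasswordReset", "AdminRoleAdded"}

# Constructed events: (timestamp, user, event, country, success)
EVENTS = [
    ("2024-03-04T08:01:00", "alice@example.com", "SignIn", "GB", True),
    ("2024-03-04T09:12:00", "bob@example.com", "SignIn", "GB", False),
    ("2024-03-04T09:12:20", "bob@example.com", "SignIn", "GB", False),
    ("2024-03-04T09:12:40", "bob@example.com", "SignIn", "GB", False),
    ("2024-03-04T09:13:00", "bob@example.com", "SignIn", "GB", False),
    ("2024-03-04T09:13:20", "bob@example.com", "SignIn", "GB", False),
    ("2024-03-04T09:30:00", "bob@example.com", "SignIn", "GB", True),
    ("2024-03-04T23:40:00", "alice@example.com", "SignIn", "NG", True),
    ("2024-03-04T23:42:00", "alice@example.com", "ForwardingEnabled", "NG", True),
]

def _parse(event):
    ts, user, name, country, ok = event
    return datetime.fromisoformat(ts), user, name, country, ok

def detect(events, home_countries=HOME_COUNTRIES):
    """Return (user, reason) alerts in time order."""
    alerts = []
    failures = defaultdict(list)    # user -> timestamps of recent failed sign-ins
    for ts, user, name, country, ok in sorted(map(_parse, events)):
        if name == "SignIn" and not ok:
            recent = [t for t in failures[user] if ts - t <= WINDOW] + [ts]
            failures[user] = recent
            if len(recent) == FAILED_THRESHOLD:   # alert once per burst
                alerts.append((user, f"{FAILED_THRESHOLD} failed sign-ins within {WINDOW}"))
        elif name == "SignIn" and country not in home_countries:
            alerts.append((user, f"successful sign-in from unexpected country {country}"))
        elif name in SETTING_CHANGES:
            alerts.append((user, f"security setting changed: {name}"))
    return alerts

if __name__ == "__main__":
    for user, reason in detect(EVENTS):
        print(f"ALERT {user}: {reason}")
```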

How this ties into bespoke systems

Email is often the gateway to bespoke web and mobile applications: password resets, notifications and approval flows typically rely on it.

When building or maintaining custom systems, secure email integration is critical. That includes strong authentication, rate limiting, clear audit logs and sensible timeout policies.
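As an added example (not code from the original guide), a password-reset-by-email service in Python that applies three of those controls, rate limiting, a sensible timeout and an audit log, together with single-use hashed tokens; the in-memory storage and the injectable clock are assumptions so it can be exercised offline.

```python
"""Password reset by email with the controls the article lists: per-account rate
limiting, expiring single-use tokens and an audit trail. Added example, not code
from the original article; storage is an in-memory stand-in and the clock is
injectable (both assumptions) so the behaviour can be checked offline."""
import hashlib, hmac, secrets
from datetime import datetime, timedelta

RESET_TTL = timedelta(minutes=15)   # sensible timeout for the emailed link
MAX_REQUESTS_PER_HOUR = 3           # rate limit per account

class ManualClock:
    """Test clock: starts at a fixed time and only moves when advance() is called."""
    def __init__(self):
        self.t = datetime(2024, 3, 4, 9, 0)
    def __call__(self):
        return self.t
    def advance(self, minutes):
        self.t += timedelta(minutes=minutes)

class ResetService:
    def __init__(self, now):
        self.now = now        # callable returning the current time
        self.tokens = {}      # email -> (sha256 of token, expiry); the raw token is never stored
        self.requests = {}    # email -> timestamps of recent reset requests
        self.audit = []       # (time, email, outcome): the audit trail

    def request_reset(self, email):
        """Return the one-time token to email, or None when rate limited.
        The web layer shows the same 'check your inbox' message either way."""
        recent = [t for t in self.requests.get(email, []) if self.now() - t < timedelta(hours=1)]
        self.requests[email] = recent
        if len(recent) >= MAX_REQUESTS_PER_HOUR:
            self.audit.append((self.now(), email, "reset rate-limited"))
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[email] = (hashlib.sha256(token.encode()).hexdigest(), self.now() + RESET_TTL)
        recent.append(self.now())
        self.audit.append((self.now(), email, "reset token issued"))
        return token

    def redeem(self, email, token):
        """Consume the token once; wrong, expired or already-used tokens are rejected."""
        digest, expiry = self.tokens.get(email, ("", self.now()))
        if not hmac.compare_digest(digest, hashlib.sha256(token.encode()).hexdigest()) or self.now() > expiry:
            self.audit.append((self.now(), email, "reset redeem: invalid or expired"))
            return False
        del self.tokens[email]   # single use
        self.audit.append((self.now(), email, "reset redeem: success"))
        return True
```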

What to tackle first

If you take only a few actions after reading this guide, prioritise:

  1. Enable MFA on all email accounts.
  2. Restrict and monitor inbox rules and forwarding.
  3. Introduce a verification step for payment changes.

Email will remain a critical tool for SMEs, but it doesn’t have to be the weakest link. With a handful of sensible controls and cultural changes, you can massively reduce your exposure without slowing the business down.
