Email is not just a communication tool — it's the most targeted attack surface your business has. According to the FBI's Internet Crime Complaint Center (IC3) 2023 Annual Report, Business Email Compromise (BEC) accounted for over USD $2.9 billion in reported losses — making it the single highest-loss cybercrime category, ahead of ransomware, investment fraud, and everything else combined.
BEC isn't sophisticated hacking. Most of it is someone impersonating your CEO, a supplier, or a lawyer via email and convincing someone in your team to transfer money or share credentials. The technical barrier is low. The financial damage is catastrophic.
The frustrating part: most of the defences are straightforward, free or near-free, and rarely implemented by small businesses. Here's what actually matters.
SPF, DKIM, and DMARC: the authentication trio
These three DNS records are the foundation of email authentication. If you don't have them configured, anyone on the internet can send an email that appears to come from your domain. That's not a hypothetical — it's trivially easy to do with basic tools.
SPF (Sender Policy Framework)
SPF is a DNS record that lists which mail servers are authorised to send email on behalf of your domain. When an email arrives claiming to be from your domain, the recipient's mail server checks your SPF record. If the sending server isn't on the list, it can be flagged or rejected. Setting it up takes about 5 minutes in your DNS panel.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to every outgoing email. The recipient can verify that the email genuinely came from your mail server and wasn't tampered with in transit. Your email provider (Google Workspace, Microsoft 365, etc.) typically gives you the DKIM keys — you add them as DNS records.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC ties SPF and DKIM together and tells receiving servers what to do when those checks fail: nothing (monitor only), send to spam (quarantine), or reject outright. It also sends you reports so you can see who's trying to impersonate your domain. The DMARC.org overview is a solid starting reference if you want to go deeper.
Start here: Go to MXToolbox and run an SPF, DKIM, and DMARC lookup on your domain right now. If any of them show as missing or misconfigured, that's the first thing to fix — before anything else in this article.
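As an added example (not code from this article), here is a small Python script that applies the checks described above to SPF and DMARC records: a missing or permissive `all` term, the SPF 10-lookup limit, a `p=none` DMARC policy, and a missing reporting address. The sample records and the `example.com` reporting address are constructed for the demonstration.

```python
import re

# Constructed sample records (not any real domain's records) for the audit below.
WEAK_SPF = "v=spf1 include:_spf.google.com ?all"
GOOD_SPF = "v=spf1 include:_spf.google.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"

def audit_spf(record):  # findings for the TXT record that should hold SPF; [] means OK
    if not record.lower().startswith("v=spf1"):
        return ["no SPF record: anyone can send as this domain"]
    findings = []
    terms = record.split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted servers are not rejected")
    elif all_terms[-1][0] not in "-~":  # '+all', '?all' or bare 'all' pass everything
        findings.append(f"'{all_terms[-1]}' lets any server pass SPF")
    # RFC 7208 caps DNS-querying terms at 10; more than that yields a permerror.
    lookups = sum(1 for t in terms if re.split(r"[:/=]", t.lstrip("+-~?").lower())[0]
                  in {"include", "a", "mx", "ptr", "exists", "redirect"})
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return findings

def audit_dmarc(record):  # findings for the _dmarc TXT record; [] means OK
    if not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record: receivers ignore SPF/DKIM failures"]
    findings = []
    tags = {}
    for part in record.split(";"):  # DMARC is a list of tag=value pairs
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or invalid p= tag ({policy!r})")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return findings

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("fixed", GOOD_SPF, GOOD_DMARC)):
        print(label, "SPF:", audit_spf(spf), "DMARC:", audit_dmarc(dmarc))
```

To audit your own domain, feed it the TXT record on the domain itself (SPF) and the one on `_dmarc.yourdomain` (DMARC); DKIM is not covered here because its check is a signature verification, not a record inspection.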
Multi-factor authentication on every email account
Password theft is the other major entry point. Credential stuffing attacks — where attackers try username/password combinations leaked from other breaches — are automated and constant. Microsoft's security research has repeatedly shown that MFA blocks over 99% of account compromise attacks.
Multi-factor authentication (MFA) means that even if an attacker has your password, they can't access the account without a second factor — usually a time-based code from an authenticator app. Avoid SMS codes if you can (SIM-swapping is a real attack) and use app-based MFA such as Google Authenticator, Microsoft Authenticator, or Authy instead.
Enable MFA on every business email account, every team member, no exceptions. This is non-negotiable. If your email provider doesn't support MFA, get a new email provider.
How to recognise a business email compromise attempt
BEC attacks don't usually involve malware or malicious links. They rely on social engineering — crafting a convincing story and exploiting normal business processes. Common patterns include:
- CEO fraud: An email appearing to come from the owner or a senior leader asking a staff member to urgently transfer funds or buy gift cards. The urgency is deliberate — it bypasses normal verification habits.
- Supplier impersonation: A "supplier" emails to say their bank account details have changed, and to update payment records. The next payment goes to the attacker.
- Invoice fraud: A realistic-looking invoice arrives for a service the business uses, but with changed payment details.
- Lawyer/authority impersonation: Fake legal correspondence demanding urgent action to avoid penalty.
Watch for: urgency + unusual request + "don't tell anyone" language. Any request to change payment details should require a phone call to a previously known number to verify — never reply to the email thread itself, as the attacker controls it.
What a compromised business email actually costs
The FBI's IC3 data shows an average BEC loss per incident in the tens of thousands of dollars — and that's the reported figure. Many incidents go unreported due to embarrassment or because the business doesn't realise what happened until the money is long gone.
But the direct financial loss is only part of it. A compromised email account gives an attacker access to years of correspondence — client data, contracts, pricing information, staff details. They can use that to launch further targeted attacks, or sell the access on dark web forums. The downstream cost of a single compromised inbox can exceed the initial theft many times over.
For New Zealand businesses, the CERT NZ email security guide is a practical local resource that aligns with what's described here and is regularly updated.
The minimum viable email security stack
If you do nothing else after reading this, do these four things:
- Check and configure SPF, DKIM, and DMARC for your domain
- Enable MFA on every email account in your business
- Set a policy: any request to change payment details requires a phone call to verify
- Brief your team on what BEC looks like — most staff have never been shown an example
None of this requires a security consultant, a significant budget, or technical expertise beyond basic DNS access. It does require 2–3 hours and the willingness to actually do it.
Security starts with your website, too. We build sites with proper security configurations baked in — not bolted on after the fact. If you're unsure whether your setup is solid, let's talk.