Email Security Built for Modern Business Threats
Most businesses that suffer an email breach already had some protection in place. They had a spam filter, antivirus software and a basic firewall. The tools were there. The gap was in understanding how email security works as a complete layered system. This guide covers every control your business needs in 2026, including the threats most published guides still miss.
Email Security Fundamentals
What Is Email Security and Why Is Standard Advice No Longer Enough in 2026?
Email security is the combination of technical controls, authentication protocols, encryption standards and human procedures that protect business email from unauthorized access, data theft and malicious attacks. Basic spam filtering and antivirus software handled many threats five years ago. In 2026, AI-generated phishing, QR code attacks and email supply chain compromises require a layered defence strategy.
Your inbox carries more sensitive business data than almost any other system you operate. Customer contracts, financial instructions, staff personal records, supplier invoices and login links for every connected platform all move through email every day. Every piece of that information is a potential target.
Phishing appeared in 41% of social engineering breaches referenced in the 2024 Verizon Data Breach Investigations Report.
Business Email Compromise losses reported by the FBI Internet Crime Complaint Center in a single year.
These are not outdated statistics from a different threat era. They reflect active attacks against businesses of every size.
What has changed most between 2020 and 2026 is the quality of the attacks. The obvious spelling errors, broken sentence structure and implausible urgency that once flagged a phishing email to an alert employee have largely disappeared.
Generative AI produces fluent, contextually accurate phishing emails at scale and can customize them to a specific target in minutes. A business that relies on employee awareness as its primary email defence is now fighting a threat its people cannot reliably detect.
Standard advice to check the sender address and look for suspicious links remains valid. It is no longer sufficient on its own. Email security in 2026 requires controls that operate before a malicious message reaches the inbox.
Emerging Attack Methods
What Are the Email Threats Most Businesses Are Not Prepared For?
The email threats most businesses are least prepared for in 2026 include QR code phishing, AI-generated spear phishing, Business Email Compromise sent from legitimate compromised accounts and supply chain attacks through trusted vendors. These attacks are specifically engineered to bypass common filters and traditional employee training.
Understanding where the new gaps exist is the starting point for closing them.
QR Code Phishing
Malicious destinations are hidden inside images that basic email scanners may not decode.
AI Spear Phishing
Highly fluent and personalized messages remove the spelling and grammar clues employees once relied upon.
Compromised Trusted Accounts
Attacks sent from genuine supplier or colleague accounts can pass domain authentication checks.
What Is QR Code Phishing and Why Does Your Email Filter Miss It?
QR code phishing, commonly known as quishing, works by embedding a malicious URL inside a QR code image placed within the email body. The recipient is instructed to scan the code with a personal phone to verify an account, access a shared document or complete a required business action.
Standard email security filters scan text content, hyperlinks and file attachments. Basic platforms may not read the URL encoded inside an image. The malicious destination remains invisible to the email-level controls until the employee’s phone opens the page. At that point, the attack has moved outside the organisation’s managed email environment.
Microsoft and Proofpoint documented significant increases in quishing campaigns during 2024 and 2025. The emails frequently impersonate Microsoft, DocuSign or banking institutions. Any scenario that provides a plausible reason to scan a code can catch employees off guard, particularly when the email resembles a routine internal notification.
Use an email security gateway capable of image analysis and QR code decoding before delivery. Standard spam filters and basic anti-malware scanners may not provide this capability.
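To show what "image analysis and QR code decoding before delivery" involves at the message level, here is an added Python example (it is not code from this guide's author or from any gateway vendor). It walks a MIME message, separates inline images referenced from the HTML body from ordinary attachments, notes when the only call to action is an image with no clickable link, and hands inline images to a `decode_qr` hook that stands in for the gateway's decoder. The sample messages are constructed, and the "QR" image is a placeholder PNG header rather than a real code, so the hook is passed explicitly when testing the decoded-URL path.

```python
"""Triage an email for QR code phishing indicators and hand inline images to a
QR decoder. Example added to this guide, not a vendor product: the decode_qr
hook stands in for a gateway's image-analysis step, and the sample messages are
constructed (the image is a placeholder PNG header, not a real QR code)."""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

SCAN_PHRASES = ("scan the qr", "scan this code", "use your phone", "open your camera", "qr code")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


class _HtmlScan(HTMLParser):
    """Collect anchors, image sources and visible text from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.img_srcs, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.img_srcs.append(a["src"])

    def handle_data(self, data):
        self.text.append(data)


def triage(raw, decode_qr=lambda image_bytes: None):
    """Return link/image counts, decoded QR URLs and whether the message needs
    QR-aware inspection. decode_qr(bytes) -> URL or None is supplied by the caller."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    links, img_srcs, text_parts, images = [], [], [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            scan = _HtmlScan()
            scan.feed(part.get_content())
            links += scan.links
            img_srcs += scan.img_srcs
            text_parts += scan.text
        elif ctype == "text/plain":
            body = part.get_content()
            text_parts.append(body)
            links += URL_RE.findall(body)
        elif part.get_content_maintype() == "image":
            cid = (part.get("Content-ID") or "").strip("<>")
            images.append({"cid": cid, "data": part.get_payload(decode=True)})
    text = " ".join(text_parts).lower()
    # Inline = referenced from the HTML body; a lone attached image is less interesting.
    inline = [im for im in images if im["cid"] and f"cid:{im['cid']}" in img_srcs]
    reasons = []
    if inline and not links:
        reasons.append("inline image but no clickable link")
    if any(phrase in text for phrase in SCAN_PHRASES):
        reasons.append("text asks the recipient to scan a code")
    decoded = [url for im in inline if (url := decode_qr(im["data"]))]
    if decoded:
        reasons.append(f"QR decoded to {decoded[0]}")
    return {"links": links, "inline_images": len(inline), "decoded_urls": decoded,
            "candidate": bool(decoded) or len(reasons) >= 2, "reasons": reasons}


def build_sample_quishing_email():
    """Constructed lure: a 'verify your mailbox' notice whose only call to action is an image."""
    msg = EmailMessage()
    msg["From"] = "IT Service Desk <notifications@example.com>"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Action required: re-verify your mailbox"
    body = "Scan the QR code below with your phone to keep your mailbox active."
    msg.set_content(body)
    msg.add_alternative(f"<p>{body}</p><img src=\"cid:qr-image\" alt=\"QR code\">", subtype="html")
    placeholder_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # not a real image
    msg.get_payload()[1].add_related(placeholder_png, maintype="image", subtype="png", cid="<qr-image>")
    return msg.as_bytes()


def build_benign_email():
    """Constructed control: an ordinary text message with a visible link."""
    msg = EmailMessage()
    msg["From"] = "news@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Monthly update"
    msg.set_content("This month's update is at https://example.com/news/march")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample_quishing_email(), build_benign_email()):
        print(triage(raw))
```

The point of the heuristic is the routing decision: a message whose only call to action is an inline image is exactly the one a text-only filter passes unchanged, so it is the one that must reach the decoder. Whatever the decoder returns is then a normal URL and can go through the same reputation and time-of-click checks as a text link.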
How Do AI-Generated Phishing Attacks Work in Practice?
Generative AI has removed many of the visual indicators that previously exposed a phishing email. Attackers can now produce fluent, personalized messages in almost any language, tailored to a recipient using information gathered from LinkedIn profiles, company websites, press releases and social media activity.
A spear phishing email targeting an accounts payable team might reference the company’s real finance director, cite an upcoming supplier payment, match the organisation’s normal communication style and arrive from a spoofed domain that passes a quick visual check. None of the old detection signals may be present.
The threat also extends beyond written email. Deepfake voice technology has been used alongside email attacks in documented cases across the UK and US. An attacker sends a fraudulent payment instruction and follows it with an AI-cloned phone call that appears to confirm the request.
Training employees to identify poor grammar is therefore no longer a meaningful primary defence. Authentication, access controls and payment-verification procedures now carry a much larger share of the defensive load.
What Is an Email Supply Chain Attack and How Does It Work?
An email supply chain attack exploits a trusted third-party relationship rather than attacking your business directly. The attacker compromises a supplier, law firm, accountant or technology vendor that communicates regularly with your team.
Once inside the vendor’s email system, the attacker can monitor conversations, map business relationships and wait for the right context. When an opportunity appears, the attacker sends a carefully timed message from the genuine vendor address requesting a payment-account change, file download or credential submission.
Your gateway may not flag the message because the sending domain is real and authenticated. The email can pass SPF, DKIM and DMARC. The claimed sender may be someone your team genuinely knows. The attack succeeds because the trust being exploited was real.
Any vendor request involving changed banking details, payment instructions or sensitive data must be verified through a direct call to a pre-registered telephone number. Email alone should never authorise these changes.
Domain Authentication
What Are SPF, DKIM and DMARC, and How Do You Set Them Up Without Breaking Your Email?
SPF, DKIM and DMARC are DNS-based email authentication protocols that work together to verify that messages sent from your domain are legitimate. SPF authorizes sending servers, DKIM attaches a cryptographic signature and DMARC defines what receiving servers should do when authentication fails.
The most common reason businesses avoid DMARC enforcement is fear of blocking legitimate email. This is a valid concern, but it can be managed safely through a staged implementation.
Moving directly to a DMARC rejection policy without auditing your sending infrastructure can block legitimate messages from marketing platforms, CRM systems, e-signature services, helpdesk software and automated notification platforms.
| Stage | DMARC Policy | What Happens | When to Move Forward |
|---|---|---|---|
| 1 | p=none | Monitoring only. No email is blocked. Aggregate reports are collected. | After approximately four to six weeks of report review. |
| 2 | p=quarantine | Messages that fail authentication can be sent to the spam folder. | After confirming legitimate sending sources pass authentication. |
| 3 | p=reject | Failing messages are rejected by the receiving mail server. | Once all legitimate sending sources are fully authenticated. |
Before progressing to enforcement, your SPF record must include every service that sends email on your behalf. Marketing platforms, e-signature tools, CRM systems and helpdesk platforms all need to be included correctly. DKIM keys must also be generated and published for each sending service.
A DMARC aggregate report identifies IP addresses sending email while claiming to represent your domain and shows whether the messages passed or failed SPF and DKIM. During the monitoring stage, review these reports carefully. Any legitimate source that is not correctly authenticated will appear as a failure and should be fixed before moving to quarantine.
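The review described above is easier with a script than by reading XML by hand. The following Python example is added to this guide (it is not a tool from the guide's author) and shows the decision the monitoring stage exists to support: parse an aggregate report, tell aligned sources apart from sources that authenticate as some other domain (typically a SaaS platform that still needs its own DKIM selector or SPF include) and from sources that authenticate as nothing, then check every source the business knows about against the aligned result before moving toward p=quarantine. The report is constructed in the RFC 7489 aggregate format with documentation IP addresses, and the "known sources" inventory is an assumed list of the services the business uses.

```python
"""Summarise a DMARC aggregate (rua) report and check whether the monitored
domain is ready to move from p=none to p=quarantine.
Example code added to this guide; it is not a vendor tool. The report below
is constructed in the RFC 7489 aggregate format using documentation IPs."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1767225600</begin><end>1767312000</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1450</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>m365</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>60</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>helpdesk-saas.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.helpdesk-saas.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.99</source_ip><count>9</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""

# Constructed inventory of the sending services the business knows about, keyed by IP.
KNOWN_SOURCES = {"192.0.2.10": "Microsoft 365", "198.51.100.7": "Helpdesk SaaS"}


def parse_report(xml_text):
    """Return the published policy and one summary dict per <record>."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        # policy_evaluated holds the *aligned* results; DMARC passes if either aligns.
        dkim_aligned = evaluated.findtext("dkim") == "pass"
        spf_aligned = evaluated.findtext("spf") == "pass"
        # Raw results show which domain actually authenticated, even when unaligned.
        raw_pass = sorted({
            a.findtext("domain")
            for a in rec.findall("auth_results/dkim") + rec.findall("auth_results/spf")
            if a.findtext("result") == "pass"
        })
        rows.append({"ip": row.findtext("source_ip"), "count": int(row.findtext("count")),
                     "dkim_aligned": dkim_aligned, "spf_aligned": spf_aligned,
                     "dmarc_pass": dkim_aligned or spf_aligned, "raw_pass_domains": raw_pass})
    return {"domain": published.findtext("domain"),
            "policy": published.findtext("p"), "rows": rows}


def classify(row):
    """aligned: fine. unaligned-service: authenticates as another domain, usually a
    legitimate SaaS that still needs a custom DKIM selector or SPF include.
    unauthenticated: nothing passed; spoofing or a forgotten server."""
    if row["dmarc_pass"]:
        return "aligned"
    if row["raw_pass_domains"]:
        return "unaligned-service"
    return "unauthenticated"


def ready_to_tighten(report, known_sources):
    """Safe to move towards quarantine only when every known-legitimate source
    passes aligned DMARC. Returns (ok, [blocking rows])."""
    blockers = [r for r in report["rows"]
                if r["ip"] in known_sources and not r["dmarc_pass"]]
    return (not blockers, blockers)


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    print(f"{report['domain']} published p={report['policy']}")
    for r in report["rows"]:
        print(f"{r['ip']:<15} {r['count']:>6}  {classify(r):<18} "
              f"{KNOWN_SOURCES.get(r['ip'], 'unknown source')}")
    ok, blockers = ready_to_tighten(report, KNOWN_SOURCES)
    print("ready for p=quarantine" if ok else
          "fix first: " + ", ".join(KNOWN_SOURCES[b["ip"]] for b in blockers))
```

In the constructed report the helpdesk platform signs and passes SPF, but as its own domain, so it still fails DMARC for example.com; that is the case that would start landing in spam under p=quarantine and is what the monitoring stage is meant to surface. The unknown source that authenticates as nothing is what enforcement is meant to stop, and it should not hold the rollout back.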
Where Does BIMI Fit?
BIMI sits above DMARC in the trust hierarchy. After your DMARC policy reaches p=quarantine or p=reject, BIMI can display your verified brand logo next to authenticated emails in supported inboxes such as Gmail and Apple Mail.
BIMI normally requires a Verified Mark Certificate from an authorised certificate authority. For businesses sending regular client-facing communications, it can improve recognition and provide a visible trust signal before the recipient opens the message.
Threat Filtering
What Is a Secure Email Gateway and How Is It Different From Default Microsoft 365 Protection?
A Secure Email Gateway inspects inbound and outbound email before delivery. Advanced platforms can provide attachment sandboxing, threat-intelligence filtering, Data Loss Prevention enforcement and QR code analysis. Microsoft 365’s default Exchange Online Protection provides baseline spam and known malware filtering but does not include every advanced capability.
This is one of the most misunderstood areas in small and medium-sized business email security. Business owners subscribe to Microsoft 365 and often assume that all necessary protection is included automatically.
Exchange Online Protection
Provides baseline filtering for known spam patterns and known malware signatures.
Defender for Office 365 Plan 1
Adds Safe Links and Safe Attachments to inspect links and detonate suspicious files before delivery.
Defender for Office 365 Plan 2
Adds automated investigation and response, attack simulation training and deeper threat intelligence.
Safe Links can re-scan a destination at the time a user clicks it, helping block websites that became malicious after the email was originally delivered. Safe Attachments can open suspicious files inside an isolated sandbox before they reach the employee.
Defender for Office 365 Plan 2 extends this with automated investigation and response, employee attack simulations and integrated threat intelligence. For organisations handling customer information, financial records or regulated data, this may represent a more appropriate level of protection.
Third-party platforms such as Proofpoint Email Security, Mimecast and Barracuda Email Security Gateway offer alternative approaches with different reporting features, management interfaces and threat-detection capabilities.
The right choice depends on your current infrastructure, regulatory responsibilities and internal capacity to configure and manage the platform.
Essential Gateway Configuration
- Sandbox suspicious inbound attachments before delivery.
- Apply updated, real-time threat-intelligence feeds.
- Enforce outbound Data Loss Prevention policies.
- Analyse images and QR codes for hidden destinations.
- Re-scan links when the recipient clicks them.
- Quarantine suspicious messages for administrator review.
The product matters, but the configuration applied to it matters just as much.
Financial Fraud Prevention
How Does Business Email Compromise Target Your Finance Team?
Business Email Compromise targets finance teams by impersonating executives, finance directors or trusted suppliers. The goal is to authorise fraudulent transfers, replace banking details or redirect legitimate payments to attacker-controlled accounts.
The FBI Internet Crime Complaint Center has reported more than $50 billion in confirmed global BEC losses since 2013. Individual incidents can create losses that are extremely difficult for a small or medium-sized business to recover.
Consider a common attack structure. A finance manager receives an email late on a Friday afternoon from what appears to be the managing director. The message references a real acquisition or supplier deal and requests an urgent transfer before the weekend. The sending domain differs from the genuine domain by one character. The transfer is processed before anyone verifies the instruction.
Friday afternoons, genuine business context and manufactured urgency are deliberate attacker choices. These conditions reduce the probability of careful verification and increase the chance that the employee will act quickly.
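The one-character domain difference in the scenario above is something a mail flow rule or gateway can check mechanically, which is why it belongs in the technical layer rather than with the employee. The following Python example is added to this guide (not code from the guide's author) and goes a little beyond the single-character case: it folds accented and full-width characters, undoes common digit-for-letter and "rn"-for-"m" swaps, then compares the sender's registrable domain with each trusted domain by exact match, matching second-level name, or an edit distance of one. The trusted domain list and the public-suffix handling are assumptions for the example; a real deployment would use the organisation's own domains and a proper public suffix list.

```python
"""Flag sender domains that imitate a trusted domain (one-character edits,
digit-for-letter swaps, accented or full-width characters). Example added to
this guide, not a product feature; the trusted list is constructed."""
import unicodedata

TRUSTED_DOMAINS = {"example.com", "example-finance.co.uk"}  # constructed
# Public second-level suffixes handled by the crude registrable-domain split.
SECOND_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}
# Lookalike substitutions attackers use; applied to both sides before comparing.
CHAR_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
SEQUENCE_MAP = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def canonical(domain):
    """Lower-case, fold full-width/accented characters, then undo common swaps."""
    d = unicodedata.normalize("NFKD", domain.strip().lower().rstrip("."))
    d = "".join(c for c in d if not unicodedata.combining(c))
    d = d.translate(CHAR_MAP)
    for seq, repl in SEQUENCE_MAP:
        d = d.replace(seq, repl)
    return d


def registrable(domain):
    """Crude registrable-domain split: last two labels, or three under co.uk-style suffixes."""
    labels = domain.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in SECOND_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Standard edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(sender_domain, trusted=TRUSTED_DOMAINS):
    """Return ('trusted' | 'lookalike' | 'unrelated', matched trusted domain or None)."""
    s = sender_domain.strip().lower().rstrip(".")
    for t in trusted:
        if s == t or s.endswith("." + t):
            return "trusted", t
    s_reg = registrable(canonical(s))
    for t in trusted:
        t_reg = registrable(canonical(t))
        same_name = s_reg.split(".")[0] == t_reg.split(".")[0]   # example.co vs example.com
        if s_reg == t_reg or same_name or levenshtein(s_reg, t_reg) <= 1:
            return "lookalike", t
    return "unrelated", None


if __name__ == "__main__":
    for sender in ("example.com", "mail.example.com", "examp1e.com", "exarnple.com",
                   "examplé.com", "example.co", "contoso.net"):
        print(f"{sender:<22} {assess_sender(sender)}")
```

A "lookalike" verdict should not silently delete mail; the useful action is to tag the message, strip its reply-to trust (for example by adding an external-sender banner) and, for finance mailboxes, route it to quarantine for review. The canonical form is applied to the trusted domains as well as the sender so that substitutions work in both directions.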
Technical Defences
- DMARC enforcement at p=reject to reduce direct domain spoofing.
- Multi-factor authentication on every email account.
- Conditional access policies for unusual devices and locations.
- Monitoring for suspicious inbox and forwarding rules.
- Alerts for unusual authentication and payment-related activity.
Procedural Defence
Any email instruction to transfer funds, change supplier banking details or approve a new payment account must be confirmed through a voice call to a pre-registered contact number before action is taken.
No email, regardless of how legitimate it appears, should be sufficient authorisation for a financial transaction above your defined threshold. This procedure can prevent a large proportion of documented BEC losses.
Protecting Sensitive Information
How Does Email Encryption Work and When Does Your Business Need It?
Email encryption prevents unauthorized parties from reading message content. TLS encrypts connections between mail servers. End-to-end encryption using S/MIME or PGP protects the content itself so that only the intended recipient can decrypt it.
Businesses handling personal data, healthcare records, financial information or legally privileged documents may need stronger encryption controls for those communications.
TLS Encryption
Transport Layer Security is the standard protocol for encrypting email while it travels between mail servers. Microsoft 365 and Google Workspace support opportunistic TLS by default, meaning they use encryption when the receiving server also supports it.
Enforcing TLS on your mail platform and requiring it for communications with regulated or high-risk partners provides an important baseline.
The limitation is that TLS protects the connection during transmission. After delivery, the email may exist in readable form on the recipient’s system.
S/MIME
S/MIME uses digital certificates to encrypt email content and attach a verifiable signature proving the sender’s identity. Both sender and recipient need compatible certificates for full encryption. It is widely supported in enterprise platforms such as Microsoft Outlook and Apple Mail.
PGP
Pretty Good Privacy provides a strong alternative frequently used in technical and open-source environments. It operates through a web-of-trust model rather than relying exclusively on a central certificate authority.
Both S/MIME and PGP can deliver genuine end-to-end encryption. The correct option depends on the email clients in use, technical capacity and whether external communication partners can support the same protocol.
Mail Server to Mail Server
Protects the transmission channel between supporting mail systems.
S/MIME Encryption
Uses certificates for message encryption and sender verification.
PGP Encryption
Provides end-to-end encryption using public and private keys.
For businesses subject to GDPR, HIPAA or PCI DSS, encryption requirements depend on the information being transmitted and the applicable regulatory standard. Sensitive information should not be sent through ordinary unprotected email.
Hybrid and Remote Working
How Should Your Business Approach Email Security for a Remote or Hybrid Workforce?
Remote and hybrid working expands the email attack surface. Employees may access company email through personal devices, home networks and unmanaged hardware. Protection therefore requires MFA, device management, conditional access and a clear policy covering personal device use.
An employee reviewing business email on a personal phone over a home broadband connection presents a different security profile from an employee using a managed workstation inside the office. Both scenarios are now normal, but only one is typically covered by traditional perimeter controls.
Personal devices may lack endpoint protection, full-disk encryption and remote-wipe capability. When company email is accessed on these devices, the organisation has limited control over the security of the stored information.
Conditional Access
Conditional access policies in Microsoft Entra allow an organisation to define which devices, users, locations and risk levels may access Microsoft 365.
- Require devices to be enrolled and marked as compliant.
- Block sign-in attempts from regions where the business does not operate.
- Require MFA for access outside trusted locations.
- Restrict access from outdated operating systems or browsers.
- Limit downloads of sensitive data on unmanaged devices.
Personal Email Forwarding
Forwarding business email to a personal Gmail or similar account removes the message from the security controls your organisation has applied. Your policy should prohibit this practice and the mail platform should enforce the restriction technically.
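Enforcing the forwarding restriction technically also means checking for it after the fact, because an attacker who has taken over an account creates forwarding rules of their own (the "monitoring for suspicious inbox and forwarding rules" item in the BEC defences above). The following Python example is added to this guide (not a tool from the guide's author) and audits an exported set of inbox rules plus mailbox-level forwarding for the patterns that matter: forwarding or redirecting to an external domain, deleting or hiding mail about payments or about the breach itself, and rules with blank or single-character names. The rule records are constructed to resemble the fields an Exchange Online or Graph inbox-rule export provides, and the internal domain list is an assumption.

```python
"""Audit mailbox inbox rules and mailbox-level forwarding for the patterns
attackers leave behind after compromising an account. Example added to this
guide, not a product feature. The rule data is constructed to resemble the
fields an Exchange Online or Graph API inbox-rule export provides."""

INTERNAL_DOMAINS = {"example.com"}  # constructed
# Subjects an attacker typically diverts: payment traffic and warnings about the breach itself.
SENSITIVE_WORDS = ("invoice", "payment", "bank", "wire", "remittance",
                   "password", "hacked", "phish", "suspicious")
# Folders used to hide mail the attacker does not want the owner to notice.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}

SAMPLE_RULES = [  # constructed
    {"mailbox": "finance@example.com", "name": "Newsletters", "enabled": True,
     "forward_to": [], "redirect_to": [], "delete": False, "move_to": "Newsletters",
     "mark_read": False, "subject_words": ["newsletter"]},
    {"mailbox": "finance@example.com", "name": ".", "enabled": True,
     "forward_to": ["collector@mail-drop.example.net"], "redirect_to": [], "delete": False,
     "move_to": None, "mark_read": False, "subject_words": ["invoice", "payment"]},
    {"mailbox": "ceo@example.com", "name": "Cleanup", "enabled": True,
     "forward_to": [], "redirect_to": [], "delete": True, "move_to": None,
     "mark_read": True, "subject_words": ["hacked", "phishing", "password"]},
    {"mailbox": "hr@example.com", "name": "Old mail", "enabled": False,
     "forward_to": [], "redirect_to": [], "delete": False, "move_to": "Archive",
     "mark_read": True, "subject_words": []},
]
# Mailbox-level forwarding (ForwardingSmtpAddress-style), constructed.
SAMPLE_MAILBOX_FORWARDING = {"ceo@example.com": "ceo.private@personal-mail.example"}


def is_external(address):
    """True when the address domain is not one the organisation owns."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit_rule(rule):
    """Return a list of {'severity', 'reason'} findings for one enabled inbox rule."""
    if not rule["enabled"]:
        return []
    findings = []
    sensitive = [w for w in rule["subject_words"]
                 if any(k in w.lower() for k in SENSITIVE_WORDS)]
    for target in rule["forward_to"] + rule["redirect_to"]:
        if is_external(target):
            findings.append({"severity": "high",
                             "reason": f"forwards or redirects mail to external address {target}"})
    hides = rule["delete"] or (rule["move_to"] or "").lower() in HIDING_FOLDERS
    if hides and sensitive:
        findings.append({"severity": "high", "reason": f"hides messages matching {sensitive}"})
    elif hides and rule["mark_read"]:
        findings.append({"severity": "medium", "reason": "marks as read and hides messages"})
    if not rule["name"].strip(" .,-_"):
        findings.append({"severity": "medium",
                         "reason": f"rule name {rule['name']!r} is blank or non-descriptive"})
    return findings


def audit_all(rules, mailbox_forwarding):
    """Group findings by mailbox; mailboxes with nothing suspicious are omitted."""
    report = {}
    for rule in rules:
        for f in audit_rule(rule):
            report.setdefault(rule["mailbox"], []).append({**f, "rule": rule["name"]})
    for mailbox, target in mailbox_forwarding.items():
        if target and is_external(target):
            report.setdefault(mailbox, []).append(
                {"severity": "high", "rule": "(mailbox forwarding)",
                 "reason": f"mailbox forwards to external address {target}"})
    return report


if __name__ == "__main__":
    for mailbox, findings in audit_all(SAMPLE_RULES, SAMPLE_MAILBOX_FORWARDING).items():
        for f in findings:
            print(f"{mailbox:<22} {f['severity']:<7} {f['rule']!r}: {f['reason']}")
```

Run on a regular schedule and on every sign-in alert, an audit like this catches both the policy violation (a user quietly forwarding to a personal account) and the compromise indicator (a rule named "." that forwards invoices out and deletes replies). The disabled rule in the sample produces no finding, but a production version should at least list disabled rules, since an attacker can enable one later.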
Shadow IT
Employees working remotely may use personal email, WhatsApp or consumer file-sharing platforms for convenience. This can move sensitive business data outside approved systems. Security training for remote staff should address the use of unauthorised communication tools directly.
Common Security Gaps
What Email Security Mistakes Are SMBs Still Making?
Common SMB email security mistakes include using Microsoft 365 with default settings, leaving DMARC permanently at p=none, relying on passwords without MFA, running awareness training only once a year and failing to provide a clear method for reporting suspicious messages.
No MFA
Email accounts remain protected only by usernames and passwords that can be stolen or reused.
DMARC Stuck at p=none
Reports are collected, but spoofed messages are not blocked or quarantined.
Annual Training Only
Employees receive outdated training that does not reflect current attack techniques.
No Reporting Procedure
Employees who recognise a suspicious email do not know how or where to report it.
Default Microsoft 365 Settings
The organisation assumes default protection is equivalent to a properly secured configuration.
Unencrypted Sensitive Data
Personal, legal or financial information is transmitted without sufficient protection.
No Multi-Factor Authentication
Microsoft’s published security research has stated that MFA can prevent more than 99.9% of account compromise attacks. Enforcing MFA across a Microsoft 365 tenant can often be completed from the administration environment without purchasing a separate email security product.
DMARC Left Permanently at p=none
A p=none policy provides visibility but does not prevent domain spoofing. The purpose of monitoring is to identify legitimate sending services, fix authentication failures and progress safely toward quarantine and rejection.
Annual Training That Does Not Reflect Current Attacks
Threat techniques evolve faster than annual training cycles. Quarterly simulations using relevant scenarios, followed by targeted guidance, can create a more sustainable improvement in employee behaviour.
No Internal Phishing Reporting Procedure
Employees frequently ignore suspicious emails because they have not been told what action to take. A phishing-report button in Outlook or a clearly publicised internal reporting address can turn employees into an early-warning network.
A campaign reported by one employee can potentially be quarantined across the wider organisation before additional users interact with it.
Sending Sensitive Information Through Ordinary Email
Customer personal information, legal files and financial account details should not be sent through unprotected email. TLS provides the baseline for transmission, while stronger end-to-end protection may be required for higher-risk data.
Regulatory Requirements
What Email Security Compliance Do US and UK Businesses Need to Meet?
UK and US businesses face overlapping email security obligations. GDPR applies when processing UK or EU personal data, HIPAA covers US healthcare organisations and business associates, PCI DSS applies to card-payment environments and ISO 27001 provides a broader information security management framework.
| Standard | Who It Applies To | Core Email Requirement | Potential Consequence |
|---|---|---|---|
| GDPR | Organisations processing UK or EU personal information. | Appropriate encryption, retention controls and breach notification procedures. | Regulatory penalties can reach €20 million or 4% of worldwide annual turnover. |
| HIPAA | US healthcare providers and relevant business associates. | Protection of PHI, access controls, audit logging and appropriate agreements with vendors. | Financial penalties, corrective action and reputational damage. |
| PCI DSS | Businesses storing, processing or transmitting cardholder data. | Cardholder information must not be transmitted through unprotected email. | Network penalties, higher processing costs or loss of card processing privileges. |
| ISO 27001 | Organisations operating or pursuing a certified information security management system. | Documented information-transfer policies, access controls and security evidence. | Loss of certification or exclusion from procurement opportunities. |
GDPR
GDPR requires personal information transmitted by email to be protected using appropriate technical and organisational measures. TLS is an important baseline, while stronger encryption may be required for special-category or highly sensitive information.
Organisations should also maintain an email data-retention policy defining how long messages containing personal information are stored and how they are securely removed after the retention period expires.
HIPAA
US covered entities and business associates must apply safeguards to email containing Protected Health Information. Access to systems containing PHI should be controlled, logged and auditable. Relevant third-party service providers may also need a Business Associate Agreement.
PCI DSS
Card numbers, security codes and expiry dates should not be requested or accepted through ordinary email. Customers who attempt to send payment details through email should be directed to an approved, secure payment platform.
ISO 27001
ISO 27001 places email controls within a wider information security management system. Relevant areas include information transfer, acceptable use, access control, supplier security and documented operational procedures.
Certification requires documented controls, evidence of implementation and ongoing internal and external review. Many enterprise and public-sector procurement exercises now request ISO 27001 certification from suppliers.
Assess Your Current Email Configuration
Cyber Security Solutions Ltd helps organisations across the UK and US identify email-control gaps and implement appropriate technical and procedural safeguards.
Email Security FAQs
Frequently Asked Questions
Practical answers to common questions about business email protection, phishing, Microsoft 365 security and incident response.
How do I know if my business email account has been compromised?
Signs include sent messages you did not write, contacts reporting suspicious emails from your address, unexpected password-reset notifications, login alerts from unknown locations or devices and forwarding rules you did not create. Review account sign-in logs, revoke active sessions, reset the password and enforce multi-factor authentication before restoring normal access.
What is the difference between spam and phishing?
Spam is unsolicited bulk email, commonly involving irrelevant marketing or advertising. Phishing is malicious communication designed to steal credentials, install malware or trigger a fraudulent transaction. Spam filters block much ordinary spam, while modern phishing requires stronger authentication, behavioural analysis and user-verification procedures.
Can phishing emails still get through with a Secure Email Gateway?
Yes. No platform blocks every attack. Spear phishing messages sent from legitimate compromised accounts may pass authentication because the sending domain is genuine. MFA, employee reporting, payment-verification procedures and security training remain necessary alongside gateway protection.
How often should email security settings and policies be reviewed?
Review SPF, DKIM and DMARC when adding or changing a sending service. Review gateway rules and Data Loss Prevention controls quarterly. Review DMARC reports regularly during enforcement and run recurring phishing simulations using current attack scenarios. Static configurations become outdated as systems and threats change.
Does Microsoft 365 Business Standard include enough email security?
Microsoft 365 Business Standard includes Exchange Online Protection for baseline spam and known malware filtering. It does not provide every advanced feature available through Microsoft Defender for Office 365. Organisations handling sensitive or regulated information should assess whether Plan 1, Plan 2 or a third-party gateway is appropriate.
What should I do in the first hour after a phishing attack?
Revoke the compromised account’s active sessions and access tokens. Reset the password, enforce MFA and inspect sent items, inbox rules and forwarding rules. Alert employees who may have received messages from the account. Where money or financial data is involved, contact the relevant bank immediately and report the incident to the appropriate authority, such as FBI IC3 in the US or Action Fraud in the UK.
What is BIMI and is it worth implementing for a small business?
BIMI can display a verified brand logo beside authenticated emails in supported mail platforms. It normally requires DMARC at p=quarantine or p=reject and may require a Verified Mark Certificate. It is most valuable after the organisation’s core authentication controls have been correctly implemented.
What is quishing and how is it different from standard phishing?
Quishing uses a QR code image rather than a normal clickable text link. The encoded destination may not be visible to basic text-based email scanners. When an employee scans the code on a personal phone, the destination opens outside the managed email environment. Protection requires image and QR code analysis as well as employee awareness.
Protect Your Organisation
Build a Complete, Layered Email Security Stack
Email security is not a single product that can be installed and forgotten. SPF, DKIM and DMARC authenticate your domain. A properly configured gateway filters threats. MFA protects accounts. Encryption protects sensitive information, while clear policies and regular training help employees respond correctly when something suspicious reaches the inbox.