IT Security: Protecting Your Business Email
Business email compromise — where an attacker gains access to a staff member's email account or impersonates a trusted sender — is responsible for more financial losses among Singapore SMEs than any other cyber attack type. The attack typically involves intercepting or forging emails related to payment instructions, causing businesses to transfer funds to fraudulent accounts. Protecting your business email requires a combination of technical controls, staff awareness, and verification procedures that most SMEs can implement within a week.
How Do Business Email Compromise Attacks Work?
The most common method is credential theft through phishing. An employee receives an email that appears to come from Microsoft, Google, or their email provider, asking them to "verify their account" or "review a shared document." The link leads to a fake login page that captures their username and password. The attacker now has full access to their email account — reading all messages, sending emails as that person, and monitoring for payment-related correspondence.
With access to an email account, attackers monitor for high-value transactions. They wait for an invoice, payment request, or bank detail notification, then either modify the email before it reaches the recipient or send a follow-up email claiming "our bank details have changed, please use this account instead." They also tend to add an inbox rule that moves the other party's replies into a hidden folder or deletes them, so the account owner never sees the supplier asking why payment has not arrived. The fraudulent email comes from a real, trusted email address, which makes it extremely convincing.
Alternatively, attackers register domains that look similar to yours — replacing a letter or adding a character — and send emails from these lookalike domains. A supplier at "abccompany.com" becomes "abccompany.co" or "abc-company.com." Staff who do not scrutinise the sender domain carefully respond to or act on these emails as if they are genuine.
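The lookalike checks above (a changed TLD, an inserted hyphen, a swapped character, the brand embedded in a longer name) can be automated against the list of domains you already deal with. The following Python is an added example, not code from the original article; the trusted domains and sample senders are constructed, and it assumes trusted domains sit directly under their TLD.

```python
# Added example (not from the original article): flag sender domains that
# imitate a supplier or partner domain you already deal with. The trusted
# list and the sample senders are constructed for illustration.

TRUSTED_DOMAINS = ["abccompany.com", "acmelogistics.sg", "microsoft.com"]

# Single characters attackers swap for look-alikes, plus two-character tricks.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
MULTI_CHAR = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalise(label: str) -> str:
    """Collapse homoglyphs and hyphens so 'abc-c0mpany' and 'abccompany' compare equal."""
    s = label.lower().translate(HOMOGLYPHS)
    for pair, repl in MULTI_CHAR:
        s = s.replace(pair, repl)
    return s.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_label(domain: str) -> str:
    """First label of a domain ('abccompany' from 'abccompany.com').
    Assumption: trusted domains sit directly under their TLD."""
    return domain.lower().split(".")[0]


def classify_sender(sender_domain: str):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    d = sender_domain.lower().strip()
    for trusted in TRUSTED_DOMAINS:
        if d == trusted or d.endswith("." + trusted):
            return "trusted", trusted          # exact domain or a genuine subdomain
    sender = normalise(brand_label(d))
    for trusted in TRUSTED_DOMAINS:
        t = normalise(brand_label(trusted))
        if sender == t:                        # same brand, different TLD or hyphenation
            return "lookalike", trusted
        if levenshtein(sender, t) <= 2:        # one or two characters changed or dropped
            return "lookalike", trusted
        if len(t) >= 6 and t in sender:        # brand embedded in a longer name
            return "lookalike", trusted
    return "unknown", None


if __name__ == "__main__":
    for sender in ["abccompany.com", "abccompany.co", "abc-company.com", "abcc0mpany.com",
                   "abccompany-invoices.net", "micros0ft-support.com", "gmail.com"]:
        print(f"{sender:28} -> {classify_sender(sender)}")
```

A "lookalike" verdict is a reason to hold the email for a human check, not proof of fraud; a new legitimate supplier will show up as "unknown", and that is the point at which the out-of-band verification procedure described later on this page applies.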
What Technical Controls Prevent Email Compromise?
Multi-factor authentication is the single most effective protection. Even if a password is stolen through phishing, an attacker cannot log in without the second factor. Not all second factors are equal, though: SMS codes can be intercepted or socially engineered out of a staff member, and even authenticator-app codes can be relayed in real time by adversary-in-the-middle phishing kits that proxy the genuine login page and capture the resulting session. Prefer phishing-resistant methods (FIDO2 security keys or passkeys, which are bound to the real login domain) where your platform and devices support them, and otherwise an authenticator app rather than SMS. Enable MFA on every email account, including shared mailboxes and administrator accounts, and disable legacy authentication protocols (basic authentication for IMAP, POP and SMTP), because those sign in with a password alone and never prompt for the second factor.
SPF, DKIM, and DMARC records protect your domain from being spoofed. SPF is a DNS TXT record listing the servers authorised to send email for your domain. DKIM adds a cryptographic signature to each message, verified against a public key you publish in DNS, proving the message was signed by your domain and not altered in transit. DMARC ties both checks to the From address the reader actually sees: a message passes if either SPF or DKIM passes for a domain aligned with that From domain, and only when neither does is your published policy (none, quarantine or reject) applied. Start at p=none with aggregate reports sent to the rua address, so you discover legitimate senders you had forgotten (an invoicing or marketing platform, for example), then move to quarantine and finally reject. Be clear about what DMARC does not do: it protects your exact domain only, so it does nothing against lookalike domains, and it does not stop a criminal who has taken over one of your genuine mailboxes.
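The way a receiving server combines those three checks is easy to get wrong, so here it is as runnable logic. This Python is an added example, not code from the original article: the DNS record values, the domains and the four authentication scenarios are constructed, and the organisational-domain rule is simplified to the last two labels (a real implementation uses the Public Suffix List so that, for instance, a .com.sg domain aligns correctly).

```python
# Added example (not from the original article): how a receiving server
# applies DMARC. Records, domains and results below are constructed.
from dataclasses import dataclass

# The three DNS TXT records a small business would publish (values are examples;
# the DKIM public key is a placeholder).
EXAMPLE_RECORDS = {
    "example.sg": "v=spf1 include:spf.protection.outlook.com -all",
    "selector1._domainkey.example.sg": "v=DKIM1; k=rsa; p=<public key>",
    "_dmarc.example.sg": "v=DMARC1; p=reject; rua=mailto:dmarc@example.sg; adkim=r; aspf=r",
}


@dataclass
class DmarcPolicy:
    policy: str        # p= tag: none, quarantine or reject
    adkim: str = "r"   # DKIM alignment: r (relaxed, same organisational domain) or s (strict, exact)
    aspf: str = "r"    # SPF alignment, same meaning


@dataclass
class AuthResults:
    from_domain: str   # domain in the From: header, which is what the reader sees
    spf_result: str    # pass / fail / none
    spf_domain: str    # envelope (MAIL FROM) domain that SPF was evaluated against
    dkim_result: str   # pass / fail / none
    dkim_domain: str   # d= tag of the DKIM signature, or "" if unsigned


def parse_dmarc(txt: str) -> DmarcPolicy:
    """Parse 'v=DMARC1; p=reject; ...' into a policy object."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key] = value
    return DmarcPolicy(tags["p"], tags.get("adkim", "r"), tags.get("aspf", "r"))


def org_domain(domain: str) -> str:
    """Organisational domain. Assumption: the last two labels; real code uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Does the SPF or DKIM domain line up with the visible From domain?"""
    if not identifier:
        return False
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


def evaluate(policy: DmarcPolicy, r: AuthResults) -> str:
    """Return 'pass' or the disposition the sender's policy asks for."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, policy.aspf)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, policy.adkim)
    if spf_ok or dkim_ok:      # one aligned pass is enough
        return "pass"
    return policy.policy       # none / quarantine / reject


POLICY = parse_dmarc(EXAMPLE_RECORDS["_dmarc.example.sg"])

# Constructed scenarios, each as (description, authentication results).
SCENARIOS = [
    ("genuine mail from the company's Microsoft 365 tenant",
     AuthResults("example.sg", "pass", "example.sg", "pass", "example.sg")),
    ("genuine mail via an invoicing platform: SPF not aligned, DKIM signed by the company",
     AuthResults("example.sg", "pass", "bounce.invoicing-platform.example", "pass", "example.sg")),
    ("spoof from an attacker's server: SPF fails, no DKIM",
     AuthResults("example.sg", "fail", "example.sg", "none", "")),
    ("spoof where the attacker's own domain passes SPF and DKIM but is not aligned",
     AuthResults("example.sg", "pass", "attacker.example", "pass", "attacker.example")),
]


def run_scenarios():
    return [(desc, evaluate(POLICY, r)) for desc, r in SCENARIOS]


if __name__ == "__main__":
    for desc, verdict in run_scenarios():
        print(f"{verdict:10} {desc}")
```

The last scenario is the one that matters most: an attacker can always make SPF and DKIM pass for a domain they own, and it is the alignment requirement that stops that from helping them impersonate yours.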
Email filtering and threat detection catch many phishing attempts before they reach inboxes. Microsoft 365 and Google Workspace include built-in phishing detection that improves over time. Additional email security tools from providers like Proofpoint or Mimecast add another layer of detection for sophisticated attacks that bypass basic filtering.
Conditional access policies restrict email access based on location, device, and risk level. If your team only works from Singapore, blocking sign-ins from other countries removes a large share of opportunistic attempts. Treat geography as one signal rather than a guarantee, though: attackers routinely route through Singapore-based VPN or proxy addresses, so the policy that actually closes the gap is requiring a managed or compliant device, which keeps a stolen password and a compromised personal device from providing an attack path. The same policies should block legacy authentication clients outright.
What Procedures Should You Implement?
Payment verification procedures prevent the most costly email compromise outcomes. Any request to change bank account details — from a supplier, client, or internal staff — must be verified through a separate communication channel. If an email requests a bank detail change, call the sender using a phone number from your existing records (not from the email) to confirm. This simple procedure prevents the majority of payment fraud.
Scheduled password changes are no longer recommended. NIST SP 800-63B advises against forcing periodic rotation because it pushes staff towards predictable variations of the same password and does nothing against a credential that is phished and used within hours. Instead, require long, unique passwords stored in a password manager, change a password immediately whenever compromise is suspected or it turns up in a breach, and rely on MFA so that a stolen password on its own is not usable at all.
Staff awareness training is essential because technical controls cannot catch everything. Train your team to recognise phishing emails — checking sender addresses carefully, hovering over links before clicking, and questioning unexpected requests. Regular simulated phishing exercises identify staff who need additional training and maintain awareness over time.
Frequently Asked Questions
How do I know if my business email has been compromised?
Warning signs include unexpected password reset emails, sign-in notifications from unusual locations or devices, emails in your sent folder that you did not send, auto-forwarding or inbox rules you did not create, MFA methods or recovery addresses you did not register, third-party apps granted access to your mailbox, and contacts reporting suspicious emails from your address. Check your account's sign-in history regularly; both Microsoft 365 and Google Workspace show recent sign-in locations and devices, and their audit logs record when inbox rules are created. If you suspect compromise, change your password, sign out of all active sessions, and review every account setting for unauthorised changes.
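Several of those warning signs can be checked automatically from an audit export rather than by eye. The following Python is an added example, not code from the original article: the events are constructed, and the field names are an assumption for this example rather than the exact Microsoft 365 or Google Workspace schema. It flags successful sign-ins from outside the expected country, two countries within an hour, and newly created inbox rules that forward mail outside the organisation or forward and delete it.

```python
# Added example (not from the original article): scan a constructed sign-in
# and mailbox audit export for the warning signs listed above. Field names are
# an assumption, not the exact Microsoft 365 or Google Workspace schema.
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"SG"}           # where staff are expected to sign in from
INTERNAL_DOMAIN = "example.sg"       # forwards outside this domain are suspicious
TRAVEL_WINDOW = timedelta(hours=1)   # two countries inside this window is not plausible

# Constructed events. Note the rule named "." : attackers often give rules
# single-character names so they are easy to overlook in the settings page.
EVENTS = [
    {"time": "2024-05-06T09:02:00", "user": "alice@example.sg", "type": "signin",
     "country": "SG", "result": "success"},
    {"time": "2024-05-06T09:40:00", "user": "alice@example.sg", "type": "signin",
     "country": "NG", "result": "success"},
    {"time": "2024-05-06T09:45:00", "user": "alice@example.sg", "type": "inbox_rule_created",
     "rule": ".", "forward_to": "alice.payments@gmail.com", "delete": True},
    {"time": "2024-05-06T10:10:00", "user": "bob@example.sg", "type": "signin",
     "country": "SG", "result": "success"},
    {"time": "2024-05-06T10:12:00", "user": "bob@example.sg", "type": "signin",
     "country": "US", "result": "failure"},
    {"time": "2024-05-06T11:00:00", "user": "bob@example.sg", "type": "inbox_rule_created",
     "rule": "Invoices", "forward_to": "finance@example.sg", "delete": False},
]


def find_alerts(events):
    """Return (user, alert_type, detail) tuples for the events worth a phone call."""
    alerts = []
    last_success = {}   # user -> (time, country) of their previous successful sign-in
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        user = e["user"]
        if e["type"] == "signin":
            if e["result"] != "success":
                continue    # failed attempts are a separate (brute-force) check
            if e["country"] not in ALLOWED_COUNTRIES:
                alerts.append((user, "signin_outside_allowed_countries", e["country"]))
            prev = last_success.get(user)
            if prev and prev[1] != e["country"] and t - prev[0] <= TRAVEL_WINDOW:
                alerts.append((user, "impossible_travel",
                               f"{prev[1]} then {e['country']} within {t - prev[0]}"))
            last_success[user] = (t, e["country"])
        elif e["type"] == "inbox_rule_created":
            target = (e.get("forward_to") or "").lower()
            if target and not target.endswith("@" + INTERNAL_DOMAIN):
                alerts.append((user, "external_auto_forward", target))
            if e.get("delete") and target:
                alerts.append((user, "forward_and_delete_rule", e["rule"]))
    return alerts


if __name__ == "__main__":
    for user, kind, detail in find_alerts(EVENTS):
        print(f"{user:20} {kind:34} {detail}")
```

Bob's failed sign-in from the US is deliberately left out of the alerts: a single failure is noise, whereas Alice's successful foreign sign-in followed minutes later by a forward-and-delete rule is the textbook sequence of an account takeover preparing for invoice fraud.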
Is Microsoft 365 or Google Workspace more secure for business email?
Both provide strong baseline security with continuous improvements. Microsoft 365 Business Premium includes Microsoft Defender for Office 365 (Plan 1), which adds link and attachment scanning and anti-impersonation checks. Google Workspace has strong built-in phishing detection. The security difference between them is less significant than whether you enable and properly configure the security features either platform provides. MFA, proper DNS records, and conditional access policies matter more than the platform choice.
What should I do if an employee clicks a phishing link?
Act immediately. Reset the employee's password and, just as importantly, sign the account out of every active session and revoke its tokens, because a password change on its own does not end a session the attacker already holds. Check for unauthorised forwarding or inbox rules, newly registered MFA methods, and third-party app consents, and remove any you do not recognise. Review the sent and deleted folders for messages the attacker may have sent, especially anything about invoices or bank details, and warn any customer or supplier who received one. Notify your IT team or provider to check whether other staff received the same phishing email and to preserve the audit logs. If the employee entered credentials on the phishing site, assume they are compromised for every other service where the same password was reused and reset those as well. If any payment was redirected, contact your bank immediately to attempt a recall and file a police report. Use the incident as a training opportunity without blame: phishing attacks are increasingly sophisticated and anyone can be caught.
Ready to Transform Your Business?
Let Digital Perpetual help you automate, streamline, and grow.