Email security: defending against phishing and business email compromise

Despite decades of evolution in cyber threats, email remains the primary way attackers get into organisations. Over 90% of successful cyberattacks begin with a phishing email. For South African businesses - where email is still the backbone of most business communication - understanding and defending against email-based threats is essential.

The stakes are high. Business email compromise (BEC) alone costs organisations billions globally each year, with individual incidents regularly reaching six and seven figures. These aren’t sophisticated technical exploits - they’re social engineering attacks that manipulate trust, urgency, and authority.

Understanding the threat landscape

Phishing: the broad net

Standard phishing campaigns cast a wide net, sending thousands or millions of emails that impersonate banks, delivery services, cloud providers, or government agencies. The goal is typically to harvest credentials or deliver malware. These attacks rely on volume - even a tiny success rate yields significant results when millions of emails are sent.

Spear phishing: the targeted approach

Spear phishing targets specific individuals or organisations. The attacker researches their target - using LinkedIn, company websites, and social media - to craft a convincing, personalised email. A spear phishing email might reference a real project, use the name of a real colleague, or arrive at a time that aligns with known business events.

Because these emails are tailored, they’re dramatically more effective than generic phishing. They’re also harder for automated filters to catch because they don’t match known phishing patterns.

Whaling: targeting leadership

Whaling is spear phishing aimed specifically at senior executives and board members. The higher the target’s authority, the more valuable the access or action the attacker can extract. A CEO who clicks a malicious link hands the attacker far more valuable access than a junior employee would.

Business Email Compromise (BEC)

BEC is the most financially damaging form of email attack. Unlike phishing that delivers malware, BEC attacks use social engineering to trick people into taking a specific action - usually transferring money or sharing sensitive information.

Common BEC scenarios:

  • CEO fraud - an email appearing to come from the CEO instructs the finance team to make an urgent, confidential payment to a new account
  • Invoice manipulation - an attacker intercepts a legitimate invoice and resends it with changed banking details
  • Account compromise - an attacker gains access to a real employee’s email account and uses it to send fraudulent requests to contacts who trust that sender
  • Vendor impersonation - emails impersonating a regular supplier request payment to updated bank details

What makes BEC devastating is that the emails often contain no malicious links or attachments - they’re just convincing text. This means traditional security filters that scan for malware often miss them entirely.

How BEC attacks unfold

A typical BEC attack follows a pattern:

  1. Reconnaissance - the attacker studies the target organisation’s structure, identifies key personnel, and learns communication patterns. This information is freely available from company websites, LinkedIn, news articles, and financial filings.

  2. Account setup or compromise - the attacker either registers a lookalike domain (e.g., ithq-group.co.za instead of ithq.co.za) or compromises a legitimate email account through credential phishing.

  3. Initial contact - a carefully crafted email establishes the pretext. For CEO fraud, it might be “I need you to handle something confidential” sent on a Friday afternoon when the supposed sender is known to be travelling.

  4. The ask - once engagement is established, the attacker makes their request - a wire transfer, a data export, a change of payment details.

  5. Urgency and pressure - the attacker creates time pressure to prevent the target from pausing to verify. “This needs to happen before end of business today” is a classic tactic.

Technical controls

SPF, DKIM, and DMARC

These three email authentication protocols work together to prevent email spoofing:

  • SPF (Sender Policy Framework) - defines which mail servers are authorised to send email on behalf of your domain. Receiving servers can check whether an email actually came from an authorised source.
  • DKIM (DomainKeys Identified Mail) - adds a cryptographic signature to outgoing emails, allowing recipients to verify the email hasn’t been tampered with in transit.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance) - ties SPF and DKIM together with a policy that tells receiving servers what to do when authentication fails (monitor, quarantine, or reject).

Every organisation should implement all three. DMARC in particular should be progressively moved to a “reject” policy, which prevents attackers from spoofing your domain when targeting your customers and partners.
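
Added example (not from the article): how a receiving server turns SPF and DKIM results into a DMARC disposition. SPF is checked against the envelope sender (MAIL FROM) domain and DKIM against the signature’s d= domain, so DMARC additionally requires one of them to align with the visible From: domain before the mail counts as authenticated; the domain, record and org_domain() rule are assumptions made for the example.

```python
def parse_tags(txt: str) -> dict:
    """Parse a 'k=v; k=v' DMARC TXT record into lowercase tags."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain (keeps 'example.co.za' whole).
    Assumption for this example: a real validator uses the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if len(labels) >= 3 and labels[-2] in ("co", "org", "ac", "gov") else 2
    return ".".join(labels[-keep:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) accepts any subdomain of the same organisational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record: str, from_domain: str, spf_result: str,
                      spf_domain: str, dkim_result: str, dkim_domain: str) -> str:
    """Return 'pass' if SPF or DKIM passed AND aligns with From:; otherwise the
    owner's policy: 'none' (monitor only), 'quarantine' or 'reject'."""
    tags = parse_tags(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


# Constructed record for a fictional domain; a real one is fetched from the
# _dmarc.<domain> TXT record in DNS.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.co.za"

if __name__ == "__main__":
    # CEO-fraud spoof sent from the attacker's own server: SPF passes for the
    # attacker's MAIL FROM domain, but nothing aligns with From: example.co.za.
    print(dmarc_disposition(RECORD, "example.co.za", "pass", "attacker-mail.example", "none", ""))
    # Genuine mail from an authorised relay, signed with d=example.co.za.
    print(dmarc_disposition(RECORD, "example.co.za", "pass", "bounce.example.co.za", "pass", "example.co.za"))
    # A lookalike such as example-group.co.za is a different domain with its own
    # (or no) policy, so a reject policy on example.co.za does not block it.
```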

Email filtering and gateway security

Modern email security platforms go beyond simple spam filtering:

  • URL analysis - checking links at time of click (not just delivery) against threat intelligence feeds
  • Attachment sandboxing - executing attachments in an isolated environment to observe behaviour before delivering them
  • Impersonation detection - identifying emails that use display names matching internal executives or known contacts but originate from external addresses
  • Natural language analysis - detecting patterns common in BEC emails: urgency, financial requests, secrecy
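
Added example (not from the article or any product): a small detector that applies the impersonation and language checks above to one message, also flagging the lookalike-domain pattern described earlier. The organisation domain, executive name and sample message are constructed for the example; it uses only the Python standard library.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed organisation data (hypothetical domain and executive).
INTERNAL_DOMAIN = "example.co.za"
EXECUTIVES = {"Thandi Nkosi": "thandi.nkosi@example.co.za"}
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|today|asap|confidential|end of business)\b", re.I)
FINANCE = re.compile(r"\b(wire|transfer|payment|invoice|bank(ing)? details|new account)\b", re.I)


def is_lookalike(domain: str, reference: str) -> bool:
    """True if the registrable label resembles ours (e.g. example-group.co.za
    or examp1e.co.za against example.co.za) without being identical."""
    if domain == reference:
        return False
    label, ref = domain.split(".")[0], reference.split(".")[0]
    return ref in label or SequenceMatcher(None, label, ref).ratio() >= 0.8


def assess(raw_message: str) -> list:
    """Return the BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    findings = []
    # Display name of a known executive, but the address is not theirs.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        findings.append("display-name impersonation")
    if domain != INTERNAL_DOMAIN and is_lookalike(domain, INTERNAL_DOMAIN):
        findings.append("lookalike domain")
    if URGENCY.search(body):
        findings.append("urgency/secrecy language")
    if FINANCE.search(body):
        findings.append("financial request")
    return findings


# Constructed sample message in the CEO-fraud pattern.
SAMPLE = """From: Thandi Nkosi <thandi.nkosi@example-group.co.za>
To: finance@example.co.za
Subject: Quick favour

I need you to handle something confidential. Please process an urgent
wire transfer to the new account before end of business today.
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```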

Sandboxing

When a suspicious attachment arrives, sandboxing detonates it in a controlled virtual environment. If the file tries to download additional malware, encrypt files, or establish network connections, the sandbox detects this behaviour and blocks delivery. This catches zero-day threats that signature-based detection would miss.

Robust email security should be a core component of your cybersecurity and security operations programme.

Human controls

Security awareness training

Technology catches the majority of phishing attempts, but some will inevitably reach inboxes. Your people are the last line of defence, and they need to be equipped for it.

Effective email security training:

  • Regular cadence - monthly or quarterly short sessions, not an annual checkbox exercise
  • Simulated phishing - sending controlled phishing emails to test and reinforce awareness. Follow up with immediate, non-punitive education for anyone who clicks.
  • Role-specific content - finance teams need training on BEC and invoice fraud specifically. Executives need training on whaling. IT staff need training on credential phishing targeting admin accounts.
  • Reporting culture - make it easy and rewarding to report suspicious emails. A “report phish” button integrated into the email client reduces friction. Acknowledge and thank reporters.

Verification procedures

For high-risk actions - particularly financial transactions and changes to payment details - implement out-of-band verification:

  • New payment requests must be verified by phone call to a known number (not one provided in the email)
  • Changes to supplier banking details require verbal confirmation with a known contact at the supplier
  • Urgent requests from executives are verified through a separate communication channel before action

These simple procedural controls prevent the majority of BEC losses.

Incident response for email compromise

When an email account is compromised, the response must be swift and thorough:

  1. Contain - reset the compromised account’s password immediately. Revoke active sessions and tokens.
  2. Investigate - review the account’s sent items, deleted items, and mail rules. Attackers often create forwarding rules to maintain access even after the password is changed.
  3. Assess scope - determine what the attacker accessed, what emails they read, and what actions they took (sent emails, downloaded contacts, accessed connected applications).
  4. Notify - if the compromised account was used to send fraudulent emails to contacts, notify those contacts promptly.
  5. Remediate - address the root cause (usually credential phishing), strengthen controls, and conduct additional training for the affected user and their team.
  6. Review - update your security controls and training programme based on lessons learned.
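
Added example for the investigation step above (not from the article): auditing a compromised mailbox’s inbox rules for the persistence patterns an attacker leaves behind. The rule list is constructed, with a shape loosely modelled on the properties an administrator sees in an Exchange Online Get-InboxRule export (assumed here, not a real export), and the organisation domain is hypothetical.

```python
# Constructed inbox rules (assumed field names; not a real export).
INTERNAL_DOMAIN = "example.co.za"
RULES = [
    {"Name": "Invoices", "Enabled": True, "ForwardTo": ["ap-archive@example.co.za"],
     "RedirectTo": [], "DeleteMessage": False, "SubjectContainsWords": ["invoice"]},
    {"Name": "Sync", "Enabled": True, "ForwardTo": ["collector@attacker-mail.example"],
     "RedirectTo": [], "DeleteMessage": False, "SubjectContainsWords": []},
    {"Name": "cleanup", "Enabled": True, "ForwardTo": [],
     "RedirectTo": [], "DeleteMessage": True, "SubjectContainsWords": ["payment", "bank details"]},
    {"Name": "Old", "Enabled": False, "ForwardTo": ["me@other.example"],
     "RedirectTo": [], "DeleteMessage": False, "SubjectContainsWords": []},
]


def external(addresses, internal_domain: str) -> list:
    """Addresses whose domain is not the organisation's own."""
    return [a for a in addresses if not a.lower().endswith("@" + internal_domain)]


def audit_rules(rules, internal_domain: str) -> dict:
    """Map rule name -> reasons it warrants review during an account-compromise
    investigation. External forwarding is the classic way an attacker keeps
    reading mail after a password reset; delete rules keyed on payment words
    hide the attacker's own correspondence from the real account owner."""
    findings = {}
    for rule in rules:
        if not rule.get("Enabled", True):
            continue  # disabled rules still merit a look, but are not live persistence
        reasons = []
        targets = external(rule.get("ForwardTo", []) + rule.get("RedirectTo", []), internal_domain)
        if targets:
            reasons.append("forwards mail outside the organisation: " + ", ".join(targets))
        if rule.get("DeleteMessage"):
            words = rule.get("SubjectContainsWords", [])
            reasons.append("silently deletes mail" + (f" mentioning {words}" if words else ""))
        if reasons:
            findings[rule["Name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_rules(RULES, INTERNAL_DOMAIN).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```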

Integrating email security with your broader identity and access management strategy - including conditional access policies and privileged account protections - reduces both the likelihood and impact of account compromise.

Real-world patterns in South Africa

South African businesses face some specific patterns:

  • Load shedding-themed phishing - emails purporting to be from Eskom or municipal providers with fake schedule downloads
  • SARS impersonation - particularly active during tax season, these emails mimic SARS communications to harvest credentials or distribute malware
  • Banking fraud - emails impersonating South African banks requesting “security verification”
  • Supplier fraud - in a business environment where many transactions still involve manual processes and email-based invoicing, supplier impersonation and invoice fraud are particularly prevalent

A proactive managed IT approach ensures that email security configurations are continuously monitored, updated, and aligned with the evolving threat landscape.

Building your email defence

Effective email security is not a single product - it’s a layered programme:

  1. Implement SPF, DKIM, and DMARC on all company domains
  2. Deploy advanced email filtering with sandboxing and impersonation detection
  3. Enable MFA on all email accounts without exception
  4. Establish out-of-band verification procedures for financial transactions
  5. Run regular security awareness training with simulated phishing
  6. Monitor for compromised accounts and respond rapidly
  7. Review and improve continuously based on incident data and threat intelligence

Protect your business from email threats

Email security deserves sustained attention and investment. The cost of a robust email security programme is a rounding error compared to the potential losses from a successful BEC attack.

Contact our team to assess your current email security posture. We’ll identify gaps, strengthen your technical controls, and help build the human awareness that stops the attacks technology can’t catch.
