It Started with a Single Email

It started with a single email that looked like it came from your bank.

The message arrived on a Tuesday morning at 09:14, right in the middle of the daily rush. The subject line read: "Action required: verify your business account details." The logo was correct. The formatting was identical to the bank's usual messages. The sender name looked right. There was a link to "confirm your details" that led to a page that looked exactly — exactly — like your bank's login screen.

Your office manager, Rachel, was in the middle of processing a batch of supplier payments. She had received similar security verification emails from the bank before. She clicked the link. She entered the email address and password she uses for the company email account, because the fake page asked for "your registered email credentials for verification."

The page displayed a brief loading animation, then showed a message: "Thank you. Your details have been verified." Rachel closed the tab and went back to work.

She had no reason to think anything was wrong.

But from that moment, everything was wrong. An attacker on the other side of the world now had Rachel's email password — and with it, access to your company's entire email account. What followed over the next six months would cost your business more than twenty-eight thousand pounds in direct losses, damage client relationships that took years to build, and trigger a regulatory investigation that consumed hundreds of hours of management time.

This is the story of how it unfolds. Not in theory. Not in a cybersecurity textbook. In the real, practical, painful terms that a UK business owner experiences when their email is compromised.

Day 1 — The Click That Opens the Door

The moment Rachel entered her credentials on the fake page, the attacker received them in real time. Within minutes, they tested the password against your company's email login page. It worked. They were in.

The first thing the attacker did was not send a single email. They did not change the password. They did not do anything visible. Instead, they quietly created a forwarding rule — a setting buried deep in the email account that automatically sends a copy of every incoming message to an external address controlled by the attacker.

Then they waited.

This is the most unsettling part of modern email compromise: the attacker does not act immediately. They are patient. They are methodical. They want to learn about your business before they strike.

Important

Most email compromises are not detected for days or weeks. The attacker deliberately avoids triggering any alarms, which means your email account continues to function normally while every message you send and receive is being silently copied and read.

Days 2 to 7 — The Silent Observer

For an entire week, the attacker did nothing but read. Every email that arrived in Rachel's inbox — and by extension, every email that arrived at your company's main contact address — was copied and studied.

The attacker learned:

  • Who your clients are. Names, email addresses, company names, the tone of your relationships.
  • How you invoice. Your invoice template, payment terms, the bank account details on your invoices, when you typically send invoices.
  • Your payment patterns. Which clients pay large sums, how often, and what the approval process looks like.
  • Your communication style. How Rachel writes emails, her sign-off, her typical greetings, the way she refers to colleagues and clients.
  • Your internal structure. Who makes financial decisions, who authorises payments, who is out of the office and unlikely to notice something unusual.

By the end of the week, the attacker had a detailed understanding of your business relationships, your financial flows and your communication patterns. They knew exactly which client to target, exactly how to phrase the message, and exactly when to send it for maximum impact.

You, meanwhile, noticed absolutely nothing. Your email worked normally. No messages were missing. No passwords had been changed. Nothing felt different.

Day 8 — The Fraudulent Invoice

On the eighth day, the attacker struck.

Using Rachel's email account — her real email account, not a spoofed address — the attacker sent an email to your largest client, Pemberton Engineering. The email was a follow-up to a genuine invoice that had been sent two weeks earlier, referencing the correct invoice number, the correct project name and the correct amount: twenty-eight thousand pounds.

The message read:

"Hi David, just a quick note regarding invoice #2847. We've recently changed our banking arrangements and the account details on the original invoice are no longer active. Please use the following details for payment: [new account number and sort code]. Apologies for any inconvenience. Best regards, Rachel."

The tone was perfect. The details were accurate. The email came from Rachel's genuine address. There was nothing — absolutely nothing — in the message that would have raised a red flag for David at Pemberton Engineering.

The attacker then set up a rule in Rachel's inbox to automatically delete any replies from David, so that Rachel would never see his response.

Did You Know?

Business email compromise (BEC) fraud is so effective because it does not rely on malware, viruses or technical exploits. It relies on trust — the trust that exists between businesses that have a genuine relationship. The attacker exploits that trust by sending messages from a real email account, making the fraud virtually undetectable to the recipient.

Day 10 — The Money Disappears

David at Pemberton Engineering received the email, noted the updated bank details, and forwarded it to his accounts department with a note: "Please update supplier details and process payment." His accounts team updated the records and scheduled the payment for the next payment run.

Two days later, twenty-eight thousand pounds was transferred to an account controlled by the attacker.

The money moved quickly. Within hours, it had been transferred through a series of accounts — some in the UK, some overseas — and withdrawn or converted into cryptocurrency. By the time anyone realised what had happened, the money was gone.

This is the brutal mathematics of email fraud: the transfer takes seconds, the movement of funds takes hours, and the discovery takes weeks. By the time the fraud is identified, recovery is almost always impossible.

Week 3 — The Discovery

Three weeks after the initial phishing email, David from Pemberton Engineering called your office. He was following up on a separate project and mentioned, almost in passing, that the payment for invoice #2847 had been processed and asked when he would receive the receipt.

Rachel checked your bank account. No payment had arrived.

"But we paid it," David said. "To the new account details you sent us."

"What new account details?"

That was the moment. The cold, sinking realisation that something had gone catastrophically wrong. Rachel pulled up her Sent folder. There it was — an email she had never written, sent from her own account, with bank details she had never seen, requesting payment for a genuine invoice she had sent weeks earlier.

The next few hours were a blur of phone calls — to the bank, to the police, to your insurance company, to David's finance team. Your bank confirmed that the funds had been transferred out of the receiving account within hours and could not be recalled. Action Fraud gave you a crime reference number. Your insurance company asked for detailed documentation.

David's reaction was a mixture of shock and anger. He had trusted the email because it came from your address. He had paid in good faith. And now he was out twenty-eight thousand pounds — or you were, depending on who bore the liability.

Month 2 — The Investigation

The weeks following the discovery brought a cascade of consequences that went far beyond the financial loss.

The ICO notification

Because the attacker had access to your email account for at least two weeks, they had access to personal data — client names, email addresses, potentially financial information, contracts and other sensitive documents that passed through your inbox. Under GDPR (the General Data Protection Regulation, which governs how businesses handle personal data), you are required to notify the Information Commissioner's Office (ICO) of a personal data breach within 72 hours of becoming aware of it.

The ICO notification triggered an investigation. An ICO officer reviewed your data protection practices, your email security measures and your breach response. They asked pointed questions:

  • Did the compromised email account have two-factor authentication enabled?
  • Were employees trained to recognise phishing emails?
  • What email security measures were in place to prevent unauthorised access?
  • How quickly was the breach detected and what steps were taken to contain it?

The answers were uncomfortable. Two-factor authentication had not been enabled. There had been no formal phishing awareness training. The breach had gone undetected for three weeks. The ICO officer was professional but thorough, and the investigation consumed dozens of hours of management time over the following weeks.

Important

Under GDPR, failing to notify the ICO of a qualifying data breach within 72 hours can result in fines of up to ten million pounds or two per cent of global annual turnover, whichever is higher. Even for small businesses, the regulatory consequences of an email breach can be severe — particularly if basic security measures were not in place.

The client fallout

You had a legal and ethical obligation to inform all clients whose data may have been accessed during the breach. That meant sending a difficult letter to every client explaining that your email had been compromised, that their personal information may have been exposed, and that you were taking steps to prevent it from happening again.

Some clients were understanding. Others were not. Two clients moved their business to competitors, citing "concerns about data security." Another client demanded a detailed security audit before they would continue the relationship. A prospective client who had been about to sign a contract put the decision on hold indefinitely.

The internal impact

Rachel was devastated. She blamed herself, even though the phishing email had been sophisticated enough to fool most people. The atmosphere in the office was tense. Colleagues were anxious about their own accounts. Morale dropped. Productivity suffered.

Month 6 — The Aftermath

Six months after the initial phishing email, this was the full tally of damage:

  • Direct financial loss: Twenty-eight thousand pounds (unrecovered).
  • Insurance claim: Partially successful — the insurer paid out twelve thousand pounds after a lengthy review, but disputed the remainder because two-factor authentication had not been enabled.
  • Lost clients: Two clients representing approximately fifteen thousand pounds in annual recurring revenue.
  • Lost prospect: One near-certain new client worth an estimated eight thousand pounds per year.
  • ICO investigation: No fine was issued (the ICO noted that the business cooperated fully), but the investigation consumed over one hundred and fifty hours of management time.
  • Legal and advisory fees: Three thousand pounds for advice on GDPR notification, client communication and insurance claims.
  • Security remediation: Two thousand pounds for an IT security consultant to audit and secure all email accounts, implement two-factor authentication and train staff.
  • Reputation damage: Immeasurable, but ongoing. Six months later, the business was still rebuilding trust with clients who had been notified of the breach.

Total quantifiable cost: approximately fifty-six thousand pounds — from a single click on a phishing email.

The UK Statistics — This Is Not Rare

The story above is not an extreme case. It is not a worst-case scenario designed to frighten you into action. It is, unfortunately, a typical example of what happens when a UK business's email is compromised.

The numbers confirm this:

Business email compromise costs UK businesses over 245 million pounds annually

According to Action Fraud (the UK's national fraud and cyber crime reporting centre), business email compromise — the specific type of attack described in this article — costs UK businesses an estimated 245 million pounds or more every year. That figure includes direct financial losses from fraudulent payments, but it does not account for the additional costs of investigation, remediation, lost clients and reputational damage.

84% of cyber attacks on UK businesses involve phishing

The UK government's Cyber Security Breaches Survey 2025 found that 84 per cent of businesses that experienced a cyber breach or attack reported phishing as the attack vector. Phishing — a fake email designed to trick someone into revealing their credentials or clicking a malicious link — remains the overwhelmingly dominant method of attack. It works because it exploits human trust, not technical vulnerabilities.

The average BEC loss exceeds ten thousand pounds

While headline-grabbing cases involve losses of hundreds of thousands or millions of pounds, the average business email compromise loss in the UK is over ten thousand pounds. For a small business with tight margins, that can be the difference between a profitable year and a catastrophic one.

Small businesses are the primary target

Contrary to what many business owners believe, small and medium-sized businesses are targeted more frequently than large enterprises. The reason is simple: large enterprises typically have dedicated security teams, mandatory two-factor authentication, email filtering systems and staff training programmes. Small businesses often have none of these — making them easier, more profitable targets for attackers.

Did You Know?

The National Cyber Security Centre (NCSC) reports that one in three UK small businesses experienced a cyber attack in the past twelve months. Email was the primary attack vector in the majority of cases. The NCSC recommends two-factor authentication as the single most important security measure for any business email account.

What Would Have Stopped Each Stage

The most important part of this story is not what happened — it is what could have been prevented, and how straightforwardly. Let us walk back through each stage and identify the specific measure that would have stopped the attack in its tracks.

Stage 1: The phishing click — stopped by awareness training

Rachel clicked the link because the phishing email was convincing and she had never been trained to spot the subtle signs of a fake message. With basic phishing awareness — checking the sender's actual email address (not just the display name), hovering over links before clicking them, verifying unexpected requests through a different channel — she would have recognised the email as suspicious and reported it instead of clicking.

Training does not need to be expensive or time-consuming. Even a short annual briefing on common phishing tactics significantly reduces the risk of an employee falling for a fraudulent email.

Stage 2: The password theft — stopped by two-factor authentication

Even though Rachel entered her password on the fake page, the attacker should not have been able to log in. Two-factor authentication (often abbreviated to 2FA) adds a second layer of security: after entering your password, you must also enter a one-time code generated by an app on your phone. Without that code, the password alone is useless.

If two-factor authentication had been enabled on Rachel's account, the attacker would have had her password but would have been unable to access her email. The attack would have ended right there — at day one, with zero damage.

Two-factor authentication is the single most effective protection against email compromise. It takes less than five minutes to enable and blocks over 99 per cent of automated attacks.

Stage 3: The silent observation — stopped by security monitoring

The attacker spent a week reading emails undetected because nobody was monitoring for unusual account activity. A good email provider monitors for suspicious behaviour — logins from unfamiliar locations, unusual forwarding rules being created, large volumes of email being accessed in a short time — and alerts the account owner or administrator when something looks wrong.

If the system had flagged the creation of an unfamiliar forwarding rule on the same day as a login from an unexpected location, the compromise would have been detected within hours instead of weeks.
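The correlation described above, as an added example (not code from the original article or from epost.plus): a small detector that reads mailbox audit events, flags logins from countries where staff do not normally work, inspects inbox rules for the two patterns in the story (forwarding to an external address, and silently deleting replies from a particular client), and raises the severity when a suspicious rule appears within 24 hours of an unfamiliar login. The log lines, field names, domains and addresses are constructed for this example; real providers use their own audit schema.

```python
"""Correlating mailbox audit events to catch a silent email compromise.

Added example. The sample events below are constructed, not real logs, and
the field names are an assumption; map them to your provider's audit export.
"""
import json
from datetime import datetime, timedelta

# Constructed sample audit log: one JSON object per line.
SAMPLE_AUDIT_LOG = """\
{"ts": "2025-03-04T09:20:11Z", "user": "rachel@example.co.uk", "op": "UserLoggedIn", "ip": "203.0.113.45", "country": "NG"}
{"ts": "2025-03-04T09:27:40Z", "user": "rachel@example.co.uk", "op": "New-InboxRule", "rule": {"name": "sync", "forward_to": "rachel.backup@example-mail.test", "delete": false, "from_contains": ""}}
{"ts": "2025-03-05T08:55:02Z", "user": "rachel@example.co.uk", "op": "UserLoggedIn", "ip": "198.51.100.7", "country": "GB"}
{"ts": "2025-03-11T13:58:00Z", "user": "rachel@example.co.uk", "op": "UserLoggedIn", "ip": "203.0.113.45", "country": "NG"}
{"ts": "2025-03-11T14:02:13Z", "user": "rachel@example.co.uk", "op": "New-InboxRule", "rule": {"name": ".", "forward_to": "", "delete": true, "from_contains": "pemberton-eng.test"}}
{"ts": "2025-03-11T14:10:00Z", "user": "rachel@example.co.uk", "op": "Set-InboxRule", "rule": {"name": "Filter", "forward_to": "", "delete": false, "from_contains": "newsletter"}}
"""

ORG_DOMAIN = "example.co.uk"        # assumption: the company's own mail domain
EXPECTED_COUNTRIES = {"GB"}          # assumption: where staff normally log in from
CORRELATION_WINDOW = timedelta(hours=24)


def parse_audit_log(text):
    """Parse newline-delimited JSON events into dicts with datetime timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def rule_findings(rule):
    """Return the reasons an inbox rule looks like it was planted by an intruder."""
    reasons = []
    target = rule.get("forward_to", "")
    if target and not target.lower().endswith("@" + ORG_DOMAIN):
        reasons.append(f"forwards mail to external address {target}")
    if rule.get("delete") and rule.get("from_contains"):
        reasons.append(f"silently deletes mail from '{rule['from_contains']}'")
    if rule.get("name", "").strip() in {"", ".", ".."}:
        reasons.append("rule has a near-empty name, easy to overlook in the rule list")
    return reasons


def detect_compromise(events):
    """Flag unfamiliar logins, suspicious rules, and the combination of both."""
    alerts = []
    unfamiliar_logins = []
    for ev in events:
        if ev["op"] == "UserLoggedIn" and ev.get("country") not in EXPECTED_COUNTRIES:
            unfamiliar_logins.append(ev)
            alerts.append({"severity": "medium", "ts": ev["ts"], "user": ev["user"],
                           "reason": f"login from unfamiliar country {ev['country']} ({ev['ip']})"})
        elif ev["op"] in ("New-InboxRule", "Set-InboxRule"):
            reasons = rule_findings(ev["rule"])
            if not reasons:
                continue
            # A suspicious rule shortly after an unfamiliar login is the pattern in the story.
            correlated = any(timedelta(0) <= ev["ts"] - lg["ts"] <= CORRELATION_WINDOW
                             for lg in unfamiliar_logins)
            note = " (within 24h of an unfamiliar login)" if correlated else ""
            alerts.append({"severity": "high" if correlated else "medium", "ts": ev["ts"],
                           "user": ev["user"], "reason": "; ".join(reasons) + note})
    return alerts


def main():
    for a in detect_compromise(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"[{a['severity'].upper():6}] {a['ts'].isoformat()} {a['user']}: {a['reason']}")


if __name__ == "__main__":
    main()
```

Run against the constructed log, the detector raises two medium alerts for the logins from an unexpected country and two high alerts for the rules created minutes after them; the routine "Filter" rule produces nothing. The same rule checks are what you would run by hand when auditing an account you suspect is compromised.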

Stage 4: The fraudulent invoice — stopped by domain protection

In this case, the attacker used the real email account. But in many BEC attacks, the attacker sends the fraudulent invoice from a spoofed address — one that looks like your domain but is not. Domain protection measures (think of them as a published list that tells the world "only my authorised servers can send email from my domain") prevent anyone from impersonating your email address. If a fake email is sent claiming to be from your domain, the recipient's mail server checks your published list, finds that the sending server is not authorised, and blocks or quarantines the message.

This does not help when the attacker is using the real account (as in our story), but it blocks the vast majority of BEC attacks where the attacker spoofs the sender address rather than gaining actual account access.

Stage 5: The payment — stopped by verification procedures

David's accounts team processed the payment without independently verifying the change of bank details. A simple policy — "we always verify changes to payment details by phone before processing" — would have stopped the fraudulent payment. David's team would have called Rachel, Rachel would have said "I never sent that email," and the fraud would have been discovered before any money moved.

This is not a technical measure — it is a business process. And it is one that every business should implement immediately, regardless of their email security setup.

epost.plus Advantage

Every epost.plus business email account includes two-factor authentication, automatic domain protection at the strictest settings, and security monitoring — the three technical measures that would have prevented this attack at stages two, three and four. The protections are enabled by default, not hidden in an advanced settings menu.

The Emotional Cost Nobody Measures

Financial reports and statistics capture the monetary cost of email compromise. They do not capture the human cost — and for the business owner living through it, the human cost can be worse than the financial one.

The stress and anxiety

In the weeks following the discovery of the breach, you do not sleep well. You lie awake wondering what the attacker read, who they contacted, what other damage they may have done that you have not discovered yet. Every email from a client feels like it might be the next shoe dropping. Every phone call could be another piece of bad news.

The feeling of violation

Having your email compromised feels personal. Someone read your private business communications. They studied your client relationships. They used your name and your words to steal from someone who trusted you. The violation is not just financial — it is an invasion of your professional identity.

The damaged relationships

The hardest conversation is the one with the client who was defrauded. David at Pemberton Engineering was your client for four years. You had built a relationship based on trust and reliability. Now that trust has a crack in it that may never fully heal. Even though David understands, intellectually, that you were a victim too — the fact remains that his company lost twenty-eight thousand pounds because of an email that came from your address.

The blame and guilt

Rachel carries the guilt of having clicked the link, even though the phishing email would have fooled most people. You carry the guilt of not having implemented basic security measures that would have prevented the entire incident. Both of you know, rationally, that blame is not productive — but the feelings persist for months.

These emotional costs are real, they are significant, and they are entirely preventable. Every measure described in this article — two-factor authentication, domain protection, security monitoring, staff awareness — costs a fraction of the emotional and financial toll that a breach inflicts.

Does Insurance Cover This?

One of the first calls you make after discovering a breach is to your insurance company. The answer you receive is often disappointing.

Standard business insurance: usually no

Standard commercial insurance policies — public liability, professional indemnity, office contents — typically do not cover losses arising from cyber crime. The policy may cover physical theft or property damage, but a fraudulent bank transfer initiated through a compromised email account usually falls outside the scope of standard coverage.

Cyber insurance: yes, but with conditions

A dedicated cyber insurance policy can cover losses from business email compromise, including the direct financial loss, the cost of forensic investigation, legal fees, client notification costs and business interruption. However, these policies typically come with conditions:

  • Security baseline: Many cyber insurers require you to have basic security measures in place — including two-factor authentication, regular software updates and employee training. If you did not have these measures at the time of the breach, the insurer may reduce or deny your claim.
  • Prompt notification: Most policies require you to notify the insurer within a specified timeframe (often 48 to 72 hours) of discovering the breach.
  • Cooperation with investigation: You may be required to engage a forensic investigator approved by the insurer and to preserve all evidence related to the breach.
  • Sub-limits and deductibles: Coverage for social engineering fraud (which includes BEC) often has a separate, lower limit than the main policy. A policy with a general cyber limit of five hundred thousand pounds might have a social engineering sub-limit of only fifty thousand pounds.

The lesson is clear: insurance is a safety net, not a strategy. Relying on insurance to cover the cost of a breach while neglecting the security measures that would prevent it is like driving without a seatbelt because you have car insurance.

Rebuilding Trust — The Long Road Back

After the immediate crisis passes — the accounts are secured, the ICO is notified, the insurance claim is filed — the real work begins: rebuilding the trust that was damaged by the breach.

With affected clients

Transparency is essential. Clients need to know what happened, what data may have been exposed, and what steps you have taken to ensure it does not happen again. Vague reassurances do not work. Specific, concrete actions — "we have implemented two-factor authentication on every account, we have engaged a security consultant, we have trained all staff" — demonstrate that you are taking the situation seriously.

Some clients will accept this and continue the relationship. Others will not. The clients you lose are often the ones you can least afford to lose — because they are the ones with the highest security expectations, which typically correlates with the highest-value contracts.

With your team

If an employee was the entry point for the attack (as Rachel was in our story), they need support, not blame. Phishing emails are designed to deceive. Blaming the employee creates a culture of fear where people are afraid to report suspicious activity — which makes the next breach more likely, not less.

Instead, use the incident as a catalyst for positive change. Implement training. Discuss real phishing examples. Create a clear, no-blame process for reporting suspicious emails. Turn a painful experience into a stronger security culture.

With your own confidence

It takes time to stop second-guessing every email, every link, every unusual request. The anxiety fades gradually as new security measures become routine and the immediate crisis recedes into the past. But the experience changes you — and that change, uncomfortable as it is, ultimately makes your business more resilient.

What Good Email Protection Actually Looks Like

After reading this article, you may be wondering what you should look for in an email provider to protect your business from this kind of attack. Here is what genuine, effective email protection includes — in plain language, without jargon.

Automatic domain protection

Your email provider should publish a set of records that tell the world: "Only my authorised servers can send email from this domain. If you receive a message claiming to be from this domain that did not come from my servers, block it." This prevents attackers from impersonating your email address. The best providers configure this automatically at the strictest possible settings, so you do not need to understand the technical details.

Two-factor authentication on every account

Every email account in your business should have two-factor authentication available — and ideally enabled by default. This single measure blocks the overwhelming majority of password-based attacks. If your current email provider does not offer two-factor authentication, that alone is reason enough to switch.

Encryption in transit

Emails should be encrypted as they travel between servers, so that they cannot be intercepted and read during transmission. The best providers enforce encryption and will not deliver messages over unencrypted connections. Think of it as sending your letters in sealed, tamper-proof envelopes rather than on open postcards.

Security monitoring

Your provider should monitor for unusual activity on your account — logins from unexpected locations, sudden changes to forwarding rules, bulk email access — and alert you when something looks suspicious. This reduces the window between compromise and detection from weeks to hours or even minutes.

UK-based support for incident response

If the worst happens and your account is compromised, you need to be able to reach a real person who understands your situation, speaks your language and operates in your time zone. A UK-based support team can respond immediately, help you secure your account and guide you through the notification and recovery process.

Did You Know?

Many email providers offer some of these protections, but few offer all of them configured to their strictest settings by default. The difference matters — a security feature that exists but is not enabled provides no protection at all.

How epost.plus Protects Against Every Stage of This Attack

Let us map the protections offered by epost.plus directly against each stage of the attack described in this article.

Against the phishing click (Stage 1)

epost.plus includes advanced spam and phishing filtering that analyses incoming messages for known phishing patterns, suspicious links and impersonation attempts. While no filter catches every phishing email, epost.plus significantly reduces the volume of malicious messages that reach your inbox — meaning fewer opportunities for an employee to click on a dangerous link.

Against the password theft (Stage 2)

Every epost.plus account supports two-factor authentication. Even if an attacker obtains a password, they cannot access the account without the second authentication factor. This single measure would have stopped the entire attack described in this article at day one.

Against the silent observation (Stage 3)

epost.plus provides account activity monitoring and alerts for unusual behaviour, helping to detect compromises quickly if they occur despite other protections.

Against email impersonation (Stage 4)

epost.plus runs its domain protection at the strictest possible settings — the digital equivalent of a locked door that refuses entry to anyone without the right key. The full authentication stack includes multiple layers of verification that work together to prevent anyone from sending fake emails using your domain. Additional protections ensure that email connections are encrypted and that the identity of the sending server is verified through cryptographic certificates.

Against the broader attack surface

Beyond the specific stages of BEC, epost.plus protects your business email with:

  • UK and EU data centres — your email data is stored within European jurisdiction, ensuring GDPR compliance and data sovereignty.
  • Free SSL encryption — all connections to your email are encrypted, whether you access it through webmail, a desktop application or a mobile device.
  • Webmail and ActiveSync — secure access from any device, anywhere, without compromising security for convenience.
  • Compatible with eM Client — a professional desktop email application that supports all epost.plus security features and provides a modern, productive email experience.

The security measures are not optional add-ons or premium features. They are built into every epost.plus business email account from the moment it is created. You do not need to enable them, configure them or pay extra for them. They simply work.

epost.plus Advantage

epost.plus runs domain protection at p=reject with strict alignment — the highest possible setting. This means fake emails claiming to be from your domain are rejected outright by receiving servers, not just flagged or quarantined. Combined with encrypted transport enforcement and certificate pinning, it is the most comprehensive email protection available for UK businesses.
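The "published list" described under Stage 4 and the p=reject with strict alignment mentioned here are a domain's SPF and DMARC records. As an added example, not code from the original article or from epost.plus, the script below parses a DMARC record and an SPF record and grades how strict they are, showing a weak configuration beside the strict one. The records are constructed for the example; checking a real domain would mean fetching the TXT record at _dmarc.<your-domain> and the domain's SPF TXT record from DNS, which this offline example does not do.

```python
"""Grading how strict a domain's published email authentication policy is.

Added example. The four records below are constructed; they are not the
records of any real domain.
"""

WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:reports@example.co.uk"
STRICT_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s; pct=100; rua=mailto:reports@example.co.uk"
WEAK_SPF = "v=spf1 include:_spf.example-mail.test ~all"
STRICT_SPF = "v=spf1 include:_spf.example-mail.test -all"

POLICY_ORDER = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict, filling in the DMARC defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # Defaults per the DMARC specification: relaxed alignment, 100% of mail,
    # subdomain policy inherits the domain policy.
    defaults = {"adkim": "r", "aspf": "r", "pct": "100", "sp": tags.get("p", "none")}
    return {**defaults, **tags}


def evaluate_dmarc(record):
    """Return (grade, findings); 'strict' means p=reject, strict alignment, all mail, reports on."""
    t = parse_dmarc(record)
    if t.get("v", "").upper() != "DMARC1":
        return "invalid", ["record does not start with v=DMARC1"]
    findings = []
    policy = t.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, never blocked")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in junk folders instead of being rejected")
    if t["adkim"].lower() != "s":
        findings.append("adkim=r: a DKIM signature from any subdomain counts as aligned")
    if t["aspf"].lower() != "s":
        findings.append("aspf=r: an SPF pass from any subdomain counts as aligned")
    if int(t["pct"]) < 100:
        findings.append(f"pct={t['pct']}: the policy applies to only part of the mail stream")
    if POLICY_ORDER.get(t["sp"].lower(), 0) < POLICY_ORDER.get(policy, 0):
        findings.append(f"sp={t['sp']}: subdomains get a weaker policy than the domain itself")
    if "rua" not in t:
        findings.append("no rua= address: you receive no aggregate reports of spoofing attempts")
    if not findings:
        return "strict", []
    return ("weak" if policy == "none" else "partial"), findings


def evaluate_spf(record):
    """Only a record ending in -all tells receivers to reject unauthorised senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "invalid", ["record does not start with v=spf1"]
    last = terms[-1].lower()
    if last == "-all":
        return "strict", []
    if last == "~all":
        return "weak", ["~all: unauthorised senders only soft-fail; rejection then depends on DMARC p=reject"]
    if last in ("+all", "all"):
        return "weak", ["+all: every server on the internet is authorised to send as this domain"]
    return "weak", ["no terminating 'all' mechanism: unauthorised senders get a neutral result"]


def main():
    for label, rec, fn in (("weak DMARC", WEAK_DMARC, evaluate_dmarc),
                           ("strict DMARC", STRICT_DMARC, evaluate_dmarc),
                           ("weak SPF", WEAK_SPF, evaluate_spf),
                           ("strict SPF", STRICT_SPF, evaluate_spf)):
        grade, findings = fn(rec)
        print(f"{label}: {grade}")
        for f in findings:
            print(f"  - {f}")


if __name__ == "__main__":
    main()
```

The weak record grades as "weak" with three findings (p=none and relaxed alignment on both DKIM and SPF); the strict record passes cleanly. A p=quarantine record with strict alignment grades as "partial", which is the state many domains sit in for years because nobody finishes the rollout.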

Frequently Asked Questions

How common is business email compromise in the UK?

Very common. According to the UK government's Cyber Security Breaches Survey 2025, 84 per cent of businesses that experienced a cyber attack reported phishing as the attack method. Business email compromise costs UK businesses an estimated 245 million pounds or more per year, according to Action Fraud. This is not a rare event that only happens to large corporations — small and medium-sized businesses are targeted just as frequently, often because attackers know they tend to have weaker security measures in place.

Am I too small to be targeted by email attackers?

No. Small businesses are disproportionately targeted precisely because attackers assume they have fewer security measures, no dedicated IT team and less awareness of phishing techniques. A sole trader or a five-person firm is just as likely to receive a phishing email as a multinational corporation. The difference is that a large company typically has multiple layers of protection, while a small business often has none. If you have a business email address and you send invoices, you are a potential target.

Does my business insurance cover email fraud losses?

Standard business insurance policies typically do not cover losses from email fraud. You may need a specific cyber insurance policy, and even those often come with conditions — they may require you to demonstrate that you had reasonable security measures in place at the time of the breach. If your email lacked basic protections like two-factor authentication, an insurer might reduce or deny your claim. Check your policy carefully and speak with your insurance broker about cyber coverage.

How do I know if my business email has been compromised?

Warning signs include: clients or contacts asking about emails you did not send; unexpected password reset notifications; login alerts from unfamiliar locations or devices; emails in your Sent folder that you did not write; colleagues receiving strange messages from your address; and rules or filters in your email account that you did not create. If you notice any of these, treat the situation as an active compromise and act immediately — change your password, enable two-factor authentication and contact your email provider.

What should I do first if I think my email has been compromised?

Act immediately. First, change your email password to something completely new and enable two-factor authentication if it is not already active. Second, check your email account for unfamiliar forwarding rules, filters or connected applications and remove anything you do not recognise. Third, notify your email provider so they can check for suspicious activity on their end. Fourth, inform your clients and contacts that your account may have been compromised, especially anyone you have recently exchanged invoices or payment details with. Fifth, report the incident to Action Fraud (the UK's national fraud reporting centre) and, if personal data was involved, consider whether you need to notify the ICO within 72 hours under GDPR.

Can two-factor authentication really prevent email compromise?

Two-factor authentication stops the vast majority of email compromises. Even if an attacker steals your password through a phishing email, they cannot log in without the second factor — typically a code generated by an app on your phone. According to Microsoft, two-factor authentication blocks over 99.9 per cent of automated account compromise attacks. It is the single most effective security measure you can enable on your email account, and it takes less than five minutes to set up.
