
An introductory guide to email account security


This blog from Mitigo gives an overview of common methods of attack against a business' email systems, and tips to help protect against them.

Your business email account is the most common entry point for criminals and sits at the root of most successful cyber-attacks. It is not surprising that the most heavily used function in a business is also the one criminals choose to exploit. What is surprising is that the security of a firm's email system is not given a higher priority.

In this summary we will describe how attacks start in order to give an insight into the key things that you need to defend against. We will also describe some common consequences of an attack to help to understand why this subject deserves real attention. Finally, we give ten top tips on how to avoid becoming a victim.

Top 4 attack approaches
Here are the common methods of attack against a business’ email systems.

  1. Phishing. The criminals send blanket emails to every address they have harvested from social media, the dark web and website scraping. They pose as legitimate suppliers and trick you into giving away your email login credentials. In our simulated attacks 20% of untrained staff typically fall for this type of attack.
  2. Malicious attachments. Emails carrying malicious attachments tempt you to open them with subject lines like "missed message", "urgent invoice", "bank statement" and so on. The attachment contains malicious code that attempts to gain some form of control over your computer.
  3. Account hijack. Using credentials bought on the dark web, automated guessing of weak passwords, or phishing, the criminals gain access to your account. They log in as you, with full functionality, including access to your entire email history.
  4. Spoofing. The criminals create their own email accounts and pretend to be you. They are not inside your account, but they send emails to your employees and clients to try to gain access to business systems and data.

Top 3 consequences
Here are the consequences if the criminals are successful in the approaches above.
  1. Ransomware and extortion. This is the most damaging consequence and can be business ending. The criminals use the access they have gained first to steal confidential and personal information, and then to encrypt your systems. They threaten to release the data if you do not pay a ransom. The average business downtime is now 26 days. The average ransom payment in 2021 was £628,000.
  2. Malware-spreading spam. The most common consequence is thousands of emails being sent from your account to every contact associated with your business. The aim is to infect their systems with a view to stealing money from them. We probably do not need to describe how damaging this is for a previously trusted business.
  3. Payment diversion. The objective here is to get money diverted to the criminals' bank accounts by tricking you or a client into sending money to the wrong payee. There is the obvious financial and reputational damage, but the conversations with the ICO (the Information Commissioner's Office, the UK data-protection regulator) will not end well if a client has lost thousands of pounds because you did not protect their data sufficiently.

Top tips to help structural engineers defend against email attacks
Here are the top 10 areas you must address to defend against the greatest cyber threat facing your business.
  1. Appropriate business email account. Free and basic email systems are not good enough. You may need to upgrade to get the appropriate level of capability.
  2. Good employee disciplines. Email addresses should be for work purposes only and you need to make this clear to staff. The dark web is littered with business email addresses that have been used on personal accounts (e.g. Amazon, eBay etc) that have then been lost along with passwords and critical information.
  3. Unique, strong passwords and strong authentication. The password must not be a repeat of anything used elsewhere, and it is essential that authentication has a second factor, e.g. a code from an authenticator app on your phone. A hardware security key (FIDO2) resists phishing better than a code, because the code itself can be phished.
  4. Inbound filters. Get these expertly set and don’t rely on defaults. If done well it will stop the deceptive emails ever getting into staff inboxes.
  5. Domain records. The part of your email address after the @ is called the domain. There are DNS records that must be set in the domain control panel to stop criminals easily spoofing your address: SPF (which hosts may send as your domain), DKIM (a signature on outgoing mail) and DMARC (what receivers should do when a message fails both checks, and where to send reports). A DMARC policy of p=none only monitors; spoofed mail is still delivered.
  6. Staff training and simulation. Make sure your staff get annual training and run simulated attacks to make sure they know what to expect.
  7. Access methods. You need to have a clear policy on how staff access emails e.g. from a laptop, mobile, through a web browser, etc. The more you reduce this, the more access points can be switched off in the security settings.
  8. Payment methods. Make sure that there is a robust process that ensures that changes to payee details have strong challenge processes.
  9. Antivirus & browser integration. Your web browser, email service and antivirus software need to be configured to work in unison to stop attacks. This is the most important backstop control, because it is unwise to rely on staff spotting the criminals' tricks.
  10. Alerts and blocks. Make sure that the alerting from security systems is properly configured and is going to your technical support and that rules are set to block, not allow.
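As an added example (not Mitigo's code or part of the original guide), the script below shows the checks behind tips 4 and 5: it grades a domain's SPF and DMARC records for spoofing exposure, and it reads the Authentication-Results header that an inbound filter sees on a received message. No DNS is queried; the TXT records and the header are constructed samples for hypothetical domains (weak.example, strong.example, mx.receiver.example) standing in for what a real lookup would return.

```python
"""Grade SPF/DMARC records and read Authentication-Results from inbound mail.

Added example, not Mitigo's code. DNS is not queried: the records below are
constructed samples for hypothetical domains.
"""
import re

# Constructed TXT records, keyed by the DNS name that would be queried.
SAMPLE_TXT = {
    "weak.example": ["v=spf1 include:_spf.google.com ~all"],
    "_dmarc.weak.example": [],  # no DMARC record published
    "strong.example": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.strong.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s"
    ],
}

# Constructed header as a receiving mail server would add it to a spoofed message.
SAMPLE_AUTH_RESULTS = (
    "mx.receiver.example; spf=fail smtp.mailfrom=weak.example; "
    "dkim=none (message not signed); dmarc=fail (p=none) header.from=weak.example"
)


def sample_lookup(name):
    """Stand-in for a DNS TXT query; returns [] for names with no record."""
    return SAMPLE_TXT.get(name, [])


def parse_spf(txt_records):
    """Return the single v=spf1 record, or None (two SPF records is a permanent error)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def parse_dmarc(txt_records):
    """Parse 'v=DMARC1; p=...; ...' into a dict of lower-cased tags, or None if absent."""
    for r in txt_records:
        if r.lower().startswith("v=dmarc1"):
            tags = {}
            for part in r.split(";"):
                if "=" in part:
                    k, v = part.split("=", 1)
                    tags[k.strip().lower()] = v.strip()
            return tags
    return None


def assess_domain(domain, lookup):
    """Return a list of findings; an empty list means the anti-spoofing basics are in place."""
    findings = []
    spf = parse_spf(lookup(domain))
    if spf is None:
        findings.append("SPF: missing or multiple v=spf1 records")
    else:
        last = spf.split()[-1].lower()
        if last in ("+all", "all"):
            findings.append("SPF: '+all' lets any host send as you")
        elif last == "~all":
            findings.append("SPF: softfail '~all'; receivers may still deliver spoofed mail")
        elif last != "-all":
            findings.append("SPF: record does not end with an 'all' mechanism")
    dmarc = parse_dmarc(lookup("_dmarc." + domain))
    if dmarc is None:
        findings.append("DMARC: no record; receivers are never told to reject spoofed mail")
    else:
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC: missing or invalid p= tag")
        if dmarc.get("pct", "100") != "100":
            findings.append("DMARC: pct<100 applies the policy to only a share of mail")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so spoofing attempts go unreported")
    return findings


def authentication_results(header):
    """Parse an Authentication-Results header into {'spf': ..., 'dkim': ..., 'dmarc': ...}."""
    results = {}
    for part in header.split(";")[1:]:  # first element is the authserv-id
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", part, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def should_quarantine(header):
    """Inbound filter rule: block on DMARC failure rather than relying on staff to notice."""
    return authentication_results(header).get("dmarc") == "fail"


if __name__ == "__main__":
    for d in ("weak.example", "strong.example"):
        print(d, assess_domain(d, sample_lookup) or ["OK"])
    print("quarantine sample message:", should_quarantine(SAMPLE_AUTH_RESULTS))
```

To run the same checks against your own domain, replace `sample_lookup` with a real TXT query (for example the output of `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`) and aim for an empty findings list; the inbound rule is the "block, not allow" default from tip 10 applied to mail that fails DMARC.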

This guide gives you a starting point and a roadmap. Please invest some time and resources in getting this right; it will be the best money you spend this year.

We have partnered with Mitigo to offer cybersecurity risk management services with exclusive discounts for our members.

For more information visit the Mitigo website, or you can contact them on 020 8191 1590 or email [email protected].
