Email security for small business: stopping BEC and phishing on a budget

If you need the cheapest useful email-security upgrade, start with five things: MFA on business email, a callback rule for any payment or bank-change request, SPF/DKIM/DMARC on your domain, short phishing-reporting training, and monitoring for suspicious sign-ins and mailbox rules.

That stack is not glamorous. It is effective.

The FBI still treats business email compromise as one of the most financially damaging online crimes, and the 2025 IC3 Annual Report lists 24,768 BEC complaints with $3,046,598,558 in reported losses.

Sources: FBI BEC overview, 2025 IC3 Annual Report

The direct answer: what to fix first

If the business is budget-constrained, I would fix email security in this order:

1. MFA on every mailbox, especially admin and finance accounts
2. a hard callback rule for wires, ACH changes, gift-card requests, and invoice changes
3. SPF, DKIM, and DMARC so your own domain is harder to spoof
4. a simple way for employees to report suspicious email
5. mailbox and identity monitoring for unusual sign-ins, forwarding rules, and OAuth abuse

That sequence matters because a lot of small businesses buy filtering first and process second. The FTC's small-business scam guidance says scammers often rely on urgency, impersonation, and unusual payment pressure. Process failures are exactly what those attacks target.

Source: FTC Scams and Your Small Business

What BEC really looks like in a small business

BEC does not always look like malware.

Often it looks like:

• a vendor "updating" bank details
• a fake invoice that seems routine
• a message from the owner asking for gift cards
• a mailbox rule created after a phished login
• an attacker sitting inside a real mailbox and waiting for a payment thread

That is why this topic should not be reduced to "buy better spam filtering."

The FBI's BEC page says criminals make a legitimate-looking request from what appears to be a known source. The FTC makes the same point in its phishing guidance for businesses: the message often seems to come from a vendor, client, or co-worker.

Sources: FBI BEC overview, FTC small-business phishing guidance

1. Turn on MFA, but do not stop there

Email is still the reset point for everything else. If someone takes the mailbox, they often get the power to reset banking, payroll, SaaS, and document-system accounts next.

CISA's guidance for small and medium businesses says businesses should require MFA and should aim for phishing-resistant MFA where possible.

Source: CISA: Require Multifactor Authentication

My practical version for a small business:

• turn on MFA for every mailbox
• prioritize owners, finance, HR, and admins first
• use an authenticator app or better, not SMS if you can avoid it
• review old break-glass and shared accounts while you are there

MFA will not stop every session-theft attack, but no-budget email security starts here.

2. Make payment verification a business rule, not a suggestion

This is the cheapest high-impact control on the list.

Write one rule and make it universal:

"No bank-detail change, wire request, ACH update, or urgent payment is approved from email alone."

Then require a callback or separate known-good channel before money moves.

That is boring. It is also exactly how you stop a large share of BEC losses.

The FTC's small-business scam guidance specifically calls out fake invoices, impersonation, and pressure tactics. If finance can be rushed, the business is still open even if the spam filter is decent.

Source: FTC Scams and Your Small Business

3. Set up SPF, DKIM, and DMARC on your own domain

This is where many small businesses quietly stay weak for years.

The FTC says email authentication helps keep your business's email from being used in phishing schemes. CISA's DMARC guidance explains that DMARC builds on SPF and DKIM and tells receiving mail systems how to handle messages that fail authentication.

Sources: FTC Email Authentication, CISA DMARC guidance

Plain English:

• SPF says which systems may send mail for your domain
• DKIM signs the message so receivers can validate it
• DMARC tells receivers what to do when those checks fail

You do not need to be a mail engineer to care about this. If attackers can spoof your domain easily, your own customers, vendors, and staff are easier to trick.

4. Teach employees to report, not just to "be careful"

The best budget email-security program does not ask staff to become forensic analysts.

It asks them to do three things:

• slow down on urgent or unusual requests
• avoid using links in unexpected email for logins
• report suspicious messages fast

The FTC tells businesses to train staff on phishing and make security part of regular business. CISA's phishing guidance also centers on recognizing and reporting suspicious messages.

Sources: FTC Cybersecurity for Small Business, CISA Secure Our World: Recognize and Report Phishing

This is where a simple phishing training program for small business helps. Not because training solves everything, but because it gives the business a repeatable reporting habit.

5. Watch for the patterns that show up after the phish

Most small businesses think "email security" means catching the message before it lands.

That matters, but identity-layer monitoring often catches the attack after a phish succeeds:

• impossible-travel or unusual sign-ins
• suspicious inbox or forwarding rules
• OAuth consent to a malicious app
• session replay or token theft indicators

That is why I do not separate email security from identity security in practice. If you want coverage for those patterns, Managed ITDR is the more natural commercial page than a generic mailbox-filtering pitch.

What to buy later, not first

A secure email gateway can absolutely help. So can more advanced filtering, attachment sandboxing, and link rewriting.

But for a typical small business on a budget, I would not buy those first if these basics are still weak:

• no MFA
• no callback rule
• no email authentication
• no reporting process
• no visibility into mailbox rules or identity alerts

Fix the cheap control failures first. Then spend on more filtering if the threat level and budget justify it.

A practical low-budget rollout

This week

• Turn on MFA for every mailbox
• Create a written callback rule for any money movement or bank-detail change
• Tell staff exactly how to report suspicious email

This month

• Review SPF, DKIM, and DMARC on the domain
• Remove stale forwarding rules and shared mailbox access that nobody can explain
• Run one short phishing lesson for staff

This quarter

• Test a fake invoice or executive-impersonation scenario
• Review sign-in logs and mailbox-rule alerts
• Decide whether you need outside help watching identity events after hours

That is a far more realistic budget plan than "buy enterprise email security and hope."

How this fits the rest of the security stack

Email security does not live alone.

The businesses that stop BEC better usually combine:

• email and identity controls
• endpoint visibility
• payment verification
• short recurring awareness training

That is why the natural internal cluster here is:

• phishing training for small business
• what controls cyber insurers require in 2026
• Managed ITDR

If you want vertical examples of what BEC looks like after the attacker gets in, the live law-firm and dental BEC articles are useful follow-on reads, but this draft is intentionally broader and more budget-focused.

My practitioner take

For small businesses, the cheapest useful email-security stack is not an appliance. It is discipline.

MFA. Callback verification. Domain authentication. Reporting. Monitoring.

Those controls are not flashy, but they line up with how the FBI, FTC, and CISA all describe the problem. And they reduce the kinds of losses that hit small businesses hardest: redirected payments, fake invoices, mailbox takeover, and phishing-led account compromise.

FAQ

What is the cheapest way for a small business to improve email security?

Start with MFA on business email, a written callback rule for payment and bank-detail changes, SPF/DKIM/DMARC on your domain, a simple phishing-reporting workflow, and some way to review suspicious sign-ins and mailbox-rule changes.

What is business email compromise?

The FBI describes BEC as a scam where criminals use a compromised or spoofed email account to send a message that appears legitimate, often to trigger a payment, redirect funds, or steal sensitive information.

Does email security mean buying a secure email gateway first?

Not always. A gateway can help, but many small businesses cut more risk, faster, by fixing MFA, business process, training, and email authentication first.

How much damage does BEC still cause?

The FBI's 2025 IC3 Annual Report lists 24,768 BEC complaints and $3,046,598,558 in reported losses, which is why email remains one of the most important small-business controls.

What should employees do with suspicious emails?

Report them quickly through one clear process, avoid clicking unexpected links or attachments, and verify urgent requests through a separate trusted channel you already know is real.

Can phishing training stop BEC by itself?

No. Training helps people recognize and report suspicious requests, but BEC also depends on identity controls, payment verification, mailbox monitoring, and good domain authentication.

Does better email security help with cyber insurance?

Yes. Cyber insurers increasingly require MFA on email, tested backups, and email authentication before they will bind or renew a policy, and weak email controls are a common reason applications get declined or priced higher. Fixing MFA, payment verification, and SPF/DKIM/DMARC is often a prerequisite for coverage — see what controls cyber insurers require in 2026.