What are the most common email attacks on small businesses? Give me the rundown.
Email is where small businesses actually get hurt, so it is worth knowing the handful of plays attackers run over and over. Here is the rundown, in roughly the order we see them.
1. Phishing for passwords. The workhorse of email crime. You get a convincing notice, a OneDrive share, a voicemail alert, a DocuSign request, or a password expiration warning, and the link leads to a fake login page that harvests your credentials. This is not really the attack itself; it is the key-copying step that enables everything below. Modern phishing is clean, well-written, and often personalized, so "I would spot it" is not a plan.
2. The breach-and-wait mailbox takeover. This is the one that costs real money. An attacker gets into a mailbox, often with a phished or reused password, and then does nothing loud. They set up hidden forwarding rules, read quietly for weeks, and learn your invoices, your deals, and how you talk to customers. Then, at exactly the moment money is about to move, they act: a wire is being sent, a closing is scheduled, a big invoice is due, and suddenly there is an email with updated payment details. It comes from the real mailbox, in the real thread, in the right tone. The money goes to the attacker, and nobody knows until the real party asks where their payment is.
3. Lookalike domain impersonation, the man-in-the-middle play. Attackers register a domain one character off from yours or your vendor's, think yourcompany versus yourcornpany, then insert themselves into an existing conversation. Each side believes they are talking to the other, while the attacker relays messages in the middle and edits the ones that matter, usually the banking details. Because the thread history is real and the names look right, this one fools careful people.
4. Impersonating the boss or a vendor. No breach required. An email arrives that looks like it is from the owner ("Are you at your desk? I need gift cards for clients, keep it quiet") or from HR-adjacent angles like a payroll direct deposit change request, or from a regular vendor with a new invoice. These prey on speed and politeness: the employee wants to be helpful and does not want to question the boss.
5. Malicious attachments and links. The classic: an invoice PDF, a shipping notice, or a shared document that installs malware when opened. This is a common front door for ransomware, which turns an email mistake into a company-wide outage.
Notice the pattern: every one of these ends at money or credentials, and most of them succeed by being patient and normal-looking rather than technically brilliant. That is also why the defenses are consistent: multi-factor authentication so a stolen password is not enough, email filtering and domain protections (SPF, DKIM, and DMARC) so impersonating your domain is hard, monitoring that flags suspicious sign-ins and hidden forwarding rules, short and regular staff training, and one iron process rule: any change to payment details gets verified by a phone call to a number you already had. If your business runs on email, and nearly every business does, this list is the reason email security is not optional anymore.
Want a straight answer about your setup?
Asheville Computer Company is a local managed IT provider based in Arden, minutes from most of Asheville.
Call (828) 290-9092 or visit ashevillecomputercompany.com for a free, no-pressure consultation.