This is a real incident. One employee. One email. One click. The business that let it happen had no DMARC, no training, and no incident plan. By the time they realised what had happened, the attackers had been inside their systems for four days.
How It Started
The email looked completely normal. It appeared to come from a supplier the business worked with regularly — same logo, same tone, even the same sign-off. It asked the finance manager to review an updated invoice and click a link to download it.
She clicked.
Within seconds, credential harvesting software was running silently in the background. The attackers now had her Microsoft 365 login. And because her password was reused across two other systems, they had those too.
Why the Email Got Through
This is where email authentication matters directly. The spoofed supplier email passed because the supplier's domain had no DMARC policy set. There was nothing to stop someone impersonating their domain and sending convincing emails as them.
Your own domain's configuration also matters here. If your email isn't authenticated — SPF, DKIM, and DMARC all in place — criminals can send emails that appear to come from your business. Your suppliers, clients, and partners become targets through you.
- SPF — tells receiving servers which mail servers are authorised to send on your behalf
- DKIM — cryptographically signs your emails so receiving servers can detect if they've been tampered with in transit
- DMARC — tells receiving servers what to do with a message that fails both the SPF and DKIM checks (quarantine or reject)
Without all three, your domain is open for impersonation. And so are your suppliers', if they haven't set them up either.
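As an added example (not code from the article or from SecureMyEmails), here is the kind of check the article recommends, run against constructed DNS TXT records for three hypothetical domains instead of live DNS; the domain names and records are assumptions, chosen to mirror the supplier with nothing published, a domain in DMARC monitoring mode, and a fully protected one.

```python
import re

# Constructed stand-ins for DNS TXT lookups, so the check runs offline.
# A real check would query <domain> (SPF) and _dmarc.<domain> (DMARC) over DNS.
SAMPLE_DNS = {
    # Nothing published at all: the position the supplier in the story was in.
    "supplier.example": {},
    # SPF present, DMARC in monitoring mode only: spoofed mail is still delivered.
    "partial.example": {
        "partial.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
        "_dmarc.partial.example": ["v=DMARC1; p=none; rua=mailto:dmarc@partial.example"],
    },
    # SPF with a hard fail and DMARC set to reject: spoofed mail is refused.
    "protected.example": {
        "protected.example": ["v=spf1 include:spf.protection.outlook.com -all"],
        "_dmarc.protected.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@protected.example"],
    },
}


def lookup_txt(domain, name):
    """Return the TXT strings published at `name` for `domain` (constructed data)."""
    return SAMPLE_DNS.get(domain, {}).get(name, [])


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain):
    """Return ("protected" or "exposed", list of findings) for a domain."""
    findings = []
    spf = [r for r in lookup_txt(domain, domain) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record: any server can claim to send for this domain")
    elif not re.search(r"[-~]all\s*$", spf[0]):
        findings.append("SPF does not end in -all or ~all, so unlisted senders are not failed")
    dmarc = [r for r in lookup_txt(domain, "_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record: receivers get no instruction to reject spoofed mail")
        return "exposed", findings
    if parse_dmarc(dmarc[0]).get("p", "none").lower() == "none":
        findings.append("DMARC policy is p=none: spoofed mail is reported but still delivered")
    # DKIM is not checked here: the selector name is chosen by each sender, so it cannot be guessed.
    return ("exposed" if findings else "protected"), findings
```

Each finding maps to one of the three records the article lists, so the output reads as a to-do list for whoever administers the domain.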
What Happened Next
The attacker spent four days in the business's systems — reading emails, mapping the org chart, identifying key contacts and payment processes. Then they struck: a carefully crafted email to the MD, appearing to come from the finance manager, authorising an urgent supplier payment of £22,000.
The money was transferred before anyone questioned it.
The total cost: £22,000 in lost funds, £8,000 in IT recovery, two weeks of disruption, and six months rebuilding trust with partners who'd received malicious emails appearing to come from this business.
The Three Failures That Made This Possible
This wasn't bad luck. It was a predictable outcome of three specific gaps:
- No email authentication — DMARC wasn't configured, so spoofed emails could be delivered without warning
- No phishing awareness training — staff hadn't been shown what to look for, how to verify, or who to call when something looked wrong
- No incident response plan — when the breach was discovered, no one knew what to do first, costing critical hours
Ben's Take: What Leaders Need to Act On
I work with business leaders who assume their IT team has "handled security." In most cases, the basics are in place — antivirus, firewall, backup. But email authentication is still missing on a surprisingly high number of UK business domains.
Here's the thing: configuring DMARC, SPF, and DKIM costs nothing beyond an hour or two of IT time. It doesn't require new software. It doesn't interrupt your operations. But it removes one of the most common entry points for exactly the kind of attack described above.
The first step is to know where you stand. Run a check on your domain. Find out whether you're protected or exposed. Then make a decision based on facts, not assumptions.
Is Your Domain Open to Spoofing Right Now?
Check your email authentication in 60 seconds. Find out whether your domain could be used to send phishing emails — to your clients, your suppliers, or your team.
Not sure where to start? Book a 20-minute call with Ben Richards at SecureMyEmails. We'll review your domain setup and tell you exactly what needs fixing — no sales pressure, just clarity.
Originally published on: Good Choice IT
This article is republished from Good Choice IT, with a canonical link preserving SEO credit to the original source.