Top 5 Tips for Solving the Email Security Problem

Here’s something that should bother every IT leader: email has been the number one attack vector for over a decade, and yet it somehow keeps catching organisations off guard.

We’re not talking about naive users clicking obvious scams. Modern phishing is engineered. It uses your suppliers’ real email addresses. It clones your bank’s login page down to the favicon. It arrives at 7 am on a Tuesday, written in the exact tone your CFO uses, asking you to approve a transfer before the board meeting. And it works.

In 2024, phishing was the most common initial access vector in data breaches worldwide, responsible for 16% of all incidents, ahead of stolen credentials, unpatched vulnerabilities, and everything else. The average breach that starts with a phishing email cost $4.88 million to resolve. Business Email Compromise (BEC) alone handed attackers $2.77 billion in the US last year. Meanwhile, generative AI has pushed phishing email volume up by over 1,265% since 2022, and AI-written phishing messages get clicked at a 54% rate, versus 12% for the old, handcrafted kind.

So, what do you do about it? We’ve put together five things that work — not in theory, but in practice, based on what resilient security teams are getting right.


Tip 1: Your Secure Email Gateway Is Not Enough — And Attackers Know It

84.2% of phishing attacks in 2024 sailed straight through DMARC authentication — a protocol that sits at the heart of most SEG configurations. — Egress, 2024

When most organisations think about email security, they think about their Secure Email Gateway. And fair enough — SEGs have been the standard for years. The problem is that attackers spent those same years figuring out exactly how to get around them.

Traditional SEGs work by checking emails against known threat signatures, spam patterns, and blacklisted domains. That works fine for the threats of five years ago. Today’s attacks don’t look like threats. They arrive from legitimate cloud services. They use real domains with valid DMARC records. The login page they link to is a pixel-perfect copy of Microsoft 365, hosted on a domain registered three days ago. A legacy SEG looks at that email and sees nothing wrong.

In 2024, 91% of security leaders said they were frustrated with their SEG, and 87% were actively looking to replace or augment it. That’s not a niche opinion anymore — it’s a near-consensus among the people who deal with this daily.

What works is adding a layer that operates post-delivery, inside the mailbox, not just at the perimeter. API-based tools connected directly to the mail platform analyse email behaviour patterns, flag anomalies in sender relationships, and catch things that looked clean at the gateway. They work on different signals entirely — which is exactly what you need when attackers have already reverse-engineered the first layer.

Actions worth taking:

  • Run your current SEG against modern phishing simulation tools — not just legacy malware. See what gets through.
  • Look at post-delivery email security solutions that sit inside the mailbox rather than in front of it.
  • Move from pure signature matching toward behavioural and relationship-based anomaly detection.

Tip 2: DMARC, DKIM, and SPF — Have You Actually Set These Up Properly?

94% of organisations were successfully phished in 2024 — most of them had email authentication protocols in place. — Egress Phishing Threat Trends Report, 2024

If your organisation doesn’t have SPF, DKIM, and DMARC configured correctly, stop reading and go fix that first. Genuinely. These protocols are the foundation — they tell receiving mail servers whether an email from your domain actually came from you, and they prevent attackers from impersonating your brand in emails sent to your own customers and partners.

But here’s where a lot of organisations get it wrong: they set DMARC up and leave it in monitor mode (‘p=none’). Monitor mode means you’re collecting reports on who’s sending email from your domain. It does not mean spoofed emails are being blocked. That only happens when you move to ‘p=quarantine’ or ‘p=reject’, and plenty of IT teams never make that jump because they’re worried about breaking legitimate email flows.

There’s also a more fundamental limitation worth understanding. DMARC checks that the domain in the visible ‘From’ header aligns with a domain that passed SPF or DKIM. That’s it. Attackers get around this by registering lookalike domains — swap one character, add a hyphen — that pass DMARC cleanly because they’re technically different domains with their own valid records. A 2024 analysis found most Fortune 500 companies still hadn’t enforced DMARC at ‘reject’ level. That’s a lot of exposed attack surface.

Actions worth taking:

  • Check SPF, DKIM, and DMARC are configured across all your sending domains — not just your main domain. Subdomains and third-party email services are commonly missed.
  • If you’re in monitor mode, build a plan to move to ‘p=reject’. Map your legitimate email flows first so you don’t break anything.
  • Set up DMARC reporting so you actually see who’s sending on behalf of your domain.
  • Register common misspellings and lookalike variants of your domain before attackers do.
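A small checker for the DMARC gaps described above (monitor mode, subdomain policy, partial pct, no reporting), as an added example that is not code from the article. The records are constructed strings; a real check would first fetch the TXT record at `_dmarc.<domain>`.

```python
"""Evaluate a DMARC record for the gaps Tip 2 describes: p=none, an
unenforced subdomain policy, a partial pct, and no aggregate reporting.
Added example, not from the article; records below are constructed."""
from typing import Dict, List

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def evaluate_dmarc(record: str) -> dict:
    """Return the policy, the effective subdomain policy, pct, and a list of gaps."""
    tags = parse_dmarc(record)
    issues: List[str] = []
    if tags.get("v", "").upper() != "DMARC1":
        issues.append("not a DMARC1 record")
    policy = tags.get("p", "none").lower()
    sp = tags.get("sp", policy).lower()      # sp= defaults to p= when absent
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        issues.append("p=none: monitor mode, spoofed mail is not blocked")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail is filed as spam, not rejected")
    if sp == "none" and policy != "none":
        issues.append("sp=none: subdomains stay spoofable")
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if not tags.get("rua"):
        issues.append("no rua= address: aggregate reports are not collected")
    return {"policy": policy, "subdomain_policy": sp, "pct": pct, "issues": issues}

# Constructed sample records; the addresses and domains are placeholders
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
    "half-enforced": "v=DMARC1; p=reject; sp=none; pct=50",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        result = evaluate_dmarc(record)
        print(f"{name}: p={result['policy']} sp={result['subdomain_policy']}")
        for issue in result["issues"] or ["no gaps found"]:
            print("  -", issue)
```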

Tip 3: Your Annual Security Training Isn’t Working — Here’s What Does

33.2% of employees with no recent training will click a phishing link. With continuous simulation-based training, that rate drops below 5%. — KnowBe4, 2024

Almost every organisation does security awareness training. Almost none of them do it in a way that actually changes behaviour.

The typical setup: once a year, employees watch a 20-minute video about not clicking suspicious links, answer a quiz, get their certificate, and move on. From a compliance standpoint, the box is ticked. From a security standpoint, virtually nothing has changed. People forget 90% of what they learned within a week, and they’ve learned nothing about the specific types of attacks their role and organisation actually face.

The harder truth is that phishing works not because people are careless or uninformed, but because attackers are genuinely good at what they do. In 2024, 47% of employees who clicked a phishing link said they were distracted at the time. Senior executives — who you’d expect to be the most informed — are 23% more likely to fall for AI-personalised attacks than the average employee, because they’re high-value targets who receive highly tailored lures. New hires are 44% more likely to click in their first 90 days, before they’ve built up enough context about how their organisation operates to spot something off.

What actually works is training that’s continuous, role-specific, and delivered through realistic simulation rather than passive video. Organisations that run adaptive phishing simulation programs see reporting rates reach 60% within a year — compared to 7% for teams doing only quarterly training. The difference isn’t huge effort; it’s a different model entirely.

There’s also a cultural piece that’s easy to overlook. Phishing breaches drag on for an average of 254 days — partly because the employee who clicked was embarrassed to say anything. If your culture makes people afraid to report mistakes, you’re paying for the cover-up in detection time.

Actions worth taking:

  • Replace one-and-done annual training with ongoing, simulation-based programs that test and teach simultaneously.
  • Tailor scenarios by role — the threats facing your finance team look nothing like the ones facing your developers.
  • Make reporting easy and genuinely blame-free. The faster someone reports a click, the faster you can respond.
  • Flag new hires as high-risk during onboarding and run targeted scenarios in their first three months.

Tip 4: MFA Can Be Beaten — Make Sure Yours Can’t

146% surge in adversary-in-the-middle (AiTM) attacks in 2024 — a technique that intercepts sessions and bypasses MFA entirely. — Verizon DBIR / Bright Defense, 2025

MFA is one of the best investments you can make in access security. It’s also increasingly a false sense of security for organisations that haven’t thought carefully about how they’ve implemented it.

Here’s what an AiTM attack looks like in practice. An employee gets a convincing phishing email and clicks through to what looks like their Microsoft 365 login page. They enter their credentials, complete their MFA push notification — everything looks fine. What actually happened: a malicious proxy sat between them and the real login page, captured their session cookie the moment MFA completed, and handed the attacker live access to the account. The MFA event happened. It just didn’t stop anything.

Then there’s MFA fatigue, which is exactly what it sounds like. Attackers flood a user’s authenticator app with push requests until they approve one just to make it stop. The Lapsus$ group used this to get inside Microsoft, Okta, and several other major organisations in 2022. It required zero technical exploitation — just persistence.

The solution is phishing-resistant MFA. FIDO2 authentication — hardware keys like YubiKey or passkeys on modern devices — works differently to push-based MFA. The credential is cryptographically bound to the legitimate site’s domain, and the signed response names the origin the browser was actually on. A cloned login page on a slightly different domain can’t produce a signature the real site will accept, so the attempt fails. There’s no session cookie to capture because the authentication can’t be completed through a proxy in the first place.

Actions worth taking:

  • Audit where you’re currently using SMS or push-based MFA on high-value systems — email, finance tools, admin consoles.
  • Prioritise moving privileged accounts and finance-facing roles to FIDO2/passkey authentication.
  • If you can’t move to FIDO2 immediately, at minimum enable number matching on push notifications to make fatigue attacks harder.
  • Set up alerting for repeated failed MFA attempts — that pattern often signals an active attack.
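The origin binding that makes FIDO2 resist the AiTM proxy described above, reduced to the relying-party checks involved. This is an added example, not code from the article; `RP_ID` and the origins are assumed values, and the signature verification itself is left out because the origin and rpIdHash checks shown are what make a relayed assertion unusable.

```python
"""Why a FIDO2 login cannot be relayed through an AiTM proxy: the data the
authenticator signs names the origin the browser was really on. Added
example, not from the article; RP_ID and origins are assumed values."""
import hashlib
import json
import secrets
from typing import Tuple

RP_ID = "login.example.com"                 # assumed relying party id
EXPECTED_ORIGIN = "https://" + RP_ID

def browser_assert(page_origin: str, challenge: bytes) -> dict:
    """Client side. The browser, not the page, writes the origin into
    clientDataJSON and derives the RP ID from its own origin, so a proxy on
    another host yields an assertion carrying the proxy's host, not ours.
    (If the page asked for our RP ID instead, the browser would refuse outright.)"""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge.hex(),
                              "origin": page_origin}).encode()
    rp_id_seen = page_origin.split("://", 1)[1]
    flags, counter = b"\x05", (1).to_bytes(4, "big")
    auth_data = hashlib.sha256(rp_id_seen.encode()).digest() + flags + counter
    return {"clientDataJSON": client_data, "authenticatorData": auth_data}

def rp_verify(assertion: dict, expected_challenge: bytes) -> Tuple[bool, str]:
    """Relying-party checks on the assertion; the signature over
    authenticatorData || SHA-256(clientDataJSON) would be checked after these."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch (replay or stale session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["authenticatorData"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential scoped to another domain"
    return True, "ok"

def login_via(page_origin: str) -> Tuple[bool, str]:
    """One ceremony: the real RP issues the challenge, a proxy (if present)
    relays it and the response verbatim, the browser signs where it really is."""
    challenge = secrets.token_bytes(32)
    return rp_verify(browser_assert(page_origin, challenge), challenge)

if __name__ == "__main__":
    print("direct:", login_via(EXPECTED_ORIGIN))
    print("via proxy:", login_via("https://login-example.net"))  # constructed proxy host
```

Even if a proxy rewrote the origin field in clientDataJSON, the rpIdHash in authenticatorData would still disagree, and in a real ceremony the signature covers both so any rewrite also breaks it.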

Tip 5: Stopping the Email Is Not Enough — Think About What Happens After

$2.77B lost to Business Email Compromise in the US in 2024. Average wire transfer request: $24,586. And none of those emails contained malware. — FBI IC3 / Hoxhunt, 2025

This is the one that catches a lot of security teams out. The entire focus of email security investment tends to be on the inbox — stop the bad email from arriving, and the problem is solved. But the most costly email attacks often don’t involve a ‘bad’ email in any technical sense.

Take Business Email Compromise. A BEC attack doesn’t need to deliver malware or bypass a spam filter. The email itself is the weapon — a message that looks exactly like it came from your CEO or a trusted supplier, asking someone in accounts payable to update banking details or approve a transfer. If the message gets through and the person doesn’t question it, the money leaves and it doesn’t come back. There’s nothing for your SEG to flag. There’s no malicious link. It’s a social engineering attack delivered over email, and it’s extraordinarily effective.

The response to this isn’t purely a technology problem. It’s partly process — high-risk financial actions triggered by email should require out-of-band verification regardless of how legitimate the email looks. A quick phone call to confirm a banking change costs nothing. Wiring money to the wrong account costs a lot.

On the technology side, effective protection means integrating your email security signals with your wider detection infrastructure — your EDR, your SIEM, your identity platform. A suspicious email event should trigger downstream monitoring, not just a one-time filter verdict. Vendor Email Compromise, where attackers compromise a legitimate supplier’s email account and send fraudulent payment instructions from it, rose 66% in 2024. No spam filter will catch an email from a real supplier you’ve worked with for three years. Behavioural anomaly detection is the only thing that will.

Actions worth taking:

  • Wire transfers, banking changes, and credential resets triggered by email should always require a second verification through a different channel.
  • Integrate your email security tooling with your SIEM and EDR — correlated detection across systems catches what individual tools miss.
  • Look at behavioural analytics for payment patterns — flagging unusual payment instruction emails, even from legitimate addresses.
  • Audit your SaaS app permissions. Calendar access, file sharing integrations, and CRM connectors all extend the attack surface beyond the inbox.
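The relationship-based anomaly detection that Tip 1 and Tip 5 both lean on, applied to mail from a known supplier whose account has been compromised. This is an added example, not the article's or any vendor's code: the baseline, the messages and the field names (`from`, `reply_to`, `dkim_domain`, `body`) are constructed assumptions about what a mailbox-side tool extracts from headers and body.

```python
"""Relationship-based anomaly scoring for mail from a known supplier, the
post-delivery signal Tips 1 and 5 describe. Added example; the baseline,
the messages and the field names are constructed assumptions."""
import re
from typing import Dict, List

# Constructed baseline: what mail from this supplier has looked like so far
SUPPLIER_BASELINE: Dict[str, dict] = {
    "acme-supplies.example": {
        "dkim_domains": {"acme-supplies.example"},
        "reply_to_domains": {"acme-supplies.example"},
        "usual_senders": {"invoices@acme-supplies.example"},
    },
}
PAYMENT_CHANGE = re.compile(
    r"\b(new bank|bank(ing)? details|updated? (our )?account|remit(tance)?s? to)\b", re.I)

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def score_message(msg: dict) -> dict:
    """Flag drift from the supplier's baseline. Every signal below is one a
    DMARC/signature gateway passes, because the mail really is from the supplier."""
    baseline = SUPPLIER_BASELINE.get(domain_of(msg["from"]))
    if baseline is None:
        return {"alert": False, "drift": [], "payment_change": False}
    drift: List[str] = []
    reply_to = msg.get("reply_to") or msg["from"]
    if domain_of(reply_to) not in baseline["reply_to_domains"]:
        drift.append(f"replies redirected to {domain_of(reply_to)}")
    if msg.get("dkim_domain") not in baseline["dkim_domains"]:
        drift.append(f"DKIM signer {msg.get('dkim_domain')} not seen before")
    if msg["from"].lower() not in baseline["usual_senders"]:
        drift.append(f"new mailbox at supplier: {msg['from']}")
    payment_change = bool(PAYMENT_CHANGE.search(msg.get("body", "")))
    # A payment-detail request with any drift is the VEC pattern; two drift
    # signals are worth a look even without a payment ask.
    alert = (payment_change and bool(drift)) or len(drift) >= 2
    return {"alert": alert, "drift": drift, "payment_change": payment_change}

CONSTRUCTED_MESSAGES = [
    {"from": "invoices@acme-supplies.example", "dkim_domain": "acme-supplies.example",
     "body": "Please find attached invoice 4471 for March."},
    # Compromised real account: authenticates cleanly, but replies go elsewhere
    {"from": "invoices@acme-supplies.example", "dkim_domain": "acme-supplies.example",
     "reply_to": "invoices@acme-supplies-billing.example",
     "body": "We have new bank details for future remittances, see attached."},
]

if __name__ == "__main__":
    for msg in CONSTRUCTED_MESSAGES:
        print(score_message(msg))
```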


How Sthenos Can Help

Email security isn’t a product you buy and forget. It’s a set of overlapping decisions — about architecture, tooling, process, and people — that need to work together. Getting one layer right while leaving gaps in another is how organisations end up spending money on security and still getting breached.

We’ve worked with enterprises across industries on exactly this problem. Our approach starts with understanding where your real exposure is, not just running through a compliance checklist. That means looking at your actual email flows, your current tooling, where your people are clicking, and how your authentication is configured — then prioritising fixes based on genuine risk, not theoretical frameworks.

Specifically, we help with:

  • Email Security Assessments — reviewing your SEG configuration, authentication setup, MFA implementation, and awareness posture, with a practical roadmap of what to address first.
  • Security Architecture — designing and building layered email security that combines perimeter and post-delivery controls, integrated with your existing stack.
  • Identity & Access Management — hardening MFA across your environment, migrating high-risk accounts to phishing-resistant authentication, and tying identity controls to email security signals.
  • Security Awareness Programs — building continuous, simulation-based training that reflects the threats your organisation actually faces, not generic content.
  • MDR Integration — connecting email security into your broader SOC environment so threats that make it past the inbox don’t disappear into a blind spot.

If you want to know where your gaps actually are, we’re happy to start with a conversation. The answer is usually more specific — and more fixable — than most teams expect.

Final Thoughts

Email has been the top attack vector for years, and it’s not losing that position any time soon. If anything, AI is making the problem harder — better lures, more volume, faster adaptation to whatever defences you put in place.

None of the five tips here are magic. But they do represent where the gap tends to be between organisations that take email security seriously and those that are still relying on a gateway and an annual training video. At $4.88 million average breach cost and 254 days average detection time, the downside of doing the minimum is getting clearer every year.

The good news is that the fundamentals are well understood. Most organisations aren’t being breached because the attackers are technically superior — they’re being breached because the basics weren’t done, or weren’t done completely. That’s a solvable problem.
