What is email fraud?

Email fraud is an umbrella term for phishing and other malicious activities that use email to deceive, often with the goal of stealing money or accessing sensitive business information. These scams traditionally involve impersonating suppliers, contractors, or senior staff to trick recipients into transferring money or sharing confidential information. It’s a form of real-time phishing and a social engineering attack, in which the attacker relies on familiarity and trust to bypass security concerns; sadly, the person being targeted is often unaware until the damage is done.

For firms handling client data, financial details, or legal documents, the risks are serious. A single successful scam email can lead to significant financial loss. At PCM, we specialise in small business IT support. In this guide, our IT experts explain what phishing is and how small businesses can prevent email fraud. 

How it works

Fraudsters pose as contractors, suppliers, creditors, finance teams and in some cases senior management to request payments or changes to bank details.

Typically, someone in finance receives an email from a familiar name. It might be a supplier or a colleague. The message includes a payment request, either with a fake invoice attached or bank details in the body that differ slightly from previous payment requests. The recipient makes the payment on behalf of their business, only to realise retrospectively the sender wasn’t who they claimed to be.

These scams often begin with a single email that looks legitimate. The invoice format, company signature, and overall presentation match previous communications. In more advanced cases, scammers have already infiltrated your systems. They observe how your team writes and mimic it to increase their chances of success. Because the email feels familiar, it doesn’t raise alarms. The goal is to slip through unnoticed and quietly defraud your business. 

Falling victim: what if I accidentally opened a spam email attachment?

If you’ve opened a suspicious email, be cautious. You should not immediately reply to the message, click any further links, or enter login credentials. It is essential to mark the message as junk or spam, block the sender and report the incident to your IT support team who can then accurately assess any potential risk.

Once the immediate risk is addressed, it’s important to build your team’s confidence in recognising phishing attempts and to feel comfortable questioning any email that requests action. Verifying emails before responding is key to reducing your exposure to phishing attempts.  

Here are some common tell-tale signs of phishing PCM recommends watching out for: 

  • Suspicious sender details. The name might look familiar, but the email address is often from a free domain like Gmail or with subtle misspellings, instead of the business domain. Check the full address carefully. 
  • Reply address doesn’t match. When you draft a response, the reply is addressed to a different account from the one the message appears to have come from. If the reply-to field doesn’t match the original sender, confirm by phone before taking any action. 
  • Unexpected bank details. The invoice includes new account information that doesn’t match previous payments. It is best to confirm any changes over the phone with a trusted contact, before transferring the requested sum. 
  • Unusual tone or formatting. The mail you have received feels too formal, missing a usual sign-off, or lacks the company’s email signature. If the tone doesn’t sound like the person you know, double-check. 
  • Missing or incorrect purchase order numbers. If your business uses PO numbers, make sure the invoice references a valid one. If it doesn’t match what you expected, verify with your finance team before continuing. 
  • Requests that don’t make sense. You’re asked to pay for something you didn’t order or weren’t expecting. If it feels out of the blue, or a request irrelevant to your role, don’t hesitate to discuss with your team or the sender over the phone. 
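Several of these signs can be checked mechanically from the message headers before anyone replies. The script below is an added example, not part of PCM’s guidance or tooling: it parses a constructed sample message and flags a mismatched reply-to domain, a free-mail sender domain, a sender domain that is a near-misspelling of a known supplier, and a failing DMARC result of the kind the Domain Protection section below relies on. The supplier allow-list and free-mail list are assumed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real email) showing several of the signs above:
# a lookalike sender domain, a Reply-To on a free-mail domain, and a failing DMARC result.
SAMPLE = """From: Accounts Payable <accounts@acme-supplies.co.uk>
Reply-To: accounts.acme@gmail.com
To: finance@example.com
Subject: Updated bank details for invoice 4471
Authentication-Results: mx.example.com; spf=pass dmarc=fail header.from=acme-supplies.co.uk

Please use the new account number below for this invoice.
"""

FREE_MAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
KNOWN_SUPPLIERS = {"acme-suppliers.co.uk"}  # assumed allow-list of trusted supplier domains


def domain_of(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot subtle misspellings of a known domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(raw):
    """Return the tell-tale signs found in a raw message's headers."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    if reply_to and reply_to != sender:
        findings.append("reply-to domain differs from sender domain")
    if sender in FREE_MAIL or reply_to in FREE_MAIL:
        findings.append("free-mail domain used for a business sender")
    for known in KNOWN_SUPPLIERS:
        if sender != known and edit_distance(sender, known) <= 2:
            findings.append(f"sender domain is a lookalike of {known}")
    if "dmarc=fail" in str(msg["Authentication-Results"] or ""):
        findings.append("DMARC check failed for the sender domain")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE):
        print("-", finding)
```

A hit from any of these checks is a prompt to verify by phone, as the list above recommends, not proof of fraud on its own.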

Protecting your business: PCM's IT support tips

You may now be wondering, “How do I protect my small business from phishing and email fraud?” 

At PCM, our IT support helps businesses implement practical, enhanced protections. Our approach combines technical solutions with user awareness to reduce the risk of your business falling victim.

Here are the key protections we recommend: 

  • Two-Factor Authentication (2FA). This adds an extra layer of security to your login process by requiring two forms of identification, most commonly a password and code sent to your mobile device or backup email. Even if a password is compromised, attackers remain unable to access your account without the second factor. 
  • Conditional Access. A security framework that restricts login access based on location, device type, or user behaviour. Businesses can additionally block logins from abroad, unapproved devices, or outside office hours to reduce exposure. 
  • Safe Links and Email Filtering. This add-on feature scans email links and attachments in real time, helping prevent users from clicking on malicious content. It’s a simple and effective way to prevent threats. 
  • Token Theft Detection. Token theft is a newer method where attackers steal session tokens, the data that keeps you logged in, instead of passwords. PCM uses endpoint protection and session monitoring to detect and block threats before they escalate. 
  • Staff Training. Educating employees to recognise suspicious emails, verify payment requests, and report unusual activity is one of the most effective defences. Awareness reduces the chance of human error. 
  • Domain Protection. We configure SPF, DKIM, and DMARC records to prevent email spoofing and monitor for impersonation attempts. These protocols help ensure that only authorised senders can use your domain, making it harder for scammers to pose as your business. 

Final thoughts

All in all, scam emails are becoming harder to detect. They’re designed to look routine and focus on mimicking everyday communication to bypass filters and catch recipients off guard. As these attacks become increasingly advanced, businesses need layered protections, including add-on features like safe links and conditional access, alongside clear, thorough reporting processes and teams trained to question suspicious messages.

If you're looking for a managed service provider for your IT, we are here to help. Speak to our IT support team about your anti-virus and email configuration settings to make sure your technology is working as hard as possible to protect you from email fraud. We’ll help you build a safer, smarter system.