
Email Security and Business Email Compromise: A Practical Guide for Malaysian SMEs

IT & Cybersecurity - 2026-06-27 - by Cybergate Technology

How can a Malaysian SME protect its business email from phishing, spoofing and BEC scams?

Protect business email by combining technical controls with good habits. Turn on multi-factor authentication for every account, set up SPF, DKIM and DMARC so scammers cannot spoof your domain, use a quality spam and malware filter, and train staff to verify any payment or banking change by phone. Most email fraud succeeds through people, not software, so a written payment-verification rule and regular awareness reminders matter as much as the tools.

Why email is still the front door for attackers

Email remains the single most common way criminals get into a small business. It is cheap to abuse, it reaches everyone in the company, and it carries the one thing attackers want most, which is your money and your trust. A factory in Shah Alam or a trading firm in Melaka can have solid antivirus and a locked server room and still lose a large sum because one staff member acted on a convincing email.

The reason is simple. Most other defences protect machines, but email targets people. A well-crafted message that looks like it comes from your boss, your supplier or your bank does not need to break any software. It just needs to be believed for thirty seconds. That is why email security has to combine technical controls with human habits, and why no single tool solves it on its own.

For Malaysian SMEs the risk is rising, not falling. As more business moves to cloud platforms like Microsoft 365 and Google Workspace, a single stolen email password can unlock contacts, files, calendars and chat in one go. The good news is that the defences are well understood, mostly affordable, and within reach of any business willing to set them up properly.

What business email compromise actually is

Business email compromise, usually shortened to BEC, is a scam where a criminal uses email to trick someone into sending money or sensitive data to the wrong place. Unlike mass spam, BEC is targeted and quiet. There is often no malware and no obvious red flag, just a believable request from someone you appear to know, arriving at a believable moment.

A typical version goes like this. A staff member in accounts receives an email that looks like it is from the managing director, asking them to urgently pay an invoice or release funds for a confidential deal. The tone is rushed, the amount is plausible, and the request discourages questions. Because it seems to come from authority, the payment goes out before anyone thinks to check.

Another common form is supplier fraud. A criminal who has watched your email traffic sends a message that looks like it is from a real supplier, saying their bank account has changed and future payments should go to a new number. The next genuine invoice gets paid into the scammer's account, and the loss is often only discovered weeks later when the real supplier chases payment.

How attackers get in the first place

BEC and email fraud usually start with one of two things: a stolen password or a convincing impersonation. A stolen password gives the attacker real access to a real mailbox, which is the more dangerous case because every message they send is genuinely from your account. Passwords get stolen through phishing pages, reused logins exposed in other website breaches, and malware on a home or office device.

Impersonation does not need access at all. The attacker simply forges the display name or the sending address so a message looks like it comes from your domain or from a known contact. If your domain has no protection against spoofing, this is alarmingly easy, and the recipient sees a name they trust with no technical warning that anything is wrong.

Often the two combine. A criminal quietly reads a compromised mailbox for days or weeks, learning who pays whom, what invoices look like and how people write. Then they strike at the perfect moment with a message that matches your normal patterns. Understanding this is the key to defence, because it shows why both account security and anti-spoofing controls are needed together.

Multi-factor authentication is the single biggest win

If you do only one thing after reading this, turn on multi-factor authentication, or MFA, on every email account. MFA means that even if a criminal steals a password, they still cannot log in without a second factor such as a code from an app on the user's phone. It blocks the large majority of account takeovers, and on Microsoft 365 and Google Workspace it is included at no extra cost.

Not all MFA is equal, so choose the stronger options where you can. An authenticator app or a hardware key is far safer than a one-time code sent by SMS, which can be intercepted or socially engineered. For owners and finance staff who handle money, treat the strongest available method as non-negotiable, because those accounts are the prime target.

Roll it out to everyone, not just management. Attackers often break into a junior mailbox first and use it as a launch pad, so partial coverage leaves an open door. We cover the practical setup in detail in our guide to multi-factor authentication for Malaysian SMEs, and it is the foundation every other email control sits on.

SPF, DKIM and DMARC explained in plain language

Three behind-the-scenes records protect your domain from being spoofed, and while the acronyms sound technical, the idea is simple. They are public instructions, published in your domain settings, that tell the world how to recognise genuine email from you and what to do with anything that fails the test. Set up together, they make it very hard for a scammer to send mail that appears to come from your company.

Here is what each one does in everyday terms. Skipping any of them leaves a gap, and the three are designed to work as a set rather than alone.

  • SPF (Sender Policy Framework): lists which mail servers are allowed to send email for your domain, so unauthorised servers can be flagged.
  • DKIM (DomainKeys Identified Mail): adds a tamper-proof digital signature to your messages, proving they really came from you and were not altered in transit.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance): ties SPF and DKIM together and tells receiving servers what to do with mail that fails, such as reject it or send it to spam, and can email you reports of attempted abuse.

Most Malaysian SMEs have SPF half-configured and DKIM and DMARC missing entirely, which leaves the domain wide open to impersonation. Getting all three set correctly is a one-time job for someone who knows the platform, and it is one of the highest-value, lowest-cost steps in email security. If you are unsure, this is exactly the kind of task to hand to an IT partner.
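As an added illustration, not Cybergate's own code or tooling, here is a small Python checker that reads the three records in the form they take in DNS and reports the gaps described above, including the half-configured state of SPF present, DKIM absent and DMARC in monitor mode. The domain example-sme.my, the IP range and the DKIM key are constructed placeholders; the include:spf.protection.outlook.com value is the hostname Microsoft 365 tenants list in SPF. The checker evaluates ip4/ip6 mechanisms locally and performs no DNS lookups, so include: terms are reported as unresolved rather than followed.

```python
import ipaddress

# Constructed sample TXT records for a hypothetical domain (example-sme.my is a
# placeholder, the IP range is documentation space, the DKIM key is not real).
GOOD_TXT = {
    "example-sme.my": "v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com -all",
    "_dmarc.example-sme.my": "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example-sme.my; pct=100",
    "selector1._domainkey.example-sme.my": "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY",
}

# The half-configured state the article describes: SPF softfail, no DKIM, DMARC in monitor mode.
WEAK_TXT = {
    "example-sme.my": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_dmarc.example-sme.my": "v=DMARC1; p=none",
}

VERDICT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism) pairs and the qualifier on 'all'."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, all_qualifier = [], None
    for term in parts[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append((qualifier, term))
    return mechanisms, all_qualifier


def spf_check_ip(record, sender_ip):
    """Evaluate ip4/ip6 mechanisms locally. include:, a and mx terms need DNS, so they
    are returned as 'unresolved' to make clear the verdict is only partial."""
    mechanisms, all_qualifier = parse_spf(record)
    ip = ipaddress.ip_address(sender_ip)
    unresolved = []
    for qualifier, term in mechanisms:
        name, _, value = term.partition(":")
        if name.lower() in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return {"result": VERDICT[qualifier], "matched": term, "unresolved": unresolved}
        else:
            unresolved.append(term)
    # Nothing matched: the qualifier on 'all' decides (neutral if there is no 'all' term).
    return {"result": VERDICT.get(all_qualifier, "neutral"), "matched": "all", "unresolved": unresolved}


def parse_tags(record, version):
    """Parse 'tag=value; tag=value' records; DMARC and DKIM share this layout."""
    tags = {}
    for item in record.split(";"):
        key, _, value = item.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != version:
        raise ValueError(f"not a {version} record")
    return tags


def assess_domain(domain, txt, dkim_selectors):
    """List the gaps a receiving mail server would see in this domain's records."""
    findings = []
    spf = txt.get(domain)
    if spf is None:
        findings.append("SPF missing: any server can claim to send for this domain")
    else:
        _, all_qualifier = parse_spf(spf)
        if all_qualifier in (None, "+", "?"):
            findings.append("SPF has no -all or ~all: unlisted senders are not failed")
        elif all_qualifier == "~":
            findings.append("SPF softfail (~all): forged mail is flagged, not rejected")
    for selector in dkim_selectors:
        key = txt.get(f"{selector}._domainkey.{domain}")
        if key is None:
            findings.append(f"DKIM selector '{selector}' not published: outgoing mail cannot be verified")
        elif not parse_tags(key, "DKIM1").get("p"):
            findings.append(f"DKIM selector '{selector}' has an empty key: signatures will not verify")
    dmarc = txt.get(f"_dmarc.{domain}")
    if dmarc is None:
        findings.append("DMARC missing: receivers get no instruction for failed mail")
    else:
        tags = parse_tags(dmarc, "DMARC1")
        if tags.get("p", "none") == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        if "rua" not in tags:
            findings.append("DMARC has no rua= address: you will not receive abuse reports")
    return findings


if __name__ == "__main__":
    for label, txt in (("good", GOOD_TXT), ("weak", WEAK_TXT)):
        print(label, assess_domain("example-sme.my", txt, ["selector1"]) or ["no gaps found"])
```

Run against the weak set it lists four gaps; against the good set it lists none. In real use the records would come from a DNS query (for example `dig TXT _dmarc.yourdomain`) and the DKIM selector names from your mail platform's admin console.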

Choosing and tuning a good mail filter

A quality spam and malware filter is your automated first line of defence, catching the bulk of dangerous mail before a human ever sees it. Microsoft 365 and Google Workspace both include strong filtering as standard, and for most SMEs the built-in protection, properly configured, is enough. The mistake is assuming it is switched on at full strength by default, when it often is not.

Spend time tuning the settings rather than leaving them at the minimum. Enable protection against impersonation and lookalike domains, quarantine suspicious attachments, and turn on safe-link and safe-attachment scanning where your plan offers it. These features check links and files at the moment a user clicks, not just when the mail arrives, which catches threats that go live after delivery.

Review the quarantine and reports from time to time so you understand what is being blocked and whether anything important is caught by mistake. A filter that no one ever checks slowly drifts out of step with how the business works. Treating it as a living setting, not a one-off switch, keeps protection high without frustrating staff with lost legitimate mail.

Spotting a phishing or BEC email

Even with strong filters, some bad mail will reach the inbox, so staff need to recognise the warning signs. Most fraudulent messages share a few traits, and a calm thirty-second check defeats the majority of them. The biggest tell is pressure, because urgency is the scammer's main weapon for stopping people from thinking.

Train everyone to pause on the common signals. None of these alone proves fraud, but two or three together should trigger a verification call before anyone acts.

  • Unexpected urgency, secrecy or pressure to act immediately.
  • A request to change bank account or payment details.
  • A sender address that is slightly misspelled or uses a public domain instead of the company one.
  • Greetings, grammar or tone that feel a little off for that person.
  • Links that, on hovering, point to an address that does not match the supposed sender.
  • Requests for gift cards, wire transfers or confidential staff data.

We keep a running set of real-world examples in our article on phishing examples for Malaysian SMEs, which is a useful reference to share with your team. Familiar examples stick better than abstract warnings, and the more your staff have seen, the faster they spot the next one.
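The checks in the list above can be partly automated. The following Python script is an added example, not part of the original article, that scores one message against those signals: a display name that belongs to a known colleague but a different address, a public or lookalike sending domain, urgency and payment wording, and a link whose visible text does not match its destination. The company domain, staff list and sample message are constructed, and the thresholds (two signals trigger a verification call, a domain within two keystroke edits counts as a lookalike) are this example's own choices.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed reference data for a hypothetical company; no real addresses or people.
COMPANY_DOMAIN = "example-sme.my"
KNOWN_STAFF = {"ahmad razak": "ahmad.razak@example-sme.my"}
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|confidential|right away|do not discuss)\b", re.I)
PAYMENT = re.compile(r"\b(bank (account|details)|account number|wire transfer|gift cards?)\b", re.I)
LINK = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def edit_distance(a, b):
    """Levenshtein distance, used to spot domains a couple of keystrokes from the real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, target):
    """Close to the target but not it: a legitimate subdomain is not a lookalike,
    a domain two edits away or with the target buried inside it is."""
    if domain == target or domain.endswith("." + target):
        return False
    return edit_distance(domain, target) <= 2 or target in domain


def host_of(text):
    """Hostname shown in anchor text, or None when the text is not URL-like."""
    text = text.strip()
    if " " in text or "." not in text:
        return None
    return urlparse(text if "://" in text else "http://" + text).hostname


def score_message(headers, body_html):
    """Collect the warning signs in one message; two or more mean a verification call."""
    signals = []
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    known = KNOWN_STAFF.get(name.strip().lower())
    if known and addr != known:
        signals.append(f"display name '{name}' belongs to {known} but mail is from {addr}")
    if domain in PUBLIC_DOMAINS:
        signals.append(f"sender uses public domain {domain} instead of a company domain")
    if is_lookalike(domain, COMPANY_DOMAIN):
        signals.append(f"sender domain {domain} resembles {COMPANY_DOMAIN} but is not it")
    text = headers.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body_html)
    if URGENCY.search(text):
        signals.append("urgency, secrecy or pressure wording")
    if PAYMENT.search(text):
        signals.append("request involving bank or payment details")
    for href, anchor in LINK.findall(body_html):
        shown, real = host_of(anchor), urlparse(href).hostname
        if shown and real and shown != real:
            signals.append(f"link text shows {shown} but points to {real}")
    return {"signals": signals, "verify_by_phone": len(signals) >= 2}


# Constructed sample: the sending domain swaps 'm' for 'rn', a classic lookalike.
SAMPLE_HEADERS = {
    "From": '"Ahmad Razak" <ahmad.razak@exarnple-sme.my>',
    "Subject": "Urgent - confidential supplier payment",
}
SAMPLE_BODY = (
    "<p>Please process this today. Our supplier has new bank account details, "
    'see <a href="http://203.0.113.55/portal">https://example-sme.my/invoice</a>. '
    "Do not discuss with anyone until done.</p>"
)

if __name__ == "__main__":
    report = score_message(SAMPLE_HEADERS, SAMPLE_BODY)
    for signal in report["signals"]:
        print("-", signal)
    print("verify by phone:", report["verify_by_phone"])
```

On the sample message every one of the five checks fires. The point of scoring rather than blocking is the one the article makes: no single signal proves fraud, so the output is a prompt for the phone call, not an automatic decision.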

The payment verification rule that stops the biggest losses

The most effective single defence against BEC has nothing to do with software. It is a simple, written rule that any change to payment details, or any unusual or large payment request, must be confirmed by a second channel before money moves. That usually means a phone call to a known number, not a reply to the email and not a number supplied in the email itself.

Make the rule specific and unavoidable so it does not rely on memory or mood. For example, require that any supplier bank-account change is verified by calling the supplier's existing contact, and that any payment above a set amount needs a second approver. Write it down, put it in your finance process, and make clear that following it is never something anyone will be blamed for, even if it slows a payment.

The power of this rule is that it works even when every technical control fails. If the email is a perfect forgery sent from a genuinely compromised account, the phone call still catches it, because the real person on the other end never made the request. For most SMEs this one habit prevents the largest losses they would ever face.

Protecting your email accounts and passwords

Strong account hygiene closes the door that stolen passwords open. Every staff member should use a long, unique password for their work email, never reused from another website, because reused passwords exposed in unrelated breaches are a leading cause of account takeover. A password manager makes unique passwords practical, since no one can remember dozens of strong ones.

Pair good passwords with sensible account settings. Remove access promptly when someone leaves, review which apps and devices are connected to each mailbox, and watch for sign-ins from unexpected locations, which both Microsoft 365 and Google Workspace can alert you to. These small administrative habits catch a compromise early, often before any money is at risk.

Be especially careful with the accounts that matter most. The owner, the finance team and anyone with administrator rights are the highest-value targets, so give them the strongest MFA, the tightest settings and the most frequent reviews. A breach of an ordinary mailbox is bad, but a breach of an admin account can expose the entire organisation.

Mobile phones and email on the go

Business email increasingly lives on phones, which is convenient but adds risk. A lost or stolen phone with a logged-in mailbox is a direct route into your business, and small screens make it harder to spot a suspicious sender or hover over a link to check it. Email security has to cover the devices people actually use, not just office desktops.

Set a few baseline rules for mobile access. Every phone with work email should have a screen lock and encryption enabled, and you should be able to remove company email remotely if a device is lost. On managed platforms this is straightforward to enforce, and it means a missing phone is an inconvenience rather than a breach.

Encourage staff to treat requests received on mobile with the same caution as on a computer. Scammers know people are more rushed and less careful on their phones, often replying between meetings or while travelling. The payment-verification rule applies just as firmly to a message read on a phone as to one read at a desk.

When an account is already compromised

Sometimes the breach has already happened, and how you respond in the first hours decides how much damage it does. The warning signs include colleagues or customers reporting strange messages from you, emails appearing in your sent folder that you did not write, mail rules you did not create that quietly forward or delete messages, and unexpected password-reset notices.

If you suspect a compromise, act quickly and in order. Change the password immediately, sign out all sessions, and confirm that MFA is on and controlled by the right person. Then check for malicious mailbox rules and forwarding that the attacker may have set up to keep reading your mail, because removing their access is pointless if a hidden rule is still feeding them copies.

Once contained, warn anyone the attacker may have emailed, especially finance contacts and suppliers, so they treat recent messages with suspicion and verify any payment instructions. If money has already moved, contact your bank without delay, since fast action sometimes allows a transfer to be recalled. This is also the moment to bring in IT help to investigate how the breach happened and close the gap.
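To show what the mailbox-rule check in the steps above looks like in practice, here is an added Python example (not from the article, and not either platform's API) that audits a list of inbox rules and the mailbox-level forwarding setting for the patterns attackers leave behind. The rule format and the sample mailbox are constructed for this example. Two indicators go slightly beyond the article's list and are included as common practitioner heuristics: rule names that are blank or a single character, and rules that delete the very security alerts the article says to watch for.

```python
from datetime import datetime

COMPANY_DOMAIN = "example-sme.my"  # constructed placeholder
# Folders most users never open; intercepted replies get parked there so the owner never sees them.
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email", "archive", "conversation history"}
MONEY_WORDS = {"invoice", "payment", "bank", "transfer", "remittance"}
ALERT_WORDS = {"password", "sign-in", "security alert", "suspicious", "unusual activity"}

# Constructed inbox rules in this example's own simplified shape (not a platform API schema).
SAMPLE_RULES = [
    {"name": "Newsletters", "created": "2025-11-02T09:10:00+08:00", "enabled": True,
     "keywords": ["newsletter"], "forward_to": [], "move_to": "Newsletters", "delete": False},
    {"name": ".", "created": "2026-06-20T02:14:00+08:00", "enabled": True,
     "keywords": ["invoice", "payment", "bank"], "forward_to": ["archive.acc0unts@outlook.com"],
     "move_to": "RSS Feeds", "delete": False},
    {"name": "Cleanup", "created": "2026-06-20T02:15:00+08:00", "enabled": True,
     "keywords": ["password", "sign-in", "security alert"], "forward_to": [], "move_to": None, "delete": True},
]
# Mailbox-level forwarding is separate from inbox rules and has to be checked on its own.
SAMPLE_MAILBOX = {"owner": "ahmad.razak@example-sme.my", "smtp_forwarding": "archive.acc0unts@outlook.com"}


def is_external(address):
    return address.rpartition("@")[2].lower() != COMPANY_DOMAIN


def audit_rule(rule):
    """Return the reasons one enabled rule looks like attacker persistence (empty if it looks normal)."""
    reasons = []
    if not rule["enabled"]:
        return reasons
    external = [a for a in rule["forward_to"] if is_external(a)]
    if external:
        reasons.append("forwards mail outside the company to " + ", ".join(external))
    if rule["delete"]:
        reasons.append("deletes matching mail")
    if rule["move_to"] and rule["move_to"].lower() in HIDDEN_FOLDERS:
        reasons.append(f"moves mail into rarely read folder '{rule['move_to']}'")
    keywords = {k.lower() for k in rule["keywords"]}
    diverts = bool(rule["delete"] or rule["move_to"] or rule["forward_to"])
    if diverts and keywords & MONEY_WORDS:
        reasons.append("targets payment-related mail: " + ", ".join(sorted(keywords & MONEY_WORDS)))
    if diverts and keywords & ALERT_WORDS:
        reasons.append("hides account security alerts: " + ", ".join(sorted(keywords & ALERT_WORDS)))
    if len(rule["name"].strip()) <= 1:
        reasons.append("rule name is blank or a single character")
    return reasons


def audit_mailbox(mailbox, rules, since=None):
    """Audit every rule plus mailbox forwarding. 'since' is an ISO timestamp of the last
    known-good state; rules created after it are listed even when they look harmless."""
    cutoff = datetime.fromisoformat(since) if since else None
    suspicious = []
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            suspicious.append({"name": rule["name"], "reasons": reasons})
    forwarding = mailbox.get("smtp_forwarding")
    return {
        "owner": mailbox["owner"],
        "suspicious_rules": suspicious,
        "external_forwarding": forwarding if forwarding and is_external(forwarding) else None,
        "created_since": [r["name"] for r in rules
                          if cutoff and datetime.fromisoformat(r["created"]) >= cutoff],
    }


if __name__ == "__main__":
    report = audit_mailbox(SAMPLE_MAILBOX, SAMPLE_RULES, since="2026-06-15T00:00:00+08:00")
    for rule in report["suspicious_rules"]:
        print(f"rule {rule['name']!r}:", "; ".join(rule["reasons"]))
    print("external forwarding:", report["external_forwarding"])
    print("rules created since known-good date:", report["created_since"])
```

The rule and forwarding data would in practice be exported from the mail platform's admin tools; the audit logic is the part worth keeping, because the same three patterns (forward out, hide in a folder, delete alerts) recur in almost every compromised mailbox.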

Backups protect you when email fails

Email security and backup belong together, because even good defences are never perfect. If an account is compromised and mailboxes are deleted, or a malicious message triggers ransomware that spreads from a click, a reliable backup is what lets you recover rather than rebuild from nothing. Many SMEs wrongly assume their cloud provider keeps permanent copies of everything, which is not how it works.

Microsoft 365 and Google Workspace protect against their own outages, but they are not a substitute for a proper backup of your data. Deleted items eventually age out, and a user or attacker with access can remove content that the platform will not restore forever. A dedicated backup keeps independent copies you control, with longer retention and faster recovery.

Treat email as one of the critical systems in your wider recovery plan. Our guide to backup and disaster recovery for Malaysian SMEs walks through how to protect cloud email alongside files and servers, so that whatever goes wrong, you can get back to work quickly with your data intact.

Building a simple email security policy

All of these measures work best when they are written into a short, plain policy that staff actually read. It does not need to be a thick document. A single page that sets out the rules, who is responsible, and what to do when something looks wrong is far more useful than a long manual that sits unread in a drawer.

Cover the essentials in language anyone can follow. State that MFA is required, that payment changes need second-channel verification, that suspicious mail should be reported rather than deleted quietly, and that personal accounts should not be used for company business. Name a person to contact when staff are unsure, because a quick question is always cheaper than a wrong guess.

Revisit the policy at least once a year and after any incident, because both the threats and your business change. Pair the document with brief, regular reminders, since security awareness fades without repetition. A short refresher every few months keeps the habits alive far better than a single training session that everyone forgets.

What it costs and where to start

The reassuring part is that strong email security is mostly affordable, and the highest-value steps cost little or nothing beyond a bit of setup time. MFA, SPF, DKIM, DMARC and the filtering built into Microsoft 365 and Google Workspace are included in plans you may already pay for. The real investment is the effort to configure them correctly and the discipline to keep good habits.

Start with the steps that block the most damage for the least cost. Turn on MFA everywhere, set up SPF, DKIM and DMARC, tune your mail filter, and write the payment-verification rule. Those alone defeat the large majority of attacks a typical SME will face, and they can usually be completed within a week or two.

Where time, confidence or in-house skill runs short, bringing in help is sensible. Cybergate provides managed IT support from RM500 a month and onsite support from RM150 for the first hour, covering email security setup, monitoring and staff guidance for businesses across Shah Alam, the Klang Valley and Melaka. The cost of prevention is always a fraction of the cost of a single successful scam.

Email security as part of a bigger picture

Email is the most exploited channel, but it is one part of a wider security posture. The same accounts, devices and people that handle email also handle banking, customer data and cloud files, so good email habits naturally reinforce everything else. Treating security as a whole, rather than a list of separate products, is what keeps a small business genuinely safe.

That bigger picture includes keeping devices patched and protected, controlling who has access to what, backing up your data, and staying mindful of PDPA obligations when personal information is involved. Each piece supports the others, and a weakness in one often becomes the way attackers reach the rest. Email is simply the door they try first.

If you want a structured view of where your business stands, our cybersecurity services page lays out how the pieces fit together for a Malaysian SME. Starting with email is the right move, because it removes the most common and most expensive risk, and it builds the awareness that makes every other improvement easier.

Key takeaways

Email is where most attacks on small businesses begin, and business email compromise is the costliest form because it relies on trust rather than malware. The defence is a layered one, mixing technical controls that machines enforce with human habits that no software can replace, and neither half works well without the other.

Prioritise the steps that block the most harm for the least cost, and do them now rather than later. The combination below covers the vast majority of real-world email fraud aimed at Malaysian SMEs, and most of it uses tools you likely already own.

  • Turn on MFA for every email account, strongest method for finance and admins.
  • Set up SPF, DKIM and DMARC to stop your domain being spoofed.
  • Tune your mail filter and review the quarantine regularly.
  • Enforce a written payment-verification rule using a second channel.
  • Keep passwords unique, remove access when staff leave, and watch for odd sign-ins.
  • Back up your cloud email and know the steps to take if an account is compromised.

Need help with this?

Cybergate provides IT support, cybersecurity, Microsoft 365 and SEO for Malaysian businesses. Free consultation, no obligation.


Frequently Asked Questions

What is the difference between phishing and business email compromise?

Phishing is usually a broad attempt to trick many people into clicking a link or giving up a password. Business email compromise is targeted and often involves no malware at all, using a believable impersonation of a boss or supplier to redirect a real payment. BEC tends to cause larger single losses because it abuses trust and authority rather than technology.

Do SPF, DKIM and DMARC stop all spoofed email?

They stop the most common form, where a scammer forges your own domain to fool your staff or customers. They do not stop lookalike domains that are similar but not identical, so they work best alongside mail filtering, MFA and staff awareness. Together these controls close most of the gaps a single measure leaves open.

Is the email security built into Microsoft 365 and Google Workspace enough?

For most Malaysian SMEs the built-in protection is strong, but only when it is properly configured and paired with MFA, anti-spoofing records and good habits. The defaults are often not at full strength, and neither platform replaces a real backup of your mailboxes. Tuning the settings and adding a backup turns a good baseline into solid protection.

How can I tell if my business email has been hacked?

Watch for sent messages you did not write, contacts reporting strange emails from you, mail rules or forwarding you did not set up, and unexpected password-reset alerts. If you see these, change the password, sign out all sessions, check for hidden forwarding rules, and confirm MFA is on. Then warn your contacts and bank if any payment requests were involved.

What should our payment-verification rule say?

It should require that any change to bank or payment details, and any unusual or large payment, is confirmed through a second channel before money moves, such as a phone call to a known number. The number must come from your records, not from the email itself. Adding a second approver for larger amounts strengthens it further.

How much does it cost to secure our email properly?

The core steps (MFA, SPF, DKIM, DMARC and filtering) are included in Microsoft 365 and Google Workspace plans you may already have, so the main cost is setup time. If you bring in help, Cybergate offers managed IT from RM500 a month and onsite support from RM150 for the first hour, which is a fraction of the cost of a single successful scam.