
Impersonation Emails from Compromised Accounts

Not every suspicious email comes from a fake address. Some impersonation emails are sent from legitimate business accounts that have been compromised, making them harder for staff to recognise.

Why “it came from their real email address” is not enough

A finance assistant receives an email from a supplier they deal with every month. The name is right. The email address is right. The message refers to a real invoice and asks for payment details to be updated before the next run.

That is exactly why it is dangerous.

Impersonation emails are often discussed as if they always come from lookalike domains, strange addresses or badly written messages. Many do. But some of the most convincing attacks come from legitimate email accounts that have been compromised. The attacker is not pretending to be the supplier from the outside. They may be using the supplier’s real mailbox.

For a busy team, this changes the whole risk picture. The usual quick checks — sender name, email address, previous conversation history — may not be enough.

What is a compromised email account?

A compromised email account is an account that someone unauthorised has managed to access. That could be through a stolen password, a successful phishing attempt, weak authentication, reused credentials or another security weakness.

Once inside, an attacker may be able to read previous emails, understand relationships, copy writing styles, reply within existing threads, set forwarding rules or send messages from the genuine account. Depending on the circumstances, they may use that access to request payments, steal data, distribute malicious links or widen the attack to other contacts.

The National Cyber Security Centre advises organisations to treat phishing as a layered defence issue, not simply something users must spot every time. Its guidance notes that phishing can be part of targeted attacks and that businesses should combine technical controls, reporting routes, user awareness and account protection.

Why these emails are so convincing

A compromised mailbox gives an attacker context. They may know who approves invoices, when payments are due, what projects are active and how people normally speak to one another.

That context allows them to make a request feel routine rather than suspicious. For example, an attacker may reply to an existing email chain rather than starting a new conversation. They may send a payment change request just before an expected invoice is due. They may refer to real colleagues, real documents or real order numbers. They may also remove obvious warning signs because the message is being sent from a trusted account.

This is why staff should not be expected to rely on instinct alone. A well-written impersonation email from a real account can fool careful people, particularly when they are busy, under pressure or handling a familiar process.

The business processes most at risk

Impersonation emails usually aim to exploit a process, not just an inbox. They work best where a request can be actioned quickly without independent verification.

Common risk areas include supplier bank detail changes, urgent payment requests, payroll amendments, password reset requests, document sharing links, purchase approvals and requests for confidential files.

Finance teams are often targeted because payment processes create obvious opportunities. Senior leaders can also be impersonated because their names carry authority. Operations and administration teams may be approached because they handle suppliers, onboarding, files and day-to-day requests across the business.

The issue is not that these teams are careless. It is that their roles involve trust, speed and routine communication. Attackers take advantage of that.

Why technical email checks still matter

Compromised accounts are difficult because the email may genuinely come from the sender’s normal domain. Even so, email security still matters.

Anti-spoofing controls, filtering, malware protection and suspicious link detection can help reduce the volume and impact of malicious email. The NCSC highlights the value of measures such as anti-spoofing controls, filtering incoming phishing emails, helping users report suspicious messages and protecting accounts with stronger authentication.

Businesses should also review their own email domain security. If attackers can spoof your domain, they may use your brand to target customers, suppliers or staff. If a real account is compromised, the focus shifts to account protection, monitoring and response.

Neither problem is solved by one tool. Email security works best as a combination of controls.

Staff awareness should focus on behaviour, not blame

Security awareness training is most useful when it reflects how people actually work. Telling staff to “check the sender” is no longer enough.

A better approach is to help teams recognise risky requests, even when the email appears to come from someone genuine. Staff should feel comfortable pausing when a message involves a payment change, unusual urgency, a new login, a confidential file, a gift card purchase, a password reset or an unexpected download.

A no-blame reporting culture matters. If someone feels they will be criticised for asking, they may stay quiet. If reporting is simple and normal, suspicious emails can be checked earlier, and compromised account activity may be spotted before more damage is done.

Practical checks for businesses

Businesses can reduce the risk of impersonation emails by tightening both technology and process.

Payment changes should usually be verified through a separate trusted route, not by replying to the email. For example, call a known contact using a number already held on record, not a number supplied in the message.

Senior approval requests should have a clear process, especially where money, credentials or sensitive data are involved. Staff should know when they are allowed to pause a request, even if it appears to come from a director, supplier or client.

Account security should also be reviewed. Multi-factor authentication, strong password habits, sensible mailbox permissions and careful monitoring can help reduce the likelihood and impact of account compromise. Password Management & Credential Storage, Email Security and Security Awareness Training may all be relevant where a business wants a more structured approach.

Endpoint protection, patching and monitoring can also play a supporting role, particularly where malicious links or attachments are used to gain access in the first place.

What to do if you suspect a genuine account has been compromised

If an email seems wrong but comes from a real account, do not ignore the doubt.

Avoid clicking links, opening attachments or replying with sensitive information until the request has been checked. Verify the message through another route. Let your IT provider or internal IT contact know, especially if someone has clicked a link, entered details or downloaded a file.

If your own business account may have been compromised, the response may include changing passwords, reviewing sign-in activity, removing suspicious forwarding rules, checking mailbox permissions, scanning devices and reviewing whether any customers, suppliers or staff need to be notified. The exact response depends on the circumstances, the systems involved and whether personal data or financial loss may be affected.
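One of the response steps above, reviewing mailbox rules, can be scripted so that a rule export is checked consistently rather than by eye. The script below is an added example and is not the article's own material or any vendor's tool; the InboxRule record and the sample rules are constructed, and the field names are assumptions that would need to be mapped onto whatever rule export your mail platform actually produces. It flags the behaviours that matter in a compromise: forwarding outside the organisation, deleting or hiding messages, and doing so specifically for subjects such as invoices or bank details so the real owner never sees the replies.

```python
"""Review exported mailbox inbox rules for signs of account compromise.

Added example, not from the original article. The InboxRule shape below is a
constructed, simplified record (hypothetical); map your mail platform's own
rule export onto it before use.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INTERNAL_DOMAIN = "example.co.uk"  # assumption: the business's own mail domain

# Subjects attackers commonly suppress so the real owner never sees replies
SENSITIVE_SUBJECTS = ("invoice", "payment", "bank", "remittance", "password", "mfa")
# Folders users rarely look in, so mail moved there goes unnoticed
LOW_VISIBILITY_FOLDERS = ("rss feeds", "rss subscriptions", "deleted items",
                          "junk email", "archive", "conversation history")


@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: List[str] = field(default_factory=list)
    delete: bool = False
    move_to_folder: Optional[str] = None
    mark_as_read: bool = False
    subject_contains: List[str] = field(default_factory=list)


def is_external(address: str) -> bool:
    """True when the address is outside the business's own domain."""
    return address.lower().rsplit("@", 1)[-1] != INTERNAL_DOMAIN


def review_rule(rule: InboxRule) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    external = [a for a in rule.forward_to if is_external(a)]
    hides = rule.delete or (
        rule.move_to_folder is not None
        and rule.move_to_folder.lower() in LOW_VISIBILITY_FOLDERS)

    if external:
        findings.append("forwards mail outside the organisation: " + ", ".join(external))
    if rule.delete:
        findings.append("deletes matching messages")
    elif hides:
        findings.append(f"moves matching messages to low-visibility folder '{rule.move_to_folder}'")
    if rule.mark_as_read and hides:
        findings.append("marks messages read before hiding them")
    sensitive = [s for s in rule.subject_contains if s.lower() in SENSITIVE_SUBJECTS]
    if sensitive and (hides or external):
        findings.append("targets sensitive subjects: " + ", ".join(sensitive))
    if len(rule.name.strip()) <= 2:
        findings.append(f"near-empty rule name {rule.name!r}")
    return findings


def review_rules(rules) -> List[Tuple[str, str, List[str]]]:
    """(mailbox, rule name, findings) for every rule that raised a finding."""
    out = []
    for rule in rules:
        findings = review_rule(rule)
        if findings:
            out.append((rule.mailbox, rule.name, findings))
    return out


# Constructed sample export: one legitimate rule and one typical attacker rule
SAMPLE_RULES = [
    InboxRule(mailbox="finance@example.co.uk", name="Newsletters",
              move_to_folder="Newsletters", subject_contains=["newsletter"]),
    InboxRule(mailbox="finance@example.co.uk", name=".",
              forward_to=["finance.updates@mail-example.net"],
              delete=True, mark_as_read=True,
              subject_contains=["invoice", "payment", "bank"]),
]

if __name__ == "__main__":
    for mailbox, name, findings in review_rules(SAMPLE_RULES):
        print(f"{mailbox} rule {name!r}:")
        for finding in findings:
            print("  -", finding)
```

Run against a real export, every flagged rule should be confirmed with the mailbox owner rather than deleted blindly: a rule that forwards invoices to an external bookkeeper may be legitimate, but the owner will know, and an attacker's rule typically has a meaningless name and was created at a time the owner cannot account for.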

Where personal data, contractual duties, financial loss or regulatory issues are involved, businesses should seek appropriate advice where required.

A better way to think about email trust

The safest assumption is not that every email is dangerous. That would make work impossible.

A more practical assumption is that trust should depend on the request, not just the sender. A routine update from a supplier may need no special action. A change of bank details, unexpected file link or urgent payment request deserves more care, even if it comes from a familiar address.

Impersonation emails work because they fit into ordinary business communication. The answer is not panic. It is a sensible mix of email security, account protection, staff awareness and clear internal processes.
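The idea that trust should depend on the request rather than the sender, and the earlier point under "Why technical email checks still matter", can be shown together in code. Mail sent from a genuinely compromised account will pass SPF, DKIM and DMARC, because it really does come from the supplier's domain and servers, so authentication results alone cannot catch it; a second layer has to look at what is being asked. The script below is an added example, not the article's, the NCSC's or any product's code. The sample messages are constructed, the risk phrases are an illustrative starting list rather than a complete one, and the three verdicts (hold, verify, deliver) are assumed policy names for the example.

```python
"""Layered check for an inbound email: sender authentication first, then the
nature of the request. Added example, not from the original article. Sample
messages are constructed; the risk phrases are illustrative, not exhaustive."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Dict, List

# Phrases that mark a request worth verifying out of band, whoever sent it
RISKY_REQUEST_PATTERNS = {
    "bank detail change": r"\b(new|updated?|change[sd]?)\b.{0,40}\b(bank|account|payment) details?\b",
    "urgency pressure": r"\b(urgent(ly)?|before (the )?next (payment )?run|asap)\b",
    "credential request": r"\b(password|login|sign[- ]?in) (reset|details|link)\b",
    "gift card purchase": r"\bgift ?cards?\b",
}


def authentication_results(msg) -> Dict[str, str]:
    """Collapse Authentication-Results header(s) into {'spf': 'pass', ...}."""
    results: Dict[str, str] = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            results.setdefault(method.lower(), verdict.lower())
    return results


def risky_requests(text: str) -> List[str]:
    """Labels of every risky-request pattern found in subject + body."""
    return [label for label, pattern in RISKY_REQUEST_PATTERNS.items()
            if re.search(pattern, text, re.I | re.S)]


def domain_of(header_value) -> str:
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(raw: str) -> Dict[str, object]:
    """Return auth results, request risks and a verdict: hold / verify / deliver."""
    msg = message_from_string(raw, policy=policy.default)
    auth = authentication_results(msg)
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    risks = risky_requests(text)
    # A Reply-To on a different domain steers the thread to a mailbox the
    # real account owner does not see; treat it as a request-level risk.
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != domain_of(msg["From"]):
        risks.append("reply-to domain differs from sender")
    failed = [m for m in ("spf", "dkim", "dmarc") if auth.get(m, "none") != "pass"]
    if failed:
        verdict, reason = "hold", "sender authentication failed: " + ", ".join(failed)
    elif risks:
        verdict, reason = "verify", "authenticated sender, but request needs out-of-band confirmation"
    else:
        verdict, reason = "deliver", "authenticated sender, routine content"
    return {"auth": auth, "risks": risks, "verdict": verdict, "reason": reason}


# Constructed sample: a genuine supplier mailbox (all checks pass) asking for a
# bank detail change just before the payment run, exactly the case in the text.
SAMPLE_SUPPLIER_CHANGE = """\
From: Dana Patel <dana.patel@supplier-example.com>
To: finance@example.co.uk
Subject: RE: Invoice 4471 - payment run
Authentication-Results: mx.example.co.uk; spf=pass smtp.mailfrom=supplier-example.com;
 dkim=pass header.d=supplier-example.com; dmarc=pass header.from=supplier-example.com
Message-ID: <constructed-001@supplier-example.com>

Hi,

Following our call last week we have changed our bank details. Please update
your records before the next payment run so invoice 4471 goes to the new
account. Let me know once done.

Thanks,
Dana
"""

# Constructed sample: the routine message the text says needs no special action.
SAMPLE_ROUTINE = """\
From: Dana Patel <dana.patel@supplier-example.com>
To: finance@example.co.uk
Subject: RE: Invoice 4471 - copy attached
Authentication-Results: mx.example.co.uk; spf=pass smtp.mailfrom=supplier-example.com;
 dkim=pass header.d=supplier-example.com; dmarc=pass header.from=supplier-example.com
Message-ID: <constructed-002@supplier-example.com>

Hi, here is a copy of the invoice as requested. Thanks, Dana
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SUPPLIER_CHANGE, SAMPLE_ROUTINE):
        result = assess(sample)
        print(result["verdict"], "-", result["reason"], result["risks"])
```

The first sample passes every authentication check and would sail through a filter that stops at "is this really the supplier?", which is the point of the article: the verdict is "verify" purely because of what the message asks for. The same message with a failing DMARC result is held before anyone reads it, and the routine invoice copy is delivered untouched, so staff are only asked to pause on the small number of requests that warrant it.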
