In 2026, email compromise is one of the most damaging risks facing South African SMEs. The attacks are simple, believable, and targeted at the exact point where money moves: invoices, suppliers, finance teams, directors, and customers.
The worst part is that these attacks often look like normal business communication. A supplier sends updated banking details. A customer asks for an invoice. A director sends an urgent WhatsApp. A "private banker" offers help. By the time anyone realizes something is wrong, the money is gone.
Fake Banking Detail Changes
A common attack starts with a message that looks like it came from a known supplier. The email says their banking details have changed and asks accounts to update the payment record before the next invoice run.
Real-world example: a company receives a familiar-looking supplier invoice with a small banking change note. The email thread looks legitimate because the attacker has copied the tone, signature, and formatting from previous correspondence. The business pays, only to discover the real supplier never changed banks.
Intercepted Invoices
Attackers often monitor compromised inboxes and wait for invoice conversations. When the timing is right, they replace the PDF invoice or send a follow-up with altered banking details.
Real-world example: a customer asks for an invoice and receives two emails minutes apart. The second one says, "Please use this updated invoice instead." The fake version is almost identical, except for the bank account.
Private Banker Scams
Criminals also impersonate banking staff. They may phone or email claiming to be from a private banking department, fraud desk, or payment verification team. Their goal is to create urgency and move the victim away from normal verification steps.
Real-world example: a business owner receives a call from someone who knows their name, bank, and recent payment context. The attacker asks them to "secure" or "verify" a transaction, then guides them into approving the wrong action.
Email Spoofing And Lookalike Domains
Some attacks use spoofed email addresses that appear to come from the real sender. Others use lookalike domains, such as replacing one letter or using a different extension. At a glance, the email looks correct.
This is why finance teams should never rely only on display names. The visible name in an inbox can say anything. The real protection sits in proper domain authentication, careful DNS records, and disciplined payment verification.
WhatsApp Impersonation
WhatsApp has become part of business communication, which makes it part of the attack surface. Attackers impersonate directors, owners, managers, suppliers, and even family members to push urgent payment requests.
Real-world example: a staff member receives a WhatsApp from a number using the owner's profile picture. The message says the owner is in a meeting and needs a supplier paid urgently. The pressure is social, not technical.
How SPF, DKIM And DMARC Help
SPF tells receiving mail servers which systems are allowed to send email for your domain. DKIM adds a cryptographic signature that lets the receiver verify the message was not changed in transit. DMARC ties those checks to the domain in the visible From address and tells receiving servers what to do when they fail.
These records do not stop every scam, but they make domain spoofing harder and give your business better control over who can send on your behalf. Without them, attackers have a much easier time pretending to be you.
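An added example (not part of the original article) of how a business could audit its own SPF and DMARC records for settings that leave spoofing easy. The domain example.co.za, the include host, and all record strings are constructed placeholders; in practice the TXT records would come from a DNS lookup of the domain and of `_dmarc.<domain>`.

```python
# Added example: audit SPF and DMARC TXT records for settings that make spoofing easy.
# Every record below is a constructed sample for the placeholder domain example.co.za.

def audit_spf(txt_records):
    """Findings for the TXT records published at the domain itself."""
    spf = [t for t in (r.lower().split() for r in txt_records) if t and t[0] == "v=spf1"]
    if not spf:
        return ["SPF missing: receivers cannot tell which servers may send"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as a permanent error"]
    terms = spf[0]
    if "+all" in terms or "all" in terms:
        return ["SPF ends in +all: every server passes the check"]
    if "?all" in terms:
        return ["SPF ends in ?all: unlisted servers get a neutral result"]
    if not any(t in ("-all", "~all") or t.startswith("redirect=") for t in terms):
        return ["SPF has no 'all' term: unlisted servers get a neutral result"]
    return []

def audit_dmarc(txt_records):
    """Findings for the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if r.strip().startswith("v=DMARC1")]
    if not dmarc:
        return ["DMARC missing: failed checks have no stated consequence"]
    pairs = (part.split("=", 1) for part in dmarc[0].split(";") if "=" in part)
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC p={policy or '<unset>'}: monitoring only, spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']}: policy covers only part of failing mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua address: nobody receives aggregate reports")
    return findings

def audit_domain(domain, apex_txt, dmarc_txt):
    """Combine both audits into labelled findings for one sending domain."""
    return [f"{domain}: {f}" for f in audit_spf(apex_txt) + audit_dmarc(dmarc_txt)]

WEAK = (["v=spf1 include:_spf.example.net ?all"], ["v=DMARC1; p=none"])
STRONG = (["v=spf1 include:_spf.example.net -all", "site-verification=constructed"],
          ["v=DMARC1; p=reject; rua=mailto:dmarc@example.co.za"])

if __name__ == "__main__":
    for label, (apex, dmarc) in (("weak", WEAK), ("strong", STRONG)):
        print(label, audit_domain("example.co.za", apex, dmarc) or "no findings")
```
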
Why Cheap Email Hosting Becomes Dangerous
Cheap email hosting often means weak filtering, poor logging, shared reputation problems, limited support, missing security features, and no serious help during an incident. That is a problem when your mailbox is where deals, invoices, and payment instructions live.
A business email system should have strong authentication, spam filtering, malware scanning, mailbox security, recovery options, and someone who can actually investigate when things go wrong.
How To Protect The Business
- Verify banking detail changes by phone using a known number, not the number in the email.
- Enable SPF, DKIM, and DMARC for every sending domain.
- Use multi-factor authentication on all email accounts.
- Train finance teams to treat urgency as a warning sign.
- Review mailbox forwarding rules after suspicious activity.
- Move important domains away from weak email hosting.
Final Thought
Email compromise works because it attacks trust, timing, and routine. The businesses that survive it best are the ones that treat email as infrastructure, not just a mailbox.