Business Email Compromise: Is Your Inbox Already Leaked?

Your business email is probably already compromised — here’s how to find out

You check your inbox every morning. You reply to clients, send quotes, maybe forward an invoice for approval. You’ve never seen anything suspicious, so your email must be safe — right?

Wrong.

By the time you spot something weird in your email, the damage is usually done. A compromised business email doesn’t announce itself with flashing lights. It works silently. It reads your conversations. It learns your patterns. And then it strikes when you least expect it.

The South African reality

 

In 2025, a KwaZulu-Natal-based logistics company lost over R2.8 million to a business email compromise (BEC) attack. The attacker spent three weeks reading the finance director’s emails, learning exactly how invoices were approved, before intercepting a single payment and rerouting it to a fraudulent account. The company only discovered the loss when the legitimate supplier called to ask why they hadn’t been paid.

This isn’t a sophisticated state-sponsored hack. It’s a crime of opportunity, and it’s rampant.

According to the Southern African Fraud Prevention Service (SAFPS), BEC attacks increased by 41% in 2025 compared to the previous year. The average loss per successful attack? R340,000. For SMEs, that’s often the difference between staying open and shutting down.

The three ways your email gets compromised

 
1. Credential theft through phishing

This is still the number one method. A convincing email from what looks like your bank, your telco, or even a client asks you to “verify your account” or “confirm your details.” You click, you type, and your password is now in the hands of someone who will use it against you.

South Africa is the third-most targeted country in the world for phishing attacks, behind only the United States and the United Kingdom. The reason is simple: we have a rapidly growing digital economy with relatively low cybersecurity awareness.

2. Session hijacking

Even with two-factor authentication enabled, attackers can steal your active session cookie. This means they don’t need your password at all — they just hijack your already-authenticated session. This technique is increasingly common in South Africa, especially targeting professionals who work from public Wi-Fi in coffee shops, co-working spaces, or hotel lobbies.

3. Third-party data breaches

Your email might not have been compromised directly. But if you use the same password for your email that you used for a retail site, a booking platform, or even a newsletter service that got breached, attackers will try that combination everywhere. This is called credential stuffing, and it’s automated. Bots test millions of stolen credentials against email services every day.

A 2025 breach at a prominent South African e-commerce platform exposed over 1.2 million customer accounts. Many of those users reused their passwords for email. Within weeks, hundreds of business email accounts had been accessed.

How to check if your email has been compromised

 

Here’s a practical checklist you can run right now.

Step 1: Check Have I Been Pwned

Visit haveibeenpwned.com and enter your business email address. This site aggregates data from thousands of known breaches and will tell you if your email appears in any of them. Don’t panic if it does — the important thing is to act.

Step 2: Check for unusual forwarding rules

This is the most overlooked sign of compromise. Attackers who gain access to your email often set up forwarding rules to copy all incoming emails to an external address. They do this so they can monitor your activity without logging into your account and risking detection.

 – Gmail: Settings → See all settings → Filters and Blocked Addresses

 – Outlook: Rules → Manage Rules & Alerts

 – Your domain control panel: Look for any forwarding addresses you didn’t set up
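For an administrator checking many mailboxes at once, the same review can be scripted. The following is an added example, not part of the original article: it audits a constructed JSON export of inbox rules and reports any rule that forwards or redirects mail outside your own domains. The field names and the example.co.za domain are assumptions of this example.

```python
import json

# Constructed sample export of inbox rules. The field names (Name, Enabled,
# ForwardTo, RedirectTo, DeleteMessage) are this example's assumed schema.
SAMPLE_RULES = json.loads("""
[
  {"Name": "Newsletters", "Enabled": true, "ForwardTo": [], "RedirectTo": [],
   "DeleteMessage": false},
  {"Name": ".", "Enabled": true, "ForwardTo": ["archive.box@mail.example.net"],
   "RedirectTo": [], "DeleteMessage": true},
  {"Name": "To assistant", "Enabled": true, "ForwardTo": ["pa@example.co.za"],
   "RedirectTo": [], "DeleteMessage": false},
  {"Name": "Invoices", "Enabled": false, "ForwardTo": [],
   "RedirectTo": ["Accounts <accounts@EXAMPLE-pay.test>"], "DeleteMessage": false}
]
""")

def domain_of(address):
    """Return the lower-cased domain of 'Name <user@dom>' or 'user@dom'."""
    addr = address.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rpartition("@")[2].strip().lower()

def is_internal(domain, own_domains):
    """True for an owned domain or a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in own_domains)

def audit_rules(rules, own_domains):
    """Return findings for rules that send mail outside own_domains,
    listing enabled rules that also hide the mail first."""
    own = {d.lower() for d in own_domains}
    findings = []
    for rule in rules:
        targets = (rule.get("ForwardTo") or []) + (rule.get("RedirectTo") or [])
        external = [t for t in targets if not is_internal(domain_of(t), own)]
        if not external:
            continue
        findings.append({
            "rule": rule.get("Name", ""),
            "external_targets": external,
            "enabled": bool(rule.get("Enabled")),
            # Forward-then-delete keeps the message out of the owner's inbox.
            "hides_mail": bool(rule.get("DeleteMessage")),
        })
    return sorted(findings, key=lambda f: (not f["enabled"], not f["hides_mail"]))

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, ["example.co.za"]):
        print(finding)
```

Disabled rules are still reported, because a rule that was switched off after use is evidence worth keeping for the investigation.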

 
Step 3: Review recent login activity

Most email providers log recent login attempts. Check for logins from locations or devices you don’t recognise.

 – Gmail: Scroll to the bottom of the inbox → Details (last account activity)

 – Outlook/Office 365: View account activity or sign-in logs
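When the sign-in log is too long to read by eye, the comparison against what you recognise can be automated. This is an added example, not part of the original article: it treats sign-ins up to a cut-off date as the known baseline and flags later successful sign-ins from a country or device the user has not used before. The CSV columns and all sample rows are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample sign-in export; column names are this example's assumptions.
SAMPLE_CSV = """timestamp,user,ip,country,device,result
2025-03-03T07:58:00,fd@example.co.za,198.51.100.10,ZA,Windows/Outlook,success
2025-03-04T08:02:00,fd@example.co.za,198.51.100.10,ZA,Windows/Outlook,success
2025-03-05T18:40:00,fd@example.co.za,198.51.100.77,ZA,iPhone/Mail,success
2025-03-10T02:13:00,fd@example.co.za,203.0.113.5,NL,Linux/Chrome,failure
2025-03-10T02:14:00,fd@example.co.za,203.0.113.5,NL,Linux/Chrome,success
2025-03-11T08:01:00,fd@example.co.za,198.51.100.10,ZA,Windows/Outlook,success
2025-03-12T09:30:00,fd@example.co.za,198.51.100.90,ZA,Linux/Chrome,success
"""

def review_signins(csv_text, baseline_until):
    """Flag successful sign-ins after baseline_until from a country or
    device the same user never used successfully before."""
    cutoff = datetime.fromisoformat(baseline_until)
    rows = sorted(csv.DictReader(io.StringIO(csv_text)),
                  key=lambda r: r["timestamp"])
    known = {}    # user -> {"country": set(), "device": set()}
    flagged = []
    for r in rows:
        if r["result"] != "success":
            continue
        seen = known.setdefault(r["user"], {"country": set(), "device": set()})
        when = datetime.fromisoformat(r["timestamp"])
        if when > cutoff:
            reasons = [k for k in ("country", "device") if r[k] not in seen[k]]
            if reasons:
                flagged.append((r["timestamp"], r["ip"], reasons))
                continue  # do not learn from a sign-in nobody has vetted yet
        seen["country"].add(r["country"])
        seen["device"].add(r["device"])
    return flagged

if __name__ == "__main__":
    for hit in review_signins(SAMPLE_CSV, "2025-03-07T00:00:00"):
        print(hit)
```

Flagged sign-ins are deliberately not added to the baseline, so a device first seen during a suspicious login keeps being reported until someone confirms it.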

 
Step 4: Check your sent items

Look for emails in your Sent folder that you don’t remember sending. Attackers often use compromised accounts to send phishing emails to the victim’s contacts, making the attack spread further.

Step 5: Review API access and third-party apps

Check which third-party applications have access to your email account. Revoke anything you don’t recognise or no longer use. Attackers sometimes authorise an application or API connection of their own so that their access persists even after you change your password.

What to do if you find a compromise

 

1. Change your password — Use a strong, unique password that you haven’t used anywhere else. A password manager makes this easy.

2. Enable two-factor authentication — Use an authenticator app (Google Authenticator, Microsoft Authenticator) rather than SMS-based 2FA, which can be intercepted via SIM-swap attacks.

3. Check for and remove forwarding rules — As described above.

4. Notify your clients — If your email was compromised, any sensitive information exchanged via email may be at risk. Be transparent.

5. Run a security scan — Check your devices for malware. Some email compromises start with a keylogger installed via a malicious attachment.

6. Contact cybersecurity professionals — A proper penetration testing engagement can identify how the compromise happened and prevent it from recurring.

Prevention is cheaper than cleanup

The logistics company in KZN that lost R2.8 million spent over R150,000 on forensic investigation, legal fees, and recovery efforts. They also lost two major clients who cited security concerns.

A comprehensive security awareness training programme costs a fraction of that. Basic email security measures — strong passwords, 2FA, regular audits, and employee training — can prevent the vast majority of BEC attacks. Your security posture can also be evaluated with a proper vulnerability assessment to identify gaps before attackers do.

The bottom line

 

Your business email is valuable. It’s the key to your client relationships, your financial transactions, and your business reputation. Treat it that way. Don’t wait until a client calls asking why you redirected their payment to a stranger’s bank account.

Check your email security today. A few minutes of inspection could save you millions in damages and protect the trust your clients have placed in you.

As featured in Sunday Times Ignite.
