Spotting phishing and business email compromise before it costs you
Fake invoices, urgent requests from the 'CEO', and credential-stealing emails are the most common – and most expensive – attacks on Israeli SMBs. Here is how to recognize and stop them.
The most damaging attacks on small businesses rarely look dramatic. There is no obvious virus or locked screen – just a convincing email that persuades an employee to transfer money, change bank details, or hand over a password. This is business email compromise (BEC), and for many Israeli SMBs it causes larger direct losses than ransomware. Because it relies on deception rather than malware, it often slips past technical defenses and lands directly in front of a busy person.
What Business Email Compromise Looks Like
BEC takes a few recognizable forms. In CEO fraud, an attacker impersonates a manager or owner and asks an employee to make an urgent payment or buy gift cards 'quietly.' In invoice fraud, a real or spoofed supplier sends an invoice with new bank details, redirecting a legitimate payment to the attacker. In account takeover, a real mailbox is compromised and the attacker watches conversations, then inserts themselves at the moment a payment is due. The common thread is money or credentials, plus a sense of urgency that discourages double-checking.
Red Flags to Train Your Team On
Teach staff to slow down when an email combines money or sensitive data with pressure to act fast or stay discreet. Watch for sender addresses that are subtly wrong (a lookalike domain or a reply-to that differs from the display name), unexpected changes to bank or payment details, requests that bypass normal procedures, and unusual phrasing from a familiar contact. A link that asks you to 'log in to view a document' is a classic credential-harvesting trap – hover before clicking, and never enter your Microsoft 365 password into a page you reached from an email.
Technical Controls That Reduce the Risk
Awareness works best alongside technical safeguards. Enforce MFA everywhere so a stolen password is not enough to take over a mailbox. Configure SPF, DKIM, and DMARC on your domain so attackers cannot easily spoof your own company's address. Enable external-sender warning banners and anti-impersonation protection in Microsoft Defender for Office 365. Together these controls block a large share of attempts and flag the ones that get through.
Build a Verification Habit
The single most effective defense against payment fraud costs nothing: verify any change to bank details or any unusual payment request through a second, trusted channel – a phone call to a known number, not the contact details in the suspicious email. Make this an explicit, non-negotiable procedure so employees feel empowered to pause a payment without fear of overstepping. Attackers rely on urgency and authority; a calm 'let me confirm that directly' defeats most of them.
Closing the gap before it costs you
If you are not sure whether your domain is protected against spoofing or whether your team would recognize a well-crafted BEC attempt, that uncertainty is the gap attackers exploit. NetFortress helps Israeli SMBs lock down email authentication, configure Microsoft 365 anti-phishing controls, and run practical staff awareness – without the jargon. A short call with our team will give you a clear picture of where your business stands.
Frequently asked questions
What is business email compromise (BEC)?
BEC is an attack that uses a convincing email – rather than malware – to persuade an employee to transfer money, change bank details, or hand over a password. For many Israeli SMBs it causes larger direct losses than ransomware, because it slips past technical defences and targets a busy person.
What are the most common forms of BEC?
CEO fraud (an attacker impersonates a manager and demands an urgent payment), invoice fraud (a supplier's bank details are changed to redirect a real payment), and account takeover (a genuine mailbox is compromised and the attacker steps in when a payment is due). All combine money or credentials with urgency.
What red flags should our team watch for?
Pressure to act fast or stay discreet around money, sender addresses that are subtly wrong, unexpected changes to bank or payment details, requests that bypass normal procedures, and any link asking you to 'log in to view a document'. Hover before clicking and never enter your password into a page reached from an email.
How do we stop payment fraud specifically?
Build a verification habit: confirm any change to bank details or any unusual payment request through a second, trusted channel – a phone call to a known number, not the details in the email. Make it a non-negotiable procedure so staff feel safe pausing a payment.
Which technical controls reduce phishing risk?
Enforce MFA everywhere, configure SPF, DKIM, and DMARC so attackers cannot easily spoof your domain, and enable external-sender warnings and anti-impersonation protection in Microsoft Defender for Office 365. Together these block a large share of attempts and flag the rest.
Related articles
A practical cybersecurity checklist for Israeli SMBs with no in-house IT team
Plenty of small businesses run without anyone whose job is IT. This is a plain checklist you can work through yourself, grouped by how much difference each item makes, so an owner or office manager can see where they stand.
Read articleWhy ransomware hits small businesses – and what to fix first
The common weak points attackers exploit and the first protections SMBs should prioritize.
Read articleSPF, DKIM, and DMARC: stop attackers spoofing your business email
Three DNS records decide whether a stranger can send email that looks exactly like it came from your company. Most small businesses have them half-configured or missing. Here is what SPF, DKIM, and DMARC do, in plain language, and how to roll them out without breaking your email.
Read articleRelated services
Security Awareness Training
Practical, plain-language employee training that reduces phishing risk and builds everyday security habits across your team.
Learn moreCloud Services / Microsoft 365
Microsoft 365 setup, identity security, permissions review, and secure configuration for the cloud environment your business runs on.
Learn moreReady to secure your business without building an internal IT team?
Book a free consultation and get a practical first look at your IT and Microsoft 365 security posture.