Merula
Email security · June 2026

“We’re too small to be a target” — what actually happens when criminals send email in your name

The most expensive sentence in small-business security is “nobody would bother attacking us.” The EU’s cybersecurity agency ENISA studied exactly this in its report Cybersecurity for SMEs, and its conclusion is blunt: criminals attack companies of every size, and they often prefer smaller firms — precisely because smaller firms assume they’re not targets and defend themselves accordingly. There’s a second reason, too: small companies supply larger ones, which makes a small firm’s email account a stepping stone into its customers’ organisations.

The stakes aren’t abstract. In ENISA’s survey of European SMEs, more than 80% said a serious cybersecurity incident would significantly harm their business within a week — and 57% said it would likely put them out of business entirely.

A real case, and what it cost

One incident documented in the ENISA report deserves to be read by every business owner. A marketing agency with fewer than 25 employees moved its email to the cloud. One employee fell for a phishing message and entered their login details on a fake page. The criminals took over the mailbox — and then used it to email the agency’s clients: some received fake invoices with new bank details, others received phishing links.

The fraud was discovered by one of the agency’s customers. That customer then cancelled all future business — worth €200,000 to €300,000 per year — citing concerns about the agency’s security.

Notice what actually caused the damage. Not data loss. Not downtime. The agency’s domain and identity were turned into a weapon against the people who trusted it, and the lasting cost was trust.

Why email is the front door

ENISA’s threat analysis found that the overwhelming majority of cyberattacks — 84% — rely on social engineering: manipulating a human rather than breaking a machine. And the medium of social engineering is email, because email has a forty-year-old design flaw: by default, anyone can put your domain in the From field. The classic CEO-fraud pattern (also documented in the ENISA report) needs no hacking at all — just a message that looks like it comes from the boss, asking finance to pay an urgent invoice.

There are two distinct attacks here, and they need different defences:

Account takeover — criminals steal a real mailbox login. Your defences are multi-factor authentication and staff awareness.

Domain spoofing — criminals send from their own servers but forge your domain as the sender. No password is stolen; nothing of yours is “hacked.” Your defence is making receiving mail servers reject the forgery — and that is exactly what DMARC, built on SPF and DKIM, does when configured with an enforcement policy.

Most small businesses have partially addressed the first and completely ignored the second — usually because nothing visibly breaks. Spoofing is invisible to you by default: the fraudulent mail goes to your customers and suppliers, not to you.

The checklist, in order of impact

ENISA’s recommendations for SMEs emphasise that effective security doesn’t have to be expensive — most measures are about discipline, not budget. For email specifically:

  1. Turn on multi-factor authentication for every mailbox, today. This single step would have prevented the agency incident above.
  2. Publish a DMARC record with reporting. Within days, the aggregate reports will show you every server sending mail as your domain — including ones you didn’t authorise.
  3. Move DMARC to enforcement (p=reject) once every legitimate sender passes SPF or DKIM with alignment. From that point, forged mail in your name gets blocked by Gmail, Outlook and every other major receiver that checks DMARC before your customer ever sees it.
  4. Institute a payment-verification rule: no change of bank details and no urgent transfer is ever executed on the strength of an email alone — confirm by phone or in person. ENISA recommends exactly this pairing of technical and procedural controls.
  5. Train, briefly and regularly. Staff who have seen one simulated phishing mail recognise the real one faster.
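To make steps 2 and 3 concrete, and the spoofing defence described above, here is an added example; it is not Merula’s code and uses no real domain’s DNS data. It is a small Python script that parses a DMARC TXT record and reports whether the domain is still only monitoring (p=none) or actually enforcing (p=reject). The two records and the domain example.com are constructed for illustration.

```python
"""
Parse a DMARC DNS TXT record and report whether it is in monitoring or
enforcement mode. Added illustration: the records below are constructed
samples for a hypothetical domain, not any real domain's DNS data.
"""

# Step 2 of the checklist: monitoring only (p=none) with aggregate reports.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
# Step 3: enforcement, after legitimate senders are SPF/DKIM aligned.
ENFORCE_RECORD = ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; "
                  "adkim=s; aspf=s")


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC record into its tag=value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if "p" not in tags:
        raise ValueError("record lacks the required p= policy tag")
    return tags


def assess_dmarc(txt: str) -> dict:
    """Classify a record the way a supplier questionnaire would read it."""
    tags = parse_dmarc(txt)
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {policy!r}")
    # pct defaults to 100 when absent; a lower value applies the policy
    # to only part of the failing mail.
    pct = int(tags.get("pct", "100"))
    findings = []
    if policy == "none":
        findings.append("monitoring only: forged mail is still delivered")
    if policy != "none" and pct < 100:
        findings.append(f"only {pct}% of failing mail is subject to the policy")
    if "rua" not in tags:
        findings.append("no rua= address: you will not see who sends as your domain")
    # sp= covers subdomains; it inherits p= when absent.
    if policy != "none" and tags.get("sp", policy) == "none":
        findings.append("subdomains are unprotected (sp=none)")
    return {
        "policy": policy,
        "pct": pct,
        "reporting": "rua" in tags,
        "enforced": policy == "reject" and pct == 100,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, rec in (("monitoring", MONITOR_RECORD), ("enforcement", ENFORCE_RECORD)):
        result = assess_dmarc(rec)
        print(f"{label}: policy={result['policy']} enforced={result['enforced']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it as-is to see both constructed records assessed. To check your own domain, paste the TXT record published at _dmarc.yourdomain into assess_dmarc(): a record with p=none and a rua= address is exactly what step 2 produces, and the enforced flag only turns true once p=reject applies to 100% of failing mail.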

Only 28% of SMEs in ENISA’s survey had assigned security responsibility to anyone at all. You don’t need a CISO. You need someone who owns this checklist — internally or through your IT provider.

The supply-chain clock is ticking

One more reason to act now rather than eventually: under the EU’s NIS2 framework, larger companies are legally required to manage security in their supply chains. In practice, that means questionnaires and contract clauses flowing down to their suppliers — including small ones. “Do you enforce DMARC?” is appearing on those questionnaires. Being able to answer yes, with evidence, is becoming a condition of doing business with bigger customers — not a nice-to-have.

Merula monitors your SPF, DKIM and DMARC configuration continuously and guides you from a first DMARC record to full enforcement, one explained step at a time. Merula is in development and launches after summer 2026.