What spam filters are actually built to catch
Spam filters work by scanning for known bad patterns — suspicious sender domains, links to blacklisted sites, common phishing phrases, malicious attachments. They're genuinely good at this. The volume of obvious junk that gets blocked before it reaches your inbox is enormous.
But the threats that actually cost UK businesses money are increasingly built to pass those checks. They don't come from suspicious domains. They don't contain dodgy links. They look, from a technical standpoint, completely legitimate — because in many cases they are technically legitimate. The problem is who is sending them, and why.
Here are the three categories worth understanding.
Business Email Compromise — when the threat looks like your boss
Business Email Compromise (BEC) is one of the most financially damaging cyber threats facing UK businesses. The setup is straightforward: an attacker impersonates someone inside your organisation — usually a director, the MD, or someone in finance — and sends a request to a member of staff.
The request is typically urgent. Transfer funds to this account. Pay this invoice before close of business. Don't put it through the normal process — I need this done today.
These emails often arrive from a spoofed address that looks almost identical to the real thing, or in some cases from an address that genuinely has been compromised. There's no malicious link. No attachment. Nothing for a spam filter to flag. It's just a plausible-sounding email from what appears to be someone senior.
The NCSC has documented cases where UK businesses have lost tens of thousands of pounds to a single BEC attack. The losses are hard to recover because the transfers are often processed quickly and the funds moved on.
The defences are process-based, not technical. Any request to transfer money or change payment details should require a verbal confirmation via a known phone number — not a reply to the email itself. That one step stops most BEC attempts.
Supplier impersonation and invoice fraud
A variant on BEC that's increasingly common targets the supplier relationship rather than the internal hierarchy. The attacker identifies a supplier your business works with regularly, then contacts your finance team impersonating that supplier.
The message is simple: we've changed our bank account details. Please update your records and ensure this month's payment goes to the new account.
The email may arrive from a slightly altered domain — invoices@suppliernam e.com instead of the supplier's genuine address — or in some cases from a genuine supplier account that has itself been compromised. Either way, the request looks routine. Finance teams process it. The next payment goes to the attacker's account.
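The "almost identical" addresses described above, both for impersonated directors and for lookalike supplier domains, can be caught mechanically before a finance team ever reads the message. The following is an added example, not code from the original article: it compares the sender's domain against a constructed list of trusted supplier domains, normalising common substitutions (digits for letters, "rn" for "m", accented or non-ASCII characters) before measuring similarity. The trusted domains, the confusable table and the 0.85 threshold are illustrative assumptions.

```python
"""Flag sender domains that closely resemble a trusted supplier domain.

Added example for the supplier-impersonation section; not code from the
original article. Trusted domains, sample addresses and thresholds are
constructed for illustration.
"""
import unicodedata
from difflib import SequenceMatcher

# Constructed list: domains your finance team legitimately receives invoices from.
TRUSTED_DOMAINS = {"brightwidgets.com", "acme-parts.co.uk"}

# Digit-for-letter swaps seen in lookalike domains (assumption: a small
# illustrative table, not an exhaustive list of confusables).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(domain: str) -> str:
    """Lower-case, drop non-ASCII (e.g. Cyrillic homoglyphs), map confusable
    digits to letters and collapse the classic 'rn' -> 'm' trick.

    Both the candidate and the trusted domain go through this, so a domain that
    only differs by one of these tricks normalises to the same string.
    """
    d = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    d = d.lower().strip().translate(CONFUSABLES)
    return d.replace("rn", "m")


def sender_domain(address: str) -> str:
    """Extract the domain part of an address such as 'Name <a@b.com>'."""
    return address.strip(" <>").rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.85):
    """Return ('trusted', domain), ('lookalike', closest_trusted) or ('unknown', None).

    'trusted' requires an exact match; anything merely similar is a lookalike
    and should be routed for out-of-band verification, not processed.
    """
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted", domain
    norm = normalise(domain)
    best, score = None, 0.0
    for t in trusted:
        t_norm = normalise(t)
        if norm == t_norm:
            return "lookalike", t          # identical once the tricks are undone
        ratio = SequenceMatcher(None, norm, t_norm).ratio()
        if ratio > score:
            best, score = t, ratio
    if score >= threshold:
        return "lookalike", best          # one or two characters away
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample senders: genuine, three lookalikes, one unrelated.
    for addr in ("invoices@brightwidgets.com", "invoices@brightwidgets.co",
                 "accounts@br1ghtwidgets.com", "billing@acrne-parts.co.uk",
                 "sales@unrelated.example"):
        print(f"{addr:32} -> {classify_sender(addr)}")
```

Anything classified as "lookalike" is exactly the case the article warns about: the message may read as routine, but the domain is not the one on file. Treat the result as a trigger for the phone-call check, not as proof of fraud, since a supplier can legitimately change domains.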
This is sometimes called Authorised Push Payment (APP) fraud, and UK Finance reported that APP fraud losses across UK businesses ran into hundreds of millions of pounds in 2024 alone. The "authorised" element is what makes it difficult — the payment was made by a real employee following what appeared to be a legitimate instruction.
Again, the countermeasure is procedural: any change to supplier payment details should be confirmed by calling the supplier directly using a number from your own records, not from the email itself.
Account takeover — when a real inbox is the weapon
The most convincing email attack of all is one that comes from a real account that has been taken over. If an attacker compromises a supplier's email account through a phishing attack or credential theft, every email they send from that account is technically legitimate. It passes every spam check. It comes from a real domain. It's the real person's email history, signature, and writing style.
From there, the attacker can read the inbox to understand relationships and ongoing conversations, then insert themselves at the right moment. They might intercept an ongoing invoice discussion and redirect payment. They might impersonate the supplier in a way that references real project details. There's nothing obviously wrong because nothing technically is wrong — at the email layer.
Protecting against this requires strong authentication on your own accounts and encouraging the same in your supply chain. Where your platform supports it, passkeys are now the better option — they're tied to a specific device and can't be phished in the way a password can. Where passkeys aren't yet available, MFA is the next best thing. Either way, removing the single-password-only route significantly reduces the risk of a compromised account being used against you.
What your business can do
The good news is that the practical steps aren't complicated. They don't require large budgets or technical expertise to implement. What they require is consistency.
- Verify any financial request out of band. A phone call to a known number, not a reply to the email. This applies to internal requests (BEC) and supplier payment changes alike.
- Use passkeys where available, MFA where not. Passkeys can't be phished and don't rely on a shared secret — they're a meaningful step up from traditional MFA. Microsoft 365 and Google Workspace both support them. If your accounts aren't using passkeys or MFA yet, that's the first thing to address.
- Set up email authentication records. SPF, DKIM, and DMARC records on your domain make it harder for attackers to spoof your email address convincingly. Your IT provider can set these up in under an hour.
- Train staff to pause before acting on urgent requests. BEC attacks rely on urgency. A short delay — just enough to verify — breaks the loop.
- Review your supplier payment change process. If your finance team doesn't currently have a formal procedure for verifying bank account changes, write one. It's a short document that could save you a significant sum.
Raising the bar without creating friction
None of these measures require your staff to become cybersecurity experts. They require sensible habits and clear processes — the kind of thing a good IT partner can help you put in place and keep current.
The businesses that tend to get caught are not careless. They're busy. They trust their colleagues and suppliers. They process payments efficiently because that's good practice. Attackers exploit exactly those qualities.
The answer isn't to slow everything down or treat every email with suspicion. It's to add lightweight checkpoints at the specific moments where fraud typically happens — payment requests, account detail changes, urgent authorisations — and make those checkpoints habitual.
Your spam filter handles the junk. These measures handle the threat that your spam filter was never designed to see.