
The picture most owners hold of an attacker is out of date. Badly written email. Suspicious link. Nigerian prince premise. Awareness training, do not click, multi-factor authentication, move on.
That advice was right in 2018. It is not right now.
Three things have shifted in the last eighteen months. Together they explain why the businesses we audit, almost without exception, find their email security posture is calibrated to the old picture. Worth a calm half hour.
Picture your operations manager opening what looks like a normal Microsoft sign-in page. They type the password. They type the code from the authenticator app. The page loads and they get on with their day.
Behind that page, somebody else just logged in too. Same password. Same code. Same session. They are now sitting inside the mailbox alongside the rightful owner, with no need to ask for the password again.
This is the growth area in attacks against the kind of business you run. The login screen looks exactly like Microsoft’s because it is being proxied to Microsoft. Whatever your operations manager types, the attacker types at the same time. The session cookie is theirs as soon as the legitimate user gets in.
The mental model worth updating is this. The old attack needed you to be wrong. To click. To be fooled. The new one needs you to be right. To do exactly what you would normally do. To sign in. To carry on. There is nothing for awareness training to bite on, because there is nothing the user did wrong.
Multi-factor authentication did not fail. It got bypassed by tooling that did not exist when most owners last looked at any of this.
Once they are inside the mailbox, the interesting part begins.
They set a quiet inbox rule. Often its name is a single full stop or a single letter, easy to miss in the rule list. Anything mentioning ‘invoice’, ‘bank’, ‘payment’ or a client name gets routed to a folder nobody opens. The rightful owner of the mailbox never sees the conversation that is about to happen.
They watch a real conversation. A live booking thread. A contractor invoice. A client about to pay a deposit. They take a few days to learn the cadence. Who replies, when, in what tone, with which sign-off.
Then they reply. Inside the genuine thread. From the genuine mailbox. With one detail changed. The bank account.
The other side sees a reply from the right person, on the right thread, at the right time of the month. There is no link to flag. No attachment to scan. No spoof to detect. The first sign anything is wrong is a payment landing in the wrong account, by which point the money is already in motion.
This is the attack pattern that has quietly become the most expensive thing happening to UK recruitment SMEs. The ‘authorised’ in ‘authorised push payment fraud’ is the giveaway. Your team authorised the payment because the email asking for it looked exactly normal.
Recruitment businesses run three workflows that conventional security advice does not handle well.
You accept attachments from strangers all day. CVs, right-to-work documents, signed terms of business. The ‘do not open attachments from unknown senders’ rule is unworkable when the unknown sender is a candidate and your job is to open the attachment.
Your payroll, contractor invoice, and timesheet approval threads are predictable. Same recipient, same week of the month, same approval pattern. That is the exact shape an attacker wants once they sit inside a mailbox.
Your recruiter-to-client thread is a high-trust channel. A compromised client mailbox replying inside a live booking thread is the single hardest message for any filter to flag. Real sender. Real conversation. New bank account.
Underneath all of it sits candidate data. NI numbers, passport scans, salary history, right-to-work documentation. The regulatory bar for documented controls is rising, not falling, and the audit conversation is starting to ask different questions from those it asked three years ago.
Most recruitment SMEs we work with sit on Microsoft 365 Business Premium. That is the right plan. It is also not, on its own, a configured posture. The licence is a toolkit. The toolkit needs setting up.
The settings that matter, and that we frequently find unset on a default tenant:
Anti-phishing policies that recognise when somebody is impersonating the directors and finance approvers most likely to be spoofed.
An audit of inbox rules that auto-forward, auto-delete, or move replies into hidden folders.
Restricted app permissions, so a member of staff cannot quietly hand a malicious app the keys to read mail without anyone in admin noticing.
Conditional access that requires a managed device or recognised location for mailbox access.
A written payment-change protocol that does not live in email. Two-channel verification, no exceptions, including for the directors.
None of those are exotic. All of them ship with the licence the business already pays for. They just need switching on and tuning.
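As an added example, not part of the original article, this is how two of those settings are switched on from the ExchangeOnlineManagement module: an anti-phishing policy that protects named directors and finance approvers from impersonation, and the outbound controls that stop an inbox rule forwarding mail outside the tenant. The policy names, the protected people and the domain are placeholders; conditional access and app-consent restrictions live in Entra rather than Exchange and are not shown here.

```powershell
# Added example (not the article's own code): impersonation protection and
# auto-forward blocking in Exchange Online. All names below are placeholders.
Connect-ExchangeOnline

# People most likely to be spoofed: format is 'Display Name;address'.
# Constructed placeholders; substitute the real directors and approvers.
$protectedUsers = @(
    'Jane Director;jane.director@example.com',
    'Sam Finance;sam.finance@example.com'
)

# Impersonation protection needs Defender for Office 365 Plan 1,
# which Business Premium includes.
New-AntiPhishPolicy -Name 'SME-Impersonation' `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect $protectedUsers `
    -TargetedUserProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction MoveToJmf `
    -EnableFirstContactSafetyTips $true `
    -EnableSimilarUsersSafetyTips $true `
    -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -PhishThresholdLevel 2

# Scope the policy to everyone receiving mail at the placeholder domain.
New-AntiPhishRule -Name 'SME-Impersonation-Rule' `
    -AntiPhishPolicy 'SME-Impersonation' `
    -RecipientDomainIs 'example.com'

# Stop inbox rules (and Outlook forwarding settings) from silently
# sending copies of mail to addresses outside the tenant.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Quarantining impersonation hits is the strict choice; start with MoveToJmf (junk folder) if the business is nervous about false positives on genuine client mail, then tighten once the safety tips have been observed for a few weeks.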
If you have a Tuesday afternoon and a calm head, three checks are worth more than any awareness session.
Run an inbox rule audit across every mailbox. Look for rules with one-character names, rules that move messages by keyword, rules that forward to outside addresses. Most setups have a few. Most owners have never looked.
Pull a list of every app with permission to read or send mail in the tenant, and remove anything nobody recognises. The grants are usually older than anyone expects.
Sit down with whoever signs off on payments and write a one-page protocol. Two channels for any bank account change. No exceptions, including for you. Make it a written control, not a culture, because cultures dilute under pressure.
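The first two checks, scripted, as an added example rather than anything the article or its authors ship. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules and an account allowed to read every mailbox's rules and the tenant's permission grants. The keyword watch list is constructed; add the client names that matter to the business.

```powershell
# Added example (not the article's own code): inbox rule audit across every
# mailbox, then a list of apps holding delegated mail permissions.
Connect-ExchangeOnline
Connect-MgGraph -Scopes 'Application.Read.All', 'DelegatedPermissionGrant.Read.All'

# Check 1: rules that hide, delete, forward, or key on payment language.
$keywords = @('invoice', 'bank', 'payment', 'remittance')   # constructed watch list

$suspect = foreach ($mbx in Get-EXOMailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $why = @()
        if ($rule.Name.Trim().Length -le 1) { $why += 'one-character name' }
        if ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or $rule.RedirectTo) {
            $why += 'forwards or redirects'
        }
        if ($rule.DeleteMessage) { $why += 'deletes message' }

        # Any keyword condition on subject or body that matches the watch list.
        $words = @($rule.SubjectContainsWords) +
                 @($rule.BodyContainsWords) +
                 @($rule.SubjectOrBodyContainsWords)
        $hits = $words | Where-Object {
            $w = $_
            $keywords | Where-Object { $w -match $_ }
        }
        if ($hits) {
            $why += "keyword: $($hits -join ', ')"
            if ($rule.MoveToFolder) { $why += "moves to '$($rule.MoveToFolder)'" }
        }

        if ($why) {
            [pscustomobject]@{
                Mailbox = $mbx.UserPrincipalName
                Rule    = $rule.Name
                Enabled = $rule.Enabled
                Why     = $why -join '; '
            }
        }
    }
}
$suspect | Format-Table -AutoSize

# Check 2: every app with a delegated grant on a Mail.* scope.
Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.Scope -match 'Mail\.' } |
    ForEach-Object {
        $sp = Get-MgServicePrincipal -ServicePrincipalId $_.ClientId
        [pscustomobject]@{
            App         = $sp.DisplayName
            AppId       = $sp.AppId
            ConsentType = $_.ConsentType   # AllPrincipals = admin-wide grant
            Scope       = $_.Scope
        }
    } | Sort-Object App | Format-Table -AutoSize
```

Two caveats. Get-InboxRule only returns rules the mailbox exposes through its normal rule list, so the mailbox audit log remains the backstop for anything tampered with below that level. And the second check covers delegated (on-behalf-of-user) grants only; application-level permissions assigned directly to a service principal are reviewed separately through Get-MgServicePrincipalAppRoleAssignment.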
The shift in 2026 is not that phishing got worse. It is that the attacker stopped needing the user to be wrong. They just need the user to be busy, the controls to be default, and the conversation to be real.
That is a different problem to solve.
