Email Security Basics for Small Businesses: 7 Settings That Stop Most Attacks

If you’re a small business, email is the front door to your company. Here are 7 practical settings that reduce phishing and account takeover risk fast.

Most security incidents I see in small businesses start with email. Not because people are careless – because attackers are persistent and email is where work happens.
The good news: you don’t need a “big company” budget to make a big improvement. You need a handful of settings and habits that close the most common gaps.

Here are 7 practical email security moves that stop a huge percentage of real-world attacks.

1) Turn on MFA for every mailbox (not just the owner)

Multi-Factor Authentication (MFA) means a password alone isn’t enough to log in. If someone steals a password, MFA can still stop them.
What to do:
Require MFA for every user
Make sure it covers email + admin accounts
Avoid “MFA optional” setups

2) Protect admin accounts like they’re the keys to the building

Admin accounts control everything. If an attacker gets admin access, they can:
create hidden forwarding rules
reset passwords
disable security settings
What to do:
Use separate admin accounts (don’t browse email as admin)
Enforce MFA and strong login rules
Limit who has admin privileges

3) Block legacy sign-ins (older login methods attackers love)

Some older sign-in methods don’t support modern security controls and are commonly abused.
What to do:
Disable legacy authentication where possible
Review sign-in logs for unusual attempts
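If your mail runs on Microsoft 365, the "older sign-in methods" above are Basic authentication for protocols such as IMAP, POP, SMTP AUTH and ActiveSync, and you can check and block them from PowerShell. The following is an added example, not part of the original article or of any vendor script; it assumes the ExchangeOnlineManagement module is installed, the account running it holds the Exchange Administrator role, and "Block Basic Auth" is a policy name chosen here for illustration.

```powershell
# Added example (not from the article): audit and block legacy Basic authentication
# in Exchange Online. Assumes ExchangeOnlineManagement is installed and the signed-in
# account is an Exchange Administrator.
Connect-ExchangeOnline

# 1. Which mailboxes have an explicit authentication policy, and which just inherit
#    the tenant default? An empty AuthenticationPolicy means "use the org default".
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Select-Object UserPrincipalName, AuthenticationPolicy |
    Sort-Object AuthenticationPolicy

# 2. Create a policy that turns off every Basic-auth protocol. A new policy blocks
#    all of them by default; the switches are spelled out so the intent is visible.
New-AuthenticationPolicy -Name "Block Basic Auth" `
    -AllowBasicAuthActiveSync:$false  -AllowBasicAuthAutodiscover:$false `
    -AllowBasicAuthImap:$false        -AllowBasicAuthMapi:$false `
    -AllowBasicAuthOfflineAddressBook:$false -AllowBasicAuthOutlookService:$false `
    -AllowBasicAuthPop:$false         -AllowBasicAuthPowershell:$false `
    -AllowBasicAuthReportingWebServices:$false -AllowBasicAuthRpc:$false `
    -AllowBasicAuthSmtp:$false        -AllowBasicAuthWebServices:$false

# 3. Make it the tenant default so every current and future mailbox inherits it
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# 4. SMTP AUTH is the legacy protocol most often still in use (printers, scanners,
#    line-of-business apps). Disable it tenant-wide, then re-enable it only on the
#    specific mailbox a device genuinely needs (example address is a placeholder).
Set-TransportConfig -SmtpClientAuthenticationDisabled $true
# Set-CASMailbox -Identity "scanner@example.com" -SmtpClientAuthenticationDisabled $false

# 5. Verify the end state
Get-OrganizationConfig | Select-Object DefaultAuthenticationPolicy
Get-TransportConfig    | Select-Object SmtpClientAuthenticationDisabled
```

Run step 1 first and keep its output: anything that shows up as a per-mailbox exception after you apply the default policy is something you deliberately allowed, and the sign-in log review the article recommends should then concentrate on those few accounts.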

4) Turn on strong spam/phishing filtering (and confirm it’s actually active)

Many businesses assume filtering is “on by default.” Sometimes it is. Sometimes it isn’t configured well.
What to do:
Confirm phishing protection is enabled
Quarantine suspicious messages (don’t just deliver them with a warning)
Make it easy for staff to report suspicious emails
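For Microsoft 365 tenants, "confirm it's actually active" is a question you can answer directly rather than by trusting the admin portal's summary. The block below is an added example, not code from the article; it assumes the ExchangeOnlineManagement module and an Exchange Administrator account, and it reads the policies before changing only the built-in Default content filter.

```powershell
# Added example (not from the article): check what the tenant's spam and phishing
# filters actually do with each verdict, then tighten the default policy.
# Assumes ExchangeOnlineManagement is installed and the account is an Exchange Administrator.
Connect-ExchangeOnline

# 1. Content filter policies: what happens to each verdict?
#    "Quarantine" holds the message; "MoveToJmf" puts it in Junk; "AddXHeader" or
#    "ModifySubject" deliver it to the Inbox with only a marker, which is the
#    "deliver it with a warning" setup the article warns against.
Get-HostedContentFilterPolicy |
    Select-Object Name, SpamAction, HighConfidenceSpamAction, PhishSpamAction,
                  HighConfidencePhishAction, BulkSpamAction, BulkThreshold

# 2. Anti-phish policies: is the policy enabled, and are spoof and impersonation
#    protections switched on?
Get-AntiPhishPolicy |
    Select-Object Name, Enabled, EnableSpoofIntelligence, EnableMailboxIntelligence,
                  EnableMailboxIntelligenceProtection, EnableFirstContactSafetyTips,
                  PhishThresholdLevel

# 3. A policy only protects the recipients its rule covers. A disabled rule, or a rule
#    scoped to the wrong domain, means the policy applies to nobody.
Get-HostedContentFilterRule | Select-Object Name, State, Priority, RecipientDomainIs
Get-AntiPhishRule           | Select-Object Name, State, Priority, RecipientDomainIs

# 4. Quarantine phishing verdicts in the Default content filter policy
Set-HostedContentFilterPolicy -Identity Default `
    -PhishSpamAction Quarantine -HighConfidencePhishAction Quarantine `
    -HighConfidenceSpamAction Quarantine

# 5. Re-read the policy to confirm the change took effect
Get-HostedContentFilterPolicy -Identity Default |
    Select-Object PhishSpamAction, HighConfidencePhishAction, HighConfidenceSpamAction
```

Step 3 is the one most small businesses skip: a well-configured custom policy with its rule left in a disabled state looks fine in step 1 and protects no one.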

5) Train one simple habit: verify money and password requests out-of-band

If an email asks for:
a password
gift cards
wire transfers
banking changes
…it should be verified using a known phone number or in-person confirmation.
This one habit prevents a lot of expensive mistakes.

6) Watch for auto-forwarding rules (a common “silent” compromise)

Attackers love to set forwarding rules so they can quietly read email and wait for the right moment to strike (like an invoice or payroll request).
What to do:
Audit mailbox rules periodically
Block external auto-forwarding unless there’s a real business reason
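Auditing rules by hand in each mailbox does not scale past a handful of users, so here is an added example of doing both steps in Microsoft 365 from PowerShell. It is not code from the article or from Microsoft; it assumes the ExchangeOnlineManagement module, an Exchange Administrator account, and that every domain returned by Get-AcceptedDomain counts as internal. The helper Test-ExternalRecipient and its parsing of rule targets are this example's own.

```powershell
# Added example (not from the article): find inbox rules and mailbox settings that
# forward, redirect or silently delete mail, flag the ones that leave the company,
# then block external auto-forwarding tenant-wide.
# Assumes ExchangeOnlineManagement is installed and the account is an Exchange Administrator.
Connect-ExchangeOnline

# Domains owned by the tenant; anything else is treated as external
$internalDomains = (Get-AcceptedDomain).DomainName

# Helper defined for this example: does any rule target point outside the tenant?
# Rule targets come back as strings like '"Name" [SMTP:user@domain]' for SMTP
# addresses or '"Name" [EX:/o=...]' for internal directory objects.
function Test-ExternalRecipient([string[]]$Entries) {
    foreach ($e in $Entries) {
        if ($e -match 'SMTP:([^\]\s]+)') {
            $domain = ($Matches[1] -split '@')[-1]
            if ($internalDomains -notcontains $domain) { return $true }
        }
    }
    return $false
}

# 1. Inbox rules that forward, redirect, or delete. Deleting is included because a
#    rule that forwards a copy and deletes the original hides the compromise from the user.
$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        if (-not ($rule.ForwardTo -or $rule.ForwardAsAttachmentTo -or
                  $rule.RedirectTo -or $rule.DeleteMessage)) { continue }
        $targets = @(@($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
                     Where-Object { $_ })
        [pscustomobject]@{
            Mailbox  = $mbx.UserPrincipalName
            Rule     = $rule.Name
            Enabled  = $rule.Enabled
            External = Test-ExternalRecipient $targets
            Deletes  = $rule.DeleteMessage
            Targets  = ($targets -join '; ')
        }
    }
}
$findings | Sort-Object External, Deletes -Descending | Format-Table -AutoSize

# 2. Mailbox-level forwarding, which is set by admins (or by anyone who obtained
#    admin access) and never appears in the user's own rule list
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress, ForwardingAddress,
                  DeliverToMailboxAndForward

# 3. Block automatic forwarding to external addresses tenant-wide. Users can still
#    forward a message by hand; rule-based and mailbox-level auto-forwarding stops.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
```

Export $findings to CSV on each run and diff it against the previous one; a brand-new rule with External set to True on a mailbox that never had rules before is exactly the "silent compromise" the section describes.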

7) Have a “first 60 seconds” plan if someone clicks something

Phishing happens. What matters is how fast you respond.
If someone clicks a suspicious link or enters credentials:
Disconnect from Wi‑Fi (if possible)
Change the email password (from a different device if you can)
Report it immediately to IT
Don’t delete the email – keep it for investigation

Want a quick sanity check?

If you’re not sure whether these are set correctly in Microsoft 365 or Google Workspace, that’s normal. The settings are not always obvious.
If you’d like, I can do a quick review and tell you what I’d fix first.