IMPORTANT Website terms of use and cookie statement

Why email is the weakest (security) link

David Fleming, Chief Technology Officer of Security Services at Mitigo, explains how email attacks start and the key factors that practices need to defend against to prevent becoming a victim.

Even if using the internet for basics such as email, submitting invoices, or sharing designs, all architectural practices are at risk.

With so much written about cyberattacks, it is surprising how many architectural practices are oblivious to the risk posed by their email system.

Even if using the internet for basics such as email, submitting invoices, or sharing designs, all architectural practices are at risk. The fact is, a business email account is the most common entry point for cyber criminals and is at the root of most successful cyberattacks.

These can vary from someone impersonating a practice director via email and fraudulently requesting a dividend payment from the accounts team, or sending malicious attachments that once opened render the workstation unusable.

So, what should practices be wary about and how can emails be made more secure?

The top four ways criminal attack

Firstly, it’s useful to understand the most common method of attacks against a practice’s email systems:

  1. Phishing: Criminals send blanket emails to every address they have acquired from social media, the dark web and website scraping. They pose as legitimate suppliers and trick recipients into giving email login credentials. In simulated phishing attacks instigated by Mitigo, 20% of untrained staff typically fall for this type of attack.
  2. Malicious attachments: Emails with fake attachments with headings like ‘missed message,’ ‘urgent invoice’ or ‘bank statement’ will tempt many people to click on and open them. These emails will have malicious code that will attempt to get control of the computer in some way.
  3. Account hijack: In this form of breach criminals get access to email accounts with credentials purchased from the dark web, automatically breaking weak passwords, or tricking recipients with phishing attacks. They can then log in using these details, and get full access including all your email history.
  4. Spoofing: Another very common approach for criminals is to create their own email accounts and pretend to be you. They are not inside the account they mimic, but send emails to employees to try and get access to business systems and data.

Email security breaches can have costly and devasting business consequences for architecture practices.

What are the likely consequences of email breaches?

Consequences can vary and might include demanding a ransom or getting fraudulent payment. Email security breaches can have costly and devasting business consequences. Commonly these are:


This is the most damaging consequence and can be business-ending. Criminals use the access they have gained, first to steal confidential and personal information, and then to encrypt your systems. They threaten to release the data if a ransom fee is not paid.

The average business downtime is now 26 days. The average ransom payment in 2021 was £628,000. Architects may be falsely lulled into thinking they are safe from such cyberattacks because they think their data is not valuable enough to attract criminals. However, a number of practices have reported getting held to ransom in this way.

Read how architects are at risk of cyber attacks through email systems.

Virus-spreading spam email

The most common consequence is a large number of emails being sent from your email to every contact associated with your business. The aim of the email is to contaminate their systems with a view to stealing money from them. It will damage a practice’s reputation and dent client trust.

Payment diversion

The main object here is for criminals to get money diverted to their bank accounts by tricking practices or a client into sending money to the wrong payee.

There is the obvious financial and reputational damage but the subsequent conversations with the Information Commissioner’s Office will not end well if a client has lost thousands of pounds because their architect did not protect their data sufficiently.

Top tips to help defend against email attacks

  1. Choose an appropriate business email account: Free and basic email systems are not good enough. You may need to upgrade to get the appropriate level of capability.
  2. Impose good employee discipline: Email addresses should be for work purposes only and you need to make this clear to staff. The dark web is littered with business email addresses that have been used on personal accounts (eg, Amazon, eBay etc.) along with passwords and critical information.
  3. Demand that staff set unique, strong passwords and ensure the system has robust authentication protocols: Passwords selected should not be a repeat of anything staff members may have used elsewhere, and it is essential that authentication requires an additional gateway like sending a code to a mobile phone.
  4. Safeguard inbound filters: Get these expertly set and do not rely on defaults. If done well it will stop the deceptive emails ever getting into staff inboxes.
  5. Tightly control domain records: The end of an email is called the domain and there are important records that need to be set in the domain control panel to avoid criminals easily spoofing email addresses.
  6. Train staff: Staff should receive annual training and be taken through simulated attacks to make sure they know what to expect.
  7. Tighten access: Practices need to have a clear policy on how their staff access emails from a laptop, mobile, or through a web browser. The more this is tightened the more access points can be switched off in the security settings.
  8. Set up robust payment methods: Make sure that there is a robust process that ensures that changes to payee details have strong challenge processes.
  9. Integrate antivirus software and browser: Web browser, email service and antivirus software need to be configured to work in unison in order to stop cyberattacks. This is the most important retrospective control as it is unwise to rely on staff to spot the criminals’ tricks.
  10. Properly configure alerts and blocks: Make sure that the alerting from security systems is properly configured and is going to your technical support and that rules are set to block, not allow.

Following these tips provides a starting point and a roadmap for staying secure. Investing time and resources to get this right will be the best money practices may well spend this year.

RIBA has partnered with Mitigo to offer technical security services. For more information contact Mitigo on 0161 88 33 507 or email

keyboard_arrow_up To top