The invoice looked real. It came from the right supplier, referenced the right project, had the right purchase order number, and asked to update the bank details for the next payment. The accounts assistant did what she’d been trained to do: she checked the email address, which matched the one in the system, and updated the record. Three weeks later, when the actual supplier called asking where their £14,000 had gone, we walked through what had happened. The sender’s address had been spoofed. The real supplier’s domain had no email-authentication record published. The invoice itself was a near-perfect copy of a previous one because the attacker had been reading the mailbox for two months via a session token (a temporary login key) they’d phished back in February.

That’s a 2026-style email attack. Every layer of defence was either missing or misconfigured. None of the layers individually would have stopped it; together, they would have. Email security splits cleanly into four layers, and defence at any one of them is not enough on its own.

The frame below maps what each layer does, what it doesn’t, and where most SMEs we look at have a gap.

Why a layered model matters in 2026

Two things have changed enough to force the rethink.

The first is that attackers have shifted from one-off spam to long-lived account takeovers. Once an attacker has session-token access to a mailbox they can read everything, learn the writing style, identify pending payments, and time their move. A single layer of defence (spam filtering, say) does nothing once the attacker is already inside.

The second is that the regulatory and underwriting environment has hardened. Cyber-insurance underwriters now expect multi-factor authentication (MFA, needing a code as well as a password, usually a number from an app on your phone) on every account, DMARC enforcement on every outbound domain, and a working incident response process. A policy without these is either getting declined or quoting at multiples of last year’s premium.

Layered means each layer assumes the one outside it might fail, and that is the design principle to hold onto.

The four layers

Layer 1: Authentication, proving the sender is real

What this means in practice: every email leaving your domain is cryptographically signed and validated so other mail servers can verify it really came from you.

This is the SPF, DKIM, DMARC layer: the three email-authentication settings that tell other mail servers your messages are genuine. SPF says which servers are allowed to send for your domain. DKIM signs each message with a key only your domain holds. DMARC tells the receiving server what to do if SPF or DKIM fail: quarantine, reject, or just report.

The 2026 standard is DMARC at p=reject, not p=none and not p=quarantine. That’s what stops spoofed emails using your domain landing in your customers’ inboxes. About 65% of SMEs we audit have SPF and DKIM set up; about 20% have DMARC published at p=none (monitoring only); fewer than 10% are at p=reject. Moving from “no DMARC” to p=reject is the single highest-impact email-security change most SMEs can make.

It’s also the one most likely to break things if it’s done badly. There’s always some legitimate mail-sender (the booking system, the email-marketing tool, the accounting platform) that isn’t included in the SPF record. Move to reject in a hurry and that sender’s mail starts bouncing. The right way is to publish at p=none for 30 days, read the reports, fix the misalignments, then escalate to quarantine, then to reject.
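The staged rollout above (publish at p=none, read the aggregate reports, fix the senders that fail alignment, then escalate) is easier to run with a small script than by eyeballing XML. The following is an added example written for this post, not tooling from JMO Partners or from any DMARC vendor. The DMARC TXT record, the domain names and the aggregate report are constructed sample data; the report follows the RFC 7489 aggregate-report layout, trimmed to the fields that matter for the decision.

```python
"""Parse a published DMARC record and a DMARC aggregate (rua) report, and list
the sending sources that would start bouncing if the policy moved to p=reject.
Added example; all records and report data below are constructed samples."""
import xml.etree.ElementTree as ET

# Constructed sample: what _dmarc.example.co.uk might publish while monitoring.
DMARC_TXT = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.co.uk; pct=100"

# Constructed sample aggregate report from one receiving provider.
# Record 1: the company's own mail server, fully aligned.
# Record 2: a booking tool sending as example.co.uk; it passes SPF for its own
#           domain but is not in example.co.uk's SPF and does not DKIM-sign, so
#           DMARC fails. This is the "legitimate sender not included" case.
# Record 3: an unknown source with no auth results at all, most likely spoofing.
AGGREGATE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.co.uk</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>412</count>
      <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.25</source_ip><count>37</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
    <auth_results><spf><domain>bookingtool.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>5</count>
      <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.co.uk</header_from></identifiers>
  </record>
</feedback>"""

# Escalation order described in the post: none -> quarantine -> reject.
NEXT_STAGE = {"none": "quarantine", "quarantine": "reject", "reject": "reject"}


def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def enforcement_level(txt):
    """Return the published policy: 'none', 'quarantine' or 'reject'."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags.get("p", "none")


def next_stage(policy):
    """The policy to move to once the current stage's reports are clean."""
    return NEXT_STAGE[policy]


def failing_sources(report_xml):
    """Return (source_ip, message_count, spf_auth_domain) for every row that
    failed both DKIM and SPF alignment, largest sender first. A non-empty
    spf_auth_domain usually points at a real third-party sender that needs
    adding to SPF or DKIM-signing; None usually means spoofing."""
    root = ET.fromstring(report_xml)
    failures = []
    for record in root.findall("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
            continue  # aligned on at least one mechanism, so DMARC passes
        spf_domain = record.findtext("auth_results/spf/domain")
        failures.append((row.findtext("source_ip"), int(row.findtext("count")), spf_domain))
    failures.sort(key=lambda item: item[1], reverse=True)
    return failures


if __name__ == "__main__":
    policy = enforcement_level(DMARC_TXT)
    print(f"published policy: p={policy}; next stage would be p={next_stage(policy)}")
    for ip, count, spf_domain in failing_sources(AGGREGATE_REPORT):
        label = f"SPF-authenticated as {spf_domain}" if spf_domain else "no auth results"
        print(f"  {ip}: {count} messages failed DMARC ({label})")
```

Run against real reports, the rows with an SPF-authenticated third-party domain are the ones to fix before escalating (add the sender's include to SPF or turn on its DKIM signing); rows with no authentication at all are exactly the traffic p=reject is meant to stop, and their presence is not a reason to delay.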

Layer 2: Inbound filtering, blocking what shouldn’t reach the inbox

What this means in practice: a filter sitting between the internet and your mailbox that scores incoming messages and blocks the obvious malicious ones.

Microsoft 365 (M365, the Microsoft cloud bundle: email, Word, Excel, Teams, file storage) and Google Workspace both ship with inbound filtering. Both have a free tier and a paid tier; the paid tier (Microsoft Defender for Office 365 or Google’s equivalent) is what you actually want, not because it catches significantly more spam, but because it does the sandboxing (opening the link or attachment in a safe test environment first) that catches modern phishing (an email pretending to be from someone trustworthy, asking you to click or hand over credentials).

The phishing emails that get through basic filters in 2026 look almost identical to legitimate emails. Same logos, same writing style, same plausible context. The thing that catches them is sandbox analysis: the filter opens the attachment in a virtual environment, or follows the link to see where it lands, and blocks on the basis of behaviour rather than content.

This layer also covers business-email-compromise detection: the filter notices when an external sender is claiming to be the CEO and flags the message even though it’s technically clean.
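The display-name impersonation check described above is simple enough to show in code. The following is an added example, not code from the post or from Microsoft or Google's filters, and the executive list, internal domain and From headers are constructed samples. It flags an external sender whose display name matches an executive, and an external sender whose display name is itself an internal address (a common way to make a lookalike read as internal on a phone screen).

```python
"""Flag inbound From headers that impersonate an internal executive.
Added example with constructed sample data; the real filters in M365 and
Google Workspace apply the same idea with far more signals."""
import re
from email.utils import parseaddr

# Constructed sample directory: domains the company actually sends from, and
# the people most worth impersonating, keyed by a normalised display name.
INTERNAL_DOMAINS = {"example.co.uk"}
EXECUTIVES = {
    "jane smith": "jane.smith@example.co.uk",
    "tom reid": "tom.reid@example.co.uk",
}

# Constructed sample From headers, mixing legitimate and suspicious cases.
SAMPLE_HEADERS = [
    'Jane Smith <jane.smith@example.co.uk>',                         # genuine internal
    'Jane Smith <jane.smith.ceo@gmail.com>',                         # exec name, webmail
    '"Tom Reid" <tom.reid@examp1e.co.uk>',                           # exec name, lookalike domain
    '"jane.smith@example.co.uk" <finance-desk@mailer.example>',      # internal address as display name
    'Supplier Accounts <ap@supplier.example>',                       # external but benign
]


def normalise(name):
    """Lower-case, drop punctuation and collapse spaces so 'J. Smith (CEO)'
    and 'j smith ceo' compare the same way."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify(from_header):
    """Return a reason string if the header looks like executive impersonation,
    or None if nothing stands out."""
    display_name, address = parseaddr(from_header)
    if sender_domain(address) in INTERNAL_DOMAINS:
        return None  # really internal; Layer 1 (DMARC) is what keeps this honest
    # Display name carrying an address at one of our domains, e.g. on a phone
    # the reader sees "jane.smith@example.co.uk" and not the real sender.
    for domain in INTERNAL_DOMAINS:
        if re.search(r"[\w.+-]+@" + re.escape(domain), display_name, re.IGNORECASE):
            return "internal-address-in-display-name"
    # External sender whose display name contains an executive's name.
    name = normalise(display_name)
    for exec_name in EXECUTIVES:
        if name and exec_name in name:
            return "executive-name-external"
    return None


def triage(headers):
    """Return (header, reason) for every header worth a closer look."""
    return [(h, classify(h)) for h in headers if classify(h)]


if __name__ == "__main__":
    for header, reason in triage(SAMPLE_HEADERS):
        print(f"{reason:34s} {header}")
```

A check like this is cheap and catches the clumsy cases; the reason the paid tier still earns its keep is that it also looks at reply-to mismatches, first-contact history and the content of the request, none of which a name match sees.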

Layer 3: Account security, protecting the credentials

What this means in practice: every mailbox is protected by MFA, with session-token revocation in place and impossible-travel detection (login from London at 9am, then Manchester at 9:15) running.

This is where the modern attack lives. The attacker doesn’t break encryption: they phish a password, then steal a session token that bypasses MFA for the next 30 days, then sit in the mailbox reading at their leisure.

The 2026 standard is three things: MFA on every account (no exceptions, including the executive assistant and the part-time bookkeeper); conditional access policies that block sign-ins from unusual locations or unusual devices; and session-token lifetimes capped at 24 hours or less for high-risk accounts. The “no exceptions” is the bit that trips SMEs. There’s always the director who travels and finds MFA inconvenient, or the finance manager who’s exempted from conditional access because of a legacy app. Exemptions are how attackers get in.

If MFA is the single most important access control in this layer, conditional access is the most underrated. It’s what catches the login attempt at 03:00 from a residential IP in Lisbon when the user is in London.
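The two detections this layer relies on, impossible travel (London at 09:00, Manchester at 09:15) and a sign-in from a country the user has never worked from (Lisbon at 03:00), are both simple to evaluate over sign-in logs. The following is an added example written for this post, not the logic inside Entra ID Conditional Access or Google's context-aware access; the sign-in events, coordinates and per-user country baselines are constructed samples, and the 900 km/h cut-off is an assumption chosen to sit just above airliner speed.

```python
"""Evaluate sign-in events for impossible travel and unfamiliar countries.
Added example with constructed sample data."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Assumption: one person cannot move faster than an airliner between sign-ins.
MAX_PLAUSIBLE_KMH = 900.0
EARTH_RADIUS_KM = 6371.0


@dataclass
class SignIn:
    user: str
    when: datetime
    city: str
    country: str
    lat: float
    lon: float


# Constructed sample sign-in log (what an identity provider would export).
EVENTS = [
    SignIn("alice", datetime(2026, 3, 2, 9, 0), "London", "GB", 51.5074, -0.1278),
    SignIn("alice", datetime(2026, 3, 2, 9, 15), "Manchester", "GB", 53.4808, -2.2426),
    SignIn("bob", datetime(2026, 3, 1, 18, 0), "London", "GB", 51.5074, -0.1278),
    SignIn("bob", datetime(2026, 3, 2, 3, 0), "Lisbon", "PT", 38.7223, -9.1393),
    SignIn("carol", datetime(2026, 3, 2, 8, 30), "London", "GB", 51.5074, -0.1278),
    SignIn("carol", datetime(2026, 3, 2, 17, 45), "London", "GB", 51.5074, -0.1278),
]

# Constructed baseline: countries each user has signed in from before.
BASELINE_COUNTRIES = {"alice": {"GB"}, "bob": {"GB"}, "carol": {"GB"}}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def evaluate(events, baseline, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, rule, detail) alerts. Two rules:
    - unfamiliar-country: sign-in from a country outside the user's baseline
    - impossible-travel: consecutive sign-ins that imply a speed above max_kmh
    """
    alerts = []
    last_seen = {}
    for ev in sorted(events, key=lambda e: (e.user, e.when)):
        if ev.country not in baseline.get(ev.user, set()):
            alerts.append((ev.user, "unfamiliar-country",
                           f"{ev.city} ({ev.country}) at {ev.when:%Y-%m-%d %H:%M}"))
        prev = last_seen.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            hours = (ev.when - prev.when).total_seconds() / 3600
            # Same place is never impossible; zero elapsed time with distance is.
            if km > 1.0 and (hours <= 0 or km / hours > max_kmh):
                alerts.append((ev.user, "impossible-travel",
                               f"{prev.city} -> {ev.city}: {km:.0f} km in {hours * 60:.0f} min"))
        last_seen[ev.user] = ev
    return alerts


if __name__ == "__main__":
    for user, rule, detail in evaluate(EVENTS, BASELINE_COUNTRIES):
        print(f"{user:6s} {rule:20s} {detail}")
```

Note that Bob's Lisbon sign-in is not impossible travel (nine hours is plenty of time to fly there); it is caught only because Portugal is outside his baseline. That is the point of running both rules: conditional access is what blocks the sign-in that is physically possible but still wrong for that user.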

Layer 4: User awareness, the last line

What this means in practice: every user has been trained to recognise the patterns of modern phishing, knows how to report a suspicious message, and isn’t punished for reporting false positives.

The first three layers will stop most attacks. The ones that get through are designed specifically to defeat the technical controls, which means the user is the last line. Awareness training in 2026 is not a 45-minute video once a year; that’s a tick-box exercise that doesn’t change behaviour. What works is short, frequent, scenario-based training (5 minutes a month), combined with regular simulated phishing exercises that test actual response.

The reporting culture matters as much as the training. If users are afraid of looking stupid for reporting a real email, they won’t report the real phishing either. The IT team needs to be able to say “thanks for reporting, this one was legitimate” and walk them through the reason without making the user feel stupid. That’s how you build the reflex that catches the next attack.

Where SMEs trip

Three patterns come up repeatedly:

The first is treating the layers as alternatives. “We have MFA, so we’re fine on email security.” MFA without DMARC means your domain can still be spoofed in mail sent to someone else. DMARC without inbound filtering means malicious emails from third-party domains still land. Inbound filtering without user training means the one that beats the filter still wins. The layers compound; they don’t substitute.

The second is exempting the executive layer. Founders and directors get MFA-fatigue exemptions, get to use personal devices, get to bypass conditional access. They’re also the highest-value targets in the business. The right answer is the opposite: tighter controls on the accounts with the most authority, not looser.

The third is buying the paid filter and never tuning it. The default policies are good but not great. Quarterly review of what’s been blocked, what’s been released, and which rules need adjusting is what turns a £6-per-user-month spend into a £6-per-user-month spend that actually works.

What good looks like

When this is working, the email security posture is layered and verifiable. DMARC published at p=reject with quarterly reports being read. Inbound filtering paid-tier, tuned, and catching the modern threats. MFA on every account with no exemptions, conditional access live, session tokens limited. Users trained monthly, simulated phishing run quarterly, reporting rate climbing. Cyber-insurance questionnaire fills itself.

The measurable outcome we hold ourselves to is zero successful business-email-compromise incidents per year, and that is the bar we expect a working email-security posture to clear.

Where this lands with us

Email security sits inside our Security Solutions practice. For managed clients we hold every layer: we publish and tune DMARC, configure the paid filter, set conditional access policies, run the training programme, and handle incident response if something does land. For self-managed clients we’ll do the assessment and the layer-1 and layer-3 configuration work and hand over the training programme.

Either way, the £14,000 invoice fraud at the top of this post is a real shape of loss, and it’s the small one. The bigger one is the months of mailbox access an attacker had before the fraud landed, the customer data they walked off with, and the cyber-insurance claim that gets queried because the questionnaire said one thing and the reality said another. Four layers, configured and tuned and verifiable, is what keeps that conversation off your calendar.

If a renewal questionnaire is asking about DMARC and MFA and you’re not sure where you stand, that’s our Security Solutions practice. Drop us a note at info@jmopartners.co.uk and we’ll do an initial scorecard.

JMO|Partners · Enterprise IT, sized for SMEs.