Email Security

Your inbox is the front door.

Email is the number one attack vector. Phishing, spoofing, ransomware — they all start with a message in someone's inbox. This page explains how attacks work and how we stop them.


How attackers use email

Email was designed in an era when trust was assumed. Decades later, it carries most of the internet's fraud, malware, and social engineering — precisely because it reaches people directly.


Domain Spoofing

An attacker forges the From: address in an email to impersonate a trusted sender — your CEO, your bank, HMRC, or a supplier. Because the underlying email protocol (SMTP) has no built-in sender verification, this is trivial to do without additional defences. The recipient sees a familiar name and acts — clicking a link, wiring money, or entering credentials. SPF, DKIM, and DMARC exist specifically to close this gap.


Phishing Attacks

Phishing is social engineering by email. The attacker crafts a message designed to look legitimate — a parcel delivery notification, a password reset from IT, an invoice from a supplier — with a link to a fake website that harvests credentials or installs malware. Spear phishing targets a specific individual using personal details gathered from LinkedIn or previous data breaches, making the message far more convincing. Whaling targets senior executives. Our platform scans links in real time and cross-references them against known phishing infrastructure.


Business Email Compromise (BEC)

BEC is one of the most financially damaging forms of cybercrime. The attacker — often using a spoofed or compromised email account — impersonates an executive or trusted supplier to redirect a payment, request a gift card purchase, or extract sensitive payroll data. Unlike mass phishing, BEC attacks are targeted, patient, and conducted over days or weeks of reconnaissance. The FBI estimates BEC losses exceed $50 billion globally. Strong DMARC policies and multi-factor authentication are the primary mitigations.


Malware and Trojans via Attachments

Email attachments — Word documents, Excel spreadsheets, PDFs, ZIP archives — are a primary delivery mechanism for malware. A document may contain a macro that downloads and executes a payload when opened. A ZIP may contain an executable disguised as an invoice. A PDF may exploit a vulnerability in the reader. Once executed, the malware can steal credentials, encrypt files for ransom, or install a backdoor that gives the attacker persistent access to the network. Every attachment that arrives at our mail platform is scanned with up-to-date antivirus engines before it reaches your inbox.


Ransomware

Ransomware is malware that encrypts the victim's files and demands payment for the decryption key. Most ransomware infections begin with a phishing email. The attacker delivers a dropper via attachment or link, which installs the ransomware and propagates it across the local network before triggering the encryption. A successful ransomware attack can bring an organisation to a halt for days or weeks. Email is the most common initial access vector — intercepting it before it reaches the desktop is the single most effective preventive control.


Email Account Takeover

Attackers take over email accounts through credential stuffing (using passwords leaked in unrelated breaches), brute force, phishing, or by exploiting weak or reused passwords. Once inside an account, the attacker can read confidential correspondence, set up forwarding rules to silently copy future mail, send fraudulent messages from a trusted address, and reset passwords for other services. Our platform enforces strong authentication requirements and monitors for unusual login patterns such as access from unexpected geographies.


Spam

Spam is unsolicited bulk email. Beyond the obvious nuisance, spam clogs mail servers, consumes storage, and — critically — provides cover for phishing and malware campaigns that ride in alongside it. Spammers operate botnets of thousands of compromised machines and rotate sending infrastructure constantly to evade blocklists. We maintain connections to real-time reputation feeds, operate our own DNS-based block lists (DNSBLs), and use honeypot addresses — email addresses published nowhere legitimate — to detect and block new spam sources the moment they start sending.


On-Path Attacks (Man-in-the-Middle)

When an email travels between mail servers, an on-path attacker who can intercept the network traffic — on a compromised router, a public Wi-Fi access point, or within a data centre — may be able to read or modify the message in transit. Without encryption, email travels as plain text: the contents of every message, including attachments and credentials, are exposed to anyone positioned on the network path between sender and recipient. TLS (Transport Layer Security) encrypts the connection between mail servers, preventing passive eavesdropping. DANE (DNS-based Authentication of Named Entities) goes further, using DNSSEC to bind a server's TLS certificate to its DNS record, preventing certificate substitution attacks.

How we protect you

Every FXRM email account comes with a layered security stack configured correctly from day one — not sold as add-ons after the fact.

1. SPF, DKIM, and DMARC — Stopping Spoofing at Source

SPF

Sender Policy Framework. A DNS record that lists every server authorised to send email for your domain. Receiving servers check this list and reject mail from servers not on it.

DKIM

DomainKeys Identified Mail. Every outgoing message is cryptographically signed with a private key held on our servers. Recipients verify the signature using the public key in your DNS, confirming the message hasn't been altered in transit.

DMARC

Domain-based Message Authentication, Reporting & Conformance. Ties SPF and DKIM together with a policy — reject, quarantine, or monitor — telling receiving servers what to do with mail that fails both checks, and sends you reports of any failures.
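As an added illustration (not FXRM's code), this is the evaluation a receiving server performs once SPF and DKIM have been checked: a message passes DMARC only if SPF or DKIM passes and the domain it authenticated aligns with the From: domain. The DNS record, domains and results below are constructed, and organisational-domain lookup is simplified to the last two labels.

```python
# Constructed sample DNS data (example values, not FXRM's real records).
DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
}

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    """Organisational domain. Simplified to the last two labels; real
    implementations consult the Public Suffix List (co.uk etc.)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=DNS):
    """Return (passed, action) for a message whose From: header uses from_domain.
    spf_domain is the MAIL FROM domain SPF evaluated; dkim_domain is the d= tag
    of the verified signature. DMARC passes when at least one of SPF or DKIM
    passes AND its domain aligns with the From: domain."""
    domain = from_domain.lower()
    record, policy_tag = dns.get("_dmarc." + domain), "p"
    if record is None and domain != org_domain(domain):
        # Subdomain without its own record: fall back to the organisational
        # domain's record, where the sp= tag (if present) governs subdomains.
        record, policy_tag = dns.get("_dmarc." + org_domain(domain)), "sp"
    if record is None:
        return (None, "none")           # no DMARC policy published
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return (True, "none")
    return (False, tags.get(policy_tag) or tags.get("p", "none"))
```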

2. Virus and Malware Scanning

Every attachment and embedded link in inbound mail is scanned in real time before delivery. We run up-to-date antivirus signatures against all attachment types — including archive formats that try to hide payloads inside nested ZIP or RAR files. Dangerous file types are blocked outright regardless of disguised extensions. Suspicious links are checked against known malware distribution and phishing infrastructure at the point of click, not just at delivery, catching campaigns that activate their payloads after initial scanning.

3. TLS Encryption in Transit

All connections to and from our mail servers are encrypted using TLS 1.2 or higher. When a receiving server supports TLS, we enforce it and do not fall back to unencrypted transmission. This means the data packets carrying your email across the internet cannot be read by anyone positioned on the network path between servers. For outbound mail to domains that publish a DANE or MTA-STS policy, connections that cannot negotiate TLS are rejected rather than downgraded, and the policy gives a cryptographic guarantee that the server you're delivering to is the one it claims to be.

4. DNS-Based Blocking and Honeypots

DNS is the phonebook of the internet — and it's also one of the most effective places to intercept threats before they arrive. We subscribe to multiple real-time DNS block lists (DNSBLs) that track known spam sources, phishing infrastructure, and malware command-and-control servers. When a connection arrives from a listed IP address, it is refused before a single byte of the message is accepted.

We also operate honeypot email addresses — addresses published nowhere legitimate that exist solely to attract spam and phishing campaigns. Any mail sent to a honeypot address comes from a sender with no legitimate reason to contact us. This lets us identify new phishing campaigns and spam operations the moment they start, often within minutes of the first message, and block them across the entire platform before they reach a real inbox.
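An added example, not FXRM's code, of the connection-time DNSBL check described above: the query name is built from the reversed client address, the answer is interpreted, and the decision is taken before any message data is accepted. The zone name, DNS answers and return-code meanings are constructed so the example runs offline.

```python
import ipaddress

ZONE = "dnsbl.example.invalid"   # constructed zone name standing in for a real DNSBL

# Constructed stand-in for DNS (query name -> A records) so the example runs
# offline; a real MTA resolves these names with the system resolver.
FAKE_DNS = {
    "9.113.0.203." + ZONE: ["127.0.0.2", "127.0.0.4"],
    "2.0.0.127." + ZONE: ["127.0.0.2"],   # RFC 5782 test entry: lists should list 127.0.0.2
}

# The listing reason is encoded in the answer address. Meanings are
# list-specific; these values are constructed for the example.
RETURN_CODES = {"127.0.0.2": "spam source", "127.0.0.3": "compromised host",
                "127.0.0.4": "malware/phishing host"}

def dnsbl_query_name(ip, zone):
    """Build the query name: IPv4 octets (or IPv6 nibbles) reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone

def check_dnsbl(ip, zone, resolve=lambda name: FAKE_DNS.get(name, [])):
    """Return (listed, reasons). No answer (NXDOMAIN) means not listed.
    Only 127.0.0.0/8 answers count as listings: anything else comes from a
    wildcarding or hijacked resolver and must not cause mail to be refused."""
    answers = resolve(dnsbl_query_name(ip, zone))
    reasons = sorted({RETURN_CODES.get(a, "listed (" + a + ")") for a in answers
                      if ipaddress.ip_address(a) in ipaddress.ip_network("127.0.0.0/8")})
    return (bool(reasons), reasons)

def smtp_greeting(client_ip, zones=(ZONE,)):
    """Decision taken when the TCP connection arrives, before any SMTP command."""
    for zone in zones:
        listed, reasons = check_dnsbl(client_ip, zone)
        if listed:
            return "554 5.7.1 Service unavailable; %s listed by %s (%s)" % (
                client_ip, zone, "; ".join(reasons))
    return "220 mx.example.invalid ESMTP"
```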

5. Phishing and Impersonation Protection

Beyond DMARC, we apply heuristic analysis to catch messages that pass technical checks but exhibit patterns consistent with phishing — mismatched display names, lookalike domains (e.g. arnazon.com instead of amazon.com), urgency language, and suspicious link structures. Messages from external senders who share a display name with one of your own users are flagged to reduce the risk of impersonation attacks going unnoticed.
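An added example (not FXRM's platform code) of the heuristics just listed, run over a constructed From: header and body. The protected domains, internal user list, confusable-character table and urgency words stand in for tenant configuration.

```python
from email.utils import parseaddr

# Constructed configuration standing in for a tenant's settings.
PROTECTED_DOMAINS = {"amazon.com", "example.com"}       # brands and our own domain
INTERNAL_USERS = {"jane doe": "jane.doe@example.com"}   # display name -> real address
URGENCY = ("urgent", "immediately", "within 24 hours", "action required", "wire")
# Character sequences that look alike in common fonts (rn looks like m, and so on).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def skeleton(domain):
    """Reduce a domain to its visual skeleton so arnazon.com and amazon.com collide."""
    s = domain.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s

def lookalike_of(domain):
    """Return the protected domain this one imitates, or None if it is
    a protected domain itself or unrelated to all of them."""
    if domain in PROTECTED_DOMAINS:
        return None
    for protected in PROTECTED_DOMAINS:
        if skeleton(domain) == skeleton(protected):
            return protected
    return None

def phishing_flags(headers, body):
    """Return human-readable flags for a message; an empty list means nothing matched."""
    flags = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    target = lookalike_of(domain)
    if target:
        flags.append("lookalike domain %s imitates %s" % (domain, target))
    # Display name matches one of our own users but the address is not theirs.
    internal = INTERNAL_USERS.get(name.strip().lower())
    if internal and addr.lower() != internal:
        flags.append("display name '%s' matches internal user but address is %s" % (name, addr))
    hits = [w for w in URGENCY if w in body.lower()]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    return flags
```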

Product Brief

FXRM Email Security Overview

A two-page summary of the threat landscape and our defences — designed to share with your team, board, or clients. Free, no sign-up required.


Glossary

Plain-English definitions for the technical terms used in email security — so you know what you're protecting and why.

BEC — Business Email Compromise

A targeted fraud where attackers impersonate executives, suppliers, or colleagues — usually via spoofed or compromised email accounts — to trick employees into transferring money, changing payment details, or sharing sensitive data. BEC attacks are distinguished by their patience and specificity: attackers research their targets thoroughly before making contact.

DKIM — DomainKeys Identified Mail

A cryptographic email authentication standard. The sending mail server signs each outgoing message with a private key. The receiving server looks up the corresponding public key in DNS and uses it to verify the signature, confirming that the message originated from an authorised server and was not modified in transit.

DMARC — Domain-based Message Authentication, Reporting & Conformance

A policy layer that ties SPF and DKIM together. A DMARC record in DNS tells receiving mail servers what to do with messages that fail both SPF and DKIM checks — reject them, quarantine them (send to spam), or simply report the failure. DMARC also generates aggregate reports that let domain owners see who is sending mail on their behalf.

DANE — DNS-based Authentication of Named Entities

A protocol that uses DNSSEC to bind a mail server's TLS certificate to its DNS record. This prevents an attacker from substituting a fraudulent certificate to intercept encrypted mail traffic — a form of on-path attack that would otherwise be difficult to detect.

Data Packets

The internet does not send files or messages as single continuous streams. Instead, data is broken into small chunks called packets, each labelled with its source, destination, and sequence number. Packets travel independently across the network and are reassembled at the destination. An on-path attacker who can intercept packets can read or modify the data they contain — which is why encryption is essential.

DNSBL — DNS Block List

A real-time database of IP addresses known to send spam, host phishing sites, or operate malware infrastructure. Mail servers query DNSBLs for every incoming connection: if the sending IP is listed, the connection is refused before the message is accepted. FXRM subscribes to multiple DNSBLs and maintains its own.

DNSSEC — DNS Security Extensions

A set of cryptographic extensions to DNS that allow DNS responses to be verified as authentic. Without DNSSEC, an attacker who can interfere with DNS resolution can redirect email or web traffic to infrastructure they control. DNSSEC signs zone data with a private key; resolvers verify responses with the corresponding public key before trusting them.

Encryption

The process of transforming readable data (plaintext) into an unreadable form (ciphertext) using a cryptographic algorithm and key. Only someone who holds the correct decryption key can recover the original data. In email, encryption is used at two layers: in transit (TLS encrypts the connection between mail servers) and at rest (stored messages can be encrypted on disk). These are distinct protections.

Honeypot

A decoy resource — in email security, an address that has never been shared with anyone legitimate — used to detect and study malicious activity. Any mail sent to a honeypot comes from someone who obtained the address from a scraped or leaked source, making it an immediate signal of spam or phishing. Honeypot hits allow us to identify and block new attack campaigns within minutes of launch.

LAN — Local Area Network

A network connecting devices within a limited area — an office building, a home, or a data centre. Within a LAN, devices communicate directly with each other rather than routing traffic through the public internet. An attacker who gains access to a LAN (physically or via a compromised device) may be able to intercept unencrypted traffic between devices on the same network segment — including internal email if it is not encrypted.

MTA-STS — Mail Transfer Agent Strict Transport Security

A mechanism that lets a domain declare, via an HTTPS-hosted policy file and a DNS record, that receiving mail servers support TLS and that sending servers should refuse to deliver mail over an unencrypted connection. Unlike opportunistic TLS, MTA-STS prevents downgrade attacks where an on-path attacker strips encryption from the connection. It complements DANE — MTA-STS does not require DNSSEC, making it easier to deploy, while DANE provides stronger cryptographic guarantees where DNSSEC is available.
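To make the TLS-enforcement section and this entry concrete, an added example (not FXRM's code) that parses a constructed MTA-STS policy file, reads the DNS TXT record that announces policy changes, applies the RFC 8461 MX matching rule, and decides whether a sending server may deliver to a given MX.

```python
# Constructed policy text as served at https://mta-sts.<domain>/.well-known/mta-sts.txt
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.net
max_age: 604800
"""

def parse_mta_sts_policy(text):
    """Parse the 'key: value' policy file into a dict; 'mx' may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = [s.strip() for s in line.split(":", 1)]
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS policy")
    return policy

def parse_sts_txt(txt):
    """The _mta-sts.<domain> TXT record ('v=STSv1; id=...'): a changed id tells
    senders to re-fetch the HTTPS policy before the cached max_age expires."""
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    return tags.get("id") if tags.get("v") == "STSv1" else None

def mx_allowed(policy, mx_host):
    """RFC 8461 MX matching: exact match, or a '*.' pattern matching exactly one leftmost label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]                       # ".example.net"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False

def delivery_decision(policy, mx_host, tls_negotiated, cert_matches_mx):
    """What a sending MTA does for this MX under the recipient domain's policy."""
    ok = mx_allowed(policy, mx_host) and tls_negotiated and cert_matches_mx
    if policy["mode"] == "enforce" and not ok:
        return "defer"            # never downgrade: retry later, send a TLSRPT failure report
    if policy["mode"] == "testing" and not ok:
        return "deliver+report"   # testing mode only reports the failure
    return "deliver"
```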

Malware

Software designed to damage, disrupt, or gain unauthorised access to a system. Malware delivered via email includes viruses (which attach themselves to other files), trojans (which disguise themselves as legitimate software), ransomware (which encrypts files and demands payment), keyloggers (which record keystrokes to steal credentials), and spyware (which silently monitors activity and exfiltrates data).

On-Path Attack (Man-in-the-Middle)

An attack where a third party secretly intercepts and potentially alters communication between two parties who believe they are communicating directly. In the context of email, an on-path attacker positioned between two mail servers on a network can read message contents, modify attachments, or inject malicious content — unless the connection is encrypted with TLS.

Phishing

A social engineering attack conducted by email that attempts to trick the recipient into revealing credentials, clicking a malicious link, or opening a dangerous attachment, by impersonating a trusted entity. Variants include spear phishing (targeted at a specific individual using personal details), whaling (targeting senior executives), and vishing (voice phishing conducted by phone after initial email contact).

Ransomware

A category of malware that encrypts the victim's files — or threatens to publish them — and demands a ransom payment (typically in cryptocurrency) for the decryption key. Modern ransomware groups operate sophisticated criminal enterprises with customer support, negotiation teams, and leak sites. Email is the most common initial access vector. Effective email security, combined with offline backups, is the primary defence.

SMTP — Simple Mail Transfer Protocol

The protocol used to send email between mail servers. SMTP was designed in the early 1980s and has no built-in mechanism for verifying the identity of the sender. This fundamental design limitation is why SPF, DKIM, and DMARC were developed as additions to the protocol — they are compensating controls for a problem baked into the original design.

Spam

Unsolicited bulk email, typically sent for commercial purposes but also used as a delivery vehicle for phishing and malware campaigns. Spammers operate botnets — networks of thousands of compromised computers — to send billions of messages per day while evading IP-based blocks by rotating through a large pool of sending addresses.

SPF — Sender Policy Framework

A DNS record that specifies which mail servers are authorised to send email for a domain. When a message arrives, the receiving server checks the sending server's IP address against the domain's SPF record. If the IP is not listed, the message fails SPF — a signal that it may be spoofed. SPF alone is not sufficient; it should be combined with DKIM and enforced via DMARC.

Spoofing

Forging the sender information in an email to make it appear to come from someone other than the actual sender. Domain spoofing forges the domain in the From address (e.g., making a message appear to come from yourbank.com when it does not). Display name spoofing uses a familiar name with an unrelated email address. Both exploit the fact that email clients often show only the display name, hiding the actual sending address.

TLS — Transport Layer Security

The cryptographic protocol that encrypts data in transit between two systems. In email, TLS encrypts the connection between mail servers (SMTP over TLS) and between mail clients and servers (IMAP/POP3/SMTP over TLS). It prevents passive eavesdropping on the network path. TLS does not encrypt messages at rest — once delivered to a mailbox, message encryption is a separate concern.

Trojan

Malware that disguises itself as legitimate software. A trojan might arrive as an email attachment labelled as an invoice, a CV, or a software update. When opened, it installs a payload — a keylogger, ransomware, a remote access tool — while potentially displaying a decoy document to avoid immediate detection. Unlike viruses, trojans do not self-replicate; they rely on the victim to execute them.

Email hosting with security built in

Every FXRM email account comes with SPF, DKIM, and DMARC configured correctly, TLS enforced, virus scanning active, and honeypot-driven blocking — included as standard, not as extras.