What are the biggest threats to email systems today?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You open your inbox and there's an urgent message from your bank. The logo looks right, the tone sounds right, and the link takes you to a page that looks exactly like the real site. By the time you realize it's fake, your credentials are gone. That's the email threat landscape in a nutshell: it exploits trust.
Here are the biggest threats hitting email systems right now.
Phishing and its nastier cousins
Phishing is still the top threat by a wide margin. Attackers send emails that impersonate a trusted brand or person to steal credentials, money, or data. Spear phishing targets specific individuals (your CFO, your IT admin) rather than blasting everyone. Business email compromise (BEC) takes it further: an attacker either spoofs or actually takes over an executive's email account, then instructs finance to wire money somewhere. No malware, no attachments. Just a convincing email. BEC losses run into the billions every year.
Malware delivery
Ransomware, trojans, and information stealers frequently arrive by email. Sometimes it's an attachment (a "invoice.pdf" that's actually an executable). Sometimes it's a link to a page that silently downloads something. Spam filters have gotten better at catching these, but attackers adapt fast, using password-protected archives, cloud storage links, and multi-step redirects to slip past detection.
Account takeover
Weak or reused passwords, combined with phishing, give attackers a way into real email accounts. Once they're in, they can send from a legitimate address, intercept conversations, and access anything in the inbox. A compromised account at an email service provider is especially damaging because it lets an attacker send from trusted infrastructure at scale.
Domain spoofing and impersonation
Attackers fake the "From" address to make email look like it came from your domain (or a domain close enough to fool a quick glance, like paypa1.com). Proper email authentication with SPF, DKIM, and DMARC is the main defense here. Without it, anyone can send email that appears to come from your domain, and your recipients have no technical way to tell the difference.
Spam as a gateway
High-volume spam isn't just annoying. It's often a delivery mechanism for the threats above, or a way to probe which addresses are active before a more targeted attack. Spam that carries no obvious malware can still train recipients to ignore warnings, which makes the eventual phishing attempt more effective.
The common thread across all of these is that email is built on trust, and attackers exploit that trust wherever the technical defenses are weakest. If you want to understand how domain owners defend against spoofing specifically, the next step is looking at how domain owners protect their reputation. If something feels off with your own setup, you're welcome to run it by our SOS hotline, it's free and there's no pitch.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.