This week, we received what looked like an official Request for Proposal (RFP) email from a local business we know. It was well-written, professional, and completely believable.
Here’s a summarized version of the email that was sent:
“We are pleased to inform you that your firm has been selected to submit a proposal for the upcoming project opportunity. We encourage you to review the project details and consider participating in the competitive bid process." <Professional and flattering introduction>
"The full project package is available at the following link: [File name (Preview)] This document outlines the scope of work, deliverables, and the contractual terms that will govern the engagement." <a very detailed and official looking file name>
"Please review all materials thoroughly and submit your completed proposal electronically by 3:00 PM October 22, 2025.” <A very specific call to action with a deadline>
At first glance, nothing seemed off. It used familiar language, came from a trusted sender with a full and accurate email signature, and even had the kind of tone you’d expect in a real RFP. In a mouse trap, it's all about the cheese, and this RFP was a very nice piece of "cheese". Any growing business would love to get a request like this for a new opportunity.
But there was a serious problem: the message wasn’t from that company at all.
Their Microsoft 365 email account had been hacked, and this fake RFP had gone out to their entire contact list.
Because we use advanced email protection, our system automatically flagged the suspicious link, and we always have a warning header for outside senders. It recognized that the “PDF” link wasn’t actually a file, but a malicious link to a brand-new domain designed to steal credentials or deliver more harmful content.
When I called the business to let them know, they were understandably alarmed and a bit embarrassed. Their account had been compromised, and now their contacts were receiving fake emails “from” them. They had been getting phone calls all day long.
Unfortunately, this is a real-world example of what happens when a business email account is breached. It can happen to anyone, and the damage can spread quickly. If I hadn't had security in place, my computer could have been infected with malware, or I could have provided confidential information to the "fake" RFP. As you can understand, an unsuspecting victim would be very upset.
🕵️♀️ How to Spot a Fake RFP Email
Even seasoned professionals can be fooled by a well-crafted phishing message. Before clicking, always check:
✅ Sender address: Look closely at the domain - even one letter off (like @companny.com instead of @company.com) is suspicious. In this case the address was correct - it was actually a hacked account.
✅ Links: Hover over the link before clicking. If it doesn’t match the company’s website, don’t open it.
✅ Tone and timing: Unexpected or urgent messages that pressure you to act quickly should raise a red flag.
✅ Attachments disguised as links: A “.pdf” that’s actually a link is often a trick.
When in doubt, pick up the phone and confirm with the sender.
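The "attachment disguised as a link" check can be automated on the receiving side. The following is an added example, not code from the original post or from Ekaru's tooling: it flags anchors whose visible text looks like a file name but whose target is a web host unrelated to the sender's domain. The sample message, addresses and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

FILE_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".zip")


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_body, sender_address):
    """Return links that read like a file but point at an unrelated web host.
    A hit means "verify with the sender", not proof that the link is malicious."""
    sender_domain = sender_address.rsplit("@", 1)[-1].lower()
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        label = text.lower().split(" (")[0]  # drop a "(Preview)"-style suffix
        external = bool(host) and host != sender_domain \
            and not host.endswith("." + sender_domain)
        if label.endswith(FILE_EXTS) and external:
            findings.append({"text": text, "host": host})
    return findings


# Constructed sample modelled on the email described above.
SAMPLE = """<p>The full project package is available at the following link:
<a href="https://rfp-portal.example.net/view?id=1">Project_RFP_2025.pdf (Preview)</a></p>
<p>Visit <a href="https://www.company.example/about">our website</a>.</p>"""
```

Legitimate file-sharing services also live on domains other than the sender's, so treat a finding as a prompt to confirm by phone rather than as a verdict.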
What Really Happens When Your Email Gets Hacked
When a cybercriminal gains access to your email account, it’s not just a nuisance. It’s a direct hit to your business reputation, your finances, and your clients’ trust. Here’s what can follow:
1. Damage to Your Reputation
Once hackers send messages from your account, your contacts and clients start receiving fake emails that look like they came from you. Even if you’re the victim, people may lose trust - and that can hurt business relationships.
2. Exposure of Confidential Information
A hacker can read everything in your mailbox - invoices, client lists, contracts, and sensitive internal conversations. That’s a data breach, even if nothing was “downloaded.” Let that sink in: a hacker can read everything in your mailbox.
3. Financial Fraud and Invoice Tampering
This is one of the most common next steps. Hackers quietly monitor legitimate email threads about payments or projects and then step in to change a few details - such as updating a bank account number for an upcoming payment. These messages can look completely legitimate.
4. Unauthorized Access to Other Systems
Email is often the gateway to everything else - your cloud storage, accounting system, or other online apps. Once inside, criminals can use password resets to move deeper into your network.
5. Legal and Compliance Risks
If personal or client data is exposed, you may have to report the incident under state privacy laws or industry regulations. Even if no harm occurs, the process can be costly and time-consuming.
How It Happens
Email hacks often start with something simple... and preventable.
Weak or Reused Passwords
Many accounts are compromised because the password was easy to guess or reused from another site that was breached. Once attackers have your password from one source, they try it everywhere else.
No Multifactor Authentication (MFA)
MFA adds a second layer of protection - like a code sent to your phone - that prevents attackers from logging in even if they know your password. Without MFA, one stolen password is all it takes.
Phishing Emails and Fake Login Pages
Hackers send messages that look legitimate, prompting users to “sign in” to Microsoft 365, PayPal, or another platform. The link actually leads to a fake site that collects credentials.
No Security Monitoring or Alerts
Many small businesses don’t have continuous monitoring in place. That means if someone logs in from another country at 2 a.m., no one notices. By the time the breach is discovered, the damage is already done.
🚨 3 Signs Your Email Account May Already Be Compromised
People report receiving strange emails “from you.”
You notice messages in your “Sent Items” folder that you didn’t send.
You can’t log in or your password suddenly stops working.
If you see any of these, change your password immediately and contact your IT support team to investigate.
How You Can Prevent It
Here’s the good news - there are straightforward, affordable steps that can dramatically reduce your risk.
✅ Use Strong Passwords and MFA
A strong, unique password and multifactor authentication are your first line of defense. Even if your password is stolen, MFA stops hackers from logging in.
✅ Train Your Team
Security awareness training helps employees recognize phishing attempts and suspicious messages. If something looks unusual - like a strange link or an urgent payment request - it’s always better to double-check.
✅ Monitor Your Email for Threats
At Ekaru, our Security Operations Center (SOC) monitors client email environments around the clock. AI-powered tools look for signs of compromise - like impossible login locations, brand-new domains, or behavior that doesn’t fit a normal pattern - and automatically block threats before they reach inboxes. This is a case where AI, specifically Machine Learning (ML), really helps us defend against threats. Creating a forwarding rule or travelling to a different location is a common event on its own, but certain changes in combination with each other can reveal an IOC ("Indicator of Compromise").
In the RFP example above, it is also important to note that email security on the RECEIVING side matters too. With a warning banner and protection against unsafe links, you can help avoid falling for a scam or threat.
✅ Review Forwarding Rules and Permissions
Hackers often set up hidden forwarding rules so they continue to receive copies of your emails even after you regain control. Regular reviews can help detect these silent threats.
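The idea that a forwarding rule or an unfamiliar login is routine on its own but significant in combination can be shown with a small correlation check. This is an added example, not Ekaru's tooling and not a real Microsoft 365 log schema: it uses a fixed rule rather than ML, and the record layout, field names, addresses and the placeholder country code `ZZ` are all constructed assumptions.

```python
from datetime import datetime, timedelta


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def find_compromise_indicators(events, usual_countries, window=timedelta(hours=24)):
    """Flag an external forwarding rule created within `window` after a sign-in
    from a country outside the user's baseline. Either event alone is ignored."""
    alerts, odd_logins = [], {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when, user = datetime.fromisoformat(ev["time"]), ev["user"]
        if ev["type"] == "sign_in":
            if ev["country"] not in usual_countries.get(user, set()):
                odd_logins.setdefault(user, []).append((when, ev["country"]))
        elif ev["type"] == "forward_rule_created":
            if domain_of(ev["forward_to"]) == domain_of(user):
                continue  # internal forwarding is not flagged here
            for seen, country in odd_logins.get(user, []):
                if timedelta(0) <= when - seen <= window:
                    minutes = int((when - seen).total_seconds() // 60)
                    alerts.append({"user": user, "forward_to": ev["forward_to"],
                                   "country": country, "minutes_after_login": minutes})
                    break
    return alerts


# Constructed audit events (hypothetical layout, not a vendor export format).
A, B, C = "alice@company.example", "bob@company.example", "carol@company.example"
USUAL = {A: {"US"}, B: {"US"}, C: {"US"}}
EVENTS = [
    {"time": "2025-10-19T14:00:00+00:00", "user": A, "type": "sign_in", "country": "US"},
    {"time": "2025-10-20T02:04:00+00:00", "user": A, "type": "sign_in", "country": "ZZ"},
    {"time": "2025-10-20T02:19:00+00:00", "user": A, "type": "forward_rule_created",
     "forward_to": "archive@mailbox.example.org"},
    # Forwarding rule with no unusual sign-in: common, not flagged.
    {"time": "2025-10-20T09:00:00+00:00", "user": B, "type": "forward_rule_created",
     "forward_to": "bob.personal@mail.example.org"},
    # Travel with no forwarding rule: common, not flagged.
    {"time": "2025-10-20T10:00:00+00:00", "user": C, "type": "sign_in", "country": "FR"},
]
```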
✅ Back Up and Secure Your Data
Regular backups ensure you can recover quickly if anything goes wrong. Cloud email platforms like Microsoft 365 still benefit from separate backup protection.
The Takeaway
Email breaches don’t just happen to big corporations; they happen to local businesses every day. The good news is that with a few simple protections in place, you can stop most attacks before they start.
If you’re not sure whether your email system is fully protected, let’s talk. A quick, no-pressure security review can go a long way toward keeping your business, and your reputation, safe.
At Ekaru, we’re proud to help local businesses take practical, affordable steps to protect their data and their peace of mind.
About the author:
Ann Westerheim, PhD is the Founder and President of Ekaru, a Technology Service Provider of cybersecurity and IT services for small and medium businesses in the greater Boston area. Ann is an accomplished technology innovator and leader with three engineering degrees from MIT. She has twenty years of high tech experience in research, advanced development, product development, and as an entrepreneur. Her career has spanned a vast range of technology endeavors including research in thin film semiconductors and superconductors, microprocessor fabrication, development of early Internet medical applications, and now focusing on the application of technology in business. She has an avid focus on the "last mile" of technology and decreasing the digital divide.
https://www.linkedin.com/in/annwesterheim/ Let's connect!