Common identity-based attacks explained for SMEs



For many small and medium-sized businesses, the biggest cyber risk is not a dramatic technical break-in. It is someone using a real employee account to get inside your business quietly. Once an attacker has access to email, cloud services, or an admin account, they can cause fraud, disrupt work, and damage trust before anyone notices.

The good news is that most identity-based attacks follow familiar patterns. If you understand how they work, you can reduce the risk without building a large security team. This article explains the main attack types in plain English, the business impact to expect, the warning signs to watch for, and the controls that make the biggest difference for UK SMEs.

Why identity attacks matter for small businesses

What attackers are trying to achieve

Identity attacks focus on people and accounts rather than software flaws. The attacker wants to log in as a real user, or trick someone into approving access, so they can act as if they belong there.

That access can be used to:

  • Read emails and learn how your business works
  • Change payment details on invoices
  • Reset passwords and take over more accounts
  • Access shared files and customer information
  • Use your systems to send more convincing scams

Why account compromise often leads to wider business disruption

One compromised account can become a gateway to many others. If the account belongs to someone in finance, sales, or management, the attacker may be able to approve payments, impersonate leaders, or extract sensitive information. If the account is an administrator account, the impact can be much wider because the attacker may be able to change settings, lock out users, or disable security tools.

For an SME, that can mean downtime, lost revenue, recovery costs, and time spent reassuring customers and suppliers.

The most common identity-based attacks in plain English

Phishing and fake login pages

Phishing is when an attacker sends a message that looks genuine and tries to persuade someone to enter their password or approve access. The message may appear to come from a bank, a cloud service, a colleague, or even an internal manager.

A common version is a fake login page. The page looks like the normal sign-in screen, but the details entered go straight to the attacker. This is often used to steal passwords and one-time codes.

Password spraying and reused passwords

Password spraying is a low-and-slow attack where the attacker tries a small number of common passwords against many accounts. This avoids triggering some account lockouts. It works best when people reuse passwords across services or choose predictable ones.

Even if your business has a password policy, reused passwords from other websites can still create risk. If an employee uses the same password for work and a personal service that gets breached, the attacker may try that password on your business account.

Multi-factor authentication fatigue and approval prompts

Multi-factor authentication adds a second step after the password, such as a code or an approval on a phone. It is an important control, but attackers have learned to abuse it.

One method is to bombard a user with repeated approval requests until they click yes out of frustration or confusion. Another is to pose as IT support and ask the user to approve a sign-in to “fix” a problem. The attacker is relying on pressure, distraction, or trust.

Business email compromise and impersonation

Business email compromise is when an attacker gains access to, or convincingly imitates, a business email account to trick staff, customers, or suppliers. The aim is often financial fraud.

Examples include:

  • Changing bank details on an invoice
  • Requesting urgent payments to a new account
  • Asking for gift cards, payroll changes, or sensitive documents
  • Pretending to be a director or supplier during a busy period

This type of attack is especially effective because it uses trust and routine business processes against you.

How these attacks usually affect an SME

Financial loss and invoice fraud

The most immediate cost is often money leaving the business in the wrong direction. A single fraudulent payment can be hard to recover, especially if the request looked legitimate and was processed quickly. There may also be costs for bank investigations, legal support, and internal time spent checking what happened.

Loss of access to email, files, and cloud services

If an attacker changes passwords or recovery details, staff may lose access to email and shared files. That can stop sales, delay customer work, and interrupt finance processes. In some cases, the attacker may also delete messages or create forwarding rules so they can keep watching communications.

Reputational damage and customer trust issues

Customers and suppliers expect you to handle their information carefully. If an attacker uses your account to send scams, or if confidential information is exposed, people may question how well the business is run. Even when the technical issue is contained quickly, the trust impact can last longer than the incident itself.

Warning signs your accounts may be under attack

Unexpected login alerts or password reset messages

Do not ignore messages about sign-ins from unusual locations, unfamiliar devices, or password reset requests that nobody asked for. These are often early signs that someone is trying to get in.

Unusual email forwarding rules or sent items

Attackers often create forwarding rules so they can receive copies of emails without staying logged in all the time. If a user reports missing messages, strange folders, or sent items they do not recognise, treat it seriously.

Users reporting strange prompts or missing access

People may notice repeated approval prompts, being locked out of accounts, or being asked to verify a sign-in they did not start. Staff may also report that a shared file, mailbox, or application suddenly behaves differently.

These signs do not always mean a compromise has happened, but they are worth checking promptly.

Practical controls that reduce the risk

Use multi-factor authentication properly

Multi-factor authentication should be enabled for all important accounts, especially email, cloud storage, finance systems, and administrator accounts. Where possible, use stronger methods than text messages, because text messages can be intercepted or redirected.

Just as important, train staff not to approve sign-in prompts they were not expecting. A simple rule helps: if you did not start the login, do not approve it.

Remove unused accounts and improve password hygiene

Old accounts are easy targets. Remove accounts for former staff, contractors, and unused shared mailboxes. Review whether any accounts still have access that they no longer need.

For passwords, focus on practical habits rather than complexity for its own sake:

  • Use unique passwords for business accounts
  • Use a password manager where possible
  • Avoid shared logins unless there is a clear business reason
  • Change passwords immediately if you suspect reuse or compromise

Limit admin access and review permissions regularly

Not everyone needs full access. Give people only the access they need to do their job, and keep administrator accounts separate from everyday email accounts where possible. This reduces the damage if a normal user account is compromised.

Review permissions regularly, especially after staff changes, role changes, or supplier changes. Many SMEs keep access in place for convenience long after it is needed.

Turn on useful logging and alerting

You do not need to collect every possible log. Start with the events that help you spot account abuse early, such as sign-ins from unusual places, password resets, mailbox rule changes, and new administrator assignments.

Set alerts for the actions that matter most to your business. If nobody is watching the alerts, they are not helping. The aim is to notice suspicious activity quickly enough to act before it spreads.
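The example below is added here to show, in working code, what "start with the events that help you spot account abuse early" can look like in practice. It is not code from the original article or from any particular product: the event fields (`time`, `user`, `action`, `result`, `ip`, `country`, `detail`) are a hypothetical generic schema, the business domain `example.com` and the expected sign-in country are assumptions, and the log lines are constructed. It also covers the low-and-slow password spraying pattern described earlier on this page: one source address failing once against many different accounts, which a per-account lockout never sees.

```python
"""Triage a small audit/sign-in log for the identity-abuse signals an SME should alert on:
password spraying, sign-ins from unexpected countries, mailbox rules that forward externally,
and password resets / administrator assignments. Event schema is hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_DOMAIN = "example.com"        # assumed: the business's own email domain
EXPECTED_COUNTRIES = {"GB"}            # assumed: where staff normally sign in from
SPRAY_WINDOW = timedelta(minutes=30)   # look-back window for spray detection
SPRAY_MIN_ACCOUNTS = 3                 # distinct accounts failed from one IP to alert

# Constructed sample events (not real logs); times are ISO 8601, UTC.
SAMPLE_EVENTS = [
    # normal activity: one success, one mistyped password from the office address
    {"time": "2024-05-01T08:02:00", "user": "anna", "action": "sign_in", "result": "success", "ip": "203.0.113.5", "country": "GB", "detail": ""},
    {"time": "2024-05-01T08:05:00", "user": "anna", "action": "sign_in", "result": "failure", "ip": "203.0.113.5", "country": "GB", "detail": ""},
    # low-and-slow password spray: one address, one failure each against four accounts
    {"time": "2024-05-01T09:00:00", "user": "anna", "action": "sign_in", "result": "failure", "ip": "198.51.100.7", "country": "GB", "detail": ""},
    {"time": "2024-05-01T09:06:00", "user": "ben", "action": "sign_in", "result": "failure", "ip": "198.51.100.7", "country": "GB", "detail": ""},
    {"time": "2024-05-01T09:12:00", "user": "chloe", "action": "sign_in", "result": "failure", "ip": "198.51.100.7", "country": "GB", "detail": ""},
    {"time": "2024-05-01T09:18:00", "user": "dan", "action": "sign_in", "result": "failure", "ip": "198.51.100.7", "country": "GB", "detail": ""},
    # successful sign-in from an unexpected country, then the classic follow-on actions
    {"time": "2024-05-01T11:30:00", "user": "ben", "action": "sign_in", "result": "success", "ip": "192.0.2.44", "country": "US", "detail": ""},
    {"time": "2024-05-01T11:35:00", "user": "ben", "action": "mailbox_rule_created", "result": "success", "ip": "192.0.2.44", "country": "US", "detail": "forward_to=mail.drop@example.net"},
    {"time": "2024-05-01T11:40:00", "user": "dan", "action": "password_reset", "result": "success", "ip": "192.0.2.44", "country": "US", "detail": "reset_by=ben"},
    {"time": "2024-05-01T11:45:00", "user": "ben", "action": "admin_role_assigned", "result": "success", "ip": "192.0.2.44", "country": "US", "detail": "role=global_admin"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def detect_password_spray(events, window=SPRAY_WINDOW, min_accounts=SPRAY_MIN_ACCOUNTS):
    """Flag source IPs whose failed sign-ins touch many distinct accounts inside `window`.
    Grouping by IP rather than by account is what makes a spray visible."""
    failures = defaultdict(list)
    for e in events:
        if e["action"] == "sign_in" and e["result"] == "failure":
            failures[e["ip"]].append(e)
    alerts = []
    for ip, evs in failures.items():
        evs.sort(key=_ts)
        for i, first in enumerate(evs):  # slide the window from each failure
            users = {x["user"] for x in evs[i:] if _ts(x) - _ts(first) <= window}
            if len(users) >= min_accounts:
                alerts.append({"type": "password_spray", "ip": ip, "accounts": sorted(users)})
                break
    return alerts


def detect_unusual_locations(events, expected=EXPECTED_COUNTRIES):
    """Successful sign-ins from countries the business does not normally see."""
    return [{"type": "unusual_location", "user": e["user"], "country": e["country"], "ip": e["ip"]}
            for e in events
            if e["action"] == "sign_in" and e["result"] == "success" and e["country"] not in expected]


def detect_external_forwarding(events, domain=BUSINESS_DOMAIN):
    """Mailbox rules that forward to an address outside the business domain."""
    alerts = []
    for e in events:
        if e["action"] != "mailbox_rule_created":
            continue
        for part in e["detail"].split(";"):
            key, _, value = part.partition("=")
            if key.strip() == "forward_to" and not value.strip().lower().endswith("@" + domain):
                alerts.append({"type": "external_forwarding", "user": e["user"], "target": value.strip()})
    return alerts


def detect_privilege_and_reset_changes(events):
    """In a small business every password reset and admin assignment deserves a human look."""
    return [{"type": e["action"], "user": e["user"], "detail": e["detail"]}
            for e in events if e["action"] in ("admin_role_assigned", "password_reset")]


def triage(events):
    """Run every detector and return the combined alert list."""
    return (detect_password_spray(events) + detect_unusual_locations(events)
            + detect_external_forwarding(events) + detect_privilege_and_reset_changes(events))


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed log this raises five alerts: the spray from 198.51.100.7 against four accounts, ben's sign-in from an unexpected country, the forwarding rule to an external address, the reset of dan's password, and the new administrator assignment. The single mistyped password from the office address raises nothing, which is the point of counting distinct accounts per source rather than failures per account. In a real deployment the detectors would read your provider's audit export instead of the embedded list, and the alerts would go to whoever has agreed to watch them.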

What to do if you suspect an identity compromise

Contain the issue quickly and reset access safely

If you think an account has been compromised, act quickly but calmly. Disable the account if needed, reset the password, and revoke active sessions so the attacker cannot keep using the account. If the account is shared with other services, check those connections too.

Do not rush to change everything at once without a plan. A controlled response helps avoid locking out legitimate users or losing useful evidence.

Check for email forwarding, payment changes, and unusual activity

Look for forwarding rules, deleted messages, changes to bank details, and recent emails sent from the account. If finance or supplier communications were involved, verify any payment requests through a separate channel, such as a known phone number or a trusted contact already on file.

Also check whether the attacker tried to access other accounts using the same password or recovery details.

Decide when to bring in outside support

Bring in outside support if the compromise affects an administrator account, involves financial fraud, or appears to have spread across multiple systems. External help can also be useful if you need a structured investigation, help preserving evidence, or support restoring confidence with customers and suppliers.

A simple checklist for SME leaders

Five actions to review this month

  • Make sure multi-factor authentication is enabled on email, cloud services, and finance systems
  • Remove accounts that no longer need access
  • Check who has administrator rights and whether that list is still sensible
  • Review email forwarding rules and sign-in alerts
  • Test how staff should report a suspicious message or login prompt

Three questions to ask your IT provider

  • How do we spot unusual sign-ins and account changes?
  • What happens if a director, finance user, or administrator account is compromised?
  • How quickly can we disable access and check for forwarding rules or payment changes?

Identity attacks are not just an IT problem. They are a business risk because they can lead to fraud, downtime, and loss of trust. The most effective response is usually a mix of sensible access control, staff awareness, and basic monitoring.

If you want help reviewing your current controls or deciding where to start, a practical security consultant can help you prioritise the changes that matter most for your business.
