The Email Your Client Will Send You After Your Breach — Before You Even Know It Happened

Thought Leadership  ·  Financial Impact
May 2026  ·  8 min read

In many SMB breaches, the business owner doesn't find out from their security team. They find out from a client who received a phishing email that appeared to come from them, lost money because of it, and wants to know what happened. That conversation — after the fact, without warning, at full financial exposure — is one of the most damaging moments a small business can face.


It's 9:17am on a Wednesday. You're on your second coffee, answering emails, when one arrives from a client you've worked with for four years. The subject line reads: "Did you send this?"

They've forwarded you an email that appears to come from your address — your name, your logo, your email domain — asking them to update their payment details for an invoice. They paid it. The payment went to an account you've never seen. They want to know if you authorized it, and whether their other financial details are safe.

You didn't send the email. You had no idea your domain was being used this way. And you're now in a conversation you have no script for — with a client who has lost real money because of a security gap in your business that you never knew existed.

This scenario plays out in small businesses across the country every week. Business email compromise cost businesses $16.6 billion in 2024 — more than ransomware, data breaches, and every other cybercrime category combined, according to FBI IC3 data. And the defining feature of almost every case is the same: the business whose domain was spoofed or compromised found out from their client, not from their own security monitoring.

$16.6B lost to business email compromise in 2024, more than any other cybercrime category. Source: FBI Internet Crime Complaint Center (IC3), 2024.
308 days average time to identify and contain a BEC attack, the second-longest of any breach type. Source: IBM Cost of a Data Breach 2025.
$129K average cost per BEC incident, before client losses, legal exposure, and relationship damage. Source: FBI IC3 / Arctic Wolf 2025.

The three ways your client finds out before you do

There are three distinct scenarios through which a client discovers your breach before you do. Each carries its own financial and legal exposure. Each has a specific technical gap that made it possible.


Scenario 1 — Your domain is being spoofed

Your client received an email that appeared to come from you. You never sent it.
Most common

An attacker researched your business — your name, your email format, your client relationships, visible from your website and LinkedIn — and sent your client a targeted email that appeared to come from your domain. No malware. No hacked account. Just a spoofed sender address exploiting the fact that your domain has no DMARC enforcement in place.

Your client received what looked like an email from you requesting a payment update, an invoice, or sensitive information. They acted on it. By the time they forwarded it asking "did you send this?" the money or data is already gone.

The technical gap that made this possible: missing or unenforced DMARC. Without DMARC set to p=quarantine or p=reject, any attacker can send email that appears to come from your domain. Over half of all domains with DMARC records are still stuck at p=none, which is monitoring only, with no enforcement. Your client had no way to know the email wasn't from you.

Scenario 2 — Your email account was compromised

The attacker was sending from your real inbox. The emails were completely legitimate-looking.
Most financially damaging

An attacker obtained your email credentials and gained access to your actual inbox. They read months of correspondence to understand your clients, your projects, your payment processes, and your writing style. Then they inserted themselves into active conversations, intercepting invoices and redirecting payments.

When your client received the email, it came from your actual email address. The writing style matched. The context matched. There was nothing to flag it as suspicious — because technically, it was sent from your account. The attacker monitored your inbox for weeks without you knowing.

The technical gap that made this possible: compromised credentials with no MFA, or MFA bypassed via push bombing or an AiTM proxy attack. The attacker also likely set up inbox forwarding rules to receive copies of all incoming mail. BEC attacks that begin with account compromise take an average of 308 days to detect.

Scenario 3 — Your client's data appeared somewhere it shouldn't

A client contacts you after finding their information on a dark web marketplace or breach notification.
Most legally complex

Your client received a notification — from HaveIBeenPwned, from their identity monitoring service, or from a credit bureau — that their personal details appeared in a data breach traced back to your systems. Client names, email addresses, contact details, or payment information you held on their behalf was exfiltrated in a breach you hadn't yet detected.

63% of all data breaches tracked since January 2025 involved small and mid-sized businesses. Many of those businesses discovered the breach only after affected individuals surfaced the exposed data. The client calling to ask about their information is frequently the first notification the business receives.

The legal exposure this creates: courts have found businesses liable for BEC losses when they were negligent in maintaining their email accounts or knew about "red flags" and failed to notify affected parties. When your client discovers their data before you've notified them, it raises a direct question about whether you knew and failed to disclose, regardless of whether you actually knew.

In all three scenarios, the business has the same problem: no monitoring in place that would have surfaced what was happening before the client called. The client call is not the beginning of the incident. It is the moment when an incident that's been running for weeks or months finally surfaces, at maximum financial and reputational exposure, with zero preparation time, and with the client already holding evidence of your failure.

The email that reveals your liability — whether you're ready for it or not

Here is the email you don't want to receive. It's a composite of documented BEC incident patterns.

From: Sarah Chen — Meridian Consulting
To: You
Date: This morning
Subject: URGENT: Did you send this invoice? We've already paid it.

Hi,

I hope I'm catching you quickly on this. We received an invoice from your email address last week requesting we update our payment details for the Q2 retainer. The email looked exactly like your previous invoices — your logo, your signature, your email address — so our finance team processed it on Thursday.

The payment went out for $18,500. I was reviewing accounts today and something looked off, so I pulled the original email. The bank details were different from what we've always used for you.

Can you please confirm whether you sent this and whether the bank account details were legitimate? If not, we need to know immediately what information of ours you hold and whether it may have been compromised.

We've contacted our bank to try to recall the payment, but they've told us recovery at this point is unlikely.

I'll be honest — we're very concerned. We've worked together for four years and this is not what we expected. We need answers today.

— Sarah

That email is a financial loss you didn't cause and can't immediately recover. It's a client relationship under maximum stress with no preparation time. It's a legal question about your liability for a payment made based on your spoofed or compromised email address. And it's the beginning of a conversation you are completely unprepared for.

Courts have found businesses liable for BEC losses in cases where the company was negligent in maintaining its email accounts. The legal framework varies — some courts apply the UCC "ordinary care" standard, others apply contract principles — but the consistent thread is this: if your email domain was being exploited and you had no controls in place to prevent or detect it, your failure to act is relevant to the liability determination. Your client's loss may partially become your loss, in a courtroom.

What determines whether this happens to your business

The difference between businesses that receive that email and businesses that don't comes down to three technical controls — all checkable in under 30 minutes using free tools, and none requiring a security team to implement.

DMARC enforcement. Without DMARC set to p=quarantine or p=reject, anyone can send an email that appears to come from your domain. Checking your DMARC record takes 60 seconds at mxtoolbox.com. Moving from p=none to p=reject closes Scenario 1 entirely. Over half of all domains with DMARC are still at p=none — very likely including yours.
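As an added illustration (not code from this post or from Veriti Spottr), here is a small Python checker that classifies a DMARC TXT record the way the Scenario 1 gap and the DMARC control above describe: p=none counts as monitoring only, p=quarantine or p=reject as enforcement, and the common weakenings that quietly undo enforcement (pct below 100, sp=none, no rua= reporting address) are flagged. The sample records are constructed; to check a real domain, feed it the TXT record published at _dmarc.<yourdomain>.

```python
from typing import Optional

def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def evaluate_dmarc(record: Optional[str]) -> dict:
    """Return {'policy', 'enforced', 'findings'} for one record (None = no record)."""
    if not record:
        return {"policy": "absent", "enforced": False,
                "findings": ["no DMARC record: any sender can spoof the domain"]}
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"policy": "invalid", "enforced": False,
                "findings": ["record does not begin with v=DMARC1; receivers ignore it"]}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return {"policy": "invalid", "enforced": False,
                "findings": [f"missing or unknown p= value: {policy!r}"]}
    enforced = policy in ("quarantine", "reject")
    findings = []
    if not enforced:
        findings.append("p=none is monitoring only: spoofed mail is still delivered")
    pct = int(tags.get("pct") or 100)          # pct defaults to 100 when absent
    if enforced and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy applied")
    if enforced and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains stay unenforced and can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are never received")
    return {"policy": policy, "enforced": enforced, "findings": findings}

# Constructed sample records for demonstration (not any real domain's record)
SAMPLES = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "enforced":     "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "weakened":     "v=DMARC1; p=quarantine; pct=10; sp=none",
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, evaluate_dmarc(rec))
```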

MFA on every email account, enforced. Not available — enforced. Not on most accounts — all of them. Scenario 2 requires access to your actual email account. MFA with number matching makes that access dramatically harder to obtain. Partial MFA leaves the specific accounts attackers target most exposed.

Credential monitoring. If your email credentials have appeared in a breach database, attackers may already be testing them. Continuous monitoring of your domain against known breach databases gives you the window to change credentials before the access happens. Scenario 2 starts with credentials. Monitoring closes the window at the source.

The businesses that never receive that client email aren't necessarily more secure in every dimension. They're the ones who closed the specific gaps that make domain spoofing and email account compromise possible — DMARC enforcement, complete MFA, and credential monitoring. Three controls. Each checkable today for free. The gap between having them and not having them is the gap between receiving that email and never having to.

The conversation you'll wish you'd never had to have

When your client calls or emails to say they received something suspicious from your address, there is no good version of that conversation. There is the version where you can say "we had controls in place and are investigating how this happened despite them." And there is the version where you have to say "we weren't monitoring for this and we didn't know."

The first version is recoverable. The second version is where client relationships end, where legal exposure begins, and where the 38% customer churn that follows a breach starts its slow, quiet accumulation.

Your client's email will tell you what your security posture actually is — not what you hoped it was. The only question is whether you find out that way, or whether you find out first.

Know what attackers see when they look at your domain — before your client does. Veriti Spottr's beta is free.

Veriti Spottr Team  ·  AI-powered cyber risk clarity for SMBs  ·  veritispottr.com
