Is email security awareness broken?


By Cian Fitzpatrick | 12th August 2025


Table of Contents

  1. Introduction – The uncomfortable truth about email security
  2. The scale of the problem
  3. Everyday awareness gaps
  4. Why M&A makes everything more dangerous
  5. Attackers know M&A is their moment
  6. Why awareness alone won’t cover the gap
  7. The fix: Culture, technology, and timing
  8. The business case for early action
  9. Conclusion – Making cybersecurity non-negotiable in M&A

Billions are spent on email security technology every year. AI-powered detection systems, secure gateways and encrypted communication channels show how impressive the technology is, and it only gets smarter by the day.

And yet, human error still accounts for an estimated 80–90% of email-related data breaches.

This is an uncomfortable truth to face and one most security leaders already know: the weakest link in the chain isn’t the technology, it’s the people using it.

Worryingly, cybercriminals understand this better than anyone.

Email is still the number-one communication tool for most organisations, and that is exactly why it remains the front door for phishing campaigns, business email compromise (BEC), ransomware delivery and other social engineering attacks.

The statistics are sobering:


These numbers make one thing clear: email security awareness is broken. And if it’s broken in everyday operations, it’s even more fragile during times of organisational change, most especially during mergers and acquisitions.


Everyday awareness gaps: why traditional training isn’t enough

Security awareness training is meant to address human error. Unfortunately, in many organisations, it’s treated as a box-ticking exercise:

  • Infrequent – one or two sessions a year, quickly forgotten.
  • Generic – recycled slide decks that don’t reflect emerging threat tactics.
  • Detached from reality – little or no simulation of how real phishing attacks look in a busy inbox.

Even companies that invest in training often lack continuous reinforcement. Without regular testing, real-world simulations and targeted feedback, employees revert to risky habits.

And attackers have become masters of exploiting predictable human behaviour:

  • Urgency triggers: “Your account will be suspended in 24 hours.”
  • Authority cues: “This is the CEO. I need you to process a payment immediately.”
  • Curiosity hooks: “Click here to view your confidential HR report.”


If your training hasn’t evolved to mimic these tactics, your staff are unlikely to know how to recognise them and may fall for them.

Why M&A makes everything more dangerous

Mergers and acquisitions are already complex. The legal teams are negotiating, finance teams are modelling the deal, operations are mapping integration. Cybersecurity often unintentionally ends up somewhere down the priority list. Guess what? This is exactly what attackers count on.

During M&A, three main risk accelerators appear:

  1. Disparate IT and security systems
    Merging companies rarely have identical email and security platforms. Integrating Microsoft 365 with Google Workspace, for example, can leave temporary gaps. Misconfigured email filtering, inconsistent DMARC policies or unpatched vulnerabilities in legacy systems can create entry points for attackers.

  2. Different cybersecurity cultures
    One company might run monthly phishing simulations, while the other hasn’t updated its password policy in five years. These cultural differences can result in confusion and inconsistent threat response during integration.

  3. A distracted, uncertain workforce
    Staff worry about job security, reporting lines and new processes. In this distracted state, they’re more likely to overlook red flags in an email or fail to follow reporting protocols.
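As an added illustration of the first accelerator (example code, not from the original article): a small Python script that parses the DMARC records of two merging domains and reports the inconsistencies that leave one of them easier to spoof. The domain names and records are constructed samples embedded inline, not live DNS lookups.

```python
from dataclasses import dataclass

# Constructed sample records for a hypothetical acquirer and the company it acquires.
# In practice each value is the TXT record at _dmarc.<domain>; embedded here to run offline.
SAMPLE_RECORDS = {
    "acquirer.example": "v=DMARC1; p=reject; rua=mailto:dmarc@acquirer.example",
    "acquired.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
}

POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}  # higher = stronger


@dataclass
class DmarcPolicy:
    domain: str
    policy: str            # p= tag: what receivers do with mail that fails DMARC
    subdomain_policy: str  # sp= tag, defaults to p=
    pct: int               # share of failing mail the policy is applied to
    has_reporting: bool    # rua= tag present, so spoofing attempts get reported


def parse_dmarc(domain: str, record: str) -> DmarcPolicy:
    """Parse a DMARC TXT record into its security-relevant tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICY_STRENGTH:
        raise ValueError(f"{domain}: not a valid DMARC record")
    return DmarcPolicy(domain, tags["p"], tags.get("sp", tags["p"]),
                       int(tags.get("pct", "100")), "rua" in tags)


def assess(policies: list) -> list:
    """Flag weaknesses that matter while both domains are in use side by side."""
    findings = []
    for p in policies:
        if p.policy == "none":
            findings.append(f"{p.domain}: p=none, spoofed mail is still delivered")
        if p.pct < 100:
            findings.append(f"{p.domain}: pct={p.pct}, policy applied to a fraction of mail")
        if POLICY_STRENGTH[p.subdomain_policy] < POLICY_STRENGTH[p.policy]:
            findings.append(f"{p.domain}: sp={p.subdomain_policy} is weaker than p={p.policy}")
        if not p.has_reporting:
            findings.append(f"{p.domain}: no rua= address, spoofing attempts go unreported")
    if len({POLICY_STRENGTH[p.policy] for p in policies}) > 1:
        findings.append("policies differ across the merging domains; the weaker one is the exposure")
    return findings


def weakest_domain(policies: list) -> str:
    """Domain whose policy gives receiving mail servers the least protection."""
    return min(policies, key=lambda p: (POLICY_STRENGTH[p.policy], p.pct)).domain
```

Running `assess` over both parsed records before integration gives the security team a concrete list to close (raise the acquired domain to p=reject, drop pct=25, add reporting) rather than discovering the gap from a spoofed invoice.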

Attackers know M&A is their moment

Cybercriminals monitor the news and public filings. If your deal is in the media, they know:

  • Email addresses for executives and key staff are often easy to find.
  • The merging companies’ domains will both be in use for months.
  • There will be inevitable confusion over who’s who, and which requests are legitimate.


They’ll exploit this with:

  • CEO fraud – targeting finance with urgent payment requests.
  • Credential phishing – luring employees to fake login pages to capture credentials.
  • Malware delivery – hidden in documents that appear to be deal-related.

Why awareness alone isn’t enough in M&A

Some executives assume that a strong awareness programme will “cover the gap” during an acquisition. But without the right technology and integrated policies, even well-trained staff can slip up.

Imagine you’ve trained employees to check email headers before clicking links. If they suddenly start receiving legitimate internal emails from a new domain (the acquired company’s), the habit breaks down.

Or consider a phishing simulation programme that works perfectly in Company A’s Microsoft 365 environment while Company B is still on a legacy Exchange server with weaker filtering. Staff in Company B are statistically more likely to see real phishing attempts land.


The fix: a combined approach of culture, technology, and timing

If we accept that email security awareness is broken, and more so during M&A, then the fix must be proactive, integrated, and continuous.

Here’s what works in practice:

  1. Put cybersecurity at the deal table
    Cyber due diligence should start as early as financial due diligence. Identify risks in both organisations before integration begins.

  2. Align on a single security culture immediately
    From the announcement of the deal, communicate a unified set of security expectations. This needs to include how to handle suspicious emails, verify requests and report incidents.

  3. Deploy advanced, email-specific protection
    General endpoint protection isn’t enough. Use intelligent email security tools that filter threats, detect anomalies and adapt to evolving attack patterns in real time.

  4. Run continuous, targeted training
    Use phishing simulations tailored to M&A scenarios. Test employees with realistic spear phishing attempts that mimic deal-related language.

  5. Maintain clear communication channels
    Give employees an easy, fast way to verify requests from the “other side”, ideally a direct security hotline or dedicated email.

The business case for early action

The cost of not addressing email security during M&A can be devastating:

  • Financial loss – from fraudulent payments, regulatory fines, and remediation costs.
  • Reputational damage – public breaches can undermine investor confidence.
  • Operational disruption – incident response diverts resources from integration work.

By contrast, organisations that integrate security early can turn it into a value driver:

  • Strong security posture can increase deal valuation.
  • Cultural alignment builds trust between teams.
  • Reduced breach risk protects the ROI of the acquisition.

The bottom line

Email security awareness is already on shaky ground in most organisations. During mergers and acquisitions, the combination of technical integration challenges, cultural differences and human distraction makes it a prime target for cybercriminals.

If you want to protect the value of a deal, and avoid costly breaches, cybersecurity can’t be an afterthought. It must be embedded from the very start, combining culture change, smarter training and adaptive technology.

Topsec Cloud Solutions helps organisations strengthen email security at every stage of mergers and acquisitions. This includes everything from early risk assessment to ongoing phishing prevention.

Don’t leave your business exposed.

Talk to our security experts today and make cybersecurity a built-in advantage, not an afterthought.