Free practical cybersecurity guidance for organisations without a security team.
hello@actionsoncyber.com

Daily SMB Cyber Intelligence Brief

Supplier breach watch: ISP email logins exposed – expect phishing and account takeover attempts

What small and medium-sized businesses should look out for today.

High Sunday 28 June 2026, 18:35 UK time
Today’s look-out: Supplier incident scams and email account takeover

What to look out for today

Watch for a spike in email-related scams and account takeover attempts following a reported breach affecting email logins linked to multiple internet service providers (ISPs).

  • Phishing emails claiming to be from an ISP or “mail admin” asking you to “re-validate”, “unlock”, or “increase storage”.
  • Unexpected password reset emails for business mailboxes.
  • Login alerts from unfamiliar locations/devices for Microsoft 365, Google Workspace, or your ISP-hosted email.
  • Complaints from customers/suppliers about strange emails “from you”.

Why this matters to smaller businesses

Email accounts sit at the centre of invoicing, approvals and access to other services. If attackers obtain (or can guess) email credentials, they may:

  • Break into mailboxes and silently monitor conversations.
  • Send convincing invoice/payment-change emails to your customers or suppliers.
  • Reset passwords for other systems that use email for account recovery.
  • Use your real account to phish staff and contacts (making scams harder to spot).

Warning signs

  • Staff receiving repeated “incorrect password” or “too many login attempts” messages.
  • Mailbox rules you didn’t set up (e.g., auto-forwarding, “move to archive”, “mark as read”).
  • Sent items containing messages the user didn’t send.
  • New MFA prompts or approval requests the user did not initiate.
  • Changes to payment details being requested over email without an independent verification step.

How attackers may exploit the situation

  • Password stuffing: trying exposed username/password combinations on other services (email, payroll, accounting, file sharing).
  • Targeted phishing: “ISP security update” or “mailbox migration” messages to harvest fresh credentials.
  • Business email compromise (BEC): taking over a real mailbox to redirect invoices or request urgent bank changes.
  • Account recovery abuse: using access to email to reset passwords for linked SaaS tools.

What to do today

  • Send a short staff warning to treat any ISP/email ‘verification’ requests as suspicious and to report them.
  • Prioritise MFA for email (and admin accounts) and confirm it’s enforced, not optional.
  • Reset passwords for any accounts that share passwords with ISP/mail credentials (and stop password reuse going forward).
  • Check for mailbox forwarding rules and other unusual inbox rules on key accounts (finance, directors, shared mailboxes).
  • Reinforce payment-change controls: call-back to known numbers, second-person approval, and never rely on email alone.

Ask your IT provider

  • Do we have alerts enabled for risky sign-ins, impossible travel, and mass login failures for email accounts?
  • Is MFA enforced for all users (especially finance and admins) and do we block legacy/basic authentication where possible?
  • Can you audit for auto-forwarding rules and suspicious mailbox rules across the tenant?
  • What’s our process for quickly locking a mailbox, preserving evidence, and notifying customers if an account is compromised?
  • Do we have DMARC/SPF/DKIM set up to reduce email spoofing using our domain?

Patch watch - only one short paragraph, and only if relevant

No specific patch action from this news. The practical focus today is on account protection (MFA, password hygiene), monitoring for suspicious logins, and tightening payment-change verification.

One action today

Message all staff today: “Ignore and report any ‘ISP/email account verification’ emails; do not click links—use bookmarks or known portals only, and confirm any payment-detail changes by phone to a known number.”

Related Actions On Cyber resource

Actions On Cyber checklist: Business Email Compromise (BEC) and invoice fraud controls

Sources

This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.