It’s a statistic that sends a shiver down the backs of SME owners, managers and employees.
According to the FBI's 2025 Internet Crime Report, business email compromise (BEC) cost US businesses more than $3 billion last year.
This makes it one of the most financially damaging cybercrimes on record.
You click a link, sign in, approve the MFA prompt, and get on with your day. Completely unaware that someone else just logged into your account at the same moment.
That scenario surprises many businesses, particularly those that rely on multi-factor authentication (MFA) to protect cloud accounts.
MFA is a strong front-door lock. But it’s not the only thing that decides whether someone can get in.
After you sign in, your browser keeps you logged in using a session token (often stored as a cookie). It’s the digital version of a wristband at an event: once you’ve been checked, the wristband proves you belong there.
The most dangerous thing in a server room is often the phrase, “Don’t touch that.”
It’s usually said with a half-joke and a grimace. It refers to the old box that “still works”, runs something important, and has survived so many fixes and workarounds that nobody feels confident changing it anymore.
When you first sign up for a software-as-a-service (SaaS) platform, everything is designed to feel effortless.
The problem is that the first real test of a SaaS relationship isn’t the onboarding. It’s the exit.
For many small businesses, the front door is wide open, but the emergency exit is bolted shut: exports are incomplete, key data sits in proprietary formats, and leaving requires expensive vendor help.
Browser add-ons have a funny reputation. They feel “small”. A quick install. A tiny productivity boost. A harmless little helper that lives in your toolbar.
But in practice, a browser extension is more like a micro-SaaS vendor sitting inside your browser session.
A fake recruiter message is one of the cleanest social engineering tricks around because it doesn’t look like a trick.
That’s why LinkedIn recruitment scams work so well inside real businesses.
They don’t arrive as malware. They arrive as a normal conversation that nudges someone toward one small action: click this link, open this file, “verify” this detail, move the chat to a different app.
In the traditional office, a “Clean Desk” policy was a simple habit: shred the sensitive stuff, lock it away, and don’t leave passwords where someone can see them.
In 2026, the same idea still matters but the “desk” has changed.
For many teams, the home office is now the default workspace, and that means physical access can quickly become digital access.
If you want to uncover unsanctioned cloud apps, don’t begin with a policy. Start with your browser history.
The cloud environment most businesses actually use rarely matches the one shown on the IT diagram. It’s built through countless small shortcuts: a “just this once” file share, a free tool that solves one problem faster, a plug-in installed to meet a deadline, or an AI feature quietly enabled inside an app you already pay for.
If your outbound business calls are showing up on recipients' phones as "Spam Likely," "Scam Likely," "Telemarketer," or "Fraud Risk," you're not alone. This is one of the most common issues we hear from our voice customers, and the good news is there are concrete steps you can take to fix it and prevent it from happening again.
