In 2019, a Lithuanian national named Evaldas Rimasauskas pleaded guilty to stealing over $100 million from Google and Facebook using nothing more than a series of fake email messages. He impersonated a legitimate hardware vendor, sent invoices from a lookalike domain, and two of the most technologically sophisticated companies on earth wired him the money. If it can happen to them, it can absolutely happen to your organization.

A fake email — whether it's a spoofed sender, a phishing lure, or a carefully crafted business email compromise — remains the single most effective weapon in a threat actor's arsenal. The FBI's Internet Crime Complaint Center (IC3) reported that business email compromise alone accounted for over $2.9 billion in losses in 2023, dwarfing every other category of cybercrime. This post breaks down exactly how fake emails work, how to spot them, and what to do when one inevitably lands in your inbox.

What Makes a Fake Email So Dangerous?

Most people think they'd never fall for a fake email. I've run phishing simulations for organizations of every size, and the click rate on a well-crafted lure consistently lands between 15% and 30% on the first attempt. That's not because people are stupid. It's because these emails are engineered to exploit how humans actually process information.

A modern fake email doesn't come from a Nigerian prince. It comes from what looks like your CEO's email address at 4:47 PM on a Friday, asking you to urgently process a wire transfer. Or it arrives as a Microsoft 365 password reset notification with a pixel-perfect login page waiting behind the link. The social engineering is precise, contextual, and increasingly powered by AI-generated text that eliminates the grammar mistakes we once relied on as red flags.

The Three Main Types You'll Encounter

  • Spoofed emails: The "From" field is forged to display a trusted sender. Without SPF, DKIM, and DMARC configured on your domain, these sail right through.
  • Phishing emails: Designed to steal credentials or install malware. They mimic banks, SaaS platforms, shipping companies, or internal IT teams. The goal is credential theft — getting your username and password.
  • Business Email Compromise (BEC): A threat actor either compromises or impersonates a real executive's account. These emails rarely contain links or attachments, making them invisible to most security filters.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2024 Cost of a Data Breach Report put the global average cost of a data breach at $4.88 million. Phishing was the most common initial attack vector. The math is straightforward: one employee clicks a link in a fake email, enters their credentials on a spoofed login page, and within hours a threat actor is moving laterally inside your network.

From there, it's ransomware deployment, data exfiltration, or both. The Verizon 2024 Data Breach Investigations Report found that 68% of breaches involved a human element — social engineering, errors, or misuse. The fake email is almost always where the chain starts.

This is why security awareness training isn't optional. It's a frontline control. If you haven't started yet, cybersecurity awareness training at computersecurity.us gives your team the foundational knowledge to recognize and report these attacks before damage is done.

How to Spot a Fake Email: A Practical Checklist

Forget the generic advice about "looking for typos." Modern fake emails are polished. Here's what actually works in 2026.

1. Inspect the Actual Sender Address

The display name might say "John Smith — CFO" but the actual email address could be [email protected]. Always hover over or tap the sender field to reveal the real address. One swapped character is all it takes.

2. Hover Over Every Link Before You Click

Hover over every link. If the URL doesn't match the organization it claims to be from, stop. Threat actors register domains like microsoft-secure-login.com or paypa1.com. Look at the root domain, not the subdomain.

3. Watch for Urgency and Authority Pressure

"This must be completed within the hour." "Do not discuss this with anyone else." "The CEO has personally requested this." These are textbook social engineering pressure tactics designed to short-circuit your critical thinking. Any email that demands immediate, secretive action deserves a phone call to verify.

4. Check for Mismatched Reply-To Addresses

A spoofed email might display the correct "From" address but set the "Reply-To" to a completely different domain. If you hit reply and the address changes, that's a fake email.

5. Be Skeptical of Unexpected Attachments

An invoice you weren't expecting. A "voicemail" in .html format. A shared document requiring you to enable macros. These are payload delivery mechanisms. Verify with the sender through a separate communication channel before opening anything.

What Is a Fake Email, and How Does It Bypass Security Filters?

A fake email is any electronic message that misrepresents its origin, intent, or content to deceive the recipient. It bypasses security filters through several techniques: domain spoofing (when the target domain lacks proper DMARC enforcement), homoglyph attacks (using visually similar Unicode characters in domain names), compromised legitimate accounts (which pass all authentication checks), and zero-day phishing URLs that haven't yet been flagged by threat intelligence feeds. This is why technical controls alone are insufficient — trained humans remain the last line of defense.
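The checklist above (sender address, link domain, pressure language, Reply-To mismatch) and the homoglyph technique just described can all be expressed as checks over a raw message. The script below is an added example, not code from the original post: it parses a constructed sample message with Python's standard `email` library and reports which red flags it finds. The trusted domain `example.com`, both sample messages and the pressure-phrase list are assumptions for the example; the `registered_domain` helper is a deliberate simplification and a real deployment would use the Public Suffix List.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# The domain this organisation actually owns (assumption for the example).
TRUSTED_DOMAIN = "example.com"

# Constructed sample messages, not real captures. The first combines the red flags
# from the checklist: a CFO display name over a one-character lookalike domain, a
# Reply-To on a third domain, a link whose visible text disagrees with its href,
# and pressure language in the subject.
SUSPICIOUS_MESSAGE = b"""From: "John Smith - CFO" <john.smith@examp1e.com>
Reply-To: payments@mail-relay-example.net
To: alice@example.com
Subject: Urgent wire transfer - do not discuss with anyone
Content-Type: text/html; charset="utf-8"

<p>Please approve today via <a href="https://example.com.secure-login.io/portal">https://example.com/portal</a>.</p>
"""

BENIGN_MESSAGE = b"""From: "John Smith" <john.smith@example.com>
To: alice@example.com
Subject: Q3 budget review notes
Content-Type: text/html; charset="utf-8"

<p>Notes from today's meeting are on <a href="https://portal.example.com/finance/q3">the portal</a>.</p>
"""

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)
PRESSURE_PHRASES = ("urgent", "immediately", "within the hour", "do not discuss")


def domain_of(address):
    """Return the lowercased domain part of an e-mail address ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def registered_domain(host):
    """Last two labels of a hostname. Simplification: production code should use the
    Public Suffix List so that suffixes such as co.uk are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def within_one_edit(a, b):
    """True if a and b differ by exactly one substitution, insertion or deletion,
    which catches examp1e.com vs example.com (identical strings are not lookalikes)."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def homoglyph_risk(domain):
    """Flag domains carrying non-ASCII characters or Punycode labels (xn--), the raw
    material of homoglyph attacks such as a Cyrillic 'а' in place of Latin 'a'."""
    return any(ord(c) > 127 for c in domain) or any(
        label.startswith("xn--") for label in domain.lower().split("."))


def analyze(raw_message, trusted=TRUSTED_DOMAIN):
    """Run the checklist over one RFC 5322 message and return a list of finding codes."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    # Checklist item 1: the real address behind the display name.
    _display, from_addr = parseaddr(str(msg["From"] or ""))
    from_domain = domain_of(from_addr)
    if homoglyph_risk(from_domain):
        findings.append("homoglyph-sender")
    if within_one_edit(from_domain, trusted):
        findings.append("lookalike-sender")

    # Checklist item 4: a Reply-To on a different domain than the visible sender.
    if msg["Reply-To"]:
        _r, reply_addr = parseaddr(str(msg["Reply-To"]))
        if domain_of(reply_addr) != from_domain:
            findings.append("reply-to-mismatch")

    # Checklist item 2: judge each link by its registered domain, not its subdomain.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    for href in HREF_RE.findall(text):
        host = urlparse(href).hostname or ""
        if registered_domain(host) != trusted:
            findings.append("link-domain:" + registered_domain(host))

    # Checklist item 3: urgency and secrecy pressure in subject or body.
    haystack = (str(msg["Subject"] or "") + " " + text).lower()
    if any(phrase in haystack for phrase in PRESSURE_PHRASES):
        findings.append("pressure-language")

    return findings


if __name__ == "__main__":
    print("suspicious:", analyze(SUSPICIOUS_MESSAGE))
    print("benign:", analyze(BENIGN_MESSAGE))
```

The link check is the one people most often get wrong: `example.com.secure-login.io` contains the trusted name as a subdomain, but its registered domain is `secure-login.io`, which is why the script compares the last labels rather than searching for the brand anywhere in the host.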

Why Multi-Factor Authentication Isn't Enough

I hear this constantly: "We have MFA, so we're covered." Multi-factor authentication is essential — it stops the majority of credential theft from resulting in account takeover. But it's not bulletproof.

Adversary-in-the-middle (AiTM) phishing kits like EvilProxy and Evilginx2 can intercept MFA tokens in real time. The user clicks a link in a fake email, enters credentials on a proxied login page, completes MFA, and the threat actor captures the authenticated session cookie. The attacker is in. MFA never fired a single alert.

This is why a zero trust approach matters. Don't trust any single control. Layer MFA with conditional access policies, endpoint detection, and — critically — employees who know how to spot a fake email before they ever reach the login page.

Build a Human Firewall That Actually Works

Technical controls catch a lot. Email gateways, sandboxing, URL rewriting, DMARC enforcement — deploy all of it. But the Verizon DBIR data tells us year after year that the human element remains the biggest variable. You need both.

Effective phishing awareness training for organizations goes beyond annual compliance checkboxes. It includes regular phishing simulations that mirror real-world campaigns, immediate feedback when someone clicks, and measurable improvement over time. I've seen organizations cut their phish-susceptibility rate by more than half within 90 days of starting consistent simulation programs.

What to Do When You Receive a Suspicious Email

  • Don't click anything. No links, no attachments, no images.
  • Report it. Use your organization's phishing report button or forward to your security team.
  • Verify out-of-band. Call the supposed sender using a known phone number — not one from the email.
  • If you already clicked, disconnect from the network immediately and contact IT. Time matters.

Your Email Domain Might Be Part of the Problem

If your organization hasn't implemented DMARC with an enforcement policy, threat actors can send fake emails that appear to come from your exact domain. Your customers, partners, and employees will see your real domain in the "From" field with zero indication it's fraudulent.

CISA's Binding Operational Directive (BOD) 18-01 lays out detailed guidance on email authentication, and every organization — regardless of size — should have SPF, DKIM, and DMARC configured and enforced. It's one of the highest-impact, lowest-cost security controls available.
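The difference between "configured" and "enforced" is visible in the DNS records themselves. The script below is an added example, not code from the original post or from CISA: it grades an SPF record and a DMARC record and lists the weaknesses that let spoofed mail through (`p=none`, `+all`, a partial `pct`, missing reports, too many lookups). The records are constructed for the example; a real check would fetch the TXT records for `yourdomain` and `_dmarc.yourdomain` (for instance with dnspython), which is left out so the code runs offline.

```python
# Constructed records for the example (nothing here was fetched from DNS).
WEAK_SPF = "v=spf1 include:_spf.mail-provider.example +all"
WEAK_DMARC = "v=DMARC1; p=none; pct=100"
STRONG_SPF = "v=spf1 include:_spf.mail-provider.example -all"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s")

# SPF terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lowercased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of weaknesses in a DMARC record; an empty list means enforced."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not-dmarc: record does not start with v=DMARC1"]
    issues = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        issues.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    # sp defaults to p; only worth a separate finding when p itself is enforcing.
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        issues.append("sp=none: subdomains of an otherwise enforced domain can be spoofed")
    if "rua" not in tags:
        issues.append("no-rua: no aggregate reports, so abuse of the domain goes unseen")
    return issues


def assess_spf(record):
    """Return a list of weaknesses in an SPF record; an empty list means a hard fail
    for unauthorised senders and a lookup count within the RFC 7208 limit."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not-spf: record does not start with v=spf1"]
    issues = []
    final = terms[-1].lower()
    if final in ("+all", "all"):
        issues.append("+all: any host on the internet passes SPF for this domain")
    elif final == "?all":
        issues.append("?all: neutral result, no protection")
    elif final == "~all":
        issues.append("~all: softfail only; acceptable with DMARC enforced, weak on its own")
    elif final != "-all":
        issues.append("no-all: record does not end in an explicit all mechanism")
    lookups = 0
    for term in terms[1:]:
        # Strip the qualifier (+ - ~ ?) and any argument to get the mechanism name.
        name = term.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        issues.append(f"lookups={lookups}: exceeds the 10-lookup limit, receivers return permerror")
    return issues


def report(label, spf, dmarc):
    """Print a human-readable summary for one domain's pair of records."""
    print(f"== {label} ==")
    for issue in assess_spf(spf) or ["SPF: ok"]:
        print("  ", issue)
    for issue in assess_dmarc(dmarc) or ["DMARC: ok"]:
        print("  ", issue)


if __name__ == "__main__":
    report("weak", WEAK_SPF, WEAK_DMARC)
    report("strong", STRONG_SPF, STRONG_DMARC)
```

Note that SPF alone only protects the envelope sender; it is the DMARC policy that ties authentication to the "From" header the recipient actually sees, which is why a domain with a perfect SPF record and `p=none` is still freely spoofable.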

The Threat Is Evolving. Your Defenses Should Too.

Generative AI has made fake emails dramatically more convincing. Threat actors use large language models to craft messages that match the tone, terminology, and formatting of legitimate business communications. The era of spotting phishing by broken English is over.

What hasn't changed is the fundamental playbook: create urgency, exploit trust, and push the target to act before thinking. That's why ongoing training and a healthy culture of skepticism remain your most effective countermeasures. Every employee who pauses, inspects, and reports a fake email is a sensor in your security architecture.

Start building that capability today. Explore cybersecurity awareness training to give your team the skills they need, and deploy phishing simulation training to measure and improve your organization's resilience against the attacks that are already in your inbox.