In March 2022, the FBI's Internet Crime Complaint Center reported that Business Email Compromise — attacks built on a single convincing fake email — caused $2.4 billion in adjusted losses in 2021 alone. That made it the most financially devastating cybercrime category in the entire FBI IC3 annual report. Not ransomware. Not cryptojacking. Fake emails. The kind that land in your inbox looking perfectly routine — and drain your accounts within hours.

I've spent years training organizations to recognize these messages, and here's the uncomfortable truth: most people can't tell a well-crafted fake email from a real one on first glance. This post breaks down exactly how threat actors build these messages, what the real warning signs look like, and — most importantly — what you and your organization can do right now to stop falling for them.

What Exactly Is a Fake Email?

A fake email is any message designed to impersonate a trusted sender — a colleague, a vendor, a bank, or a service like Microsoft 365 — to trick the recipient into taking a harmful action. That action could be clicking a malicious link, downloading malware, wiring money, or handing over login credentials.

The technical umbrella includes phishing, spear phishing, and business email compromise (BEC). But they all share a common DNA: social engineering. The attacker exploits human trust, not software vulnerabilities.

The $2.4 Billion Problem Hiding in Your Inbox

The Verizon 2022 Data Breach Investigations Report found that 82% of breaches involved a human element, and phishing was the top action variety in social engineering incidents. That means fake emails remain the single most reliable door into your organization for a threat actor.

Think about it from the attacker's perspective. Why spend weeks hunting for a zero-day exploit when you can send 500 spoofed emails and get three people to click? The economics of cybercrime heavily favor fake email campaigns — they're cheap to run and devastatingly effective.

I've seen it firsthand. A mid-size accounting firm I consulted with in early 2022 lost $380,000 because one employee replied to a fake email that appeared to come from a managing partner. The message asked for an urgent wire transfer to close a deal. The email address was off by one character. Nobody noticed until the money was gone.

Why Traditional Spam Filters Miss the Worst Ones

Basic spam filters catch bulk junk: Nigerian prince scams, fake lottery wins, obvious malware attachments. But modern fake email attacks don't look like spam. They come from clean, recently registered domains; they pass SPF, DKIM and even DMARC checks, because the attacker owns the sending domain and published valid authentication records for it; they carry no attachments; and they include personalized details scraped from LinkedIn or company websites.

Spear phishing and BEC messages are designed to sail right past automated defenses because they look like normal business communication. That's why your last line of defense is always the human reading the message.

Anatomy of a Fake Email: What Threat Actors Actually Do

Let me walk you through the building blocks of a convincing fake email. Understanding the attacker's playbook is the first step toward not getting played.

1. Domain Spoofing and Lookalike Domains

Attackers either spoof the From header (the display name, or the address itself when the impersonated domain has no DMARC enforcement) or, more commonly now, register a domain that looks nearly identical. Think yourcompany-hr.com instead of yourcompany.com. Some swap an uppercase I for a lowercase l, which render identically in many sans-serif fonts, or the pair rn for m. Others add a subtle hyphen, swap .com for .co, or use an internationalized domain name whose non-Latin characters look like Latin ones.

In my experience, lookalike domains fool people more often than outright spoofs because they actually pass email authentication checks. The receiving mail server sees a domain whose SPF and DKIM records the attacker published, and lets the message through. DMARC on your own domain cannot help here, because nothing about the message claims to come from your domain.
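The character tricks above can be checked mechanically rather than by eye. The script below is an added example written for this post, not code from the original; the protected-domain list and the confusable tables are assumptions to adjust per site. It collapses both domains into a "skeleton" in which rn and m, i/l/1 and 0/o compare equal, then reports which trick makes a candidate resemble one of your domains: a swapped TLD, confusable characters, an added prefix, suffix or extra label, or a one-character typo.

```python
"""Lookalike-domain scoring for sender domains.

Added example for this post, not code from the original. The protected
domain list and the confusable tables are assumptions to adjust per site.
"""

# Constructed: domains whose impersonation you care about.
PROTECTED_DOMAINS = ["yourcompany.com", "microsoft.com"]

# Glyphs that render almost identically in common fonts, each mapped to one
# representative so that "rnicrosoft" and "microsoft" share a skeleton.
# Domains are compared lowercased, so an uppercase I arrives here as i.
DIGRAPH_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}
CHAR_CONFUSABLES = {"i": "l", "1": "l", "|": "l", "0": "o", "3": "e", "5": "s", "8": "b"}


def skeleton(label):
    """Collapse confusable characters so visually similar labels compare equal."""
    label = label.lower()
    for pair, rep in DIGRAPH_CONFUSABLES.items():
        label = label.replace(pair, rep)
    return "".join(CHAR_CONFUSABLES.get(ch, ch) for ch in label)


def split_name_tld(domain):
    """'yourcompany-hr.com' -> ('yourcompany-hr', 'com').

    Treats the last label as the TLD; two-part suffixes such as co.uk would
    need a public-suffix list, which this illustration leaves out."""
    labels = domain.lower().strip().rstrip(".").split(".")
    return ".".join(labels[:-1]), labels[-1]


def levenshtein(a, b):
    """Edit distance, used to catch single typosquats like yourcompanny."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(candidate, protected):
    """Name the trick that makes candidate resemble protected, or None.

    An exact match also returns None: a real match is not a lookalike."""
    cand_name, cand_tld = split_name_tld(candidate)
    prot_name, prot_tld = split_name_tld(protected)
    if cand_name == prot_name:
        return None if cand_tld == prot_tld else f"TLD swap (.{prot_tld} -> .{cand_tld})"
    if skeleton(cand_name) == skeleton(prot_name):
        return "confusable characters"
    if prot_name in cand_name:          # yourcompany-hr, yourcompany.com.evil
        return "added prefix, suffix or extra label"
    if levenshtein(cand_name, prot_name) <= 1:
        return "one-character edit"
    return None


def lookalike_reasons(candidate, protected=PROTECTED_DOMAINS):
    """Return [(protected_domain, reason), ...]; empty means no resemblance."""
    hits = []
    for prot in protected:
        reason = lookalike_reason(candidate, prot)
        if reason:
            hits.append((prot, reason))
    return hits


if __name__ == "__main__":
    for d in ["yourcompany-hr.com", "yourcornpany.com", "yourcompany.co",
              "yourcompanny.com", "rnicros0ft.com", "yourcompany.com", "example.org"]:
        print(f"{d:20} {lookalike_reasons(d) or 'no resemblance'}")
```

Feed it the domain part of the address you extract from the From header (and from Reply-To, which attackers often point elsewhere). The edit-distance threshold of one is deliberate: a looser threshold starts flagging unrelated short names, and the skeleton step already catches the substitutions that matter most.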

2. Emotional Pressure and Urgency

Nearly every fake email contains an urgency trigger. "Your account will be suspended in 24 hours." "The CEO needs this handled before end of day." "There's been suspicious activity on your account — verify now."

This isn't random. Attackers know that urgency short-circuits critical thinking. When your pulse spikes, you stop examining the sender address and start clicking. Phishing simulation results show the same pattern: messages that imply a time-sensitive consequence draw noticeably higher click rates than neutral ones.

3. Credential Harvesting Pages

The link in a fake email typically leads to a cloned login page, an exact replica of your Microsoft 365, Google Workspace, or banking portal. You type your username and password. The attacker captures both. If you don't have multi-factor authentication enabled, they're inside your account in seconds. MFA raises the bar but does not end the game: adversary-in-the-middle phishing kits proxy the real login page, relay your one-time code, and capture the authenticated session cookie, which they can replay without ever learning your second factor. Only phishing-resistant methods such as FIDO2 security keys and passkeys, which bind the login to the genuine site's origin, defeat that.

Credential theft from fake emails is the gateway to data breaches, lateral movement within networks, and ransomware deployment. One stolen password can cascade into a full organizational compromise.

4. Payload Delivery

Some fake emails carry malicious attachments, typically disguised as invoices, shipping confirmations, or document signing requests. Opening the file triggers a macro, a script, or an exploit that installs malware. Malware loaders such as Emotet and QakBot, whose infections served as the initial foothold for ransomware operators, relied heavily on this delivery mechanism throughout 2022. After Microsoft started blocking macros in Office files downloaded from the internet by default that year, those crews shifted to ISO images, LNK shortcuts and password-protected archives that sidestep the block, so "no macros" is not the same as "no payload."

How to Spot a Fake Email: 7 Specific Red Flags

Here are the concrete things I train people to look for. Not vague advice like "be careful." Actual, checkable signals.

  • Sender address mismatch. Hover over or expand the sender name so the actual address is visible. Does it match the display name? If "IT Support" is sending from a free webmail address or from a domain that isn't yours, that's a fake email.
  • Lookalike domain. Check the domain character by character. One swapped letter is all it takes. Read the address from the right: the registered domain is the label just before the top-level domain, so mail from login.microsoft.com.account-check.net belongs to account-check.net, not to Microsoft.
  • Generic greetings. "Dear Customer" or "Dear User" instead of your name — especially from a service that knows your name.
  • Urgency or threat language. Suspension, termination, legal action, account lockout — all designed to make you react, not think.
  • Unexpected attachments. If you weren't expecting a file, don't open it. Call the sender on a known number to verify.
  • Mismatched URLs. Hover over any link before clicking. Does the URL match the organization it claims to be from? A Microsoft login page shouldn't live at microsoft-verify.xyz.
  • Unusual requests. Any email asking you to change payment details, wire money, share credentials, or bypass normal procedures should trigger immediate verification through a second channel.

What Your Organization Should Do Right Now

Spotting fake emails individually is necessary but not sufficient. You need systematic defenses. Here's the layered approach I recommend to every organization I work with.

Implement Email Authentication Protocols

Deploy SPF, DKIM, and DMARC on your domain. DMARC in enforcement mode (p=reject) stops attackers from spoofing your exact domain to your clients, vendors, and employees; it does nothing against lookalike domains, which is why the human checks above still matter. Roll it out in stages: start at p=none with aggregate reports (the rua= address) to discover every legitimate service sending on your behalf, fix their SPF and DKIM alignment, then move to p=quarantine and finally p=reject, or you will reject your own mail. DHS Binding Operational Directive 18-01 (issued in 2017 and now maintained by CISA) required federal agencies to reach p=reject within a year. Your organization should meet the same standard.
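Whether a domain is actually in enforcement is visible in its TXT records (dig TXT yourcompany.com for SPF, dig TXT _dmarc.yourcompany.com for DMARC). The checker below is an added example for this post, not code from the original; it grades SPF and DMARC record strings without making DNS queries, using a constructed weak pair beside the corrected pair. It flags an SPF record that ends in +all or ?all, uses the deprecated ptr mechanism, or lists more than the ten lookup terms RFC 7208 allows, and a DMARC record that only monitors, applies the policy to a fraction of mail, weakens subdomains, or publishes no reporting address.

```python
"""Grade SPF and DMARC TXT records for enforcement strength.

Added example for this post, not code from the original. It works on
record strings only (no DNS queries); the four sample records are constructed.
"""

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_findings(record):
    """Return a list of weaknesses in one SPF record (empty = acceptable)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = term.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1
            if name == "ptr":
                findings.append("ptr mechanism is deprecated and unreliable; remove it")
    # Only the terms visible here are counted; each include: brings its own
    # lookups, so the true total is higher than this number.
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10; receivers return permerror")
    if all_qualifier is None:
        findings.append("no 'all' term: nothing is said about unlisted senders; add -all")
    elif all_qualifier == "+":
        findings.append("+all authorizes every host on the internet to send as this domain")
    elif all_qualifier == "?":
        findings.append("?all is neutral: unlisted senders are neither authorized nor rejected")
    elif all_qualifier == "~":
        findings.append("~all softfail is fine during rollout; move to -all once all senders are listed")
    return findings


def parse_dmarc(record):
    """'v=DMARC1; p=reject; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'reject', 'rua': 'mailto:x'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record):
    """Return a list of weaknesses in one DMARC record (empty = enforcing)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: must start with v=DMARC1"]
    findings = []
    p = tags.get("p", "").lower()
    if p == "none":
        findings.append("p=none only monitors: mail that fails authentication is still delivered")
    elif p == "quarantine":
        findings.append("p=quarantine sends failures to spam; move to p=reject once reports are clean")
    elif p != "reject":
        findings.append("p tag missing or invalid; receivers ignore the record")
    sp = tags.get("sp", p).lower()          # subdomain policy defaults to p
    if p == "reject" and sp != "reject":
        findings.append(f"sp={sp} leaves subdomains weaker than the organizational domain")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports showing who fails and why")
    return findings


# Constructed records: a weak pair and the corrected pair.
WEAK_SPF = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com a mx ptr ?all"
STRONG_SPF = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@yourcompany.com"

if __name__ == "__main__":
    for label, rec, grade in [("weak SPF", WEAK_SPF, spf_findings),
                              ("strong SPF", STRONG_SPF, spf_findings),
                              ("weak DMARC", WEAK_DMARC, dmarc_findings),
                              ("strong DMARC", STRONG_DMARC, dmarc_findings)]:
        print(label, "->", grade(rec) or ["ok"])
```

The lookup count is a lower bound: every include: you reference expands into that provider's own a, mx and include terms, and the evaluation fails with permerror once the total crosses ten, which silently turns your SPF into "no opinion." Resolve the includes before trusting the number.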

Enable Multi-Factor Authentication Everywhere

Even when a fake email succeeds in harvesting credentials, multi-factor authentication (MFA) blocks the attacker from using them on their own. MFA is the single highest-impact control you can deploy against credential theft. Not all MFA is equal, though: SMS codes and simple push approvals can be phished through a proxy page or worn down with repeated prompts, so prefer number matching on push and phishing-resistant FIDO2 keys or passkeys, starting with administrators and finance staff. If you only do one thing after reading this post, turn on MFA for email, VPN, and all cloud services.

Run Regular Phishing Simulations

Testing your employees with realistic phishing simulations isn't about catching people making mistakes — it's about building muscle memory. When someone sees a simulated fake email that mirrors real attack patterns, they learn to pause and verify before clicking.

Our phishing awareness training for organizations provides scenario-based simulations modeled on current attack techniques. It's the kind of hands-on practice that actually changes behavior.

Adopt a Zero Trust Mindset

Zero trust isn't just a network architecture buzzword — it's a philosophy. Never trust an email, a request, or a login session by default. Verify identity, verify context, verify the request through an independent channel. This mindset applies to every employee, from the intern to the CEO.

Build a Security Awareness Culture

Technical controls catch a percentage of fake emails. Your people catch the rest. But only if they've been trained — and trained consistently, not once a year with a forgettable slide deck.

Comprehensive cybersecurity awareness training should cover social engineering, credential theft, ransomware prevention, and how to report suspicious messages. The organizations I've seen with the lowest click rates on phishing tests are the ones that train quarterly and keep the content relevant to current threats.

What to Do If You've Already Clicked

Mistakes happen. Here's the immediate response protocol I give every client.

  • Don't panic, but move fast. Disconnect from the network if you suspect malware was downloaded.
  • Change your password immediately, from a different, known-safe device, and sign out of all active sessions. A stolen session cookie survives a password change.
  • Enable MFA on the compromised account if it wasn't already active.
  • Report it. Notify your IT or security team. Forward the email to your internal abuse address. File a report with the FBI's IC3 if financial loss is involved.
  • Monitor for follow-on activity. Check for forwarding or inbox rules added to your email, unauthorized logins, new MFA devices or app passwords registered on the account, OAuth applications granted access to it, and password reset requests on other accounts.
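The inbox-rule check in the last step is worth automating, because attackers who take over a mailbox almost always add rules to hide what they are doing. Below is an added example, not from the original post and not Microsoft's code: it triages mailbox rules in the shape Exchange Online's Get-InboxRule cmdlet returns (the field names and the three sample rules are constructed to mimic that output, and the organization domain and keyword lists are assumptions) and flags the patterns BEC actors leave behind: forwarding or redirecting to external addresses, deleting matching mail or moving it to folders nobody opens, filtering on payment or security keywords, marking messages read, and one-character rule names.

```python
"""Triage mailbox inbox rules for the patterns BEC actors leave behind.

Added example for this post, not code from the original or from Microsoft.
The rule dictionaries mimic fields returned by Exchange Online's
Get-InboxRule cmdlet; the sample rules, domain and keyword lists are constructed.
"""

ORG_DOMAINS = {"yourcompany.com"}
# Folders victims rarely open; attackers park replies and warnings here.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                "deleted items", "conversation history"}
# Subject/body filters typical of invoice fraud and of hiding security warnings.
WATCH_WORDS = {"invoice", "payment", "wire", "bank", "password", "mfa",
               "suspicious", "hacked", "phishing", "fraud"}


def external_addresses(addresses):
    """Addresses whose domain is not one of the organization's own."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS]


def triage_rule(rule):
    """Return the reasons one rule looks attacker-created (empty = nothing odd)."""
    reasons = []
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    ext = external_addresses(targets)
    if ext:
        reasons.append("forwards or redirects mail outside the organization: " + ", ".join(ext))
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching messages")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDE_FOLDERS:
        reasons.append(f"moves matching messages to {rule['MoveToFolder']!r}, a folder users rarely open")
    words = {w.lower() for w in rule.get("SubjectContainsWords", []) + rule.get("BodyContainsWords", [])}
    hits = sorted(words & WATCH_WORDS)
    if hits:
        reasons.append("filters on payment or security keywords: " + ", ".join(hits))
    name = rule.get("Name", "").strip()
    if len(name) <= 2 or not any(ch.isalnum() for ch in name):
        reasons.append(f"non-descriptive rule name {name!r}")
    if rule.get("MarkAsRead") and (ext or folder in HIDE_FOLDERS or hits):
        reasons.append("marks messages read so the owner never sees them as new")
    return reasons


def triage_rules(rules):
    """Return [(rule name, reasons), ...] for every rule with at least one reason."""
    findings = []
    for rule in rules:
        reasons = triage_rule(rule)
        if reasons:
            findings.append((rule.get("Name", ""), reasons))
    return findings


# Constructed: two rules in the style attackers create, one legitimate rule.
SAMPLE_RULES = [
    {"Name": ".", "Enabled": True, "ForwardTo": ["archive.backup99@gmail.com"],
     "DeleteMessage": True, "MarkAsRead": True,
     "SubjectContainsWords": ["invoice", "wire", "payment"]},
    {"Name": "Cleanup", "Enabled": True, "MoveToFolder": "RSS Feeds", "MarkAsRead": True,
     "BodyContainsWords": ["password", "suspicious", "hacked", "phishing"]},
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Reading",
     "SubjectContainsWords": ["newsletter", "digest"]},
]

if __name__ == "__main__":
    for name, reasons in triage_rules(SAMPLE_RULES):
        print(f"rule {name!r}:")
        for reason in reasons:
            print("   -", reason)
```

In practice you would export the rules with Get-InboxRule for the affected mailbox and confirm when they appeared with Search-UnifiedAuditLog filtered on the New-InboxRule and Set-InboxRule operations; the rule's creation time usually marks the moment the attacker logged in, which bounds the rest of the investigation.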

Speed matters. The window between a successful credential theft and the attacker leveraging that access is often measured in minutes, not days.

Why Fake Emails Will Get Worse in 2023

Attackers are already using AI-powered tools to generate more convincing phishing text, eliminate the grammar mistakes that used to be telltale signs, and personalize messages at scale. The barrier to creating a perfect fake email is dropping fast.

Deepfake audio is also entering the picture. In 2020, attackers used AI-generated voice to impersonate a company director and authorize a $35 million bank transfer. Combine that with a spoofed email thread, and you have a social engineering attack that's nearly impossible to distinguish from reality without verification procedures in place.

The organizations that survive this next wave will be the ones investing now in both technical controls and human training. Not one or the other. Both.

The Bottom Line: Verify Everything, Trust Nothing

Every data breach has a starting point. In the majority of cases, that starting point is a single fake email that one person trusted. The fix isn't paranoia — it's process. Verify sender addresses. Confirm unusual requests through a second channel. Deploy MFA. Train your people relentlessly.

Start with the fundamentals. Enroll your team in phishing awareness training and build out your security awareness program. The threat actors aren't slowing down. Your defenses shouldn't either.