A Single Fake Email Cost Facebook and Google $120 Million

Between 2013 and 2015, a Lithuanian man named Evaldas Rimasauskas sent a series of fake email messages to employees at Facebook and Google. He impersonated a legitimate hardware vendor, complete with forged invoices and contracts. By the time both companies realized what happened, they had wired over $120 million to fraudulent bank accounts. The DOJ announced charges in 2019, but the damage had been done years earlier.

That's the power of a single convincing fake email. Not malware. Not a zero-day exploit. Just a well-crafted message that looked real enough for smart people to act on it.

If you think your organization is too savvy to fall for this, I'd encourage you to keep reading. I've spent years watching companies of every size get burned by emails that should have raised red flags — but didn't. This post breaks down exactly how fake emails work, what they look like in the wild, and the specific steps you can take to protect yourself and your team right now in 2021.

What Exactly Is a Fake Email?

A fake email is any message designed to deceive the recipient about the sender's identity, intent, or content. It can take several forms: a spoofed sender address, a phishing link disguised as a login page, or a carefully impersonated executive requesting a wire transfer. The goal is always the same — trick you into doing something you wouldn't do if you knew the truth.

Threat actors use fake emails because they work. According to Verizon's 2021 Data Breach Investigations Report, 36% of all data breaches involved phishing — up from 25% the year before. That's the largest single attack vector in the entire report. Email remains the front door for most cyberattacks, and it's not even close.

The 5 Types of Fake Email You'll Actually Encounter

1. Spoofed Sender Emails

The "From" field in an email is shockingly easy to forge. Without proper authentication protocols in place (SPF, DKIM, DMARC), anyone can send a message that appears to come from your CEO, your bank, or your IT department. Most recipients never look past the display name.

2. Phishing Emails

These are the workhorses of cybercrime. A phishing email typically mimics a trusted brand — Microsoft 365, Amazon, DocuSign — and pushes you toward a fake login page designed for credential theft. Once the attacker has your password, they own your account. If you haven't enabled multi-factor authentication, they're in within seconds.

3. Spear Phishing

Unlike mass phishing campaigns, spear phishing targets specific individuals. The attacker researches you on LinkedIn, reads your company's press releases, and crafts a message that references real projects, real colleagues, or real events. These are devastatingly effective because they feel personal.

4. Business Email Compromise (BEC)

BEC is the big money play. The FBI's 2020 Internet Crime Report documented $1.8 billion in BEC losses — making it the costliest cybercrime category by far. In a BEC attack, the threat actor either compromises or impersonates an executive's email account and instructs an employee to transfer funds, change payment details, or send sensitive data.

5. Malware-Laden Emails

Some fake emails carry malicious attachments — Word documents with embedded macros, PDFs with exploit code, or ZIP files containing ransomware. The Colonial Pipeline attack in May 2021 reminded everyone how devastating ransomware can be. While that particular intrusion began with a compromised VPN credential rather than an email, many ransomware infections begin with a single malicious email attachment.

How to Spot a Fake Email in Under 30 Seconds

Here's what I tell every team I train: slow down. Attackers rely on urgency. They want you to click before you think. Here's a rapid checklist you can use on any suspicious message.

  • Check the actual sender address. Click or hover on the display name. If the email claims to be from "Microsoft Support" but the address is [email protected], that's your answer.
  • Look for urgency and threats. "Your account will be locked in 24 hours." "Immediate action required." "Failure to respond will result in legal action." Real organizations rarely communicate this way.
  • Hover over every link before clicking. On desktop, hovering reveals the actual URL. If it doesn't match the supposed sender's domain, don't click. Period.
  • Watch for generic greetings. "Dear Customer" or "Dear User" from a company that should know your name is a red flag.
  • Inspect attachments with suspicion. Were you expecting this file? Is the file type unusual (.exe, .scr, .js)? When in doubt, verify with the sender through a separate communication channel.
  • Check for grammar and formatting issues. Many fake emails originate from non-native speakers or use templates with subtle errors. Mismatched fonts, odd spacing, and broken logos all signal trouble.

This 30-second habit can save your organization millions. I've seen it work firsthand in phishing simulation exercises where click rates drop by over 60% after employees learn these cues.
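The six cues above can be turned into a first-pass triage script for a security team's phishing-report queue, so that reported messages arrive with the red flags already marked. The script below is an added example, not code from the original post: it uses only Python's standard library, the two messages it inspects are constructed for the example, and the brand list, the phrase lists, the regex-based link extraction and the two-label "organizational domain" shortcut are all assumptions that a real deployment would replace with richer lists, a proper HTML parser and the Public Suffix List.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed heuristic lists for this example; a real deployment uses far richer ones.
BRANDS = ("microsoft", "amazon", "docusign", "paypal")
URGENCY_PHRASES = ("immediate action required", "account will be locked",
                   "legal action", "verify your account")
GENERIC_GREETINGS = ("dear customer", "dear user")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".iso", ".lnk")
# Good enough for the example; a production tool should use a real HTML parser.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable_domain(host):
    """Crude organizational domain (last two labels). An assumption for the example;
    real code consults the Public Suffix List so that example.co.uk works."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(raw):
    """Run the checklist cues over a raw RFC 5322 message; return a list of findings."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # Cue 1: the display name claims a brand that the actual sender domain does not carry.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    for brand in BRANDS:
        if brand in display.lower() and brand not in sender_domain:
            findings.append(f"display name '{display}' but sender domain is '{sender_domain}'")

    # Gather subject, plain text, de-tagged HTML, and the anchors from HTML parts.
    texts, links = [msg.get("Subject", "")], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            texts.append(part.get_content())
        elif ctype == "text/html":
            html = part.get_content()
            links.extend((href, re.sub(r"<[^>]+>", " ", text).strip())
                         for href, text in ANCHOR_RE.findall(html))
            texts.append(re.sub(r"<[^>]+>", " ", html))
    body = " ".join(texts).lower()

    # Cue 2: urgency and threats.
    findings += [f"urgency phrase: '{p}'" for p in URGENCY_PHRASES if p in body]

    # Cue 3: a link whose real target (what hovering shows) is outside the sender's domain.
    for href, text in links:
        host = urlparse(href).hostname or ""
        if host and sender_domain and registrable_domain(host) != registrable_domain(sender_domain):
            findings.append(f"link '{text or href}' goes to {host}, not {sender_domain}")

    # Cue 4: generic greeting.
    findings += [f"generic greeting: '{g}'" for g in GENERIC_GREETINGS if g in body]

    # Cue 5: risky attachment type (the double extension is a classic tell).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {name}")
    return findings


def build_phishing_sample():
    """Constructed message in the style the checklist describes (not a real campaign)."""
    m = EmailMessage()
    m["From"] = '"Microsoft Support" <support@account-alerts.example>'
    m["To"] = "employee@corp.example"
    m["Subject"] = "Immediate action required"
    m.set_content("Dear Customer, your account will be locked in 24 hours.")
    m.add_alternative('<p>Dear Customer,</p><p>Your account will be locked in 24 hours. '
                      '<a href="http://login.verify-portal.example/signin">Sign in</a></p>',
                      subtype="html")
    m.add_attachment(b"not really an executable", maintype="application",
                     subtype="octet-stream", filename="invoice.pdf.exe")
    return m.as_string()


def build_benign_sample():
    """Constructed ordinary internal message; should yield no findings."""
    m = EmailMessage()
    m["From"] = '"Alice Smith" <alice@corp.example>'
    m["To"] = "bob@corp.example"
    m["Subject"] = "Q3 planning notes"
    m.set_content("Hi Bob, the notes are on the wiki. See you Monday.")
    return m.as_string()


if __name__ == "__main__":
    for finding in triage(build_phishing_sample()):
        print("-", finding)
```

Run against the constructed phishing sample it reports all five cues (the brand mismatch, two urgency phrases, the off-domain link, the generic greeting and the double-extension attachment); the benign internal message produces nothing. Each cue is a heuristic, so the output belongs in front of an analyst or in a scoring pipeline, not in an automatic block decision.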

The $4.88M Lesson Most Organizations Learn Too Late

IBM's 2021 Cost of a Data Breach Report pegged the average cost of a data breach at $4.24 million globally — and $9.05 million in the United States. A significant percentage of those breaches start with social engineering through email. The math is simple: investing in detection and training costs a fraction of what a single successful fake email can cost you.

Yet most organizations still treat security awareness as an annual checkbox. A once-a-year slideshow doesn't change behavior. What changes behavior is repeated, realistic practice — which is exactly why phishing awareness training for organizations uses simulated attacks to build muscle memory in your employees.

Technical Defenses That Actually Work Against Fake Email

Email Authentication: SPF, DKIM, and DMARC

If you haven't configured these three protocols, you're leaving the front door unlocked. SPF (Sender Policy Framework) tells receiving servers which IP addresses are authorized to send on your behalf. DKIM (DomainKeys Identified Mail) adds a cryptographic signature. DMARC ties them together with a policy that tells receivers what to do when checks fail.

CISA has been urging federal agencies and private organizations to adopt DMARC for years. Their Binding Operational Directive 18-01 required all federal agencies to implement DMARC. If it's good enough for the federal government, it should be on your priority list.
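The spoofing problem from section 1 and the three protocols above come together in the receiver's DMARC check: it is not enough for SPF or DKIM to pass, the domain that passed has to align with the domain in the From header the user actually sees. The following is an added example, not code from the post or any mail server: it takes the DMARC record (which a real receiver fetches from DNS at _dmarc.<domain>) and the SPF and DKIM outcomes as inputs and returns the pass/fail decision and the disposition the policy asks for. The record and domains are constructed placeholders, the organizational-domain helper is simplified to the last two labels, and the pct= sampling tag is ignored.

```python
def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; ...' into a {tag: value} dict."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels for the example
    (real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match with the From: domain,
    'r' (relaxed, the default) accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain, record, spf_result, spf_domain, dkim_result, dkim_domain):
    """Decide (dmarc_pass, disposition) for one message.

    from_domain: domain of the RFC5322.From header the user sees.
    spf_domain:  envelope (MAIL FROM) domain that SPF was evaluated for.
    dkim_domain: d= tag of a DKIM signature that verified ("" if none did).
    record:      the TXT record at _dmarc.<from_domain>, fetched separately.
    """
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return True, "none"
    disposition = tags.get("p", "none")
    # sp= overrides p= for mail whose From: is a subdomain of the organizational domain.
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        disposition = tags["sp"]
    return False, disposition


# Constructed record for a placeholder domain.
CORP_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@corp.example"

if __name__ == "__main__":
    # Legitimate bulk mail: SPF passes for the bounce subdomain and relaxed aspf aligns it.
    print(evaluate_dmarc("corp.example", CORP_RECORD, "pass", "bounce.corp.example", "none", ""))
    # Spoof: SPF "passes" for the attacker's own envelope domain, but nothing aligns with
    # the From: the user sees, so p=reject applies. This is why SPF alone is not enough.
    print(evaluate_dmarc("corp.example", CORP_RECORD, "pass", "attacker-owned.example", "none", ""))
```

The second case is the one worth remembering when you read SPF-only setups: a message can carry a perfectly valid SPF pass for some unrelated envelope domain while the From header shows your company. Only the alignment step, which DMARC adds, connects the two.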

Multi-Factor Authentication (MFA)

Even if an attacker steals credentials through a fake email, MFA adds a second barrier. A password alone isn't enough. I've seen organizations reduce account takeover incidents by over 90% simply by enforcing MFA across all email accounts. It's the single highest-impact technical control you can deploy today.

Email Filtering and Sandboxing

Modern email gateways can quarantine messages with suspicious links, detonate attachments in sandboxed environments, and flag impersonation attempts. No filter catches everything — which is why human training remains essential — but a good email filter eliminates the bulk of low-effort attacks before they reach inboxes.

Zero Trust Architecture

Zero trust assumes no user or device is inherently trustworthy. Every access request is verified, every session is monitored, and lateral movement is restricted. If a fake email does lead to a compromised account, zero trust principles limit the blast radius. NIST's SP 800-207 provides the framework — and it's worth reading if you're planning your security architecture.

Training Your Team: The Only Defense That Scales

Technology catches known threats. Humans catch novel ones. That's why security awareness training isn't optional — it's the difference between a blocked attack and a catastrophic breach.

In my experience, the most effective training programs share three traits. They're continuous, not annual. They use realistic phishing simulations. And they provide immediate, specific feedback when someone fails a test.

If you're building a program from scratch or looking to strengthen what you already have, start with cybersecurity awareness training that covers the full landscape — from social engineering tactics to password hygiene to incident reporting. Then layer in targeted phishing simulation exercises that test your team with the same techniques real attackers use.

The combination of broad awareness and focused simulation practice is what moves the needle. I've watched organizations go from a 30% phishing click rate to under 5% within six months using this approach.

What Should I Do If I Receive a Fake Email?

This is the question I get asked more than any other, so here's a clear, step-by-step answer:

  • Don't click any links or open any attachments. This sounds obvious, but in the moment — especially when the message appears urgent — people click first and think second.
  • Don't reply. Replying confirms your address is active and can provide the attacker with additional information.
  • Report it immediately. Forward the message to your IT or security team. If your organization has a "Report Phishing" button in the email client, use it. If the email impersonates a specific company, forward it to that company's abuse address (e.g., [email protected] for IRS impersonation).
  • If you already clicked, act fast. Change your password immediately. Enable MFA if it's not already on. Alert your IT team so they can check for unauthorized access. If you entered payment information, contact your bank.
  • Document everything. Take screenshots. Note the sender address, subject line, and any URLs. This information helps your security team analyze the attack and warn others.

Why Fake Email Attacks Are Getting Worse in 2021

The shift to remote work accelerated every email-based attack vector. Employees working from home are outside the corporate network perimeter. They're using personal devices. They're juggling Slack, Zoom, and email simultaneously — which means they're distracted. Attackers know this.

The FBI reported a 69% increase in cybercrime complaints from 2019 to 2020, with phishing and related social engineering leading the pack. That trend has continued through 2021. Ransomware groups like DarkSide and REvil have dominated headlines, but their initial access often traces back to a compromised email credential or a fake email that delivered a malicious payload.

Remote work isn't going away. Neither are fake emails. The organizations that thrive will be the ones that treat email security as a continuous practice — not a one-time project.

Your 7-Day Action Plan

Here's what you can accomplish in the next week to dramatically reduce your exposure to fake email attacks:

  • Day 1: Audit your DMARC, SPF, and DKIM records. If they're not configured, start now.
  • Day 2: Enforce multi-factor authentication on all email accounts. No exceptions for executives.
  • Day 3: Review your email filtering rules. Ensure impersonation protection is enabled for high-value targets (C-suite, finance, HR).
  • Day 4: Launch a baseline phishing simulation to measure your team's current click rate.
  • Day 5: Enroll your team in cybersecurity awareness training that covers email threats, social engineering, and incident response.
  • Day 6: Establish a clear reporting process. Make it easy for employees to flag suspicious emails without fear of punishment.
  • Day 7: Schedule monthly phishing simulations and quarterly training refreshers. Consistency builds habits.

Every one of these steps is practical, measurable, and within reach — regardless of your organization's size or budget. The threat actors sending fake emails aren't taking days off. Neither should your defenses.
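For the Day 1 audit, the records themselves are what you are checking. The linter below is an added example, not from the post: it takes the SPF and DMARC TXT strings you get back from dig and flags the settings that leave spoofing possible, with a weak pair of records placed beside a corrected pair. The domain corp.example, the address 203.0.113.10 and both record sets are constructed placeholders; the SPF check counts lookup-causing terms only at the top level (it does not follow include: chains), and the DMARC check covers the tags that matter for enforcement.

```python
import re

# Fetch the inputs with, for example:
#   dig +short TXT corp.example          (SPF lives at the domain apex)
#   dig +short TXT _dmarc.corp.example   (DMARC)
# then pass the quoted strings to lint_spf() / lint_dmarc() or audit().


def _mechanism_name(term):
    """Strip the qualifier (+ - ~ ?) and return the mechanism or modifier name."""
    return re.split(r"[:/=]", term.lower().lstrip("+-~?"), maxsplit=1)[0]


def lint_spf(record):
    """Flag the weak settings in a published SPF TXT record."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    terminal = terms[-1].lower()
    if terminal in ("+all", "all", "?all"):
        findings.append(f"'{terminal}' authorises every host on the internet to send as you; use -all")
    elif terminal == "~all":
        findings.append("~all (softfail) is fine during rollout; move to -all once all senders are listed")
    elif terminal != "-all":
        findings.append("record does not end in an all mechanism, so unlisted senders get a neutral result")
    # RFC 7208 section 4.6.4 limits DNS-querying terms to 10. Only top-level terms are
    # counted here; nested include: chains would still need to be followed.
    lookup_terms = ("include", "a", "mx", "ptr", "exists", "redirect")
    lookups = sum(1 for t in terms[1:] if _mechanism_name(t) in lookup_terms)
    if lookups > 10:
        findings.append(f"{lookups} lookup-causing terms exceed the 10-lookup limit (evaluates to permerror)")
    if any(_mechanism_name(t) == "ptr" for t in terms[1:]):
        findings.append("ptr is deprecated (slow and unreliable); replace it with ip4:/ip6:/include:")
    return findings


def lint_dmarc(record):
    """Flag the weak settings in a published DMARC TXT record."""
    findings = []
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofs to junk folders; p=reject stops them")
    if "rua" not in tags:
        findings.append("no rua= address, so you receive no aggregate reports showing who sends as you")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']} applies the policy to only a sample of failing mail")
    if policy != "none" and tags.get("sp", policy) == "none":
        findings.append("sp=none leaves every subdomain open to spoofing")
    return findings


def audit(records):
    """records: {'spf': <TXT at the apex>, 'dmarc': <TXT at _dmarc.<domain>>}."""
    return {"spf": lint_spf(records["spf"]), "dmarc": lint_dmarc(records["dmarc"])}


# Constructed records for the placeholder domain corp.example.
WEAK = {"spf": "v=spf1 include:_spf.mailprovider.example a mx ptr +all",
        "dmarc": "v=DMARC1; p=none"}
HARDENED = {"spf": "v=spf1 include:_spf.mailprovider.example ip4:203.0.113.10 -all",
            "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@corp.example"}

if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(recs))
```

Moving from the weak pair to the hardened pair is the usual rollout order: fix the SPF terminal mechanism and drop ptr first, then publish DMARC at p=none with an rua= address to see who is actually sending as you, and only then step up to p=quarantine and p=reject once legitimate senders all align.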