A Single Fake Email Cost Facebook and Google $100 Million
Between 2013 and 2015, a Lithuanian man named Evaldas Rimasauskas sent a series of fake email messages to employees at Facebook and Google. He impersonated a legitimate hardware vendor, attached fraudulent invoices, and directed payments to bank accounts he controlled. By the time anyone noticed, he had stolen over $100 million from two of the most technically sophisticated companies on the planet.
If it can happen to them, it can happen to your organization. And the tactics have only gotten sharper since then.
This post breaks down exactly how a fake email works, what makes them so effective, and the specific steps you can take to protect yourself and your team. Whether you're an IT professional, a business owner, or just someone who opens email every day, this is the practical guide you need.
What Exactly Is a Fake Email?
A fake email is any message designed to deceive the recipient about its true origin, purpose, or content. The term covers a broad spectrum — from crude spam blasts to surgically targeted business email compromise (BEC) attacks that fool C-suite executives.
Here's the core distinction most people miss: a fake email doesn't have to contain malware. Many of the most damaging ones never trip an antivirus alert. They simply ask you to do something — wire money, share credentials, update a payment account — and they do it convincingly.
The Three Flavors of Fake Email You'll Actually Encounter
- Spoofed sender emails: The "From" address is forged to look like a trusted contact, your bank, or a government agency. The underlying headers tell a different story, but most people never check.
- Compromised account emails: A threat actor gains access to a real email account — often through credential theft — and sends messages from it. These are especially dangerous because the sender address is legitimate.
- Lookalike domain emails: The attacker registers a domain like "micros0ft-support.com" and sends messages from it. At a glance, it passes inspection. On closer look, it's a trap.
Why Fake Emails Still Work in 2026
I've seen organizations spend six figures on email security gateways and still get burned by a well-crafted fake email. The reason is simple: these attacks target people, not technology.
According to the Verizon Data Breach Investigations Report, the human element is involved in the majority of breaches year after year. Social engineering — manipulating someone into taking an action — remains the most reliable weapon in an attacker's arsenal.
Here's what actually makes fake emails so effective:
- Urgency: "Your account will be suspended in 24 hours." Panic overrides critical thinking.
- Authority: An email that appears to come from your CEO carries weight. People comply first and question later.
- Familiarity: If the message looks like every other email from your payroll provider, your brain processes it on autopilot.
- AI-generated content: Generative AI has largely removed the spelling mistakes and awkward phrasing that used to be dead giveaways. Modern fake emails read like polished corporate correspondence.
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. A significant portion of those breaches started with phishing — a fake email that tricked an employee into surrendering credentials or clicking a malicious link.
The FBI's Internet Crime Complaint Center (IC3) has consistently ranked BEC and phishing among the costliest cybercrimes reported. In many cases, the initial attack vector was a single deceptive message that looked perfectly routine.
The math is straightforward. The cost of training your people to recognize fake emails is a rounding error compared to the cost of a breach. If you haven't started, our cybersecurity awareness training program is built specifically to close that gap.
How to Spot a Fake Email: A Practical Checklist
Forget the generic advice about "looking for typos." Well-resourced threat actors rarely make those mistakes any more. Here's what actually works in my experience:
1. Inspect the Full Sender Address
Don't just glance at the display name. Hover over it or tap on it to reveal the actual email address. A display name of "John Smith" can sit in front of an address on a domain that has nothing to do with John Smith or his company. That mismatch is your first red flag.
2. Check for Domain Impersonation
Look at the domain character by character. Attackers swap "rn" for "m," use a zero instead of "o," or add extra characters. A domain that spells a brand's name with one of those substitutions is not that brand, however close it looks at a glance.
3. Examine Links Before Clicking
Hover over every link. Does the URL match the supposed sender's domain? If an email claims to be from Microsoft but links to "login-verify-microsoft.sketchy-domain.com," that's a fake email trying to harvest your credentials.
4. Question Unusual Requests
Any email asking you to change payment details, wire money, share passwords, or download attachments outside normal business processes deserves a phone call to verify. Use a known number, not one from the email itself.
5. Look at Email Headers
For technical staff, the email headers reveal the actual sending server, the SPF/DKIM/DMARC authentication results, and the routing path. Read them with care: a failed SPF check on its own is weaker evidence than it looks, because legitimately forwarded mail fails SPF all the time, while a DMARC failure (no SPF or DKIM pass aligned with the From domain) is a strong sign the From header was forged. The reverse caveat matters too: a lookalike domain the attacker registered will usually pass all three checks, because the attacker configured them.
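The five checks above, run in code against two constructed messages. This is an added example for this post, not code from the original article: the trusted-domain list, the confusable table and both sample emails (with their Authentication-Results lines) are assumptions made up for the demo. The first sample is a lookalike domain the attacker owns, so every authentication check passes and only the domain and link checks catch it; the second is a forged From header on a real vendor domain, where SPF passes for the attacker's envelope domain but nothing aligns with the From domain.

```python
"""Triage a suspicious email the way the checklist does, in code.

Added example, not code from the post. TRUSTED_DOMAINS, CONFUSABLES and
the two raw messages below are constructed for the demo.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains this organisation legitimately deals with (assumed for the demo).
TRUSTED_DOMAINS = ("microsoft.com", "amazon.com", "example-vendor.com")

# Substitutions attackers use to build lookalike names (a small, toy table).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def registrable(host):
    """Crude eTLD+1: the last two labels. Fine for .com, wrong for .co.uk;
    production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(host):
    """Return the trusted domain that `host` imitates, or None if `host` is a
    trusted domain (or a subdomain of one) or is simply unrelated."""
    if registrable(host) in TRUSTED_DOMAINS:
        return None
    folded = host.lower()
    for bad, good in CONFUSABLES.items():
        folded = folded.replace(bad, good)
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in folded:  # brand name anywhere in the host
            return trusted
    return None


def triage(raw):
    """Run the checklist items and return the list of red flags found."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []

    # 1. Display name versus the real address behind it.
    display, addr = parseaddr(str(msg["From"]))
    from_domain = addr.rpartition("@")[2].lower()
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in display.lower() and registrable(from_domain) != trusted:
            flags.append(f'display name "{display}" claims {trusted} but address is {addr}')

    # 2. Lookalike sender domain (rn/m, 0/o, brand name inside a foreign domain).
    brand = lookalike_of(from_domain)
    if brand:
        flags.append(f"sender domain {from_domain} imitates {brand}")

    # 5a. Envelope sender (Return-Path) on a different domain than From.
    bounce = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    if bounce and registrable(bounce) != registrable(from_domain):
        flags.append(f"Return-Path domain {bounce} differs from From domain {from_domain}")

    # 5b. SPF/DKIM/DMARC results recorded by the receiving server.
    results = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", results)
        if m and m.group(1) != "pass":
            flags.append(f"{mech}={m.group(1)}")

    # 3. Every link: does its domain match the sender, and does it imitate a brand?
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in re.findall(r'href="([^"]+)"', text):
        host = urlparse(url).hostname or ""
        if registrable(host) != registrable(from_domain):
            flags.append(f"link to {host} does not match sender domain {from_domain}")
        brand = lookalike_of(host)
        if brand:
            flags.append(f"link host {host} imitates {brand}")
    return flags


# Constructed sample 1: lookalike domain the attacker owns, so SPF, DKIM and DMARC all pass.
LOOKALIKE_RAW = """\
Return-Path: <security@micros0ft-support.com>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=micros0ft-support.com;
 dkim=pass header.d=micros0ft-support.com; dmarc=pass header.from=micros0ft-support.com
From: "Microsoft Account Team" <security@micros0ft-support.com>
To: victim@example.com
Subject: Action required: unusual sign-in activity
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended in 24 hours.</p>
<a href="https://login-verify-microsoft.sketchy-domain.example/auth">Verify now</a>
</body></html>
"""

# Constructed sample 2: forged From header on a real vendor domain. SPF passes for the
# attacker's envelope domain, but DMARC fails because nothing aligns with the From domain.
FORGED_FROM_RAW = """\
Return-Path: <bounce@mailer-farm.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=mailer-farm.example;
 dkim=none; dmarc=fail header.from=example-vendor.com
From: "Acme Accounts Payable" <ap@example-vendor.com>
To: victim@example.com
Subject: Updated remittance details
Content-Type: text/plain; charset="utf-8"

Please route this month's payment to our new account. Details attached.
"""

if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE_RAW), ("forged From", FORGED_FROM_RAW)):
        print(name, triage(raw), sep=": ")
```

The lookalike sample produces no authentication findings at all; it is caught only by the display-name, domain and link checks. The forged-From sample is the opposite: the headers are what give it away. The confusable folding is deliberately crude (it will, for example, turn "internet" into "intemet"), so treat matches as prompts for a human look, not verdicts.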
What Should You Do If You Receive a Fake Email?
This is the question I get asked most often, so here it is directly:
If you receive a fake email: Do not click any links, do not download attachments, and do not reply. Report it to your IT or security team immediately. If your organization uses a "Report Phishing" button in your email client, use it. Forward the email as an attachment (not inline) to preserve the headers. If the email impersonates a specific company, report it to that company and to the Cybersecurity and Infrastructure Security Agency (CISA).
If you clicked a link or entered credentials, change your password immediately, sign out of all active sessions on that account (a stolen session token can outlive the old password), enable multi-factor authentication on every account that supports it, and notify your security team so they can monitor for unauthorized access.
Building a Human Firewall Against Fake Emails
Technology alone won't solve this. Email security gateways, DMARC policies, and AI-based filters are necessary — but they're not sufficient. The Verizon DBIR makes this clear year after year: attackers adapt faster than filters can catch up.
What actually moves the needle is consistent, realistic security awareness training combined with regular phishing simulation exercises. Your employees need to practice identifying fake emails in a safe environment so they're ready when a real one lands in their inbox.
I've watched organizations cut their phishing click rates by more than half within six months of implementing structured training. It's not magic — it's repetition and accountability.
Our phishing awareness training for organizations uses real-world scenarios to test and teach your team. It's built for the attacks happening right now, not the ones from five years ago.
Technical Defenses You Should Already Have in Place
Training is the foundation, but you need the infrastructure to back it up. Here's the minimum stack I recommend:
- SPF, DKIM, and DMARC: These email authentication protocols let receiving servers verify that messages claiming to come from your domain actually do. If you haven't published a DMARC record with a "reject" policy, spoofed emails using your exact domain are probably getting delivered to other people's inboxes right now. Note what DMARC does not cover: a lookalike domain belongs to the attacker, who can publish perfectly valid SPF, DKIM and DMARC records for it, so lookalikes need separate controls such as domain-registration monitoring.
- Multi-factor authentication (MFA): Even if a fake email successfully captures credentials through a phishing page, MFA adds a second barrier. It's not bulletproof: adversary-in-the-middle phishing kits relay one-time codes and push approvals in real time, which is why phishing-resistant methods (FIDO2/WebAuthn security keys and passkeys, whose credentials are bound to the genuine site's origin) are the form to aim for. Even the weaker forms still stop the bulk of credential theft attempts.
- Zero trust architecture: Stop assuming anything inside your network is safe. Verify every user, device, and connection. Zero trust principles limit the blast radius when someone inevitably falls for a convincing fake email.
- Email filtering and sandboxing: Modern secure email gateways can detonate attachments in isolated environments and analyze URLs in real time. They won't catch everything, but they reduce volume significantly.
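What a "reject" policy changes, worked through in code. This is an added example for the SPF/DKIM/DMARC bullet above, not code from the post: the two DMARC records, the domains and the authentication results are constructed, and the evaluator follows the RFC 7489 alignment and policy-selection rules while leaving out the pct tag and the Public Suffix List to stay short. It goes slightly beyond the bullet by also showing why a forwarded message still passes (aligned DKIM) and why a lookalike domain passes regardless of what you publish.

```python
"""DMARC disposition for a weak (p=none) and a corrected (p=reject) record.

Added example, not code from the post. Records, domains and results below are
constructed. pct= sampling and Public Suffix List lookups are left out.
"""

# Constructed records for the domain example-vendor.com (assumption).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example-vendor.com"
CORRECTED_RECORD = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example-vendor.com"


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Crude organisational domain: the last two labels (use the PSL for real)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf, spf_domain, dkim, dkim_domain):
    """Return (passed, disposition) for one message.

    spf/dkim are the raw results ('pass', 'fail', 'none'); spf_domain is the
    Return-Path (MAIL FROM) domain and dkim_domain the d= of the signature.
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return False, "none"  # no valid record published: nothing to enforce
    spf_aligned = spf == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:  # one aligned pass is enough
        return True, "none"
    # Policy selection: sp= applies to subdomains of the org domain, p= otherwise.
    policy = tags.get("p", "none")
    if from_domain.lower() != org_domain(from_domain):
        policy = tags.get("sp", policy)
    if policy not in ("quarantine", "reject"):
        policy = "none"
    return False, policy


# Constructed scenarios: (From domain, SPF result, SPF domain, DKIM result, DKIM d=).
SCENARIOS = {
    "legit, direct": ("example-vendor.com", "pass", "example-vendor.com", "pass", "example-vendor.com"),
    "legit, via forwarder": ("example-vendor.com", "fail", "example-vendor.com", "pass", "example-vendor.com"),
    "spoofed From header": ("example-vendor.com", "pass", "mailer-farm.example", "none", ""),
    "spoofed subdomain": ("billing.example-vendor.com", "pass", "mailer-farm.example", "none", ""),
}

if __name__ == "__main__":
    for label, record in (("p=none", WEAK_RECORD), ("p=reject", CORRECTED_RECORD)):
        for name, args in SCENARIOS.items():
            print(f"{label:9} {name:22} -> {dmarc_disposition(record, *args)}")
    # A lookalike domain carries the attacker's own (perfectly aligned) records.
    print("lookalike ->", dmarc_disposition("v=DMARC1; p=reject", "micros0ft-support.com",
                                            "pass", "micros0ft-support.com",
                                            "pass", "micros0ft-support.com"))
```

With the weak record every spoof is delivered with disposition "none"; the corrected record turns both the exact-domain spoof and the subdomain spoof into "reject" while legitimate mail, including mail that lost SPF in transit but kept its DKIM signature, still passes. The lookalike line is the caveat from the bullet: DMARC is evaluated against the attacker's record for the attacker's domain, so it passes.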
The Ransomware Connection
Here's something that keeps me up at night: a large share of ransomware intrusions start with a fake email. The message delivers a malicious attachment or links to a compromised site that drops a loader. Within hours, your files are encrypted and you're staring at a ransom demand.
The Colonial Pipeline attack in 2021 disrupted fuel supply across the eastern United States. While the initial vector in that case was a compromised VPN credential, the broader pattern holds — most ransomware gangs use phishing as their primary delivery mechanism. A single fake email can be the first domino.
Make It Personal
Every fake email that reaches your inbox is a test. Most days, you'll pass without thinking about it. But it only takes one bad day — one rushed morning, one convincing sender name, one moment of distraction — to trigger a data breach that costs your organization millions.
Start with awareness. Build habits. Train your people using realistic phishing simulations and structured cybersecurity awareness training. Layer on technical controls. And never assume your current defenses are enough.
The threat actors sending fake emails are professionals. Your defense needs to be professional too.