A Single Fake Email Cost This Company $37 Million

In 2024, the FBI's Internet Crime Complaint Center (IC3) reported that Business Email Compromise (BEC) schemes — built entirely on fake emails — accounted for over $2.9 billion in adjusted losses across the United States. That figure only captures what victims actually reported. The real number is almost certainly higher.

I've investigated incidents where a single convincing fake email led to a wire transfer that drained an operating account in under 90 minutes. No malware. No fancy exploit. Just a well-crafted message from what appeared to be the CEO, sent at 4:47 PM on a Friday.

This post breaks down how fake emails actually work, what makes them so effective, and the specific steps you can take right now to protect your organization. If you've ever wondered whether that message in your inbox is real, you're asking the right question.

What Are Fake Emails and Why Do They Work?

Fake emails — also called phishing emails, spoofed emails, or fraudulent messages — are messages designed to impersonate a trusted sender. The goal is almost always one of three things: steal credentials, trick someone into sending money, or deliver malware like ransomware.

They work because they exploit human psychology, not technical vulnerabilities. A threat actor doesn't need to break through your firewall. They just need one employee to click a link, open an attachment, or reply with sensitive information.

According to the Verizon Data Breach Investigations Report, phishing and pretexting via email remain involved in a significant portion of social engineering attacks year after year. The technique persists because it keeps working.

The Anatomy of a Convincing Fake Email

I've examined thousands of phishing emails over my career. The sophisticated ones share a few common traits that make them dangerous. Understanding these traits is your first line of defense.

Display Name Spoofing

Most email clients show the sender's display name prominently and hide the actual email address. A threat actor sets the display name to "Microsoft Support" or your CFO's name. On a mobile device, you may never see the real address unless you tap to expand. This is the single most effective trick in the fake email playbook.

Urgency and Emotional Pressure

Fake emails almost always manufacture a crisis. "Your account will be suspended in 24 hours." "This invoice is past due — legal action pending." "The CEO needs this wire transfer completed before end of day." The pressure is intentional. When people feel rushed, they skip the verification steps that would catch the deception.

Lookalike Domains

A threat actor registers a domain like "m1crosoft-support.com" or "paypa1-security.net." At a glance, it looks legitimate. The email contains a link to a credential theft page that's a pixel-perfect copy of the real login screen. You type in your username and password, and you've just handed over your credentials to an attacker.
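The digit-for-letter swaps and brand-plus-hyphen patterns in domains like these are mechanical enough to check automatically. The following is an added example, not code from the original post: it folds common confusable digits into letters, then compares each label of an incoming sender domain against a short allowlist of brands. The allowlist, the confusable table (a small subset, ASCII only) and the sample domains are constructed for illustration; real tooling would use a full Unicode confusables table and the Public Suffix List.

```python
"""Flag lookalike sender domains against a short allowlist of trusted brands.

Added example, not from the original post. TRUSTED_DOMAINS, CONFUSABLE_DIGITS
and the sample inputs are constructed; the public-suffix handling is simplified.
"""

# Constructed allowlist: domains we legitimately receive mail from.
TRUSTED_DOMAINS = {"microsoft.com", "paypal.com"}
BRAND_NAMES = sorted(d.split(".")[0] for d in TRUSTED_DOMAINS)

# Digits that are frequently swapped in for letters in lookalike registrations.
# Illustrative subset only; a real confusables table is much larger.
CONFUSABLE_DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(label: str) -> str:
    """Reduce a label to what it *looks like*: 'paypa1' -> 'paypal', 'rn' -> 'm'."""
    return label.lower().translate(CONFUSABLE_DIGITS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches 'm1crosoft' where 1 stands for i."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(domain: str) -> str:
    """Last two labels. Simplification: assumes single-label suffixes like .com."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'unknown', or a 'lookalike: ...' explanation."""
    d = domain.lower().rstrip(".")
    if registrable_domain(d) in TRUSTED_DOMAINS:
        return "trusted"
    # Every DNS label except the TLD, further split on hyphens.
    tokens = [t for label in d.split(".")[:-1] for t in label.split("-") if t]
    for tok in tokens:
        sk = skeleton(tok)
        for brand in BRAND_NAMES:
            if sk == brand:
                return f"lookalike: '{tok}' reads as '{brand}' outside {brand}'s own domain"
            if len(brand) >= 6 and edit_distance(sk, brand) == 1:
                return f"lookalike: '{tok}' is one edit away from '{brand}'"
    return "unknown"


def scan(domains) -> dict:
    """Classify a batch of sender domains (e.g. pulled from a day's mail logs)."""
    return {d: classify_domain(d) for d in domains}


if __name__ == "__main__":
    # Constructed sample sender domains, including the two from the post.
    sample = ["microsoft.com", "mail.paypal.com", "m1crosoft-support.com",
              "paypa1-security.net", "paypal.com.evil-example.net", "example.org"]
    for dom, verdict in scan(sample).items():
        print(f"{dom:32} {verdict}")
```

The edit-distance branch is deliberately limited to brand names of six or more characters; with shorter names a single edit produces too many false positives against ordinary words.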

Malicious Attachments

That "invoice.pdf" or "shipping_confirmation.xlsx" might contain macros or embedded scripts that install ransomware or a remote access trojan the moment you open it. In my experience, finance and HR departments get hit with these more than any other group because they receive legitimate attachments from external parties every day.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's Cost of a Data Breach Report has consistently shown that phishing is among the costliest initial attack vectors. The average data breach cost in recent years has hovered near $4.88 million globally. A significant share of those breaches start with a single fake email.

What makes this worse is that many organizations still treat email security as a technology problem alone. They invest in spam filters and email gateways — which are necessary — but ignore the human element. Your spam filter catches a lot. It doesn't catch everything. The messages that slip through are the ones that matter most, because they're the ones specifically crafted to bypass automated defenses.

This is why security awareness training isn't optional. It's the layer that catches what technology misses. If you haven't started training your team, our cybersecurity awareness training program covers exactly this — how to recognize and respond to real-world social engineering tactics.

How to Spot Fake Emails: A Practical Checklist

Here's the checklist I give to every organization I work with. Print it. Post it near workstations. Make it part of your onboarding process.

  • Check the actual sender address. Don't trust the display name. On desktop, hover over it. On mobile, tap to expand. If the domain doesn't match the organization it claims to be from, it's fake.
  • Hover over links before clicking. The text might say "Login to your account" but the URL underneath points to a completely different domain. If the domain looks off — even by one character — don't click.
  • Look for generic greetings. "Dear Customer" or "Dear User" from a company that definitely knows your name is a red flag.
  • Watch for spelling and grammar errors. Not all fake emails have them — sophisticated ones are clean — but many still contain awkward phrasing or inconsistent formatting.
  • Question urgency. Any email that demands immediate action and threatens consequences deserves extra scrutiny. Legitimate organizations give you time.
  • Verify through a separate channel. If the email claims to be from your bank, call the number on the back of your card — not the number in the email. If it's from your CEO, walk to their office or call their known number.
  • Never open unexpected attachments. If you weren't expecting a file, confirm with the sender through a separate channel before opening it.
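Several of the checklist items above (real sender address versus display name, link text versus actual link target, generic greeting, manufactured urgency) can be applied to a raw message before a human ever reads it. The code below is an added example, not code from the original post: it parses a message with Python's standard `email` library and returns one finding per checklist item that trips. The two sample messages, the table of expected sender domains and the list of urgency phrases are all constructed for illustration.

```python
"""Triage a suspected fake email against the checklist items.

Added example, not code from the original post. Sample messages, the
expected-sender table and the urgency phrases are constructed.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure in the style of the "account suspended" example.
SAMPLE_PHISH = b"""\
From: "Microsoft Support" <alerts@m1crosoft-support.com>
To: jane.doe@example-corp.com
Subject: Action required: account suspension in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer,</p>
<p>Your account will be suspended in 24 hours unless you verify it immediately.</p>
<p><a href="https://m1crosoft-support.com/login">https://login.microsoftonline.com/</a></p>
</body></html>
"""

# Constructed benign internal message for comparison.
SAMPLE_CLEAN = b"""\
From: "Jane Doe" <jane.doe@example-corp.com>
To: tom@example-corp.com
Subject: Q3 report
Content-Type: text/plain; charset=utf-8

Hi Tom, the Q3 report is in the shared folder for your review.
"""

# Display names we expect, mapped to the only domains they may come from (constructed).
EXPECTED_SENDER_DOMAINS = {"microsoft support": {"microsoft.com"}}
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued customer")
URGENCY_PATTERNS = (r"\bin \d+ hours?\b", r"\bimmediately\b", r"\bsuspen(?:d|sion)",
                    r"\baction required\b", r"\blegal action\b")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def triage(raw: bytes) -> list[str]:
    """Return one finding per checklist item that trips; empty list means nothing flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    # Checklist: check the actual sender address, not the display name.
    name, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()
    allowed = EXPECTED_SENDER_DOMAINS.get(name.lower())
    if allowed and sender_domain not in allowed:
        findings.append(f"sender: display name '{name}' but address domain is {sender_domain}")
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    # Checklist: hover over links; the visible text and the real target must agree.
    if body_part is not None and body_part.get_content_type() == "text/html":
        ext = LinkExtractor()
        ext.feed(body)
        for href, text in ext.links:
            if text.startswith(("http://", "https://")) and host_of(text) != host_of(href):
                findings.append(f"link: text shows {host_of(text)} but points to {host_of(href)}")
    text = re.sub(r"<[^>]+>", " ", body).lower()
    # Checklist: generic greeting.
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("greeting: generic salutation")
    # Checklist: question urgency; two or more pressure phrases is a flag.
    haystack = (str(msg["Subject"]) + " " + text).lower()
    hits = [p for p in URGENCY_PATTERNS if re.search(p, haystack)]
    if len(hits) >= 2:
        findings.append(f"urgency: {len(hits)} pressure phrases")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, triage(raw) or ["no findings"])
```

The sender check only fires for display names you have chosen to pin to a domain; that keeps it quiet on ordinary mail while still catching the "Microsoft Support from some other domain" pattern. The verification-by-separate-channel and attachment items remain human steps, which is the point of the checklist.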

What Is the Most Common Type of Fake Email?

The most common type of fake email is the credential phishing email. These messages impersonate a trusted service — Microsoft 365, Google Workspace, a bank, or a shipping company — and direct you to a fake login page. When you enter your username and password, the attacker captures those credentials and uses them to access your real account. According to CISA, credential theft via phishing remains one of the most prevalent initial access techniques used by threat actors targeting both government and private sector organizations.

Why Phishing Simulations Are Non-Negotiable

Telling people about fake emails is step one. Testing them is step two. Phishing simulations send realistic but harmless fake emails to your employees and measure who clicks, who reports, and who falls for it.

I've run these programs for organizations ranging from 50 to 5,000 employees. First-round click rates often land between 20% and 35%. After six months of regular simulations and targeted training, that number typically drops below 5%. That's not theoretical — I've seen it happen repeatedly.

The point isn't to catch people or shame them. It's to build muscle memory. When someone sees a suspicious email in a simulation and correctly reports it, they'll do the same thing when a real threat actor comes knocking.

If you're ready to implement phishing simulations for your organization, our phishing awareness training for organizations provides the tools and structure to run effective campaigns that actually change behavior.

Technical Defenses That Complement Training

Training alone isn't enough. Technology alone isn't enough. You need both. Here are the technical controls that make the biggest difference against fake emails.

Email Authentication: SPF, DKIM, and DMARC

These three protocols work together to verify that an email actually came from the domain it claims to come from. SPF checks whether the sending server is authorized to send mail for the domain. DKIM adds a cryptographic signature that the receiving server verifies against a public key published in the sender's DNS. DMARC tells receiving servers what to do when neither SPF nor DKIM produces a pass that aligns with the From domain. If your organization hasn't implemented DMARC with a "reject" policy, you're making it easy for threat actors to spoof your domain.
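To make the "reject policy" point concrete, here is an added example (not code from the original post) that grades a DMARC TXT record and then shows how a receiving server applies it to a message given its SPF and DKIM results. The two DNS records (a monitor-only `p=none` record beside a hardened `p=reject` one) and the message scenarios are constructed; the alignment logic is a simplified reading of the DMARC specification in which the organizational domain is taken to be the last two labels.

```python
"""Grade a DMARC record and show the disposition a receiver applies.

Added example, not code from the original post. The records and scenarios
are constructed; organizational-domain handling is simplified.
"""

# Constructed TXT records for _dmarc.example-corp.com: weak, then hardened.
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-corp.com"
DMARC_STRONG = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                "rua=mailto:dmarc-reports@example-corp.com")


def parse_dmarc(record: str) -> dict:
    """Split 'k=v; k=v' into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record: str) -> list[str]:
    """List the weaknesses in a record; an empty list means 'reject' across the board."""
    tags = parse_dmarc(record)
    issues = []
    if tags.get("v") != "DMARC1":
        issues.append("missing v=DMARC1 tag")
    policy = tags.get("p", "none")
    if policy != "reject":
        issues.append(f"p={policy}: receivers will not reject mail that fails authentication")
    sub_policy = tags.get("sp", policy)          # sp defaults to p
    if sub_policy != "reject":
        issues.append(f"sp={sub_policy}: subdomains can still be spoofed")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        issues.append("no rua= address: you receive no aggregate reports")
    return issues


def org_domain(domain: str) -> str:
    """Simplification: assumes a single-label public suffix such as .com."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record: str, from_domain: str, spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str) -> str:
    """What a receiver does with one message: 'pass', or the record's p= action."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get("p", "none")      # none = deliver anyway, quarantine, or reject


if __name__ == "__main__":
    for rec in (DMARC_WEAK, DMARC_STRONG):
        print(rec)
        print("  issues:", grade_dmarc(rec) or "none")
        # Constructed spoof: From says example-corp.com, but SPF passed only for the
        # attacker's own envelope domain and there is no DKIM signature.
        print("  spoofed CEO mail ->", dmarc_disposition(
            rec, "example-corp.com", "pass", "attacker-bulk-mailer.example", "none", ""))
        # Constructed legitimate mail: relay host envelope plus a DKIM signature.
        print("  legitimate mail  ->", dmarc_disposition(
            rec, "example-corp.com", "pass", "mail.example-corp.com", "pass", "example-corp.com"))
```

Under the weak record the spoofed message gets a disposition of `none`, which means it is delivered and merely reported; under the hardened record it is rejected. The legitimate message still passes under strict alignment because its DKIM `d=` matches the From domain exactly, even though its SPF envelope domain is a subdomain.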

Multi-Factor Authentication (MFA)

Even if an employee falls for a credential phishing email, multi-factor authentication adds a second barrier. The attacker has the password but can't get in without the second factor. MFA isn't bulletproof — sophisticated attackers use adversary-in-the-middle techniques to bypass it — but it stops the vast majority of credential theft attacks cold.

Zero Trust Architecture

Zero trust assumes that no user or device should be trusted by default, even inside the network. Every access request gets verified. This approach limits the damage a compromised account can do. If an attacker gets in through a fake email, zero trust controls prevent them from moving laterally across your systems.

Advanced Email Filtering

Modern email security tools use machine learning to analyze message content, sender reputation, embedded URLs, and attachment behavior in real time. They're not perfect, but they catch a significant volume of fake emails before they ever reach an inbox. Make sure your filtering is properly configured and regularly updated.

Real-World Incident: When the CEO's Email Wasn't Really the CEO

I worked with a mid-size manufacturing company that received an email from what appeared to be their CEO. The message asked the controller to wire $180,000 to a vendor for an "urgent acquisition." The email address was one letter off from the CEO's actual address — a lookalike domain registered that same morning.

The controller almost sent the wire. She paused only because the CEO's writing style seemed slightly off — he never used the word "kindly" in emails. She walked to his office and asked. He had no idea what she was talking about.

That pause saved the company $180,000. But it only happened because the controller had been through security awareness training three weeks earlier. Training gave her the framework to question what looked legitimate. Without it, that wire transfer would have gone out.

What To Do When You Receive a Suspected Fake Email

Having a clear response procedure matters as much as detection. Here's what I recommend for every organization:

  • Don't click anything. Don't open attachments. Don't reply. Don't forward it to coworkers to ask "is this real?"
  • Report it immediately. Use your organization's phishing report button if you have one. If not, forward it to your IT or security team as an attachment — not inline.
  • If you already clicked, act fast. Disconnect from the network if possible. Change your password immediately from a different device. Contact your IT team. Time matters here — the faster you respond, the less damage gets done.
  • Document everything. Screenshot the email, note the time, and preserve any details. Your security team needs this information to assess the scope and protect others.

Building a Culture That Catches Fake Emails

The organizations that handle fake emails best aren't the ones with the biggest security budgets. They're the ones where reporting suspicious emails is normalized — even rewarded.

I've seen companies where employees are afraid to report because they think they'll get in trouble for clicking. That's exactly backward. You want people to report. Every report is threat intelligence. Every report protects the next person who might receive the same message.

Start by making reporting easy. Add a one-click phishing report button to your email client. Acknowledge reports promptly. Share anonymized results from phishing simulations. Celebrate improvements publicly.

Security awareness isn't a one-time event. It's a continuous process. Regular training, ongoing phishing simulations, and clear communication from leadership build the kind of culture where fake emails get caught before they cause a data breach.

The Threat Isn't Slowing Down

Generative AI has made fake emails dramatically more convincing. Threat actors now use AI tools to craft messages with flawless grammar, appropriate tone, and personalized details scraped from LinkedIn and company websites. The days of spotting phishing by bad grammar are ending fast.

According to the FBI IC3, email-based fraud consistently ranks among the top reported cybercrime types, with losses climbing year over year. Every organization — regardless of size — is a target.

Your defenses need to evolve just as fast. That means layering technical controls with human training, running regular phishing simulations, and staying current on the latest social engineering tactics. The organizations that do this consistently are the ones that avoid becoming the next headline.

Start with your people. Equip them with the knowledge to question every unexpected email. Back them up with technology that catches what they miss. And never stop testing, because the threat actors never stop adapting.