The Fake Mail That Drained $37 Million
In 2024, Toyota Boshoku Corporation disclosed a business email compromise attack where a threat actor used fake mail to trick a finance executive into wiring approximately $37 million to a fraudulent bank account. The email looked legitimate. The sender address was nearly identical to a real business partner. And by the time anyone noticed, the money was gone.
This wasn't a sophisticated zero-day exploit. It was an email. A carefully crafted piece of fake mail that bypassed every technical control because it targeted the one vulnerability no firewall can patch — human judgment.
If you're reading this because you want to understand how fake mail works, how to identify it, and how to stop it from devastating your organization, you're in the right place. I've spent years helping organizations build defenses against exactly this kind of attack, and I'll walk you through everything you need to know — with real examples, specific red flags, and practical steps you can implement today.
What Exactly Is Fake Mail?
Fake mail is any email designed to deceive the recipient into believing it came from a legitimate source. It encompasses phishing emails, spoofed messages, business email compromise (BEC), and targeted spear-phishing campaigns. The goal varies — credential theft, malware delivery, wire fraud, or data exfiltration — but the method is consistent: manipulate trust.
According to the Verizon 2024 Data Breach Investigations Report, phishing and pretexting via email remain the top initial access vectors in confirmed breaches. Over 36% of all breaches involved phishing. That's not a trend — that's a structural problem.
Why Fake Mail Still Works in 2026
AI-Generated Content Has Eliminated the Obvious Red Flags
Remember when you could spot a phishing email by its broken English and bizarre formatting? Those days are over. Threat actors now use generative AI to produce grammatically flawless, contextually relevant fake mail that mirrors the tone and vocabulary of the person or brand being impersonated.
I've reviewed phishing samples in recent incident investigations that were indistinguishable from genuine executive communications. No typos. No awkward phrasing. Perfect formatting. The old advice of "look for spelling errors" is dangerously outdated.
Social Engineering Has Gone Surgical
Modern attackers don't blast millions of identical emails anymore. They research targets using LinkedIn, company websites, press releases, and even social media. They know your CFO's name, your vendor relationships, and your quarterly reporting schedule.
This is social engineering at its most refined. A well-crafted fake mail arrives at exactly the right moment — during a known acquisition, after an executive change, or right before a wire transfer deadline. The context makes it believable.
Email Authentication Isn't a Silver Bullet
SPF, DKIM, and DMARC help. They genuinely reduce domain spoofing. But they don't stop an attacker who registers a lookalike domain (think "yourcompany-finance.com" instead of "yourcompany.com") or who compromises a legitimate account to send fake mail from a real address. Technical controls are necessary but insufficient.
The 7 Red Flags That Identify Fake Mail
Here's what I train organizations to look for. These aren't theoretical — they're drawn from actual incident investigations and phishing simulation data.
- Urgency or pressure tactics. "This must be processed within the hour" or "Your account will be suspended immediately." Legitimate senders rarely impose artificial deadlines via email.
- Mismatched sender addresses. The display name says "CEO John Smith" but the actual email address is [email protected]. Always inspect the full address, not just the name.
- Unexpected attachments or links. If you weren't expecting a document, don't open it. If a link points to a URL you don't recognize, don't click it. Hover before you click — every time.
- Requests for credentials or sensitive data. No legitimate IT department emails you asking for your password. No bank asks you to "verify your account" through an email link. This is credential theft 101.
- Unusual payment or wire transfer instructions. Any change to payment details delivered via email should trigger a phone call to a known, verified number. Not the number in the email.
- Generic greetings from supposedly known contacts. "Dear Customer" or "Dear User" from someone who should know your name is a signal.
- Emotional manipulation. Fear, curiosity, authority, helpfulness — fake mail exploits emotions to override critical thinking. If an email triggers a strong emotional reaction, slow down.
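Two of these flags, the mismatched sender address and the lookalike domain described under "Email Authentication Isn't a Silver Bullet", can be checked mechanically on the From: header. The following is an added example, not code from the original article; the trusted domain "yourcompany.com", the directory entry for "John Smith" and the sample headers are all constructed.

```python
# Added example, not code from the original article: heuristic checks for two
# red flags discussed above, a display name that does not match the sender
# address and a lookalike domain such as "yourcompany-finance.com".
# The trusted domains, directory and From: headers are constructed.
from email.utils import parseaddr

TRUSTED_DOMAINS = {"yourcompany.com"}                        # constructed allow-list
KNOWN_PEOPLE = {"john smith": "john.smith@yourcompany.com"}  # constructed directory

def edit_distance(a, b):
    """Levenshtein distance: catches typo-squats like yourcompamy.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        base, label = t.split(".")[0], domain.split(".")[0]
        # yourcompany-finance.com, yourcompany.co, yourcompany.com.evil.example ...
        if label.startswith(base):
            return t
        # one-character edits: yourcompamy.com, yourc0mpany.com
        if edit_distance(label, base) <= 1:
            return t
    return None

def check_sender(from_header):
    """Return the red flags raised by a From: header (empty list if none)."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable sender address"]
    domain = addr.rsplit("@", 1)[1].lower()
    flags = []
    imitated = lookalike_domain(domain)
    if imitated:
        flags.append(f"domain {domain} looks like {imitated}")
    for person, real_addr in KNOWN_PEOPLE.items():
        # display name claims a known person but the address is not theirs
        if person in name.lower() and addr.lower() != real_addr:
            flags.append(f"display name '{name}' but address is {addr}")
    return flags
```

Calling `check_sender("CEO John Smith <john.smith@yourcompany-finance.com>")` raises both flags, while the genuine `john.smith@yourcompany.com` address raises none.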
Real-World Fake Mail Attacks That Made Headlines
The Ubiquiti Networks BEC Attack
Ubiquiti Networks lost $46.7 million when attackers impersonated executives and external counsel via fake mail, directing employees to transfer funds to overseas accounts controlled by the threat actors. The emails were convincing enough that multiple employees complied without questioning the requests.
The Google and Facebook Vendor Scam
Between 2013 and 2015, a Lithuanian national sent fake mail posing as a legitimate Asian hardware vendor to both Google and Facebook. He invoiced them for goods and services that were never delivered. Combined losses exceeded $100 million before the scheme was detected. The FBI IC3 highlighted this case as a textbook example of BEC targeting even the most sophisticated organizations.
The Ongoing Ransomware Pipeline
Most ransomware infections still start with fake mail. An employee clicks a malicious link or opens an infected attachment. The malware establishes persistence, moves laterally, and eventually encrypts critical systems. CISA has repeatedly warned that email remains the primary delivery mechanism for ransomware payloads. Their guidance at StopRansomware.gov emphasizes email security as a foundational defense.
How to Protect Your Organization From Fake Mail
Layer 1: Technical Controls
Start with the basics. Implement DMARC with a policy of "reject" — not just "monitor." Deploy an email security gateway that analyzes links, attachments, and sender reputation in real time. Enable multi-factor authentication on every email account in your organization. MFA won't prevent fake mail from arriving, but it dramatically limits the damage when credentials are stolen.
Consider implementing a zero trust architecture where email access is continuously verified and segmented. No single compromised account should give an attacker the keys to the kingdom.
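The "reject, not just monitor" advice above can be verified against your own published DMARC record. This is an added example, not code from the original article; the two records are constructed, and in practice the string is the TXT record published at _dmarc.<yourdomain>.

```python
# Added example, not code from the original article: grades a DMARC TXT
# record against the "p=reject, not just monitor" advice above.
# The records are constructed; in practice the string comes from the DNS TXT
# record at _dmarc.<yourdomain>.

def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; ...' into a lowercase-tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return (policy, findings); an empty findings list means fully enforced."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return None, ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or '(missing)'}: not 'reject', failing mail is not refused")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p
    if subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy}: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to watch for abuse")
    return policy, findings

# Constructed records: monitor-only (where many organizations stop) vs enforced.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.com"
ENFORCED = ("v=DMARC1; p=reject; sp=reject; pct=100; "
            "rua=mailto:dmarc-reports@yourcompany.com")

if __name__ == "__main__":
    for rec in (MONITOR_ONLY, ENFORCED):
        policy, findings = assess_dmarc(rec)
        print(f"p={policy}:", findings or "enforced")
```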
Layer 2: Process Controls
Technical tools catch a lot. But the fake mail that gets through — and some always will — needs to hit a wall of smart processes.
- Out-of-band verification. Any email requesting a financial transaction, credential change, or sensitive data transfer must be verified via a separate communication channel. Call the person. Use a known number.
- Dual authorization for payments. No single employee should be able to approve and execute a wire transfer based on an email alone.
- Reporting mechanisms. Make it easy and consequence-neutral for employees to report suspicious emails. Every reported fake mail is an attack that failed.
Layer 3: Human Training
This is where most organizations fall short, and it's where the highest ROI lives.
Your employees are the last line of defense. They need to recognize fake mail instinctively — not because they memorized a checklist, but because they've practiced identifying it repeatedly. That's why phishing awareness training programs designed for organizations use realistic phishing simulations to build muscle memory. Employees who've been exposed to simulated attacks are significantly less likely to fall for real ones.
Pair that with comprehensive cybersecurity awareness training that covers not just email threats but the full spectrum of social engineering, credential theft, and data breach scenarios. Training isn't a one-time event — it's a continuous program that adapts as threat actors evolve their tactics.
How Often Should You Run Phishing Simulations?
Based on my experience and industry research, monthly phishing simulations produce the best results. Organizations that test quarterly see improvement, but monthly testing keeps security awareness top of mind. Each simulation should use current, realistic fake mail templates — not obvious, cartoonish examples that don't reflect real threats.
Track click rates, reporting rates, and time-to-report. These metrics tell you more about your security posture than any compliance checkbox ever will.
What Should I Do If I Receive Fake Mail?
This is the question I get asked most often, so here's a clear, step-by-step answer:
- Don't click any links or open any attachments. If you've already clicked, disconnect from the network and contact your IT security team immediately.
- Don't reply to the email. Engaging confirms your address is active and may invite further targeting.
- Report it. Use your organization's phishing report button or forward it to your security team. If you're an individual, forward phishing emails to the Anti-Phishing Working Group at [email protected].
- Change your credentials if you entered any login information. Enable multi-factor authentication if it isn't already active.
- Document everything. Screenshots, headers, timestamps. This information helps your security team investigate and block future attempts.
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million. Phishing was the most common initial attack vector. The math is straightforward — investing in fake mail detection, employee training, and process controls costs a fraction of a single successful breach.
I've watched organizations resist training budgets, calling them unnecessary overhead. Then I've watched those same organizations scramble to contain a breach that started with one convincing email. The pattern is predictable and preventable.
Building a Culture That Rejects Fake Mail
Technology and processes matter. But the organizations I've seen withstand sustained phishing campaigns share one trait: a security-first culture where questioning an email is encouraged, not punished.
That means leadership participates in training. It means the CEO publicly acknowledges when they report a suspicious email. It means no one gets shamed for asking, "Is this real?"
Security awareness isn't a department. It's an organizational behavior. And it starts with treating fake mail as the serious, persistent, evolving threat that it is — not as a nuisance to be ignored or a box to be checked.
Your attackers are getting better every day. Your defenses need to keep pace. Start with the fundamentals: train your people, test your defenses, and never assume the next email in your inbox is what it claims to be.