91% of Cyberattacks Start With Fake Mail
That's not a guess. The Verizon 2021 Data Breach Investigations Report confirmed that phishing was present in 36% of breaches — up from 25% the year before. And when you broaden the lens to include all forms of social engineering delivered through email, the picture gets worse. Fake mail — fraudulent emails designed to impersonate trusted senders — is the single most effective weapon in a threat actor's arsenal.
I've investigated incidents at organizations of every size, from five-person law firms to Fortune 500 companies. The common thread? Someone opened a fake mail message and acted on it. They clicked a link, entered credentials, or downloaded an attachment. In nearly every case, the victim told me the same thing: "It looked completely real."
This post breaks down exactly how fake mail works in 2021, why it keeps bypassing technical defenses, and what you can do right now to protect your organization. If you're responsible for any part of your company's security posture, this is the playbook.
What Is Fake Mail, Exactly?
Fake mail is any email crafted to deceive the recipient into believing it came from a legitimate source. It's the digital equivalent of a forged letter — same logos, same tone, same urgency. The goal is always the same: get you to do something you wouldn't do if you knew the real sender.
Most fake mail falls into a few categories:
- Phishing emails — mass-sent messages impersonating banks, tech companies, or government agencies to steal credentials or install malware.
- Spear phishing — targeted fake mail aimed at a specific individual, often using personal details scraped from LinkedIn or company websites.
- Business Email Compromise (BEC) — highly targeted attacks where the sender impersonates a CEO, CFO, or vendor to authorize fraudulent wire transfers.
- Ransomware delivery — fake mail carrying malicious attachments that encrypt your files and demand payment.
The FBI's Internet Crime Complaint Center (IC3) 2020 annual report documented over 241,000 phishing complaints — making it the most reported cybercrime category by a massive margin. BEC alone accounted for $1.8 billion in losses.
Why Fake Mail Still Works in 2021
You'd think by now we'd have this figured out. We don't. Here's why.
Email Protocols Were Never Designed for Trust
SMTP — the protocol that moves email across the internet — was built in 1982. It has no built-in mechanism to verify sender identity. Technologies like SPF, DKIM, and DMARC were bolted on decades later, but adoption remains inconsistent. A 2020 study by Valimail found that fewer than 15% of domains had a DMARC policy set to enforcement. That means most organizations still can't prevent someone from spoofing their domain in fake mail.
Threat Actors Have Gotten Disturbingly Good
The days of Nigerian prince scams with broken English are fading. Modern fake mail campaigns use pixel-perfect replicas of Microsoft 365 login pages, legitimate-looking DocuSign notifications, and even hijacked email threads where the attacker inserts themselves into an existing conversation. I've seen fake mail that referenced real invoice numbers, real project names, and real employee names — because the attacker had already compromised a vendor's mailbox.
Remote Work Expanded the Attack Surface
The mass shift to remote work in 2020 and 2021 created perfect conditions for fake mail. Employees lost the ability to walk down the hall and verify a suspicious request. They're processing more email, on more devices, with fewer security controls. VPN fatigue is real. Alert fatigue is real. And threat actors know it.
The $4.88M Lesson Most Organizations Learn Too Late
According to IBM's 2021 Cost of a Data Breach Report, the average cost of a breach caused by phishing was $4.65 million. Business email compromise — the most refined form of fake mail — cost even more at $5.01 million per incident.
These aren't just numbers for big enterprises. The Ponemon Institute has consistently found that small and mid-size businesses bear a disproportionate cost relative to their revenue. A single successful fake mail attack can mean the difference between staying in business and shutting down.
Look at the 2020 attack on Magellan Health. A threat actor sent a carefully crafted spear phishing email that gave them access to internal systems. The result: a ransomware deployment and the theft of personal data for over 365,000 people. It started with one fake mail.
How to Identify Fake Mail: 7 Red Flags
I train thousands of employees every year through cybersecurity awareness training programs, and these are the specific tells I teach people to look for:
1. Sender Address Doesn't Match the Display Name
The email says it's from "Microsoft Support" but the actual address is something like [email protected]. Always hover over or tap the sender name to reveal the real address. Legitimate organizations send from their primary domain.
2. Urgency and Fear Tactics
"Your account will be suspended in 24 hours." "Unauthorized login detected — act now." Fake mail almost always creates artificial urgency because rushed decisions bypass critical thinking. If an email makes your heart rate spike, slow down.
3. Generic Greetings
"Dear Customer" or "Dear User" instead of your actual name. Your bank knows your name. Your employer knows your name. A mass-sent fake mail campaign often doesn't.
4. Suspicious Links
Hover before you click. If the URL doesn't match the organization it claims to be from — or uses odd subdomains like signin.microsoft.com.attacker.xyz — it's fake mail. On mobile, long-press links to preview the URL.
5. Unexpected Attachments
Especially .zip, .exe, .docm, or .xlsm files. These are common ransomware delivery mechanisms. If you weren't expecting an attachment, verify with the sender through a separate channel before opening it.
6. Requests for Credentials or Payment
No legitimate company will ask you to enter your password via email. No real vendor will suddenly change wire transfer instructions mid-transaction without a phone call. These are hallmarks of credential theft and BEC attacks.
7. Poor Grammar — But Not Always
Yes, typos and grammatical errors still appear in fake mail. But don't rely on this alone. Sophisticated threat actors now use native speakers or AI-assisted tools to craft flawless messages. Grammar quality is a clue, not a verdict.
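The seven tells above can be reduced to mechanical checks. The Python below is an added example written for this post, not tooling the author describes: it parses a message with the standard library and fires a flag for the display-name/address mismatch (1), urgency phrases (2), a generic greeting (3), links whose registrable domain is not the one the sender claims (4, which catches the signin.microsoft.com.attacker.xyz pattern), and risky attachment types (5). The `KNOWN_BRANDS` table, the two-label "registrable domain" rule, the phrase lists and both sample messages are assumptions constructed for illustration; a production filter would use the Public Suffix List and a much larger phrase set.

```python
"""Heuristic red-flag checks on a parsed email.

Added example, not tooling from the original post. The brand table, the
two-label "registrable domain" rule, the phrase lists and the sample messages
are constructed assumptions for illustration only.
"""
import os
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical table: keyword in the display name -> domain the real sender uses
KNOWN_BRANDS = {"microsoft": "microsoft.com"}
RISKY_EXTENSIONS = {".zip", ".exe", ".docm", ".xlsm"}
URGENCY_PHRASES = ("act now", "24 hours", "will be suspended", "unauthorized login")
GENERIC_GREETINGS = ("dear customer", "dear user")
URL_HOST = re.compile(r"https?://([^\s/\"'<>]+)")


def registrable_domain(host):
    """Naive eTLD+1: the last two labels (fine for .com/.xyz, wrong for co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_message(msg):
    """Return [(flag, detail), ...]; an empty list means no red flag fired."""
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    brand = next((b for b in KNOWN_BRANDS if b in display.lower()), None)
    expected = KNOWN_BRANDS[brand] if brand else sender_domain

    # 1. display name claims a brand whose real domain the address does not use
    if sender_domain != expected:
        flags.append(("sender-mismatch", f"{display!r} sends from {sender_domain}, expected {expected}"))

    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""

    # 2. artificial urgency
    if any(p in body for p in URGENCY_PHRASES):
        flags.append(("urgency", "pressure language in body"))
    # 3. generic greeting instead of the recipient's name
    if any(body.lstrip().startswith(g) for g in GENERIC_GREETINGS):
        flags.append(("generic-greeting", body.split(",")[0].strip()))
    # 4. links whose registrable domain is not the expected one
    #    (catches signin.microsoft.com.attacker.example style subdomain tricks)
    for host in URL_HOST.findall(body):
        if registrable_domain(host) != expected:
            flags.append(("lookalike-link", host))
    # 5. attachment types commonly used to deliver malware
    for part in msg.iter_attachments():
        ext = os.path.splitext(part.get_filename() or "")[1].lower()
        if ext in RISKY_EXTENSIONS:
            flags.append(("risky-attachment", part.get_filename()))
    return flags


def build_suspicious_sample():
    """Constructed message that shows several red flags at once."""
    msg = EmailMessage()
    msg["From"] = '"Microsoft Support" <support@microsoft-helpdesk.example>'
    msg["To"] = "alice@corp.example"
    msg["Subject"] = "Unauthorized login detected"
    msg.set_content(
        "Dear Customer,\n\nUnauthorized login detected. Your account will be "
        "suspended in 24 hours.\nSign in at "
        "https://signin.microsoft.com.attacker.example/login to keep access.\n"
    )
    msg.add_attachment(b"placeholder bytes, not a real document",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.docm")
    return msg


def build_benign_sample():
    """Constructed message that should raise no flag."""
    msg = EmailMessage()
    msg["From"] = '"Microsoft Support" <support@microsoft.com>'
    msg["To"] = "alice@corp.example"
    msg["Subject"] = "Your monthly summary"
    msg.set_content("Hi Alice,\n\nYour summary is at https://account.microsoft.com/summary\n")
    return msg


if __name__ == "__main__":
    for flag, detail in check_message(build_suspicious_sample()):
        print(f"{flag:18} {detail}")
    print("benign flags:", check_message(build_benign_sample()))
```

Run against the constructed suspicious message it reports all five flags; the benign one reports none. Each flag is a hint to pause and verify, not a verdict, which matches red flag 7: a message with zero flags can still be fake mail.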
Technical Defenses That Actually Reduce Fake Mail
Training matters, but it's not a silver bullet. You need layered defenses. Here's what I recommend deploying now.
Enforce DMARC at Reject
DMARC tells receiving mail servers what to do when an email fails both SPF and DKIM alignment checks, meaning neither mechanism authenticates it for the domain in the visible From header. Set your policy to "reject" — not "none" or "quarantine." This prevents attackers from spoofing your domain in fake mail sent to your customers and partners. CISA has published specific guidance on email authentication that every organization should follow.
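To make "audit your DMARC records" concrete, here is an added Python example (not from the original post or CISA's guidance) that parses a DMARC TXT record and reports every setting short of full enforcement: a policy other than `p=reject`, a `pct` below 100, a weaker subdomain policy `sp`, and a missing `rua` reporting address. Real records live in the TXT record of `_dmarc.<domain>`; the script replaces the DNS lookup with constructed sample records on the reserved `.test` TLD so it runs offline, and `audit_dmarc`, `parse_dmarc` and `SAMPLE_RECORDS` are names chosen for this example.

```python
"""Audit a DMARC TXT record for enforcement.

Added example, not from the original post. In practice the record comes from a
TXT lookup of _dmarc.<domain>; here the lookups are replaced by constructed
sample records so the script runs offline.
"""

# Constructed sample records (the .test TLD is reserved and never resolves)
SAMPLE_RECORDS = {
    "enforced.test": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.test; pct=100",
    "monitor.test": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.test",
    "partial.test": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "missing.test": None,  # no _dmarc TXT record published at all
}


def dmarc_query_name(domain):
    """Name whose TXT record holds the policy, e.g. _dmarc.example.com."""
    return "_dmarc." + domain.strip().rstrip(".").lower()


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; None if it is not a DMARC record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def audit_dmarc(record):
    """Return a list of findings; an empty list means full enforcement."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no DMARC record: receivers apply no policy to spoofed mail"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"p={policy}: raise to p=reject once SPF/DKIM alignment is clean")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0  # malformed pct: treat as nothing enforced
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy applied")
    # RFC 7489: the subdomain policy defaults to the organizational policy
    subpolicy = tags.get("sp", policy).lower()
    if subpolicy != "reject":
        findings.append(f"sp={subpolicy}: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports go nowhere, so failures stay invisible")
    return findings


def audit_all(records=SAMPLE_RECORDS):
    """Audit every domain; returns {domain: findings}."""
    return {domain: audit_dmarc(record) for domain, record in records.items()}


if __name__ == "__main__":
    for domain, findings in audit_all().items():
        status = "OK " if not findings else "FIX"
        print(f"{status} {dmarc_query_name(domain)}")
        for finding in findings:
            print("    -", finding)
```

Only the first sample passes clean. The second is the common "monitoring only" state the Valimail figure describes: reports arrive, but spoofed mail is still delivered. The point of the `sp` check is that an organization can reach `p=reject` on its apex domain and still leave every subdomain open.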
Deploy Multi-Factor Authentication Everywhere
Even when fake mail successfully captures credentials through a phishing page, multi-factor authentication (MFA) stops the attacker from logging in. This is the single highest-ROI security control you can implement. Prioritize email accounts, VPN access, and administrative portals.
Use an Email Security Gateway With Sandboxing
Modern email security solutions detonate attachments in a sandbox before delivery and analyze URLs at time of click, not just time of delivery. This catches fake mail that uses delayed payload activation — where the malicious link only goes live after the email passes initial scans.
Implement Zero Trust Principles
Zero trust means never assuming a user or device is trusted based on network location alone. Even if fake mail compromises an employee's credentials, zero trust architectures limit lateral movement by requiring continuous verification. NIST's Special Publication 800-207 provides the framework for implementing zero trust.
Why Phishing Simulations Are Non-Negotiable
I've seen organizations invest six figures in email security tools and still get breached because an employee forwarded a fake mail message to their personal Gmail and clicked the link there — completely bypassing corporate defenses.
Technology can't catch everything. Your people are both the last line of defense and the most targeted attack surface. That's why regular phishing simulations are essential.
Effective phishing simulation programs do three things:
- Baseline your risk — measure how many employees click, report, or ignore simulated fake mail.
- Build muscle memory — repeated exposure to realistic scenarios trains people to pause and verify before acting.
- Identify high-risk users — some roles (finance, HR, executive assistants) face disproportionate targeting and need additional training.
If you're looking to launch or improve your organization's phishing readiness, our phishing awareness training for organizations provides structured simulations and education tailored to real-world attack patterns.
What to Do When You Receive Fake Mail
Your response in the first 60 seconds matters. Here's the protocol I train teams to follow:
- Don't click anything. No links, no attachments, no "unsubscribe" buttons.
- Report it. Use your organization's phishing report button or forward to your security team. If you don't have a reporting process, that's a problem you need to fix today.
- Verify independently. If the email appears to be from a colleague or vendor, call them at a known phone number. Don't use any contact information from the suspicious email itself.
- If you clicked, say so immediately. The difference between a contained incident and a full breach often comes down to how quickly the security team finds out. No one should fear punishment for reporting — that fear is what threat actors exploit.
Building a Culture That Catches Fake Mail
The organizations I've seen with the best security outcomes share one trait: security awareness is woven into daily operations, not confined to an annual compliance checkbox.
That means monthly phishing simulations, not annual ones. It means security updates in team meetings, not just in IT newsletters no one reads. It means executives participating in training visibly, not exempting themselves.
Start with a comprehensive cybersecurity awareness training program that covers not just fake mail, but social engineering, credential theft, ransomware, and safe browsing habits. Then reinforce it with ongoing phishing simulations that evolve as threat actors evolve.
Every fake mail message your team correctly identifies and reports is an attack that failed. Every one they miss is a potential breach. The math is simple. The investment in training pays for itself the first time it prevents an incident.
Your Next Move
Fake mail isn't going away. The volume is increasing, the sophistication is improving, and the consequences are growing. But organizations that combine technical controls with genuine security awareness training consistently outperform those that rely on technology alone.
Audit your DMARC records this week. Run a phishing simulation this month. And make sure every person in your organization — from the intern to the CEO — knows exactly what fake mail looks like and what to do when they see it.
The threat actors are counting on your people being unprepared. Prove them wrong.