In January 2024, a finance director at a mid-sized logistics company wired $740,000 to a bank account in Hong Kong. The email requesting the transfer appeared to come from the CEO's exact email address — correct display name, correct domain, correct signature block. It wasn't the CEO. It was a threat actor using a fake mailer — a tool that forges email headers to make messages appear as if they originate from any sender the attacker chooses.
This is not a rare event. The FBI's Internet Crime Complaint Center (IC3) reported that business email compromise (BEC) losses exceeded $2.9 billion in 2023 alone. A significant portion of those attacks started with spoofed emails sent through fake mailer services. If you think your spam filter catches all of them, I've got bad news.
What Is a Fake Mailer and How Does It Work?
A fake mailer is any tool or service that allows someone to send an email with a forged "From" address. The email protocol — SMTP — was designed in the early 1980s without authentication. It trusts whatever sender information it receives. That fundamental design flaw is still exploitable today.
Here's what actually happens: an attacker opens a fake mailer tool (many are available as web apps, scripts, or even Telegram bots), enters your CEO's email address in the "From" field, types a convincing message, and hits send. The recipient's inbox shows the message as coming from a trusted colleague. No hacking required. No password theft. Just a forged envelope.
Some fake mailer tools go further. They let attackers customize the reply-to address, add realistic headers, and even embed tracking pixels to confirm when the target opens the message. The sophistication varies, but the core technique is dead simple.
Why Spam Filters Don't Always Catch Spoofed Emails
Modern email security relies on three authentication protocols: SPF, DKIM, and DMARC. When properly configured, they can flag or reject emails that fail authentication checks. The problem? According to a 2024 analysis, a majority of domains still don't enforce DMARC with a "reject" policy.
If your organization's DMARC policy is set to "none" — or if you haven't published a DMARC record at all — a fake mailer can impersonate your domain and the receiving server will likely deliver the message. Even with DMARC in place, attackers use lookalike domains (think "yourcompany-inc.com" instead of "yourcompany.com") to sidestep authentication entirely.
I've seen organizations that invested six figures in email gateway appliances get compromised because they never configured a $0 DNS record. The technology exists to mitigate this. Most organizations just haven't deployed it correctly.
The Real Damage a Fake Mailer Can Cause
Spoofed emails aren't just annoying — they're the entry point for the most expensive cyberattacks your organization will face. Here's the breakdown of what threat actors accomplish once a fake mailer message lands in someone's inbox.
Credential Theft at Scale
The most common play: the spoofed email includes a link to a phishing page disguised as a Microsoft 365 login, a DocuSign portal, or a shared Google Drive document. The employee enters their credentials, and the attacker now owns their account. From there, it's lateral movement, data exfiltration, or launching internal phishing campaigns that bypass all external filters.
Verizon's 2024 Data Breach Investigations Report found that stolen credentials were involved in over 77% of attacks against web applications. Many of those credential theft campaigns started with a spoofed email that appeared to come from a trusted source. You can explore this further in Verizon's 2024 DBIR.
Business Email Compromise (BEC)
BEC is the highest-dollar cybercrime category tracked by the FBI. The attacker impersonates an executive, vendor, or attorney and requests an urgent wire transfer, gift card purchase, or payroll diversion. The fake mailer makes the impersonation convincing enough to bypass the employee's gut check.
The FBI IC3's 2023 Internet Crime Report documented 21,489 BEC complaints with adjusted losses of $2.9 billion. That's an average loss of roughly $137,000 per incident. Most victims never recover the funds.
Ransomware Delivery
Some fake mailer campaigns skip the subtlety entirely. The spoofed email carries a malicious attachment — a macro-enabled Word document, a compressed executable, or a link to a drive-by download site. One click, and ransomware is deploying across your network. The median ransom demand in 2024 is well into six figures, and that doesn't account for downtime, remediation, or reputational damage.
How to Detect a Fake Mailer Message
Your employees are the last line of defense when technical controls miss a spoofed email. Here's what to look for.
- Check the full email headers. In most email clients, you can view the raw message source. Look for mismatches between the "From" address and the "Return-Path" or "Received" headers. If the email claims to be from your CEO but originated from a server in a country where you don't operate, that's a red flag.
- Hover over links before clicking. Fake mailer messages almost always include a malicious URL. The display text might say "invoice.yourcompany.com" but the actual link points to a completely different domain.
- Watch for urgency and secrecy. Social engineering relies on pressure. "Don't discuss this with anyone," "I need this done before end of day," and "I'm in a meeting and can't talk" are classic BEC phrases.
- Verify out-of-band. If an email requests money, credentials, or sensitive data, pick up the phone and call the supposed sender using a known number — not the one in the email signature.
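The header check from the first bullet, as an added example that is not part of the original post: it reads a constructed raw message (all domains are placeholders) and reports the From / Return-Path / Reply-To mismatches and the Authentication-Results failures an analyst would note.

```python
"""Flag From / Return-Path / Authentication-Results mismatches in a raw message.

Added example, not from the original post; the message below is constructed
and every domain in it is a placeholder.
"""
import email
from email.utils import parseaddr

# Constructed headers of a spoofed "CEO" wire request as our MX would receive it.
RAW_MESSAGE = b"""\
Return-Path: <bounce@mailer-example.invalid>
Received: from mx.mailer-example.invalid (203.0.113.7) by mx.yourcompany.example
Authentication-Results: mx.yourcompany.example; spf=fail smtp.mailfrom=mailer-example.invalid; dkim=none; dmarc=fail header.from=yourcompany.example
From: "CEO Name" <ceo@yourcompany.example>
Reply-To: ceo.yourcompany@free-mail.invalid
To: finance@yourcompany.example
Subject: Urgent wire transfer

Please process the wire before end of day and keep this between us.
"""

def domain_of(header_value):
    """Return the lowercase domain of an address header, or '' if absent."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()

def header_red_flags(raw):
    """Return the red flags an analyst would note when reading the raw headers."""
    msg = email.message_from_bytes(raw)
    flags = []
    from_dom = domain_of(msg["From"])
    for header in ("Return-Path", "Reply-To"):
        other = domain_of(msg[header])
        if other and other != from_dom:
            flags.append(f"{header} domain {other} != From domain {from_dom}")
    # Authentication-Results is stamped by our own receiving server, so a fail
    # there means the claimed From domain was not verified by SPF/DKIM/DMARC.
    auth = (msg["Authentication-Results"] or "").lower()
    for proto in ("spf", "dkim", "dmarc"):
        if f"{proto}=fail" in auth:
            flags.append(f"{proto.upper()} failed at the receiving server")
    return flags

if __name__ == "__main__":
    for flag in header_red_flags(RAW_MESSAGE):
        print("RED FLAG:", flag)
```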
Building these instincts across your workforce requires structured cybersecurity awareness training that covers real-world spoofing scenarios, not just checkbox compliance modules.
Technical Defenses That Actually Stop Fake Mailers
Security awareness matters, but you also need to harden your infrastructure. Here's what works.
Deploy SPF, DKIM, and DMARC — Correctly
SPF tells receiving servers which IP addresses are authorized to send mail for your domain. DKIM adds a cryptographic signature to outgoing messages. DMARC ties them together and tells receiving servers what to do when authentication fails.
The critical step most organizations skip: setting your DMARC policy to p=reject. A policy of "none" monitors but doesn't block anything. You need to get to "reject" — and that means auditing all legitimate email senders (marketing platforms, CRMs, ticketing systems) first. CISA has published detailed guidance on this through their Binding Operational Directive 18-01.
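The audit described above, as an added example that is not from the original post: it parses a DMARC TXT record (constructed placeholder records, not any real domain's) and lists the gaps that keep it from actually enforcing, including the sp and pct tags that a quick glance at p= can miss.

```python
"""Assess whether a DMARC TXT record actually enforces anything.

Added example, not from the original post. The records are constructed
placeholders; in practice you would look up the TXT record at
_dmarc.<yourdomain> and pass its value in.
"""

# Constructed records: the monitoring-only policy and the enforcing one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.example"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc@yourcompany.example")

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(record):
    """Return the gaps that leave the domain spoofable (empty list = good)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none")
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is not rejected")
    # sp defaults to p; an explicitly weaker sp leaves subdomains spoofable.
    sub_policy = tags.get("sp", policy)
    if sub_policy != "reject" and sub_policy != policy:
        findings.append(f"sp={sub_policy}: subdomain policy weaker than p")
    # pct defaults to 100; anything lower enforces on only a sample of mail.
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of messages")
    if "rua" not in tags:
        findings.append("no rua tag: you will receive no aggregate reports")
    return findings

if __name__ == "__main__":
    for name, record in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(name, dmarc_findings(record) or ["enforcing, with reporting"])
```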
Implement Multi-Factor Authentication Everywhere
Even if a fake mailer campaign successfully harvests an employee's password, multi-factor authentication (MFA) stops the attacker from using it. Phishing-resistant MFA — hardware security keys or passkeys — is the gold standard. SMS-based MFA is better than nothing, but it's vulnerable to SIM swapping and real-time phishing proxies.
Adopt Zero Trust Principles
Zero trust assumes every request is potentially malicious, regardless of where it originates. Applied to email, this means verifying every message's authenticity before trusting it, limiting what any single compromised account can access, and monitoring for anomalous behavior like mass email forwarding rules or unusual login locations.
Run Phishing Simulations Regularly
You won't know how your employees respond to a convincing fake mailer attack until you test them. Regular phishing simulations identify who clicks, who reports, and where your training gaps are. Our phishing awareness training for organizations lets you run realistic simulated attacks and deliver targeted education to employees who need it most.
Why Fake Mailer Attacks Are Getting Worse in 2024
Three trends are accelerating the fake mailer threat this year.
Generative AI eliminates language barriers. The days of spotting phishing emails by their broken grammar are over. Threat actors use large language models to craft flawless, context-aware messages in any language. A fake mailer message generated with AI assistance is nearly indistinguishable from legitimate correspondence.
Spoofing-as-a-service is booming. Underground marketplaces now sell fake mailer access as a subscription service, complete with rotating IPs, pre-warmed domains, and templates targeting specific industries. The barrier to entry has never been lower.
Remote work expanded the attack surface. Employees working from home are more likely to rely on email for approvals and less likely to verify requests in person. Every wire transfer approval that happens over email instead of a face-to-face conversation is an opportunity for a BEC attack.
A Quick-Reference FAQ: Fake Mailer Essentials
Can a fake mailer send emails from any address?
Yes. SMTP does not require authentication of the sender address, so a fake mailer can put any email address in the "From" field. Whether the message gets delivered depends on whether the impersonated domain publishes SPF, DKIM, and DMARC records and whether the receiving server checks them. If the impersonated domain doesn't publish a DMARC policy of "reject," the spoofed message will likely land in the inbox.
Is using a fake mailer illegal?
Sending spoofed emails to deceive someone is illegal under multiple federal statutes, including the CAN-SPAM Act, the Computer Fraud and Abuse Act, and wire fraud laws. Penalties include fines and imprisonment. The tools themselves exist in a gray area — some claim to be for "testing purposes" — but their primary use in practice is malicious.
How do I know if my domain is being spoofed?
If you have DMARC configured with reporting enabled (rua/ruf tags), you'll receive aggregate and forensic reports showing every email sent using your domain — including unauthorized ones. These reports reveal fake mailer abuse in near-real time. If you're not getting DMARC reports, you're flying blind.
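Reading those rua reports, as an added example not from the original post: it parses a constructed DMARC aggregate report (RFC 7489 XML format; IPs and domains are placeholders) and totals the messages per source IP that failed both DKIM and SPF, which is the signal that someone is sending as your domain.

```python
"""Pull unauthenticated senders out of a DMARC aggregate (rua) report.

Added example, not from the original post. The XML is a constructed report
in the RFC 7489 aggregate format; IPs and domains are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed report: one legitimate sender plus two rows from a spoofing source.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>yourcompany.example</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>27</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.example</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>5</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourcompany.example</header_from></identifiers>
  </record>
</feedback>
"""

def unauthenticated_sources(report_xml):
    """Return {source_ip: message_count} for rows that failed DMARC.

    A row fails when neither DKIM nor SPF produced an aligned pass; with p=none
    those messages were still delivered, which is exactly what to look for.
    """
    totals = defaultdict(int)
    for row in ET.fromstring(report_xml).iter("row"):
        evaluated = row.find("policy_evaluated")
        dkim = evaluated.findtext("dkim", "fail")
        spf = evaluated.findtext("spf", "fail")
        if dkim != "pass" and spf != "pass":
            totals[row.findtext("source_ip")] += int(row.findtext("count"))
    return dict(totals)

def published_policy(report_xml):
    """Return the p= value the reporter saw; 'none' means nothing was blocked."""
    return ET.fromstring(report_xml).findtext("policy_published/p")
```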
The $2.9 Billion Problem You Can Actually Solve
Fake mailer attacks exploit two things: weak email authentication and untrained humans. You can fix both.
On the technical side, audit your SPF, DKIM, and DMARC records this week. If your DMARC policy isn't set to "reject," create a project plan to get there. Enable MFA on every account that touches email, financial systems, or sensitive data.
On the human side, stop treating security awareness as an annual compliance exercise. Your employees need hands-on experience recognizing spoofed messages, verifying requests through secondary channels, and reporting suspicious emails without fear of blame. Structured security awareness training builds those reflexes. Regular phishing simulations reinforce them.
The threat actor using a fake mailer doesn't need to be sophisticated. They just need one employee who trusts a forged email. Make sure your organization doesn't give them that opening.