A Single Fake Email Cost One Company $60 Million

In 2024, Orion SA, a Luxembourg-based steel trading company, disclosed that it lost approximately $60 million after an employee was tricked by a business email compromise (BEC) scheme built on fraudulent email communications. That same year, the FBI's IC3 received over 21,000 BEC complaints with adjusted losses exceeding $2.77 billion. The weapon in nearly every case? A fake email: a spoofed or impersonated message designed to look like it came from someone the victim trusted.

If you think your spam filter catches all of these, I need you to reconsider. I've investigated incidents where a single fake email bypassed every technical control because it was crafted to exploit trust, not technology. This post breaks down exactly how these attacks work, why they keep succeeding, and what your organization can do right now to stop them.

What Exactly Is a Fake Email?

A fake email is any message whose sender identity has been forged, spoofed, or impersonated to deceive the recipient. This isn't garden-variety spam. Threat actors use these techniques to impersonate CEOs, vendors, IT departments, and even government agencies. The goal is always the same: get you to take an action, whether that is clicking a link, opening an attachment, wiring money, or handing over credentials.

There are several distinct methods attackers use to create a convincing fake email:

  • Display name spoofing: The "From" name shows "John Smith - CEO" but the actual address is a free webmail account that has nothing to do with your company. Many mail clients, especially on mobile, show only the display name.
  • Domain spoofing: The attacker forges the From: header so the message appears to come from your-company.com, even though it originated elsewhere. This is the one case SPF, DKIM, and DMARC are designed to stop.
  • Lookalike domains: Registering domains like y0ur-company.com or your-cornpany.com, close enough that a busy employee won't notice. The attacker owns the domain, so it can carry its own valid SPF and DKIM records.
  • Compromised accounts: The most dangerous variant. The attacker gains access to a real mailbox and sends messages from a legitimate address, so every authentication check passes and the message can even land in an existing thread.

Each technique requires a different defensive strategy. That's why no single tool solves the problem.

Why Fake Email Attacks Keep Bypassing Your Filters

I've seen organizations invest six figures in email security gateways and still get compromised by a well-crafted fake email. Here's why.

Technical Controls Have Blind Spots

SPF, DKIM, and DMARC are essential, but they authenticate only the domain in the From: header. They stop others from spoofing your domain; they do nothing when an attacker registers a lookalike domain and publishes valid SPF, DKIM, and DMARC records for it, because that mail is genuinely authorized by the domain it claims to come from. They say nothing about the display name, and they can't help when the fake email comes from a compromised vendor's legitimate mailbox.

According to a 2024 analysis, less than half of domains globally have a DMARC policy set to "reject." That means most organizations aren't even fully protecting their own domain, let alone defending against inbound impersonation from others.

Social Engineering Exploits Human Psychology

The real power of a fake email isn't technical; it's psychological. Threat actors research their targets using LinkedIn, company websites, and even SEC filings. They know when your CFO is traveling. They know your vendor's invoice format. They time their attacks for Friday afternoons when attention is lowest.

The Verizon 2024 Data Breach Investigations Report found that the human element was involved in 68% of breaches. Social engineering, and specifically phishing by fake email, remains among the top initial access vectors. You can read the full report at Verizon's DBIR page.

The Anatomy of a Fake Email Attack Chain

Understanding how a fake email leads to a full data breach helps you see where defenses need to be layered. Here's a typical attack chain I've reconstructed from real incidents:

Step 1: Reconnaissance

The attacker identifies targets inside your organization. They scrape names, titles, email formats, and reporting structures from public sources. Tools that enumerate email addresses are trivially available.

Step 2: Crafting the Fake Email

The threat actor creates a message that matches the context: a "password reset" from IT, an "invoice" from a known vendor, or a "wire transfer request" from the CEO. The From: address is spoofed or uses a lookalike domain, and the display name is set to whoever the target expects to hear from.

Step 3: Credential Theft or Malware Delivery

The fake email either links to a phishing page that harvests credentials (increasingly an adversary-in-the-middle proxy that captures the session cookie as well as the password) or delivers a malicious attachment. In ransomware campaigns, the attachment often drops a loader that pulls down the actual payload later, which evades sandbox analysis because the sandbox only ever sees the harmless-looking first stage.

Step 4: Lateral Movement and Escalation

With stolen credentials, attackers move laterally through your network. If multi-factor authentication isn't enforced, a single set of credentials can give access to email, cloud storage, VPNs, and internal applications.

Step 5: Exfiltration or Extortion

Data is stolen, encrypted, or both. The attacker demands ransom. Your organization faces regulatory notification requirements, legal liability, and reputational damage.

Every step after the first depends on that initial fake email succeeding. That's why stopping it early matters more than anything else in the chain.

How Do You Identify a Fake Email?

This is the question I get asked most often, and it deserves a direct answer.

Check the actual sender address, not just the display name. On mobile, tap the name to expand the full address. On desktop, hover over it or open the message headers. If the domain doesn't match the organization the sender claims to represent, treat the message as fake. A matching domain is not proof of legitimacy either, because the real account may be compromised, so the content still has to pass the checks below.

Beyond that, watch for these indicators:

  • Urgency language: "Act immediately," "Your account will be suspended," "Do not discuss this with anyone."
  • Unusual requests: Wire transfers, gift card purchases, password resets you didn't initiate.
  • Mismatched URLs: Hover over any link before clicking. If the visible text says "microsoft.com" but the actual URL points elsewhere, stop.
  • Unexpected attachments: Especially .html, .zip, .iso, or macro-enabled Office files.
  • Grammar and formatting anomalies: AI-generated lures are increasingly flawless, but some attacks still contain subtle errors in formatting, greetings, or signatures.

When in doubt, verify through a separate communication channel. Call the person on a number you already have, or use Slack or Teams. Never reply to the suspicious message itself to confirm, and never use a phone number or link that the message supplies.
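The sender, link and attachment checks above can be automated for a triage queue. The following is an added example written for this post, not code from the original article or any vendor product. It is standard-library Python; the TRUSTED_DOMAINS and KNOWN_SENDERS values, the CONFUSABLES substitution table and the sample message are constructed assumptions for illustration. It covers the first three techniques from the list at the top of the post (display name spoofing, lookalike domains and mismatched link text) plus the risky attachment types; a compromised account produces none of these signals and has to be caught by content and behaviour instead.

```python
from __future__ import annotations

import difflib
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for the example: domains you own or expect vendor mail from, and
# the people attackers most often impersonate, with the domain they really use.
TRUSTED_DOMAINS = {"your-company.com", "acme-supplies.com"}
KNOWN_SENDERS = {"john smith": "your-company.com"}

# Character swaps that produce convincing lookalikes (0/o, 1/l, rn/m, vv/w, cl/d).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}
RISKY_EXTENSIONS = (".html", ".htm", ".zip", ".iso", ".img", ".docm", ".xlsm", ".lnk", ".js")


def normalise(domain: str) -> str:
    """Fold confusable spellings so 'y0ur-cornpany.com' compares equal to 'your-company.com'."""
    d = domain.lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def lookalike_of(domain: str) -> str | None:
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None                      # genuinely ours, or a real subdomain
    for trusted in TRUSTED_DOMAINS:
        if trusted in domain:                # e.g. your-company.com-secure.net
            return trusted
        if normalise(domain) == normalise(trusted):
            return trusted                   # homoglyph / typo substitution
        if difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.9:
            return trusted                   # a character added, dropped or changed
    return None


def sender_findings(from_header: str) -> list[str]:
    """Display-name spoofing and lookalike-domain checks on the From: header."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    for person, real_domain in KNOWN_SENDERS.items():
        if person in name.lower() and domain != real_domain:
            findings.append(f"display name '{name}' but address is @{domain}, not @{real_domain}")
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"lookalike domain {domain} imitates {imitated}")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(html: str) -> list[str]:
    """Flag links whose visible text names one host while the href goes to another."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real_host = urlparse(href).hostname or ""
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if "." in shown_host and real_host != shown_host and not real_host.endswith("." + shown_host):
            findings.append(f"link text shows {shown_host} but points to {real_host}")
    return findings


def attachment_findings(msg: EmailMessage) -> list[str]:
    """Flag attachment types that commonly carry credential lures or loaders."""
    return [f"risky attachment {part.get_filename()}"
            for part in msg.iter_attachments()
            if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS)]


def triage(raw: str) -> list[str]:
    """Run every check over a raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw, policy=policy.default)
    findings = sender_findings(str(msg["From"]))
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        findings += link_findings(html_part.get_content())
    findings += attachment_findings(msg)
    return findings


def build_sample() -> str:
    """Constructed lure (not a real message) that combines all four tricks."""
    m = EmailMessage()
    m["From"] = "John Smith - CEO <john.smith@y0ur-cornpany.com>"
    m["To"] = "finance@your-company.com"
    m["Subject"] = "Urgent wire - do not discuss"
    m.set_content("Approve the attached wire today.")
    m.add_alternative('<p>Approve at <a href="http://login.y0ur-cornpany.com/auth">'
                      "https://portal.your-company.com</a></p>", subtype="html")
    m.add_attachment("<html>lure</html>", subtype="html", filename="wire.html")
    return m.as_string()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print("-", finding)
```

Run it and the sample yields four findings: the display name claims the CEO while the address is on another domain, that domain folds to your-company.com once 0 and rn are normalised, the link text shows a portal on your domain while the href goes to the lookalike, and the attachment is an .html file. The similarity threshold and the confusable table are the knobs to tune against your own domain list; expect to add a homoglyph table for non-ASCII (IDN) labels in production.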

Technical Defenses That Actually Work Against Fake Email

Layered defense is the only approach that holds up in practice. Here's what I recommend based on real-world effectiveness.

Enforce DMARC at "Reject"

If you haven't moved your DMARC policy past "none," you're collecting reports but not protecting anyone. Move to "quarantine" and then "reject" as fast as your email ecosystem allows, and make sure every legitimate sender (marketing platforms, ticketing systems, payroll providers) passes SPF or DKIM with an aligned domain first, or enforcement will block your own mail. CISA provides detailed guidance on email authentication at its BOD 18-01 directive page.
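The following added example (written for this post, not taken from it or from any DMARC product) makes the two points above concrete: what a receiving mail server does with a spoofed message under p=none versus p=reject, and why a lookalike domain that publishes its own records passes DMARC untouched, as the "blind spots" section earlier explained. It is standard-library Python with constructed records and constructed SPF/DKIM results; the organisational-domain calculation is an assumption (last two labels) that stands in for the Public Suffix List a real receiver would use.

```python
from __future__ import annotations


def org_domain(domain: str) -> str:
    """Organisational domain. Assumption: last two labels (real receivers use the PSL)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into tags, filling in the RFC 7489 defaults."""
    tags: dict[str, str] = {"p": "none", "adkim": "r", "aspf": "r", "pct": "100"}
    for item in record.split(";"):
        if "=" in item:
            key, _, value = item.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("sp", tags["p"])      # subdomain policy inherits p when unset
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_verdict(record: str, from_domain: str,
                  spf_domain: str | None, spf_pass: bool,
                  dkim_domain: str | None, dkim_pass: bool) -> str:
    """'pass' if an aligned SPF or DKIM identifier passed; otherwise the policy to apply."""
    tags = parse_dmarc(record)
    spf_ok = bool(spf_pass and spf_domain and aligned(from_domain, spf_domain, tags["aspf"]))
    dkim_ok = bool(dkim_pass and dkim_domain and aligned(from_domain, dkim_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return "pass"
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    return tags["sp"] if is_subdomain else tags["p"]


# The record most organisations start with, and the one this section tells you to reach.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@your-company.com"
ENFORCING = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@your-company.com"


def scenarios() -> dict[str, str]:
    """Constructed cases: what a receiving MTA would do with each message."""
    return {
        # Direct spoof of your domain from the attacker's server while you only monitor.
        "spoof_under_p_none": dmarc_verdict(
            MONITOR_ONLY, "your-company.com", "attacker.example", True, None, False),
        # The same spoof once you enforce: nothing aligns, policy says reject.
        "spoof_under_p_reject": dmarc_verdict(
            ENFORCING, "your-company.com", "attacker.example", True, None, False),
        # Lookalike domain the attacker owns, with its own SPF/DKIM/DMARC: passes cleanly.
        "lookalike_domain": dmarc_verdict(
            "v=DMARC1; p=reject", "y0ur-cornpany.com",
            "y0ur-cornpany.com", True, "y0ur-cornpany.com", True),
        # Your own mail signed with a subdomain key: relaxed alignment accepts it, strict rejects it.
        "subdomain_signed_relaxed": dmarc_verdict(
            MONITOR_ONLY, "your-company.com", None, False, "mail.your-company.com", True),
        "subdomain_signed_strict": dmarc_verdict(
            ENFORCING, "your-company.com", None, False, "mail.your-company.com", True),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:26} -> {verdict}")
```

The last two scenarios are the reason for "as fast as your email ecosystem allows": flipping adkim and aspf to strict at the same time as p=reject will bounce your own mail if any legitimate sender signs or passes SPF with a subdomain. Enforce p=reject first with relaxed alignment, inventory the aligned senders from your aggregate (rua) reports, and tighten alignment afterwards.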

Deploy Multi-Factor Authentication Everywhere

Even when a fake email successfully harvests a password, multi-factor authentication can stop the attacker from using it. Prioritize phishing-resistant MFA such as FIDO2 security keys, which bind the login to the real site's origin so a lookalike page cannot complete it. SMS codes can be intercepted, and one-time codes and push approvals can be relayed in real time by adversary-in-the-middle phishing kits, so those methods are a much weaker backstop.

Implement a Zero Trust Architecture

Zero trust assumes the network is already compromised. Every access request is verified regardless of source. This limits the blast radius when a fakeemail does lead to credential theft. NIST's Zero Trust Architecture guide at NIST SP 800-207 is the reference standard.

Use Email Banners for External Messages

A simple banner that says "This message originated from outside your organization" gives employees a visual cue. It won't stop sophisticated attacks, but it exposes basic display name spoofing, where the attacker impersonates an internal executive from an external address.

Detonate Links and Attachments Before Delivery

Modern email security platforms can detonate links and attachments in isolated environments before delivering them. This catches many malware-laden fake emails that signature-based scanning misses. Attackers know this, which is why the staged loaders described in the attack chain above delay or hide their real behavior until they are on a victim's machine, so treat detonation as one layer rather than a guarantee.

The $4.88M Lesson Most Organizations Learn Too Late

IBM's Cost of a Data Breach Report has consistently shown that phishing, which starts with a fake email, is among the costliest initial attack vectors. The global average cost of a data breach hit $4.88 million in 2024. Organizations with trained employees and a practiced incident response plan reported lower breach costs than those relying on technology alone.

Here's what I've seen repeatedly: the organizations that survive fake email attacks without catastrophic damage are the ones that invested in security awareness before the attack happened. Technology buys you time. Training buys you resilience.

Building a Human Firewall Against Fake Email

Your employees are either your biggest vulnerability or your strongest sensor network. The difference is training.

Run Realistic Phishing Simulations

Phishing simulations work when they're realistic and paired with immediate education. Generic "click this obviously fake link" tests don't build skills. Your simulations should mirror the techniques attackers actually use: display name spoofing, lookalike domains, and context-aware pretexting. Our phishing awareness training for organizations provides simulation-based learning that maps directly to the techniques threat actors use today.

Make Reporting Easy and Rewarded

If reporting a suspicious email takes five steps and a help desk ticket, people won't do it. Give them a one-click "Report Phish" button. Celebrate employees who report, even false positives. Every reported message is intelligence your security team can use.

Train Continuously, Not Annually

Annual compliance training checks a box but doesn't change behavior. Security awareness needs to be ongoing — short modules, real-world examples, and reinforcement through simulated attacks. Our cybersecurity awareness training program delivers exactly this kind of continuous, practical education your team can start immediately.

Focus on High-Risk Roles

Finance teams, executive assistants, HR departments, and IT administrators are prime targets for fake email campaigns. These roles need more intensive and more frequent training than the general population. Business email compromise attacks specifically target people who can authorize payments or access sensitive data.

What To Do When a Fake Email Gets Through

Even with strong defenses, some fake emails will land. Your response speed determines the outcome.

  • Isolate immediately: If an employee clicked a link or opened an attachment, disconnect the device from the network. Don't power it off; memory and running processes may be needed for forensics.
  • Reset credentials and sessions: Change passwords for any accounts that may have been exposed, and revoke active sessions and refresh tokens, because a stolen session cookie keeps working after a password change. Force MFA re-enrollment if there's any chance the attacker registered a device of their own.
  • Notify your email security team: They can search for similar messages across the organization and block the sender domain, URL, or attachment hash.
  • Preserve evidence: Save the original email with full headers (the Received: chain shows where it actually came from). Screenshot any phishing pages before they're taken down. This data is critical for law enforcement and insurance claims.
  • Report it: File a complaint with the FBI's IC3 at ic3.gov. If financial fraud occurred, contact your bank immediately; recovery chances drop sharply after the first 24 hours.
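The "notify your email security team" and "preserve evidence" steps come down to pulling indicators out of the reported message and sweeping the rest of the mail store for them. The following is an added example written for this post, not code from the original article or from any mail platform. It uses only the standard library; the three messages, the attacker hostname and the 203.0.113.10 address (from the documentation range) are constructed, and the Received: parsing assumes the common "from host ([ip])" layout written by most MTAs.

```python
from __future__ import annotations

import hashlib
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# "from <host> (... [ip])" as written by the receiving MTA; re.S tolerates header folding.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)


def extract_iocs(raw: str) -> dict:
    """Sender domain, URLs, attachment hashes and originating hops from a raw message."""
    msg = message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"]))
    iocs = {"sender_domain": addr.rpartition("@")[2].lower(),
            "urls": set(), "sha256": set(), "received_from": []}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.is_attachment() or part.get_filename():
            iocs["sha256"].add(hashlib.sha256(part.get_payload(decode=True)).hexdigest())
        elif part.get_content_maintype() == "text":
            iocs["urls"].update(u.rstrip(".,);") for u in URL_RE.findall(part.get_content()))
    # Received: headers are prepended hop by hop, so the last one is the first hop we saw.
    for hop in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(hop))
        if m:
            iocs["received_from"].append((m.group(1), m.group(2)))
    return iocs


def matches(raw: str, iocs: dict) -> list[str]:
    """Which indicators from the reported message also appear in this other message."""
    other = extract_iocs(raw)
    hits = []
    if other["sender_domain"] == iocs["sender_domain"]:
        hits.append("sender_domain")
    if other["urls"] & iocs["urls"]:
        hits.append("url")
    if other["sha256"] & iocs["sha256"]:
        hits.append("attachment_hash")
    return hits


def build_samples() -> tuple[str, str, str]:
    """Three constructed messages: the reported lure, a sibling from the same campaign
    (different sender and wording, identical attachment), and an unrelated internal mail."""
    lure = b"constructed attachment bytes, not real malware"

    reported = EmailMessage()
    reported["Received"] = "from mail.attacker.example ([203.0.113.10]) by mx.your-company.com"
    reported["From"] = "Accounts Payable <ap@acme-supp1ies.com>"
    reported["To"] = "finance@your-company.com"
    reported["Subject"] = "Overdue invoice - action required"
    reported.set_content("Settle today at https://acme-supp1ies.com/pay?id=7731 or see attached.")
    reported.add_attachment(lure, maintype="application", subtype="zip", filename="invoice.zip")

    sibling = EmailMessage()
    sibling["From"] = "Billing <billing@acme-supp1ies.net>"
    sibling["To"] = "ceo-office@your-company.com"
    sibling["Subject"] = "Reminder"
    sibling.set_content("Statement attached.")
    sibling.add_attachment(lure, maintype="application", subtype="zip", filename="statement.zip")

    benign = EmailMessage()
    benign["From"] = "HR <hr@your-company.com>"
    benign["To"] = "all@your-company.com"
    benign["Subject"] = "Benefits enrolment"
    benign.set_content("Enrol at https://benefits.your-company.com/ by Friday.")
    return reported.as_string(), sibling.as_string(), benign.as_string()


if __name__ == "__main__":
    reported_raw, sibling_raw, benign_raw = build_samples()
    iocs = extract_iocs(reported_raw)
    print("indicators:", iocs)
    for label, raw in (("sibling", sibling_raw), ("benign", benign_raw)):
        print(label, "->", matches(raw, iocs) or "no match")
```

The sibling message is why the sweep keys on more than the sender: the attacker rotated both the domain and the URL, but reused the attachment, so only the hash links the two. In practice you feed the same indicator set to your gateway's block list and to your mail platform's search or purge tooling, and you keep the originating hop from the Received: chain for the IC3 report.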

Fake Email Isn't Going Away, But You Can Get Ahead of It

AI is making fake emails more convincing, more personalized, and harder to detect. Deepfake voice and video are already being combined with email-based social engineering in multi-channel attacks. The threat is evolving fast.

But here's what I know from two decades in this field: the organizations that layer technical controls with genuine human awareness don't just survive these attacks; they catch them early, respond fast, and minimize damage. A fake email only works when someone trusts it. Your job is to build an organization where people verify before they trust.

Start with the fundamentals. Enforce DMARC. Deploy phishing-resistant MFA. Train your people with realistic scenarios. And when the next fake email lands in someone's inbox, and it will, make sure they're ready to recognize it for exactly what it is.