The FakeEmail That Cost One Company $75 Million

In 2020, the FBI's Internet Crime Complaint Center reported that business email compromise — attacks built on fakeemail techniques — generated over $1.8 billion in losses in a single year. That made it the costliest category of cybercrime, beating ransomware by a wide margin. One Belgian bank, Crelan, lost approximately $75.8 million to a single business email compromise attack built on spoofed executive emails.

A fakeemail isn't some clumsy Nigerian prince scam anymore. It's a precise, weaponized social engineering tool that threat actors use to impersonate CEOs, vendors, IT departments, and even government agencies. If your organization hasn't faced one yet, you will — and the question is whether your people will recognize it.

This post breaks down exactly how fakeemail attacks work, why they're so effective, and the specific steps you need to take to protect your organization in 2021.

What Is a FakeEmail Attack, Exactly?

A fakeemail attack is any email sent with a forged or misleading sender address designed to trick the recipient into believing it came from a trusted source. Technically, email spoofing is trivially easy. The SMTP protocol — the backbone of email since the 1980s — was never designed with authentication in mind: nothing in it checks that the address given in the MAIL FROM command, or the one in the From: header the recipient sees, has anything to do with the server that connected. Anyone with basic technical knowledge can send a message that appears to come from your CEO, your bank, or the IRS.

There are two primary methods threat actors use:

  • Display name spoofing: The attacker sets the "From" display name to something like "John Smith - CFO" while using a completely unrelated email address, often a free webmail account. Most mobile email clients only show the display name, making this devastatingly effective, and because the address itself is genuine, SPF, DKIM and DMARC all pass for it.
  • Domain spoofing: The attacker puts your company's domain, or a trusted partner's, directly into the From: header (and sometimes into the SMTP envelope sender as well). SMTP does not check either value against the connecting server. Without SPF, DKIM and DMARC records published for that domain, receiving mail servers have no basis to reject the message and will deliver it.
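The two techniques differ in which of the two sender identities is forged, and that is the detail a gateway or a triage script keys on. The following is an added example, not code from the original post: it constructs one message of each kind (domains, names and the one-entry staff directory are invented), then classifies them by comparing the visible From: header against the envelope sender and against the directory, the same check executive-impersonation filters perform.

```python
"""Envelope sender vs. header From: what the two spoofing techniques look like.

Added example, not code from the original post. The domains, names,
addresses and the one-entry employee directory are constructed.
"""
import email
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "acme.example"                       # assumed victim domain
DIRECTORY = {"john smith": "john.smith@acme.example"}  # assumed staff directory

# SMTP carries two senders: the envelope MAIL FROM (what the receiver stores
# as Return-Path and what SPF authenticates) and the RFC 5322 From: header
# that mail clients display. Nothing in SMTP requires them to match.

# 1. Display-name spoofing: a trusted name and title on an unrelated mailbox.
DISPLAY_NAME_SPOOF = (
    b'From: "John Smith - CFO" <jsmith.cfo@mail-free.example>\r\n'
    b"To: ap-clerk@acme.example\r\n"
    b"Subject: Urgent wire\r\n\r\n"
    b"Process the wire today. Keep this confidential.\r\n"
)
DISPLAY_NAME_SPOOF_ENVELOPE = "jsmith.cfo@mail-free.example"

# 2. Domain spoofing: the From: header claims the victim's domain while the
#    envelope sender is the attacker's bounce address on another domain.
DOMAIN_SPOOF = (
    b"From: John Smith <john.smith@acme.example>\r\n"
    b"To: ap-clerk@acme.example\r\n"
    b"Subject: Urgent wire\r\n\r\n"
    b"Process the wire today.\r\n"
)
DOMAIN_SPOOF_ENVELOPE = "bounce-7@bulk-relay.example"

# 3. Genuine internal mail: the same visible headers, an aligned envelope.
LEGIT = DOMAIN_SPOOF
LEGIT_ENVELOPE = "john.smith@acme.example"


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def normalise_name(display_name: str) -> str:
    """'John Smith - CFO' -> 'john smith': strip titles after a separator."""
    base = re.split(r"\s*[-|,(]\s*", display_name, maxsplit=1)[0]
    return " ".join(base.lower().split())


def classify(raw: bytes, envelope_from: str) -> str:
    """Name the spoofing technique a message exhibits, if any.

    'domain-spoof'        From: is on our domain, the envelope sender is not.
    'display-name-spoof'  display name matches a staff entry, address does not.
    'aligned'             header From: and envelope sender share a domain.
    'external'            external mail with no impersonation indicator.
    """
    msg = email.message_from_bytes(raw)
    display_name, addr = parseaddr(msg["From"] or "")
    hdr_domain, env_domain = domain_of(addr), domain_of(envelope_from)
    if hdr_domain == INTERNAL_DOMAIN and env_domain != INTERNAL_DOMAIN:
        return "domain-spoof"
    expected = DIRECTORY.get(normalise_name(display_name))
    if expected and addr.lower() != expected:
        return "display-name-spoof"
    return "aligned" if hdr_domain == env_domain else "external"


if __name__ == "__main__":
    for label, raw, env in (
        ("display-name", DISPLAY_NAME_SPOOF, DISPLAY_NAME_SPOOF_ENVELOPE),
        ("domain", DOMAIN_SPOOF, DOMAIN_SPOOF_ENVELOPE),
        ("legit", LEGIT, LEGIT_ENVELOPE),
    ):
        print(f"{label:13s} -> {classify(raw, env)}")
```

Note that the domain-spoofed message and the genuine one have byte-for-byte identical headers; only the envelope differs, which is exactly why a user looking at the message can't tell them apart and a DNS policy (SPF, DKIM, DMARC) has to.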

Both techniques are core components of phishing campaigns, business email compromise (BEC), and credential theft operations. The Verizon 2021 Data Breach Investigations Report found that 36% of all data breaches involved phishing — a significant jump from the previous year — and fakeemail is the delivery mechanism for the vast majority of those attacks.

Why Your Spam Filter Won't Save You

I've seen organizations spend six figures on email security gateways and still get compromised by a well-crafted spoofed email. Here's why.

Modern email filters are good at catching bulk spam and known malicious attachments. But a targeted fakeemail — especially one that contains no links, no attachments, and just a carefully worded request — sails right through. These are called "payload-less" attacks, and they're the backbone of BEC fraud.

Imagine your accounts payable clerk receives an email that appears to come from the CEO: "I need you to wire $48,000 to this account for an acquisition we're closing today. Keep this confidential." No malware. No link. Just social engineering. Your spam filter sees nothing suspicious because technically, there's nothing malicious in the message body.

The Authentication Gap Most Organizations Ignore

Three DNS-based email authentication standards exist to combat domain spoofing: SPF, DKIM, and DMARC. SPF publishes which servers may send mail for a domain, DKIM lets the sending domain cryptographically sign its messages, and DMARC requires that one of the two pass for a domain matching the visible From: address and tells receivers what to do when neither does. The problem? According to a 2021 analysis by Valimail, roughly 80% of domains worldwide still don't have a DMARC policy set to enforcement (quarantine or reject). That means the vast majority of organizations are broadcasting to the world: "Go ahead, spoof our domain. We won't stop you."

If your organization hasn't configured DMARC with a policy of p=reject, you're leaving the door wide open for threat actors to send fakeemail messages using your domain to target your employees, partners, and customers.

Real-World FakeEmail Attacks That Made Headlines

The Ubiquiti Networks Wire Transfer

In 2015, Ubiquiti Networks disclosed that it lost $46.7 million after employees were tricked by spoofed emails impersonating executives and requesting wire transfers to overseas accounts. The company eventually recovered some funds, but the incident demonstrated how a simple fakeemail could bypass every technical control when human judgment fails.

The COVID-19 Vaccine Phishing Wave

Throughout 2020 and into 2021, CISA issued multiple alerts about phishing campaigns using spoofed emails that impersonated health agencies, vaccine distributors, and government offices. These fakeemail campaigns targeted healthcare organizations and sought credentials that could be used for deeper network access — or sold on dark web markets. CISA documented these threats extensively at cisa.gov.

The SolarWinds Supply Chain Aftermath

After the SolarWinds breach was disclosed in December 2020, threat actors launched waves of phishing emails spoofing SolarWinds and Microsoft to capitalize on the confusion. Organizations scrambling to patch systems received fakeemail messages containing malicious links disguised as security updates. It was social engineering layered on top of a real crisis — and it worked.

How to Detect a FakeEmail Before It's Too Late

This is the section that matters most for your frontline employees. Every person in your organization who touches email needs to know these red flags:

  • Check the actual sender address, not just the display name. On mobile, tap the sender name to reveal the full email address. If the display says "IT Help Desk" but the address is on an unrelated domain, it's spoofed.
  • Look for urgency + secrecy. "Wire this immediately" + "Don't discuss this with anyone" is the signature pattern of BEC fraud. Legitimate executives don't operate this way.
  • Hover over links before clicking. On desktop, hovering reveals the actual destination URL. If the link text says "portal.yourcompany.com" but the hover shows "yourcompany.portal-login.ru," walk away.
  • Verify out of band. If an email requests money, credentials, or sensitive data, verify via a separate channel. Call the person directly using a number you already have — not a number from the email.
  • Inspect the email headers. For IT teams, the full headers reveal the envelope sender (Return-Path), the server that handed the message to your own mail system (the Received: line your MX wrote; everything below it was supplied by the sender and can be fabricated), and the SPF/DKIM/DMARC results in the Authentication-Results header, which you should trust only when your own mail server stamped it.
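Reading those headers by eye is error-prone, so here is the triage as a script. This is an added example, not code from the original post: the inbound message is constructed (hostnames, IPs and the authserv-id are invented), and TRUSTED_MX is assumed to be the name your own edge mail server writes into its Received: and Authentication-Results: headers. It extracts the envelope sender, the IP your MX actually saw, and the authentication results, while ignoring a forged Authentication-Results: header the sender slipped into the message.

```python
"""Header triage: pull the facts that expose a spoofed message out of a raw email.

Added example, not code from the original post. The message, hostnames, IPs
and the authserv-id are constructed; TRUSTED_MX is assumed to be the name
your own edge mail server writes into Received: and Authentication-Results:.
"""
import email
import re
from email.utils import parseaddr

TRUSTED_MX = "mx1.acme.example"  # assumed: our own inbound MX

# Constructed inbound message. Our MX wrote the top Received: and the first
# Authentication-Results:. The second Authentication-Results: and the lower
# Received: arrived inside the message, i.e. the sender authored them.
RAW = (
    b"Return-Path: <bounce-7@bulk-relay.example>\r\n"
    b"Received: from bulk-relay.example (bulk-relay.example [203.0.113.45])\r\n"
    b"\tby mx1.acme.example with ESMTPS id 7f2c; Tue, 4 May 2021 09:12:09 +0000\r\n"
    b"Authentication-Results: mx1.acme.example;\r\n"
    b"\tspf=pass (sender IP is 203.0.113.45) smtp.mailfrom=bulk-relay.example;\r\n"
    b"\tdkim=none;\r\n"
    b"\tdmarc=fail (p=reject) header.from=acme.example\r\n"
    b"Authentication-Results: mail.attacker.example; spf=pass; dkim=pass;"
    b" dmarc=pass header.from=acme.example\r\n"
    b"Received: from [192.0.2.9] by bulk-relay.example with SMTP;"
    b" Tue, 4 May 2021 09:12:01 +0000\r\n"
    b"From: John Smith <john.smith@acme.example>\r\n"
    b"To: ap-clerk@acme.example\r\n"
    b"Subject: Urgent wire\r\n\r\n"
    b"Process the wire today. Keep this confidential.\r\n"
)

AUTH_RESULT = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|neutral|none|temperror|permerror)\b")
RECEIVED_BY_US = re.compile(
    r"\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+" + re.escape(TRUSTED_MX) + r"\b", re.S)


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def auth_results(msg):
    """Map method -> result, using only Authentication-Results: headers whose
    authserv-id is our own MX. Senders can pre-load a forged one; RFC 8601
    says the border MTA should strip those, but checking costs nothing."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        if hdr.split(";", 1)[0].strip() != TRUSTED_MX:
            continue
        for method, result in AUTH_RESULT.findall(hdr):
            results.setdefault(method, result)
    return results


def connecting_ip(msg):
    """IP of the server that handed the message to our MX. Each hop prepends a
    Received: line, so the first one saying 'by <our MX>' is the only hop we
    observed ourselves; anything below it is sender-supplied and may be fake."""
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_BY_US.search(hdr)
        if m:
            return m.group(1)
    return None


def triage(raw):
    msg = email.message_from_bytes(raw)
    from_domain = domain_of(parseaddr(msg["From"] or "")[1])
    return_path_domain = domain_of(parseaddr(msg["Return-Path"] or "")[1])
    auth = auth_results(msg)
    findings = []
    if from_domain != return_path_domain:
        findings.append(f"visible From: {from_domain} but envelope sender {return_path_domain}")
    if auth.get("dmarc") != "pass":
        findings.append(f"dmarc={auth.get('dmarc', 'missing')} for {from_domain}")
    if auth.get("dkim", "none") == "none":
        findings.append("message carries no valid DKIM signature")
    return {"from_domain": from_domain, "return_path_domain": return_path_domain,
            "connecting_ip": connecting_ip(msg), "auth": auth, "findings": findings}


if __name__ == "__main__":
    for key, value in triage(RAW).items():
        print(f"{key}: {value}")
```

The instructive detail in the sample is that spf=pass and dmarc=fail appear together: SPF passed for the relay's own domain in the envelope, but that domain does not match the acme.example in the From: line, so DMARC fails. An SPF pass on its own says nothing about the address the user sees.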

Building this instinct across your workforce takes structured training. I recommend enrolling your team in a phishing awareness training program designed for organizations that uses realistic phishing simulations to build detection skills through practice, not just slides.

The $4.65M Lesson in Skipping Security Awareness Training

IBM's 2021 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.24 million — the highest in 17 years of the study. Phishing was the second most common initial attack vector, and breaches caused by phishing had an average cost of $4.65 million.

Here's what those numbers tell me: fakeemail isn't just an IT problem. It's a business survival problem. And the primary defense isn't a product — it's people.

Security awareness training reduces the likelihood that an employee will fall for a spoofed email. But not all training is equal. Annual compliance checkbox training doesn't change behavior. What works is continuous reinforcement: short modules, regular phishing simulations, and immediate feedback when someone clicks something they shouldn't have.

If you're starting from scratch or looking to upgrade your program, comprehensive cybersecurity awareness training gives your employees the foundation they need to recognize social engineering, credential theft attempts, and spoofed communications.

Technical Controls That Actually Stop FakeEmail Attacks

Training is the human layer. You also need technical controls. Here's the stack I recommend for every organization in 2021:

1. Implement DMARC, SPF, and DKIM

This is non-negotiable. SPF lists the servers allowed to send mail for your domain; receivers check it against the envelope sender (MAIL FROM) and the HELO name, not the From: line the user sees. DKIM adds a cryptographic signature, keyed to your domain, over selected headers and the body. DMARC ties them together: it requires that SPF or DKIM pass for a domain aligned with the visible From: domain, tells receiving servers what to do otherwise (none, quarantine, or reject), and sends you aggregate reports on who is sending as your domain. Roll it out in stages: publish p=none with an rua= reporting address, use the reports to find every legitimate sender and get it into SPF or signing with DKIM, then move to p=quarantine and finally p=reject. NIST provides detailed guidance on email authentication in Special Publication 800-177 Rev. 1.
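To make the authentication gap described earlier and this step concrete, here is an added example (not code from the original post, and not from NIST SP 800-177) that does two things: it audits a monitor-only SPF/DMARC pair against an enforced one, and it evaluates the DMARC verdict a receiver reaches from the SPF and DKIM results. The record strings are constructed; in practice you fetch them as TXT records (SPF at the domain itself, DMARC at _dmarc.<domain>), and org_domain() is a simplification of the Public Suffix List lookup real validators perform.

```python
"""SPF/DKIM/DMARC: audit the published records, then evaluate a DMARC verdict.

Added example, not code from the original post or from NIST SP 800-177. The
record strings are constructed; in practice you fetch them as TXT records
(SPF at the domain itself, DMARC at _dmarc.<domain>). org_domain() is a
simplification of the Public Suffix List lookup real validators perform.
"""
import re

# Constructed records: a monitor-only posture next to the enforced one.
WEAK = {
    "spf": "v=spf1 include:_spf.mailhost.example ~all",
    "dmarc": "v=DMARC1; p=none",
}
ENFORCED = {
    "spf": "v=spf1 include:_spf.mailhost.example -all",
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-agg@acme.example",
}

SPF_LOOKUP = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)")


def parse_tags(record):
    """'v=DMARC1; p=reject; pct=100' -> {'v': 'DMARC1', 'p': 'reject', ...}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit(records):
    """List the weaknesses in an SPF + DMARC pair; an empty list means enforced."""
    issues = []
    spf = records["spf"].split()
    if not spf or spf[0].lower() != "v=spf1":
        issues.append("SPF: missing or malformed v=spf1 record")
    elif spf[-1] != "-all":
        issues.append(f"SPF: ends with '{spf[-1]}', not '-all' (hard fail)")
    # Top-level count only; include: targets add their own lookups over DNS.
    lookups = sum(1 for m in spf if SPF_LOOKUP.match(m))
    if lookups > 10:
        issues.append(f"SPF: {lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    dmarc = parse_tags(records["dmarc"])
    if dmarc.get("v") != "DMARC1":
        issues.append("DMARC: no v=DMARC1 record")
    if dmarc.get("p") != "reject":
        issues.append(f"DMARC: p={dmarc.get('p', 'missing')}, spoofed mail is still delivered")
    if dmarc.get("pct", "100") != "100":
        issues.append(f"DMARC: pct={dmarc['pct']} enforces on only part of the traffic")
    if "rua" not in dmarc:
        issues.append("DMARC: no rua= address, so no aggregate reports")
    return issues


def org_domain(domain):
    """Organizational domain for relaxed alignment (assumes a one-label public suffix)."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_verdict(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dmarc_record):
    """DMARC passes only if SPF or DKIM passes *and* the domain it authenticated
    aligns with the RFC 5322 From: domain. Returns (verdict, disposition)."""
    tags = parse_tags(dmarc_record)

    def aligned(auth_domain, mode):
        if not auth_domain:
            return False
        if mode == "s":                                   # strict: exact match
            return auth_domain.lower() == from_domain.lower()
        return org_domain(auth_domain) == org_domain(from_domain)  # relaxed

    spf_ok = spf_result == "pass" and aligned(spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")


if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("enforced:", audit(ENFORCED))
    # A domain-spoofed message: SPF passes for the relay's own envelope
    # domain, which does not align with the spoofed From: domain.
    for name, rec in (("weak", WEAK), ("enforced", ENFORCED)):
        print(name, dmarc_verdict("acme.example", "pass", "bulk-relay.example",
                                  "none", "", rec["dmarc"]))
```

Two things to take from running it. First, with p=none the spoof still fails DMARC, but the disposition is "none": the message is delivered and you only hear about it in a report. Second, alignment mode matters: mail DKIM-signed by a subdomain such as mail.acme.example passes under the default relaxed alignment but fails once you set adkim=s, so check your own subdomain senders before tightening it.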

2. Enable Multi-Factor Authentication Everywhere

Even if a fakeemail tricks someone into entering their credentials on a phishing page, multi-factor authentication (MFA) means the stolen password alone no longer gets the attacker in. Be precise about which MFA, though: one-time codes and push approvals can be relayed in real time by reverse-proxy phishing kits that sit between the victim and the real login page, and push prompts can be repeated until a tired user approves one. Phishing-resistant methods such as FIDO2/WebAuthn security keys bind the credential to the genuine site and defeat that relay. Deployed everywhere, MFA is still the single most effective control against credential theft.

3. Deploy Email Banner Warnings

Configure your email system to add a visible banner to all messages originating outside your organization. Something like: "CAUTION: This email originated from outside the company. Do not click links or open attachments unless you recognize the sender." This simple visual cue has prevented countless BEC attacks in organizations I've worked with.

4. Adopt Zero Trust Principles

A zero trust architecture assumes that no user, device, or network is inherently trustworthy. Every access request is verified. In the context of fakeemail attacks, zero trust means that even if an attacker compromises one account via phishing, they can't move laterally across your network without passing additional authentication and authorization checks.

5. Run Regular Phishing Simulations

You can't measure what you don't test. Run monthly phishing simulations that mimic real-world fakeemail techniques — display name spoofing, lookalike domains, urgency-driven BEC messages. Track click rates and reporting rates over time. The goal isn't to punish people. It's to build muscle memory.

What Should You Do If You Receive a FakeEmail?

If you or an employee receives a suspected spoofed email, follow this process:

  • Do not click any links or download any attachments.
  • Do not reply to the message. Replying confirms your email address is active and may initiate a conversation with the attacker.
  • Report it to your IT or security team immediately. Most email clients have a "Report Phishing" button. Use it.
  • If you already clicked a link or entered credentials, change your password immediately, enable MFA if it isn't already active, and alert your security team so they can revoke active sessions and app tokens (a password change alone does not end them) and check for unauthorized access.
  • File a report with the FBI's IC3 at ic3.gov if you've suffered financial loss from a BEC or fakeemail attack. Time matters — the IC3's Recovery Asset Team has a 74% success rate in freezing fraudulent wire transfers when contacted within 72 hours.

FakeEmail Will Only Get More Convincing

Threat actors are evolving fast. In 2021, we're seeing spoofed emails that incorporate details scraped from LinkedIn profiles, corporate press releases, and even previous legitimate email threads obtained from earlier compromises. The days of catching a fakeemail because of bad grammar are fading.

Deepfake audio is already being used alongside spoofed emails. In 2019, criminals used AI-generated voice technology to impersonate a CEO's voice on a phone call, convincing an employee to transfer $243,000. Pair that voice call with a spoofed email for "confirmation," and you have a multi-channel social engineering attack that's extraordinarily difficult to resist without training.

Your defense has to be layered: technical controls like DMARC and MFA, combined with a workforce that's been trained and tested through realistic phishing simulations. Neither layer alone is sufficient. Together, they make your organization a significantly harder target.

Start by getting your email authentication in order. Then invest in your people. The threat actors sending the next fakeemail to your inbox are counting on the fact that you won't.