That Email From Your CEO? It Was a FakeEmail.

In January 2024, a finance employee at a multinational firm in Hong Kong wired $25 million after attending a video call with what appeared to be the company's CFO and several colleagues. Every person on that call was a deepfake. The attack started the same way most do — with a fakeemail that looked legitimate enough to get the employee's attention and pull them into the trap.

FakeEmail attacks — messages sent from spoofed, impersonated, or fraudulently created email addresses — remain the number one initial access vector for data breaches. The 2024 Verizon Data Breach Investigations Report confirmed that phishing and pretexting accounted for the majority of social engineering incidents, with email as the primary delivery channel.

This post breaks down exactly how fakeemail attacks work, why your existing defenses probably aren't catching all of them, and what practical steps actually stop them. If you're responsible for protecting an organization — or just your own inbox — this is the guide you need right now.

What Exactly Is a FakeEmail Attack?

A fakeemail is any email designed to deceive the recipient about who actually sent it. That deception takes several forms, and threat actors mix and match them constantly.

Domain Spoofing

The attacker forges the "From" header to display a legitimate domain. Without proper email authentication records (SPF, DKIM, DMARC), most mail servers will accept these messages without question. The recipient sees a trusted sender name and domain. Nothing looks off.

Lookalike Domains

Instead of spoofing an existing domain, the attacker registers one that's nearly identical. Think "yourcompany-hr.com" instead of "yourcompany.com," or swapping a lowercase L for the number 1. These pass SPF and DKIM checks because the attacker controls the sending domain and can publish valid records for it; the domain is technically legitimate, it's just not yours.

Display Name Manipulation

The simplest trick. The attacker sets the display name to "John Smith - CEO" while the actual sending address is a random Gmail or throwaway account. On mobile devices, most email clients only show the display name. I've seen this fool senior executives more times than I can count.
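
The lookalike-domain and display-name tricks above can both be caught by inspecting the From header before anything else. The following is an added example (not code from the original post); "yourcompany.com" and "John Smith" are the post's hypothetical names, and the homoglyph table and distance threshold are assumptions you would tune for your own brand.

```python
import re
from email.utils import parseaddr

# Constructed sample data for this example: "yourcompany.com" and "John Smith"
# are the hypothetical names used in the post, not real identifiers.
TRUSTED_DOMAIN = "yourcompany.com"
EXECUTIVES = {"john smith"}            # names attackers tend to borrow

# Characters that pass for letters in most fonts (1 for l, 0 for o, ...).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "|": "l"})


def normalise(domain: str) -> str:
    """Undo the usual look-alike substitutions, including rn->m and vv->w."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'external', or the kind of deception the From header shows."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN):
        return "trusted"
    # Display-name manipulation: an executive's name in front of an outside address.
    name = re.split(r"\s*[-|(,]", display.lower())[0].strip()
    if name in EXECUTIVES:
        return "display-name impersonation"
    # Lookalike domain: our brand embedded in the name, or a near-identical spelling.
    brand = TRUSTED_DOMAIN.split(".")[0]
    norm = normalise(domain)
    if brand in norm or edit_distance(norm, TRUSTED_DOMAIN) <= 2:
        return "lookalike domain"
    return "external"
```

A mail gateway rule or a reporting add-in can run the same check on every inbound message and add a warning label when the result is anything other than "trusted" or "external".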

Compromised Legitimate Accounts

The most dangerous variant. The attacker gains access to a real employee's mailbox through credential theft and sends fakeemail messages from within your own infrastructure. SPF, DKIM, and DMARC all pass and no spoofing detection will catch this, because the email genuinely comes from your mail server.

The $4.88 Million Price Tag of a Single Click

IBM's 2024 Cost of a Data Breach Report pegged the global average cost of a data breach at $4.88 million — the highest figure ever recorded. Phishing was identified as the most common initial attack vector, and business email compromise (BEC) carried the highest per-incident cost.

The FBI's Internet Crime Complaint Center (IC3) has tracked BEC as the costliest cybercrime category for years. Their 2023 IC3 Annual Report documented over $2.9 billion in adjusted losses from BEC alone. Every one of those incidents started with some form of fakeemail.

Here's what actually happens in a typical attack chain:

  • A fakeemail lands in an employee's inbox, impersonating a vendor, executive, or IT department.
  • The employee clicks a link or opens an attachment, surrendering credentials or triggering malware.
  • The threat actor uses those credentials to move laterally, escalate privileges, or initiate fraudulent wire transfers.
  • Ransomware deploys, data exfiltrates, or money vanishes — sometimes all three.

The median time for a user to fall for a phishing email is under 60 seconds, according to the 2024 Verizon DBIR. Your defenses have less than a minute to work.

Why Your Spam Filter Isn't Enough

I talk to IT leaders every week who believe their email security gateway handles this problem. It doesn't. Here's why.

Modern fakeemail campaigns use techniques specifically designed to evade automated filters. Threat actors test their messages against common spam filters before launching campaigns. They rotate sending infrastructure. They use legitimate cloud services — Google Docs, Microsoft OneDrive, Dropbox — as payload hosts, knowing those domains are whitelisted by most organizations.

Secure Email Gateways (SEGs) catch a lot. But "a lot" isn't "all." In my experience, even well-configured environments see 1-3% of malicious emails reaching inboxes. In an organization of 500 people receiving 50 emails per day, that's potentially 250-750 malicious messages per day getting through.

That's where the human layer matters. Technology and training aren't competing strategies — they're complementary ones.

How to Detect a FakeEmail Before You Click

This section is your cheat sheet. Share it with your team today.

Check the Actual Sender Address

On desktop, hover over the sender's name. On mobile, tap it. If the display name says "IT Help Desk" but the address is "[email protected]," you're looking at a fakeemail. This single habit stops a surprising number of attacks.

Inspect Every Link

Hover over every link. If the URL doesn't match the organization it claims to represent — or if it's shortened, obfuscated, or encoded — don't click it. Copy it into a URL inspection tool like VirusTotal or urlscan.io instead.

Watch for Urgency and Pressure

Social engineering thrives on urgency. "Your account will be locked in 24 hours." "Wire this payment before end of business." "The CEO needs this immediately." Legitimate requests can wait for verification. Attackers can't.

Verify Out-of-Band

If an email requests money, credentials, sensitive data, or any unusual action, verify through a different communication channel. Call the person directly using a number you already have — not one from the email. This one step would eliminate billions of dollars in BEC losses annually.

Look for Authentication Failures

If your email client shows authentication warnings or marks messages with "via" tags (e.g., "sent via sendgrid.net"), pay attention. These indicators mean the message could not be verified as coming from the domain shown in the From address.
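
The "via" tag and the warnings come from the Authentication-Results header your own gateway stamps on each message. Below is an added example (not code from the original post) that reads that header and turns the raw SPF/DKIM/DMARC verdicts into the judgement above; the header text, the gateway name mx.yourcompany.com and all domains are constructed for the example.

```python
import re

# Constructed Authentication-Results header for this example. The receiving
# gateway name (mx.yourcompany.com) and all domains are hypothetical.
SAMPLE_HEADER = (
    "Authentication-Results: mx.yourcompany.com; "
    "spf=pass (sender IP is 203.0.113.7) smtp.mailfrom=bounce.sendgrid.net; "
    "dkim=pass header.d=sendgrid.net; "
    "dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=yourcompany.com"
)
OUR_GATEWAY = "mx.yourcompany.com"   # only this authserv-id is ours to trust


def parse_auth_results(header: str) -> dict:
    """Pull the SPF/DKIM/DMARC verdicts and the domains they were checked against."""
    body = header.split(":", 1)[1] if header.lower().startswith("authentication-results") else header
    authserv, _, rest = body.strip().partition(";")
    results = {"authserv": authserv.strip()}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", rest)
        results[method] = m.group(1).lower() if m else "none"
    for key, tag in (("from_domain", "header.from"), ("dkim_domain", "header.d"),
                     ("spf_domain", "smtp.mailfrom")):
        m = re.search(re.escape(tag) + r"=([\w.-]+)", rest)
        results[key] = m.group(1).lower() if m else ""
    return results


def explain(results: dict) -> str:
    """One-line judgement: was the sender shown in From actually verified?"""
    if results["authserv"] != OUR_GATEWAY:
        # A header carrying someone else's authserv-id may have been added by the sender.
        return "untrusted header: ignore it"
    if results["dmarc"] == "pass":
        return f"verified: {results['from_domain']}"
    via = results["dkim_domain"] or results["spf_domain"]
    if via and via != results["from_domain"]:
        # This mismatch is what mail clients render as "sent via <domain>".
        return f"sent via {via}, not verified as {results['from_domain']}"
    return f"unauthenticated: spf={results['spf']} dkim={results['dkim']} dmarc={results['dmarc']}"
```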

Technical Defenses That Actually Stop FakeEmail Campaigns

Detection by employees is your last line of defense. These technical controls are your first.

Deploy SPF, DKIM, and DMARC — Properly

SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance) work together to prevent domain spoofing. But here's the problem: most organizations that deploy DMARC set it to "p=none," which monitors but doesn't block anything.

You need to get to "p=reject." CISA has been pushing federal agencies toward this standard, and Binding Operational Directive 18-01 required it for all federal domains. Your organization should follow the same path.

Enforce Multi-Factor Authentication Everywhere

Even when a fakeemail successfully harvests credentials, multi-factor authentication (MFA) stops the attacker from using them. Prioritize phishing-resistant MFA like FIDO2 security keys or passkeys. SMS-based MFA is better than nothing but vulnerable to SIM-swapping attacks.

Implement Zero Trust Architecture

Zero trust assumes every request is potentially malicious, regardless of whether it originates inside or outside your network. Even if a threat actor compromises a single account through a fakeemail attack, zero trust principles limit their ability to move laterally or access sensitive systems.

Enable External Email Banners

A simple but effective control. Tag every email originating outside your organization with a visible banner: "CAUTION: This email originated from outside your organization." This makes display name impersonation immediately obvious.

Why Phishing Simulations Change Behavior

Telling people about fakeemail threats doesn't change behavior. Testing them does.

Organizations that run regular phishing simulations see measurable reductions in click rates over time. The key word is "regular." A single annual test teaches nothing. Monthly or quarterly simulations, paired with immediate feedback and training, build the reflexive skepticism that stops real attacks.

I've seen organizations go from a 30% click rate on their first simulation to under 5% within six months. That's not just a metric — that's hundreds of potential breach entry points closed.

If you're looking to build a phishing simulation program, our phishing awareness training for organizations provides scenario-based exercises that mirror real-world fakeemail tactics. It's designed to train employees against the exact techniques threat actors are using right now.

Building a Security Awareness Program That Works

Phishing simulations are one piece. A complete security awareness program covers the full spectrum of social engineering — pretexting, vishing, smishing, and physical security tactics.

Start With the Biggest Risk

Email-based attacks. That's where the data points. Build your program around recognizing and reporting fakeemail attempts first, then expand.

Make It Continuous

Annual compliance training checks a box. It doesn't build skills. Deliver short, focused training modules throughout the year. Five minutes per month beats two hours once a year.

Measure What Matters

Track simulation click rates, report rates (employees flagging suspicious messages), and time-to-report. The goal isn't zero clicks — it's a culture where employees report suspicious emails fast enough for your security team to respond before damage spreads.

Our cybersecurity awareness training program covers these fundamentals — from fakeemail identification to ransomware prevention — in a format designed for busy professionals who don't have hours to sit through lectures.

What Should I Do If I Receive a FakeEmail?

Don't click any links. Don't open any attachments. Don't reply. Here's the step-by-step response:

  • Report it. Use your organization's phishing report button (most email clients support this) or forward the message to your security team. If you don't have an internal team, forward it to the Anti-Phishing Working Group at [email protected].
  • Delete it. After reporting, remove the message from your inbox and trash.
  • If you clicked something, disconnect from the network immediately and contact your IT or security team. Change any passwords you may have entered. Enable MFA on affected accounts if you haven't already.
  • Document what happened. Note the sender address, subject line, and any actions you took. This helps your security team assess scope and block similar messages.

Speed matters. The faster you report a fakeemail, the faster your security team can block the campaign and protect other employees who may have received the same message.

The Threat Is Evolving — Your Defenses Must Too

Generative AI has changed the fakeemail landscape in 2024. Threat actors now produce grammatically flawless, contextually aware phishing emails at scale. The days of spotting attacks by broken English and generic greetings are over.

Deepfake audio and video — like the Hong Kong incident I mentioned at the top — add another layer. An employee receives a fakeemail, then gets a phone call from what sounds exactly like their manager confirming the request. Traditional security advice to "verify by phone" breaks down when the phone call is also fake.

This means your defenses need layering. Technical controls to block what they can. Training to catch what slips through. Verification procedures that require multiple authentication factors for sensitive actions. No single control is sufficient.

Three Actions to Take This Week

  • Audit your DMARC policy. If it's set to "none," start the process of moving to "quarantine" and then "reject." This single change blocks the majority of domain spoofing attacks.
  • Launch a phishing simulation. Use realistic fakeemail scenarios. Measure your baseline. Then train and test again.
  • Require MFA on all email accounts. Every single one. No exceptions for executives. Especially not for executives — they're the top targets for BEC attacks.

FakeEmail attacks aren't going away. They're getting cheaper to launch, harder to detect, and more devastating when they succeed. The organizations that survive them are the ones that invest in both technology and people — and treat email security as an ongoing program, not a one-time project.