Fake mail — a fraudulent email impersonating a trusted sender — ranks among the most common and effective tools in the cybercriminal arsenal. Billions of these messages are sent worldwide every day. Their goal is to steal login credentials, extort money, or infect systems with malicious software. In this article, we explain what fake mail is, what forms it takes, how to recognize it, and — most importantly — how to effectively protect corporate email infrastructure against these threats.
What Is Fake Mail?
Fake mail is an email message that deliberately misleads the recipient about the sender’s identity, the purpose of the message, or the truthfulness of the information it contains. The attacker exploits the trust that the recipient places in the alleged sender — a bank, employer, IT service provider, or business partner — to compel them to take a specific action: clicking a link, opening an attachment, transferring funds, or disclosing confidential data.
The scale of the problem is staggering. According to the Anti-Phishing Working Group (APWG), over 4.7 million phishing attacks were recorded in 2025 — a record number in the history of measurement. The FBI Internet Crime Complaint Center reports that financial losses from email fraud exceed $3 billion annually, with Business Email Compromise (BEC) attacks accounting for the largest share. In Europe, ENISA’s threat landscape reports consistently identify email-based attacks as the primary initial access vector across all sectors.
The problem affects every organization regardless of industry or size. Fake emails are cheap to produce, easy to scale, and, without proper technical safeguards, remarkably effective. SMTP, the protocol that underpins email delivery, was standardized in 1982 (RFC 821) with no sender authentication at all: by default anyone can submit a message with any address in the From: header, and the receiving server has no built-in way to tell. Only additional mechanisms change that, and they require work on both sides: the sending domain must publish SPF, DKIM and DMARC records, and the receiving server must actually check and enforce them.
Types of Fake Emails
Fake emails take various forms depending on the attacker’s goal, level of sophistication, and chosen target. Understanding these types allows organizations to better prepare their defenses.
Email Spoofing
Spoofing is the forging of message headers so that a message appears to come from a trusted address. The attacker sets the From: header to a display name and address belonging to a real person or organization. The recipient sees an email "from the CEO" or "from the bank" when the message was actually sent from an unrelated server. This works because SMTP does not authenticate the sender: the envelope sender used during the SMTP transaction (MAIL FROM, later visible as Return-Path) and the From: header the recipient sees are both set by the sending client and need not match each other or the connecting server. Without SPF, DKIM and DMARC in place, the receiving server has no way to verify that the From: domain authorized the message.
Phishing Emails
Phishing involves mass distribution of fraudulent messages that mimic communications from well-known institutions — banks, service providers, e-commerce platforms, or government agencies. The messages contain links to forged websites where the victim is prompted to enter login credentials, credit card numbers, or personal data. Phishing relies on scale: attackers send thousands or millions of identical messages, counting on even a small percentage of recipients falling for the scam.
Spear Phishing
Unlike mass phishing, spear phishing is precisely targeted at a specific individual or group of individuals. The attacker conducts reconnaissance — analyzing LinkedIn profiles, social media, organizational structure — and crafts a personalized message that is difficult to distinguish from legitimate correspondence. Spear phishing may impersonate a colleague, manager, or business partner. It is one of the most effective attack vectors against organizations.
Business Email Compromise (BEC)
BEC is the most sophisticated and costliest form of fake mail. The attacker impersonates, or (as the name implies) takes over the actual mailbox of, a person in a decision-making position such as the CEO, CFO or legal counsel, and writes to an employee authorized to execute wire transfers or handle confidential data. BEC messages rarely contain malicious links or attachments, so signature- and reputation-based filters have little to detect; when the message comes from a genuinely compromised mailbox, SPF, DKIM and DMARC all pass as well. The attack relies entirely on social engineering: an urgent request for a wire transfer, a change in a supplier's bank account number, a demand for confidential documents.
Malicious Attachments
Fake emails can serve as delivery vehicles for malware — malicious software hidden in attachments. Files such as .exe, .zip, .docm (Word documents with macros), or .iso may contain ransomware, trojans, keyloggers, or remote access tools. Opening such an attachment initiates an infection process that can spread across the entire corporate network.
How to Recognize a Fake Email: 10 Warning Signs
Identifying fake mail requires vigilance and familiarity with common warning signs. Below is a checklist of the ten most important indicators to watch for.
1. Mismatch between display name and email address. The message displays as “John Smith from Your Bank,” but the actual address is john.smith8742@gmail.com or support@y0urbank-secure.com. Always check the full sender address, not just the display name.
2. Urgency and time pressure. “Your account will be locked within 24 hours,” “Immediate action required,” “Last chance to verify.” Fake emails deliberately create a sense of urgency so the recipient acts impulsively without thinking.
3. Suspicious links. Hover over a link without clicking — most email clients will show the actual URL. If the link leads to a domain other than the alleged sender’s official website, that is a red flag. Watch for domains with subtle modifications: m1crosoft.com, g00gle.com, amaz0n.com.
4. Unexpected attachments. You receive an invoice you know nothing about, a document “for urgent signing,” or a .zip package from an unknown sender. Particularly dangerous are .exe, .scr, .bat, .vbs, .docm, and .xlsm files.
5. Language and stylistic errors. While AI-generated attacks are becoming increasingly polished, many fake emails still contain spelling mistakes, grammatical errors, or unusual phrasing. Watch for unnatural language, odd formatting, and inconsistent style.
6. Generic greetings. "Dear Customer," "Dear User" instead of your actual name. Organizations with which you have a relationship usually address you by name; a generic greeting is not proof of fraud on its own, but combined with other signs it is a strong hint of a mass mailing.
7. Requests for confidential information. No bank, government agency, or IT service provider asks for your password, PIN, or full credit card number via email. Such a request is an almost certain sign of fraud.
8. Inconsistency with previous correspondence. Changes in tone, communication style, footer format, logo, or manner of address — all of these can indicate a fake email.
9. Message headers fail verification. For a deeper check, view the full headers (most clients offer "Show original" or similar) and read the Authentication-Results header that your own receiving server added: spf=fail or softfail, dkim=none or fail, and dmarc=fail are strong indicators. A Return-Path that differs from the From: address is suspicious in personal correspondence, although mailing lists and bulk-mail providers do this legitimately, so judge it together with the DMARC result. Trust only the Authentication-Results line written by your own mail server; anything further down the header chain could have been inserted by the sender.
10. Requests for non-standard actions. A change of bank account number for a transfer, a request to purchase gift cards, a demand to send data to a personal email address — anything that deviates from standard company procedures should raise suspicion.
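The header checks from signs 1 and 9 can be automated for triage. The following is an added example written for this article, not code from the original page or from any product: it parses a raw message with Python's standard library, reads the Authentication-Results header, and flags display-name, Return-Path and Reply-To mismatches. Both sample messages are constructed, and mx.corp.example, yourbank.example, freemail.example and attacker.example are assumed names.

```python
import email
import re
from email.message import Message
from email.utils import parseaddr

# Constructed sample messages (not real mail). The Authentication-Results header is the one
# the receiving MX (mx.corp.example) appended, which is the only one worth trusting.
SPOOFED_MESSAGE = """\
Return-Path: <bounce-8742@mail.attacker.example>
Authentication-Results: mx.corp.example;
 spf=fail smtp.mailfrom=mail.attacker.example;
 dkim=none;
 dmarc=fail (p=quarantine) header.from=freemail.example
From: "Your Bank Security <support@yourbank.example>" <notifications@freemail.example>
Reply-To: <refunds@yourbank-secure.example>
To: <employee@corp.example>
Subject: Immediate action required: account locked in 24 hours

Please confirm your details at the link below.
"""

LEGITIMATE_MESSAGE = """\
Return-Path: <bounces@yourbank.example>
Authentication-Results: mx.corp.example;
 spf=pass smtp.mailfrom=yourbank.example;
 dkim=pass header.d=yourbank.example header.s=mail2024;
 dmarc=pass (p=reject) header.from=yourbank.example
From: "Your Bank" <notifications@yourbank.example>
To: <employee@corp.example>
Subject: Your monthly statement is ready

Your statement for last month is available in online banking.
"""


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def auth_results(msg: Message) -> dict[str, str]:
    """Pull the spf=/dkim=/dmarc= verdicts out of Authentication-Results (RFC 8601)."""
    value = msg.get("Authentication-Results", "")
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I)}


def check_message(raw: str) -> list[str]:
    """Return the warning signs found in one raw RFC 5322 message; [] means none."""
    msg = email.message_from_string(raw)
    findings: list[str] = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # Sign 1: the display name smuggles in an address or domain that differs from the real one.
    for token in re.findall(r"[\w.-]+\.[a-z]{2,}", display.lower()):
        if token != from_domain and not token.endswith("." + from_domain):
            findings.append(f"display_name_mismatch:{token}!={from_domain}")
            break

    # Sign 9: envelope sender (Return-Path) from a different domain than the visible From.
    rp_domain = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_domain and rp_domain != from_domain:
        findings.append(f"return_path_mismatch:{rp_domain}!={from_domain}")

    # Classic BEC trick: replies are silently redirected to an address the attacker controls.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply_to_mismatch:{reply_domain}!={from_domain}")

    # Sign 9, continued: what the receiving MX concluded about SPF, DKIM and DMARC.
    results = auth_results(msg)
    if results.get("spf") in {"fail", "softfail"}:
        findings.append(f"spf_{results['spf']}")
    if results.get("dkim", "none") != "pass":
        findings.append(f"dkim_{results.get('dkim', 'none')}")
    if results.get("dmarc") == "fail":
        findings.append("dmarc_fail")
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(name, check_message(raw) or "no warning signs")
```

The Return-Path and Reply-To checks are heuristics rather than verdicts: a newsletter sent through a bulk-mail provider will trip the Return-Path check while passing DMARC, which is why the script reports findings for a human to weigh instead of deciding on its own.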
Practical Checklist
Before responding to any message, ask yourself five questions:
- Was I expecting this message?
- Is the sender address (not just the display name) correct?
- Do the links lead to the official domain?
- Does the message create time pressure?
- Is the requested action consistent with standard procedures?
If even one answer raises doubt — do not click, do not reply, do not open attachments. Contact the alleged sender through a different channel (phone call, company messenger) and verify the message’s authenticity.
Technical Protection Mechanisms Against Fake Emails
Human recognition of fake messages is important but insufficient. The real barrier against fake mail consists of technical mechanisms implemented at the email infrastructure level: SPF, DKIM, and DMARC.
SPF (Sender Policy Framework)
SPF is a DNS TXT record published by a domain owner that lists the mail servers (by IP range, or by reference to other records) authorized to send mail for that domain. When a receiving server accepts a message, it looks up the SPF record for the domain of the envelope sender (the MAIL FROM address, later visible as Return-Path) and checks whether the connecting IP address is on the list. If it is not, the result is fail or softfail, and the record's final qualifier (-all or ~all) tells the receiver how strictly to treat that. SPF on its own says nothing about the From: header the recipient sees; tying the two together is DMARC's job.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to each outgoing message. The sending server signs selected headers together with a hash of the body using a private key; the matching public key is published in DNS under a selector (selector._domainkey.domain). The receiving server fetches the public key and verifies the signature. If the signed headers or the body were altered in transit, verification fails. A valid DKIM signature proves that the signing domain (the d= tag) took responsibility for the message and that it arrived unmodified; it does not by itself prove anything about the From: header, which is again what DMARC alignment adds.
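The integrity half of DKIM verification is easy to show without any keys: the bh= tag in the DKIM-Signature header is the base64 hash of the canonicalized body, so any change to the body makes the recomputed hash differ. The following is an added example written for this article (not code from the page or from a DKIM library) implementing the simple and relaxed body canonicalization rules of RFC 6376 and checking bh=. The signature header is constructed for a message with an empty body, so its bh= is the well-known hash of an empty relaxed body; the b= value is a placeholder, and verifying b= against the public key in DNS is out of scope here.

```python
import base64
import hashlib
import re

# Constructed DKIM-Signature header for an empty-body message; b= is a placeholder, not a signature.
SIGNATURE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourbank.example; s=mail2024;\r\n"
    " h=from:to:subject:date; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;\r\n"
    " b=SGVsbG8="
)


def canonicalize_body(body: bytes, mode: str = "relaxed") -> bytes:
    """Body canonicalization from RFC 6376 section 3.4.

    simple:  only trailing empty lines are removed.
    relaxed: runs of spaces/tabs collapse to one space, trailing whitespace on each
             line is dropped, then trailing empty lines are removed.
    Both end the result with CRLF; an empty body is CRLF under simple and '' under relaxed.
    """
    # Normalise bare LF to CRLF first (assumption: input may come from a file with LF endings).
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    if mode == "relaxed":
        lines = body.split(b"\r\n")
        body = b"\r\n".join(re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in lines)
    elif mode != "simple":
        raise ValueError(f"unknown body canonicalization: {mode}")
    body = re.sub(rb"(\r\n)+\Z", b"", body)  # ignore all empty lines at the end of the body
    if body:
        return body + b"\r\n"
    return b"\r\n" if mode == "simple" else b""


def body_hash(body: bytes, mode: str = "relaxed", algorithm: str = "sha256") -> str:
    """The bh= value: base64 of the hash over the canonicalized body."""
    digest = hashlib.new(algorithm, canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_tags(signature_header: str) -> dict[str, str]:
    """Parse the tag=value list of a DKIM-Signature header; folding whitespace is insignificant."""
    tags = {}
    for item in signature_header.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(signature_header: str, body: bytes) -> bool:
    """Does the body still hash to the signed bh= value? (The b= check needs the DNS key.)"""
    tags = dkim_tags(signature_header)
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    algorithm = tags.get("a", "rsa-sha256").partition("-")[2] or "sha256"
    return body_hash(body, body_mode, algorithm) == tags.get("bh")


if __name__ == "__main__":
    print("empty body intact:", body_hash_matches(SIGNATURE_HEADER, b""))
    print("body tampered:    ", body_hash_matches(SIGNATURE_HEADER, b"Please wire the funds today.\r\n"))
```

Relaxed canonicalization is what keeps signatures valid through the whitespace changes that mail relays introduce; it also means that trailing blank lines or a stray double space are not "tampering" in DKIM's eyes, while any change to actual content is.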
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC builds on SPF and DKIM. A domain publishes a policy record at _dmarc.domain stating what receivers should do with messages that fail: none (deliver and only report), quarantine (typically the spam folder), or reject. The key concept is alignment: the domain in the From: header must match the domain that passed SPF (the envelope sender) or the domain that passed DKIM (the d= tag), either exactly (strict) or at the organizational-domain level (relaxed, the default). DMARC also provides reporting (rua=), so the domain owner can see who is sending on its behalf. A domain at p=reject stops direct spoofing of its exact domain at every receiver that enforces DMARC; it does not stop lookalike domains, display-name tricks or mail sent from a compromised legitimate account, which is why the additional layers described below still matter.
Implementing these three mechanisms properly requires planning. An incomplete SPF record causes legitimate mail (from a marketing platform, ticketing system or cloud provider someone forgot to list) to fail, and SPF imposes a hard limit of 10 DNS lookups per evaluation; exceeding it yields a permanent error, so sprawling include: chains must be flattened or pruned. Moving to DMARC reject without a monitoring phase risks losing legitimate correspondence; the usual path is p=none with aggregate reports enabled, then p=quarantine (optionally ramped up with pct=), then p=reject once every legitimate source is aligned. This is why training and experienced guidance matter for teams managing email security infrastructure.
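The alignment rule and the resulting disposition are where most DMARC confusion lives, so here is an added example (written for this article, not code from the page or from a DMARC library) that takes the SPF and DKIM verdicts a receiver already computed and works out the DMARC result. The two records are constructed and show the monitoring-only and the enforcing stage of a rollout; the organizational-domain function is a deliberate simplification that takes the last two labels instead of consulting the Public Suffix List, and pct= and sp= are left out.

```python
# Constructed records for the two ends of a DMARC rollout (corp.example is a fictional domain).
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@corp.example"
ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@corp.example; adkim=s; aspf=r"


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into its tags."""
    tags = {}
    for item in record.split(";"):
        key, _, value = item.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification (assumption): the last two labels. Real receivers consult the Public
    Suffix List, so that 'mail.example.co.uk' maps to 'example.co.uk' rather than 'co.uk'."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, authenticated_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any subdomain of the same organizational domain."""
    if not authenticated_domain:
        return False
    if mode == "s":
        return from_domain.lower() == authenticated_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(authenticated_domain)


def evaluate_dmarc(from_domain: str, record: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> tuple[str, str]:
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the envelope MAIL FROM domain SPF was evaluated for; dkim_domain is the
    d= tag of the signature that verified ('' if none did).
    """
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ("none", "none")  # no usable policy published: nothing to enforce
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return ("pass", "none")
    return ("fail", tags.get("p", "none"))


if __name__ == "__main__":
    # A spoof sent from attacker infrastructure: SPF passes for the attacker's own envelope
    # domain, which is not aligned with the From: domain, so DMARC fails.
    for label, record in (("monitoring", MONITOR_ONLY), ("enforcing", ENFORCING)):
        print(label, evaluate_dmarc("corp.example", record, "pass", "attacker.example", "none", ""))
```

The third and fourth assertions in the test are the case that trips people up when they switch adkim=r to adkim=s: a signature with d=mail.corp.example is perfectly valid, but under strict alignment it no longer counts for mail whose From: is corp.example.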
Read the complete guide: Email Security — DMARC, SPF, DKIM and Spoofing Protection
Protecting Corporate Email Against Fake Mail
Implementing SPF, DKIM, and DMARC is the foundation, but comprehensive corporate email protection requires additional security layers.
Secure Email Gateway (SEG)
Email security gateways analyze every inbound and outbound message for threats. Advanced SEG solutions leverage machine learning and behavioral analysis to detect new attack variants whose signatures are not yet known. They filter malicious attachments, rewrite links so that the destination is checked again at click time (URL rewriting), and detect anomalies in message headers.
Attachment Sandboxing
Suspicious attachments are opened in an isolated environment (sandbox) and analyzed for malicious behavior — attempts to establish connections with C2 servers, registry modifications, file encryption. If an attachment exhibits suspicious activity, the message is blocked before it reaches the recipient’s inbox.
AI-Based Filtering
Modern email protection systems use AI models to analyze message content, tone, and context. They can detect BEC attacks where there are no malicious links or attachments — only manipulative text. AI analyzes communication patterns within the organization and identifies messages that deviate from the norm.
Training and Phishing Simulations
Technology cannot replace employee awareness. Regular phishing simulations measure an organization’s susceptibility to social engineering attacks and systematically reduce it. Employees who regularly participate in simulations learn to recognize fake emails in their daily work and respond according to procedures — instead of clicking links under pressure.
BEC — The Most Expensive Type of Fake Mail
Business Email Compromise deserves separate discussion because it is the costliest type of email fraud worldwide. According to FBI data, global losses from BEC attacks have exceeded $50 billion since 2013.
How Does a BEC Attack Work?
The attacker conducts thorough reconnaissance of the organization: identifies personnel responsible for finances, learns the reporting structure, monitors publicly available information about transactions, mergers, and projects. Then they impersonate the CEO, CFO, or an external partner and send a message to a person authorized to execute wire transfers.
A typical scenario unfolds as follows: a finance department employee receives an email “from the CEO” with an urgent request to transfer funds to a specified account number. The message is written in a style matching the CEO’s communication patterns, includes context about a current project, and requests confidentiality. The employee, wanting to quickly fulfill the executive’s directive, executes the transfer — to an account controlled by the attacker.
How to Protect Against BEC
- Multi-channel verification procedures. Every transfer above a set threshold, and every change of payee bank details, requires confirmation by phone or in person using contact details already on file, never a number or link supplied in the email itself. Never confirm a transfer by replying to the same email.
- Separation of duties. No single person should be able to both initiate and approve a wire transfer independently.
- External message tagging. The mail server adds a visible banner to messages from outside the organization: “This message originated from outside the company.”
- Targeted training. Individuals in positions vulnerable to BEC (finance, HR, executive management) should undergo dedicated training in recognizing these types of attacks.
- Lookalike domain monitoring. Defensively register the most plausible misspellings and homoglyph variants of the company's domains (typosquatting) and monitor new registrations and inbound mail for impersonation attempts.
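Generating and recognizing those variants is mechanical work, which is the point of the following added example (written for this article, not code from the page or from any monitoring product). It serves both this item and warning sign 3 above: it enumerates single-edit typos, homoglyph swaps and lure suffixes such as "-secure" for a protected domain, and classifies an observed sending domain as the company's own, a lookalike, or unrelated. The homoglyph table and suffix list are constructed and not exhaustive, and the registrable-label logic assumes a single-label public suffix rather than using the Public Suffix List.

```python
# Homoglyph and digraph substitutions that survive a quick glance (constructed list, not exhaustive).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "t": "7", "m": "rn", "w": "vv"}
# Tokens attackers bolt onto a brand name, as in the "yourbank-secure" pattern from the warning signs.
LURE_SUFFIXES = ("-secure", "-support", "-login", "-verify", "-billing")


def registrable_parts(domain: str) -> tuple[str, str]:
    """('corp', 'example') for 'mail.corp.example'. Assumption: single-label public suffix."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def lookalike_variants(domain: str) -> set[str]:
    """Every single-edit typo, homoglyph swap and lure-suffix variant of the registrable label."""
    label, tld = registrable_parts(domain)
    variants: set[str] = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])                          # omission:      corp -> crp
        variants.add(label[:i] + ch + ch + label[i + 1:])                # repetition:    corp -> corrp
        if i + 1 < len(label):
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition: corp -> crop
        if ch in HOMOGLYPHS:
            variants.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])     # homoglyph:     corp -> c0rp
        if label[i:i + 2] == "rn":
            variants.add(label[:i] + "m" + label[i + 2:])                # digraph:       modern -> modem
    variants.update(label + suffix for suffix in LURE_SUFFIXES)
    variants.discard(label)
    return {f"{v}.{tld}" for v in variants}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typos the generator above did not enumerate."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def classify_domain(candidate: str, protected: str) -> str:
    """'own', 'lookalike' or 'unrelated', judged against the domain being protected."""
    candidate, protected = candidate.lower().strip("."), protected.lower().strip(".")
    if candidate == protected or candidate.endswith("." + protected):
        return "own"
    if candidate in lookalike_variants(protected):
        return "lookalike"
    c_label, _ = registrable_parts(candidate)
    p_label, _ = registrable_parts(protected)
    # Same or nearly the same label under another TLD, or the brand embedded in a longer label.
    if edit_distance(c_label, p_label) <= 1 or (len(p_label) >= 5 and p_label in c_label):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for observed in ("corp.example", "c0rp.example", "corp-secure.example", "corp.net", "gmail.com"):
        print(f"{observed:<22} {classify_domain(observed, 'corp.example')}")
```

The variant set is also what you would feed to a registrar for defensive registration and to a certificate-transparency or new-domain feed for monitoring; the classifier is what you would run over the From: and Reply-To domains of inbound mail.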
Consider regular sociotechnical testing to evaluate your organization’s resilience against these sophisticated attacks.
What to Do After Receiving a Fake Email
Receiving a fake email does not have to lead to a security incident — provided the recipient reacts correctly. Below is a step-by-step guide for individuals and organizations.
For Employees
- Do not click any links or open attachments. Even if the message looks credible.
- Do not reply to the message. Replying confirms to the attacker that the address is active.
- Report the message to IT or the security team. Use the dedicated reporting channel (the “Report Phishing” button in your email client, an abuse@company.com address, or a reporting form).
- If you clicked a link or shared data, act immediately. Change the password from a device you trust, sign out of all active sessions (a stolen session token survives a password change), enable multi-factor authentication (MFA), run an antivirus scan, and inform IT.
- Preserve the message as evidence. Do not delete the email — it may be needed for incident analysis.
For Organizations
- Collect incident information. Message headers, list of recipients, actions taken by recipients.
- Block the sender and associated indicators. Add the sending IP, envelope sender, Reply-To address, URLs and any lookalike domain to the blocklist on the email gateway. If the From: domain was a legitimate one being spoofed (your own, a bank's, a partner's), do not block that domain; block on the actual sending infrastructure instead, or the block itself cuts off legitimate mail.
- Notify employees. Send an alert describing the attack and instructions on what to watch for.
- Conduct an impact analysis. Determine whether anyone clicked a link, submitted credentials, or opened an attachment. If so — initiate the incident response procedure.
- Update filtering rules. Add new indicators of compromise (IoCs) to security systems.
- Learn from the incident. Every incident is an opportunity for improvement — update procedures, schedule additional training, verify security configurations.
Learn more about incident handling: Incident Response — how to respond to security incidents
Frequently Asked Questions (FAQ)
How can you tell if an email is real?
Check the message headers: the Return-Path, the Received chain, and the SPF, DKIM and DMARC results in the Authentication-Results header added by your own mail server. Verify the sender's address, not just the display name. Hover over links without clicking to see where they lead. When in doubt, contact the sender through a different channel, by phone or via the company messenger.
What is email spoofing?
Email spoofing is the forging of the sender (From:) header in an email message. SMTP does not verify sender identity, so an attacker can send messages that appear to originate from trusted people or organizations. No server has to be broken into: any SMTP client or mail-sending tool that lets the user set the From: header is enough, which is exactly what SPF, DKIM and DMARC exist to counter on the receiving side.
What are SPF, DKIM, and DMARC?
SPF is a DNS record that specifies which servers may send mail on behalf of a domain, by IP address or by reference to other records. DKIM adds a cryptographic signature to each message that lets the receiver verify the message was not altered and that the signing domain vouches for it. DMARC ties both to the From: header through alignment, publishes a policy for messages that fail, and provides reporting. Together they form a layered defense against spoofing and fake emails.
What should I do if I clicked a link in a fake email?
Immediately change passwords for any accounts that may have been compromised — especially if you entered login credentials on a fake website. Run an antivirus scan on your computer. Report the incident to your IT department or security team. If you shared financial data (card number, bank details), contact your bank immediately and block your card. Monitor your accounts for unauthorized transactions over the following weeks.
Can a company completely block fake emails?
Not completely; no technology eliminates the risk entirely. Correct SPF, DKIM and DMARC configuration with a reject policy stops direct spoofing of the company's own domain at receivers that enforce DMARC, but it does nothing against lookalike domains, display-name impersonation or compromised accounts. Adding advanced filtering at the email gateway (Secure Email Gateway), regular phishing simulations, employee training, and multi-channel verification procedures reduces the remaining risk. The key is a layered approach: technology plus people plus processes.
