{"id":3026,"date":"2026-04-30T10:15:00","date_gmt":"2026-04-30T10:15:00","guid":{"rendered":"https:\/\/getdarkscout.com\/blog\/?p=3026"},"modified":"2026-05-08T07:31:35","modified_gmt":"2026-05-08T07:31:35","slug":"email-spoofing-explained","status":"publish","type":"post","link":"https:\/\/getdarkscout.com\/blog\/email-spoofing-explained\/","title":{"rendered":"What Is Email Spoofing? How It Works and How to Stop It"},"content":{"rendered":"\n<p>The most dangerous email in your inbox will not look dangerous at all.<\/p>\n\n\n\n<p>It will look like it came from your CEO, your bank, your supplier, or a government agency. The name will be right. The logo will be right. The tone will sound exactly like the person it claims to be from. And it will ask you to do something: transfer money, click a link, download a file, or update payment details.<\/p>\n\n\n\n<p>That email is spoofed. And it is behind one of the fastest-growing and most financially devastating categories of cybercrime today. Business email compromise, which relies almost entirely on email spoofing, costs organizations $2.77 billion in the US alone in 2024. A single spoofed email redirected $11.1 million from Medicare and Medicaid programs into fraudulent accounts. A Toyota supplier lost $37 million to one convincing impersonation.<\/p>\n\n\n\n<p>In this guide, you will learn exactly what email spoofing is, how it works technically, what real attacks look like, and the specific steps you can take to protect yourself and your organization from it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"what-is-email-spoofing\"><\/span>What Is Email Spoofing?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Email spoofing is an attack method used to send an email that appears to be from a sender other than the one who actually sent it.<\/p>\n\n\n\n<p>What you see in the &#8220;From&#8221; section is not, in fact, verified when you receive a spoofed email. 
Email was designed in the early days of the internet as an open system that relied on trust between servers. Attackers exploit that openness to send messages that display any name and address they choose, regardless of where the message actually originated.<\/p>\n\n\n\n<p>Quick definition: Email spoofing is the falsification of an email&#8217;s sender address or other header information to make a message appear to originate from a person or organization the recipient trusts, when it actually comes from an attacker-controlled source.<\/p>\n\n\n\n<p>The attack is not new. But it has grown dramatically more dangerous as attackers combine it with AI-generated content, deepfake audio and video, and detailed research into their targets. In 2025, 72% of all phishing attacks involved some form of brand or identity spoofing. At the same time, 50% of organizations still have no effective protection against email spoofing, according to Valimail&#8217;s 2025 report.<\/p>\n\n\n\n<p>If your organization&#8217;s email domain is not properly protected, anyone in the world can send an email that appears to come from your address to anyone they choose.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"email-spoofing-vs-phishing-what-is-the-difference\"><\/span>Email Spoofing vs Phishing: What Is the Difference?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>The two terms are often used interchangeably, but they describe different elements of an attack.<\/p>\n\n\n\n<p>Email spoofing is a technique: forging sender information so that a message appears to come from a trusted sender. Spoofing is the tool.<\/p>\n\n\n\n<p>Phishing is an objective: tricking a person into revealing a username and password, sending a wire transfer, downloading malicious software, or doing something else damaging. 
Phishing is the goal.<\/p>\n\n\n\n<p>Most phishing attacks use email spoofing to be convincing. But not all spoofed emails are phishing attempts. A spoofed email might be used to spread disinformation, damage a reputation, bypass security filters, or deliver malware without any credential harvesting involved.<\/p>\n\n\n\n<p>Think of it this way: spoofing is the disguise, and phishing is what the attacker does while wearing it.<\/p>\n\n\n\n<p>Business email compromise (BEC) sits at the intersection of both. It uses spoofing to impersonate a trusted identity and phishing-style social engineering to convince the victim to take a financially damaging action. It is the most costly email-based threat category in the world, and spoofing is what makes it believable.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"how-email-spoofing-works\"><\/span>How Email Spoofing Works<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>To understand why spoofing is so effective and so persistent, you need to understand a fundamental flaw in how email was designed.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. The Core Vulnerability: SMTP Has No Built-In Verification<\/h3>\n\n\n\n<p>Email is sent using SMTP, the Simple Mail Transfer Protocol. SMTP was standardized in 1982, long before cybercrime was a consideration, and it has no built-in mechanism that proves the sender of a message is who they claim to be.<\/p>\n\n\n\n<p>A message actually carries two sender identities. The envelope sender is given in the SMTP <code>MAIL FROM<\/code> command and is recorded by the receiver as the <code>Return-Path<\/code> header; the <code>From<\/code> header is the one the recipient sees in their mail client. SMTP verifies neither, nothing requires the two to match, and the protocol never checks whether the sending server is authorized to send on behalf of either domain. Any server can claim to be any sender. That is the gap that email spoofing exploits.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. 
What Attackers Manipulate<\/h3>\n\n\n\n<p>Attackers manipulate several fields within an email&#8217;s header to create a convincing spoof.<\/p>\n\n\n\n<p><strong>The From field<\/strong> is the most commonly forged element. This is the sender name and address that appears in your email client. Unless the claimed domain enforces authentication, it can be set to anything.<\/p>\n\n\n\n<p><strong>Reply-To<\/strong>: This field can be set to an address different from the one in the From field. The From address looks trustworthy, but any reply goes to an address the attacker controls, and most victims never notice the switch.<\/p>\n\n\n\n<p><strong>Display Name<\/strong>: This is the human-readable name shown alongside, or instead of, the sender&#8217;s address. Attackers often leave their real address in place and set only the display name to someone the recipient trusts, so the message appears to be from &#8220;John Smith, CEO&#8221; while the actual address is something like ceo-secure@randomdomain.com. Hovering over or expanding the sender name reveals the real address. Because nothing about the attacker&#8217;s own domain is forged, this trick can pass SPF, DKIM and DMARC, which authenticate the domain, not the name.<\/p>\n\n\n\n<p><strong>Return-Path<\/strong>: This header records the envelope sender, the address to which bounces are returned. An attacker can put the impersonated organization in the From field while pointing the Return-Path at a domain they own. Bounces then go to the attacker, and because SPF is evaluated against the Return-Path domain rather than the visible From address, the message can pass SPF even though the From address is forged. DMARC exists to close exactly this gap.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Lookalike Domains and Typosquatting<\/h3>\n\n\n\n<p>A more advanced method is to register a domain name that closely resembles the target company&#8217;s. Such domains are commonly known as lookalike or typosquatting domains.<\/p>\n\n\n\n<p>An attacker may register examp1e.com instead of example.com, examp1e-secure.com, or even exarnple.com, where &#8216;r&#8217; followed by &#8216;n&#8217; looks like &#8216;m&#8217;. 
Emails sent from such addresses look very similar to genuine emails and are hard to distinguish at a glance. They can also pass email authentication outright: the attacker controls the lookalike domain, so they can publish valid SPF, DKIM and DMARC records for it. Authentication only proves that the message really came from examp1e.com; it says nothing about whether examp1e.com is the company you think it is.<\/p>\n\n\n\n<p>Industry reporting shows that the related technique of domain shadowing (using subdomains of compromised legitimate domains for phishing) grew 43% year over year into 2025. In every case the attacker&#8217;s aim is the same: make the sender&#8217;s address look similar enough that recipients do not stop to question it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. How Spoofed Emails Bypass Security Filters<\/h3>\n\n\n\n<p>Email security filters are designed to catch known threats: malicious links, known malware signatures, and suspicious attachment types. Business email compromise spoofing is effective precisely because it often contains none of these things.<\/p>\n\n\n\n<p>A spoofed email asking a finance manager to urgently wire funds to a new account contains no malware, no suspicious link, and no known malicious content. It is plain text, written in a familiar tone, from what appears to be a known sender. Traditional filters have no way to flag it as malicious because, technically, nothing in it is.<\/p>\n\n\n\n<p>This is why 50% of all BEC phishing attacks evade secure email gateways, according to LastPass research. 
The attack is designed to bypass what automated tools look for.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"types-of-email-spoofing-attacks\"><\/span>Types of Email Spoofing Attacks<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"850\" height=\"494\" src=\"https:\/\/getdarkscout.com\/blog\/wp-content\/uploads\/2026\/04\/Types-of-Email-Spoofing-Attacks.webp\" alt=\"Types of Email Spoofing Attacks\" class=\"wp-image-3028\" srcset=\"https:\/\/getdarkscout.com\/blog\/wp-content\/uploads\/2026\/04\/Types-of-Email-Spoofing-Attacks.webp 850w, https:\/\/getdarkscout.com\/blog\/wp-content\/uploads\/2026\/04\/Types-of-Email-Spoofing-Attacks-300x174.webp 300w, https:\/\/getdarkscout.com\/blog\/wp-content\/uploads\/2026\/04\/Types-of-Email-Spoofing-Attacks-768x446.webp 768w\" sizes=\"(max-width: 850px) 100vw, 850px\" \/><\/figure>\n\n\n\n<p>Email spoofing is used across a range of attack types. These are the most common and most damaging.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. CEO Fraud and Executive Impersonation<\/h3>\n\n\n\n<p>The fraudster spoofs an executive in a high-level position like the CEO or CFO and sends a seemingly urgent email or instant message to the accounting or human resources department requesting them to execute an immediate wire transfer into a bank account unknown to them, change employee pay data or execute a confidential financial transaction.<\/p>\n\n\n\n<p>The urgency and authority of the request prevent verification. The employee receiving the request doesn&#8217;t want to be seen questioning their CEO or having the executive on the other line waiting for their callback. That pressure is why the attack is so prevalent.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. 
Vendor and Supplier Fraud<\/h3>\n\n\n\n<p>Attackers impersonate a known vendor or supplier and send fake invoices or updated payment instructions. The email arrives in the middle of a normal business relationship, so the recipient has no particular reason to question it. The only change is that the bank account number has been quietly updated to one controlled by the attacker.<\/p>\n\n\n\n<p>This type of attack cost a North Carolina church $793,000 when a criminal spoofed a contractor&#8217;s email, changing only one letter in the email address, and redirected construction funds to a fraudulent account.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Invoice Fraud and Billing Scheme Attacks<\/h3>\n\n\n\n<p>This is similar to vendor fraud but targeted at businesses that process high volumes of invoices. Attackers monitor business communications, often through a compromised inbox, and inject spoofed invoices at precisely the right moment in an existing transaction to maximize credibility. When <a href=\"https:\/\/getdarkscout.com\/blog\/what-is-the-dark-web\/\">credentials are stolen and traded on dark web markets<\/a>, this kind of access to ongoing business correspondence becomes a commodity.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. Payroll Diversion<\/h3>\n\n\n\n<p>Attackers spoof an employee&#8217;s email address and contact HR or payroll teams, requesting a change to direct deposit banking details. The request is processed normally, and the next paycheck, sometimes several pay periods of paychecks, goes directly to the attacker.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5. Brand Impersonation<\/h3>\n\n\n\n<p>Attackers spoof major brands to reach consumers. In Q2 2025, Microsoft was impersonated in 25% of all brand phishing attacks, with Google at 11% and Apple at 9%. DocuSign, PayPal, and LinkedIn fill out much of the rest. 
These campaigns usually go out to thousands or millions of people in a single run, using <a href=\"https:\/\/getdarkscout.com\/blog\/how-to-prevent-malvertising\/\">malvertising<\/a> and other distribution channels alongside email.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6. AI-Augmented Spoofing<\/h3>\n\n\n\n<p>This is the newest and perhaps most insidious evolution. Recent reporting found that in 2025, 82.6% of analyzed phishing emails contained AI-generated text, which means the badly written spoof email is effectively a thing of the past. For spoofing specifically, AI lets an attacker write messages that are not only highly contextual but also mimic the writing style of the person being impersonated.<\/p>\n\n\n\n<p>Combined with deepfake audio and video, AI has enabled some of the most audacious scams to date. In 2024, the engineering firm Arup lost $25 million after a finance worker received a spoofed email purporting to come from a senior executive, initially suspected it was phishing, and was then convinced by a video call in which every other participant was a deepfake of a colleague. The email alone would have failed; the video call made it believable.<\/p>\n\n\n\n<p>Another attempt was thwarted at the last minute at Ferrari. An attacker cloned the CEO&#8217;s voice and asked an executive for help with an urgent, confidential financial transaction. The executive asked about something the CEO had mentioned a few days earlier that the attacker could not have known, and the call ended. That one question prevented what could have been a massive loss.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"real-email-spoofing-attacks-and-what-they-cost\"><\/span>Real Email Spoofing Attacks and What They Cost<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>These are documented instances. 
The cost figures come from public reporting, and the targeting methods will look familiar to most organizations.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Toyota Boshoku: $37 Million<\/h3>\n\n\n\n<p>In 2019, Toyota Boshoku, a supplier to the Toyota automotive group, was targeted by an attacker posing as a trusted business partner. The spoofed email convinced the finance team to authorize a wire transfer. The attack resulted in a <a href=\"https:\/\/www.forbes.com\/sites\/leemathews\/2019\/09\/06\/toyota-parts-supplier-hit-by-37-million-email-scam\/\" target=\"_blank\" rel=\"noopener\">$37 million loss<\/a>, demonstrating that even large, sophisticated organizations with mature finance teams can be defeated by a single convincing spoofed email.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Facebook and Google: $100 Million<\/h3>\n\n\n\n<p>In one of the most widely cited BEC cases, Lithuanian fraudster Evaldas Rimasauskas posed as Quanta Computer, a Taiwan-based manufacturer that supplies both Facebook and Google. Over a period of roughly two years, spoofed emails and fake invoices convinced finance teams at both companies to wire funds to accounts Rimasauskas controlled. Combined losses exceeded $100 million. Rimasauskas was later extradited to the United States, where he pleaded guilty and was sentenced to five years in prison.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Medicare and Medicaid: $11.1 Million<\/h3>\n\n\n\n<p>Cybercriminals targeting US government healthcare programs used spoofed emails impersonating trusted figures within the system to divert $11.1 million into fraudulent bank accounts. The attack exploited the scale and complexity of government payment systems, where large transfers are routine and verification is difficult to enforce at every stage.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. 
Knox County Government: $750,000<\/h3>\n\n\n\n<p>In 2025, <a href=\"https:\/\/www.wbir.com\/article\/news\/crime\/scammers-steal-more-than-750k-knox-county-public-building-authority\/51-5d60e282-5239-4648-acff-28959e2ac09a\" target=\"_blank\" rel=\"noopener\">scammers stole over $750,000<\/a> from a Knox County government agency by sending a spoofed email that appeared to come from a regular vendor. A minor alteration to the sender&#8217;s address was enough to convince staff to update the bank routing information, redirecting the funds. The county only discovered the fraud after the real vendor contacted them about an unpaid invoice.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5. North Carolina Church: $793,000<\/h3>\n\n\n\n<p>A criminal monitoring a church construction project spoofed the contractor&#8217;s email address, changing only a single letter in the domain. The spoofed emails redirected construction payment funds to a fraudulent account. The church lost $793,000 before the fraud was discovered.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6. SilverTerrier BEC Gang: Tens of Thousands of Victims<\/h3>\n\n\n\n<p>SilverTerrier, a Nigeria-based BEC group, targeted over 50,000 businesses across 150 countries using coordinated spoofing campaigns across multiple languages. Their operation involved at least 400 members and used a combination of credential phishing to compromise email accounts and email spoofing to impersonate executives and vendors. Interpol arrested a key ringleader in 2022, but the group remained active through successor operations.<\/p>\n\n\n\n<p>These are not isolated incidents. <a href=\"https:\/\/getdarkscout.com\/blog\/what-is-a-darknet-marketplace\/\">Stolen credentials from dark web marketplaces<\/a> power many of these attacks. 
When email account credentials are purchased from criminal forums and used to monitor ongoing business communications, spoofed emails can be timed with precision.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"how-to-spot-a-spoofed-email\"><\/span>How to Spot a Spoofed Email<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Identifying spoofed emails requires a combination of technical awareness and behavioral skepticism. Neither alone is sufficient.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Check the Actual Sender Address, Not Just the Display Name<\/h3>\n\n\n\n<p>Most email clients show the display name prominently and the actual email address in smaller text or only on hover; many mobile clients hide the address entirely until you expand the sender details. Always check the actual address, not just the name. A display name of &#8220;CEO John Smith&#8221; with an actual address of <code>ceo-john@examplecompany-secure.net<\/code> is a clear red flag.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Look for Subtle Domain Variations<\/h3>\n\n\n\n<p>Lookalike domains are designed to pass casual inspection. Train yourself to look carefully at the domain name itself:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Letters that look similar: <code>rn<\/code> instead of <code>m<\/code>, <code>1<\/code> instead of <code>l<\/code>, <code>0<\/code> instead of <code>o<\/code><\/li>\n\n\n\n<li>Added words: <code>company-secure.com<\/code>, <code>company-invoice.com<\/code>, <code>company-payments.net<\/code><\/li>\n\n\n\n<li>Different top-level domains: <code>.net<\/code> or <code>.org<\/code> instead of the usual <code>.com<\/code><\/li>\n\n\n\n<li>Hyphens added or removed: <code>example-company.com<\/code> instead of <code>examplecompany.com<\/code><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3. Question Any Unexpected Urgency<\/h3>\n\n\n\n<p>Urgency is the most common social engineering lever in spoofed emails. 
Requests that must be completed immediately, before end of business, or confidentially without telling anyone else are red flags regardless of who appears to have sent them.<\/p>\n\n\n\n<p>Legitimate executives, vendors, and banks build processes around routine communications. Genuine emergencies rarely require bypassing those processes entirely.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. Verify Through a Separate Channel<\/h3>\n\n\n\n<p>If you receive an unexpected request involving money, credentials, or sensitive data, verify it through a channel you initiated using contact details you already trust, not a number or link provided in the email itself. Call the vendor. Message the executive on Slack. Use the phone number from the company&#8217;s official website.<\/p>\n\n\n\n<p>This is the single most reliable behavioral control against email spoofing, and it is the verification instinct that stopped the deepfake attempt against Ferrari described above.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5. Check the Email Headers<\/h3>\n\n\n\n<p>Email headers contain the technical record of where a message actually came from. Most email clients allow you to view full headers, though the format varies. Look at three things: the <code>Return-Path<\/code> and <code>Reply-To<\/code> domains compared with the From address; the chain of <code>Received<\/code> lines, which, read from the bottom up, trace the message from the server that originated it to yours; and the <code>Authentication-Results<\/code> header added by your own mail server, which records the SPF, DKIM and DMARC results. A spoofed email will often show a Return-Path or Reply-To domain that differs from the From address, a Received chain that ends at a server unrelated to the claimed sender, or an authentication result other than pass. 
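<\/p>\n\n\n\n<p>The header checks above, and the fields listed under What Attackers Manipulate, can be automated. The Python below is an added example written for this article, not code from the original post or from DarkScout: it parses a constructed sample message with the standard library and flags a lookalike From domain, an executive&#8217;s display name on an outside address, Reply-To and Return-Path domains that differ from the From domain, and a failing DMARC result. The trusted domain <code>examplecompany.com<\/code>, the executive name list, the Authentication-Results server id <code>mx.examplecompany.com<\/code>, the confusable-character table and both sample messages are assumptions made for the example. The same lookalike check covers the domain variations listed in the Lookalike Domains section (homoglyphs, added words, swapped top-level domains, hyphens).<\/p>

```python
# Added example for this article (not the original post's code): flag the header
# manipulations described above in a raw message, using only the standard library.
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAIN = 'examplecompany.com'   # assumption: your own domain
EXECUTIVE_NAMES = {'john smith'}        # assumption: people worth impersonating
AUTHSERV_ID = 'mx.examplecompany.com'   # assumption: id your own MX writes into Authentication-Results
CONFUSABLES = (('rn', 'm'), ('vv', 'w'), ('1', 'l'), ('0', 'o'), ('|', 'l'))

# Constructed sample: CEO display name on a homoglyph domain, with Reply-To and
# the envelope sender (Return-Path) steered to attacker-controlled domains.
SPOOFED_RAW = '''Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.examplecompany.com; spf=pass smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=examplecornpany.com
From: CEO John Smith <john.smith@examplecornpany.com>
Reply-To: john.smith.ceo@examplecompany-secure.net
To: finance@examplecompany.com
Subject: Urgent wire - confidential

Please process the attached wire before end of business today.
'''

# Constructed sample of a legitimate internal message for comparison.
CLEAN_RAW = '''Return-Path: <john.smith@examplecompany.com>
Authentication-Results: mx.examplecompany.com; spf=pass smtp.mailfrom=examplecompany.com; dkim=pass header.d=examplecompany.com; dmarc=pass header.from=examplecompany.com
From: John Smith <john.smith@examplecompany.com>
To: finance@examplecompany.com
Subject: Q3 numbers

Attached as discussed.
'''


def domain_of(address):
    """Lowercased domain part of an address, or '' if there is none."""
    return address.rsplit('@', 1)[-1].lower() if '@' in address else ''


def registrable_name(domain):
    """Label left of the TLD ('examp1e' for examp1e.com). Production code should
    use the Public Suffix List so that example.co.uk is handled correctly."""
    labels = domain.split('.')
    return labels[-2] if len(labels) >= 2 else domain


def normalize(label):
    """Fold common homoglyph substitutions: 'examplecornpany' -> 'examplecompany'."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def lookalike_reason(domain, trusted=TRUSTED_DOMAIN):
    """Explain how `domain` imitates `trusted`, or None if it is the real domain
    or one of its subdomains."""
    if not domain or domain == trusted or domain.endswith('.' + trusted):
        return None
    name, want = registrable_name(domain), registrable_name(trusted)
    folded, want_folded = normalize(name), normalize(want)
    if name == want:
        return 'different top-level domain'
    if folded == want_folded:
        return 'homoglyph or character swap'
    if folded.replace('-', '') == want_folded.replace('-', ''):
        return 'hyphen added or removed'
    if want_folded in folded:
        return 'brand name with extra words'
    return None


def auth_results(msg):
    """Parse the Authentication-Results header written by our own MX into
    {'spf': 'pass', 'dkim': 'none', 'dmarc': 'fail'}. Copies written by anyone
    else are ignored, because an attacker can add a forged one upstream."""
    clauses = [c.strip() for c in msg.get('Authentication-Results', '').split(';')]
    if clauses[0] != AUTHSERV_ID:
        return {}
    results = {}
    for clause in clauses[1:]:
        token = clause.split(' ', 1)[0]          # e.g. 'spf=pass'
        if '=' in token:
            method, result = token.split('=', 1)
            results[method.lower()] = result.lower()
    return results


def analyze_message(raw):
    """Return {finding: detail} for the spoofing indicators present in one raw message."""
    msg = message_from_string(raw)
    findings = {}
    display, from_addr = parseaddr(msg.get('From', ''))
    from_domain = domain_of(from_addr)

    reason = lookalike_reason(from_domain)
    if reason:
        findings['lookalike_from_domain'] = f'{from_domain} imitates {TRUSTED_DOMAIN} ({reason})'
    # Display-name spoofing: a trusted person's name shown on an outside address.
    if from_domain != TRUSTED_DOMAIN and any(n in display.lower() for n in EXECUTIVE_NAMES):
        findings['display_name_mismatch'] = f'{display!r} is shown, but the address is {from_addr}'
    # Replies and bounces steered somewhere other than the apparent sender.
    reply_to = parseaddr(msg.get('Reply-To', ''))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        findings['reply_to_mismatch'] = f'replies go to {reply_to}'
    return_path = parseaddr(msg.get('Return-Path', ''))[1]
    if return_path and domain_of(return_path) != from_domain:
        findings['return_path_mismatch'] = f'envelope sender is {return_path}; SPF was evaluated on that domain'
    # Authentication outcome recorded by our own server.
    auth = auth_results(msg)
    if auth.get('dmarc') not in (None, 'pass'):
        findings['dmarc_' + auth['dmarc']] = 'DMARC did not pass for the From domain'
    if auth.get('spf') in ('fail', 'softfail'):
        findings['spf_' + auth['spf']] = 'sending server is not authorized for the envelope domain'
    return findings


if __name__ == '__main__':
    for label, raw in (('spoofed', SPOOFED_RAW), ('clean', CLEAN_RAW)):
        print(label, analyze_message(raw) or 'no indicators')
```

<p>To use it on a real message, save the message as an <code>.eml<\/code> file and pass its contents to <code>analyze_message<\/code>. Two limits are worth knowing. The organizational-domain logic approximates the Public Suffix List, so <code>example.co.uk<\/code>-style domains need the real list. And a message from a subdomain of some unrelated compromised domain (domain shadowing) raises no lookalike finding and may pass DMARC for that domain, which is why these checks complement rather than replace the human checks above, and why only the Authentication-Results header written by your own server is trusted.<\/p>\n\n\n\n<p>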
Checking headers on suspicious messages is also an early way to tell whether your own account or domain is being abused; see <a href=\"https:\/\/getdarkscout.com\/blog\/signs-your-email-has-been-breached\/\">signs that your email has already been compromised<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"how-to-prevent-email-spoofing\"><\/span>How to Prevent Email Spoofing<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"850\" height=\"494\" src=\"https:\/\/getdarkscout.com\/blog\/wp-content\/uploads\/2026\/04\/How-to-Prevent-Email-Spoofing.webp\" alt=\"How to Prevent Email Spoofing\" class=\"wp-image-3027\" srcset=\"https:\/\/getdarkscout.com\/blog\/wp-content\/uploads\/2026\/04\/How-to-Prevent-Email-Spoofing.webp 850w, https:\/\/getdarkscout.com\/blog\/wp-content\/uploads\/2026\/04\/How-to-Prevent-Email-Spoofing-300x174.webp 300w, https:\/\/getdarkscout.com\/blog\/wp-content\/uploads\/2026\/04\/How-to-Prevent-Email-Spoofing-768x446.webp 768w\" sizes=\"(max-width: 850px) 100vw, 850px\" \/><\/figure>\n\n\n\n<p>Prevention operates on two levels: protecting your own domain from being spoofed, and protecting your organization from spoofed emails that arrive in your inbox.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. Implement SPF, DKIM, and DMARC on Your Domain<\/h3>\n\n\n\n<p>These three protocols are the technical backbone of spoofing prevention. 
Together, they let receiving mail servers determine whether a message claiming to come from your domain was actually authorized by your domain.<\/p>\n\n\n\n<p>SPF (Sender Policy Framework) is a DNS TXT record listing the servers permitted to send mail for your domain. A receiving server looks up the record for the envelope sender domain (the <code>MAIL FROM<\/code>, which becomes the Return-Path) and checks whether the connecting server&#8217;s IP address is on the list. Because SPF checks the envelope domain rather than the visible From address, SPF alone does not stop an attacker who uses their own domain in the envelope and your domain in the From field.<\/p>\n\n\n\n<p>DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outbound messages. The receiving server fetches the public key published in your DNS and verifies the signature. If the signature does not verify, the message was either altered in transit or was never signed by your domain in the first place.<\/p>\n\n\n\n<p>DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on both. It requires that the domain that passed SPF or DKIM align with the domain in the visible From header, which is what ties authentication to the address the recipient actually sees, and it tells receiving servers what to do when a message fails: deliver it anyway (<code>p=none<\/code>), quarantine it, or reject it outright. DMARC also generates aggregate reports that give you visibility into who is sending email on behalf of your domain.<\/p>\n\n\n\n<p>The data is clear on how effective these tools are. In the US, the percentage of phishing emails accepted by mail servers fell from 68.8% in 2023 to just 14.2% in 2025, driven largely by stricter DMARC enforcement. Google and Yahoo now require DMARC for bulk email senders, and this requirement has contributed to a 65% reduction in unauthenticated email reaching Gmail inboxes.<\/p>\n\n\n\n<p>Despite this, only 18% of the world&#8217;s ten million most-visited domains publish a valid DMARC record, and only 4% enforce a reject policy. The protection exists. Most organizations simply have not implemented it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. Set DMARC to Enforcement, Not Just Monitoring<\/h3>\n\n\n\n<p>Many organizations implement DMARC at <code>p=none<\/code>, which means they receive reports but take no action on unauthenticated emails. 
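<\/p>\n\n\n\n<p>The alignment rule and the difference between <code>p=none<\/code> and enforcement are easier to see in code. The Python below is an added example written for this article, not code from the original post or from any DMARC library: it parses a DMARC TXT record and applies the alignment and policy rules to a message&#8217;s SPF and DKIM results the way a receiving server does. The record strings, domains and authentication results are constructed for the example; a real receiver obtains the record with a TXT query for <code>_dmarc.&lt;from-domain&gt;<\/code> and gets the SPF and DKIM results from its own checks.<\/p>

```python
# Added example for this article (not the original post's code): evaluate a
# message against a domain's DMARC record the way a receiving server does.

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a dict of lowercase tags."""
    tags = {}
    for part in txt.split(';'):
        if '=' in part:
            key, value = part.strip().split('=', 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get('v') != 'DMARC1' or tags.get('p') not in ('none', 'quarantine', 'reject'):
        raise ValueError('not a usable DMARC record: ' + txt)
    return tags


def org_domain(domain):
    """Organizational domain, approximated as the last two labels. A real
    implementation uses the Public Suffix List so that example.co.uk works."""
    labels = domain.lower().split('.')
    return '.'.join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment. Strict ('s') needs an exact match; relaxed
    ('r', the default) accepts any subdomain of the same organizational domain."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == 's':
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, action) for one message.

    from_domain is the domain in the visible From header (RFC5322.From).
    spf_domain  is the envelope MAIL FROM domain that SPF actually checked.
    dkim_domain is the d= tag of the DKIM signature that verified ('' if none).
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == 'pass' and aligned(spf_domain, from_domain, tags.get('aspf', 'r'))
    dkim_ok = dkim_result == 'pass' and aligned(dkim_domain, from_domain, tags.get('adkim', 'r'))
    if spf_ok or dkim_ok:                      # one aligned pass is enough
        return 'pass', 'deliver'
    action = {'none': 'deliver', 'quarantine': 'quarantine', 'reject': 'reject'}[tags['p']]
    return 'fail', action


def enforcement_posture(record):
    """Summarize what a record actually does to spoofed mail. Real receivers
    apply a pct below 100 to a random sample of failing messages."""
    tags = parse_dmarc(record)
    policy, pct = tags['p'], int(tags.get('pct', '100'))
    if policy == 'none':
        return 'monitoring only: failing mail is still delivered'
    if pct < 100:
        return f'partial enforcement: p={policy} applied to {pct}% of failing mail'
    return f'enforcement: p={policy}'


# Constructed records for the scenarios below.
MONITOR_ONLY = 'v=DMARC1; p=none; rua=mailto:dmarc@examplecompany.com'
ENFORCED = 'v=DMARC1; p=reject; rua=mailto:dmarc@examplecompany.com'
STRICT_SPF = 'v=DMARC1; p=reject; aspf=s'

if __name__ == '__main__':
    # Attacker: From is our domain, envelope sender is theirs. SPF passes for
    # *their* domain, but that identifier is not aligned with the From header.
    print('spoof, p=none  :', dmarc_disposition(MONITOR_ONLY, 'examplecompany.com', 'pass', 'mail-relay.example.net', 'none', ''))
    print('spoof, p=reject:', dmarc_disposition(ENFORCED, 'examplecompany.com', 'pass', 'mail-relay.example.net', 'none', ''))
    # Legitimate bulk sender on a bounce subdomain: fine under relaxed alignment, not strict.
    print('bulk, relaxed  :', dmarc_disposition(ENFORCED, 'examplecompany.com', 'pass', 'bounce.examplecompany.com', 'none', ''))
    print('bulk, strict   :', dmarc_disposition(STRICT_SPF, 'examplecompany.com', 'pass', 'bounce.examplecompany.com', 'none', ''))
    # Forwarded mail: SPF breaks at the forwarder, but an aligned DKIM signature survives.
    print('forwarded      :', dmarc_disposition(ENFORCED, 'examplecompany.com', 'fail', 'forwarder.example.org', 'pass', 'examplecompany.com'))
    for rec in (MONITOR_ONLY, 'v=DMARC1; p=quarantine; pct=25', ENFORCED):
        print(enforcement_posture(rec))
```

<p>The first two scenarios are the whole point of enforcement: the same forged message is delivered under <code>p=none<\/code> and rejected under <code>p=reject<\/code>, even though SPF passed, because the passing identifier was the attacker&#8217;s envelope domain rather than your From domain. The strict-alignment scenario is the usual reason a move to reject breaks a legitimate bulk sender: the provider&#8217;s bounce subdomain passes SPF but is not the exact From domain, so either keep relaxed alignment or give the provider an aligned DKIM key.<\/p>\n\n\n\n<p>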
This is a monitoring posture, not a protection posture.<\/p>\n\n\n\n<p>For real spoofing prevention, your DMARC policy should be set to <code>p=quarantine<\/code> or ideally <code>p=reject<\/code>. This tells receiving mail servers to quarantine or refuse messages that fail authentication. Until you reach enforcement, a receiver that honors DMARC is instructed to deliver failing mail anyway, so your domain can still be spoofed into essentially any inbox.<\/p>\n\n\n\n<p>Move to enforcement deliberately rather than in one step. Use the aggregate reports collected at <code>p=none<\/code> to find every legitimate source of mail for your domain (marketing platforms, ticketing systems, payroll and HR providers) and get each one passing with SPF or DKIM aligned to your From domain. Then step up to <code>p=quarantine<\/code>, optionally with <code>pct=<\/code> to apply the policy to a fraction of failing mail at first, and finally to <code>p=reject<\/code>. Jumping straight to reject before your own senders are aligned blocks your own mail. Also cover subdomains and parked domains that never send email: an SPF record of <code>v=spf1 -all<\/code> and a <code>p=reject<\/code> DMARC policy on a domain that sends nothing costs nothing and removes an easy target.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. Train Employees to Recognize the Patterns<\/h3>\n\n\n\n<p>Technical controls protect against a significant portion of spoofing attacks. But social engineering that exploits human trust, the CEO fraud that arrives from a lookalike domain, the vendor invoice that appears at exactly the right moment, requires human vigilance as a second layer.<\/p>\n\n\n\n<p>Training should focus on the specific patterns described above: urgency as a red flag, checking actual sender addresses rather than display names, and using out-of-band verification for any financial or sensitive request. Our guide on <a href=\"https:\/\/getdarkscout.com\/blog\/what-is-email-security\/\">email security best practices<\/a> covers what to include in security awareness training.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. Establish Strict Payment Verification Protocols<\/h3>\n\n\n\n<p>No payment, wire transfer, or banking detail change should be processed on the basis of an email request alone. Any such request should require verbal confirmation through a known, pre-verified contact number, not one provided in the email. Given how convincing voice cloning has become, the person confirming should also be asked something an outsider could not know.<\/p>\n\n\n\n<p>This protocol defeats the most common BEC attack pattern. An attacker who has spoofed your supplier&#8217;s email cannot also answer your call to the supplier&#8217;s main phone number.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">5. 
Monitor for Domain Spoofing and Brand Impersonation<\/h3>\n\n\n\n<p>Beyond protecting your own inbox, your organization should actively monitor whether your domain or brand is being spoofed in attacks against your customers, partners, or employees. DMARC aggregate reports are the first source: they list every IP address sending mail with your domain in the From header, including the ones that are not yours.<\/p>\n\n\n\n<p><a href=\"https:\/\/getdarkscout.com\/services\/#brand-protection\">DarkScout&#8217;s brand protection and domain monitoring<\/a> identify when lookalike domains are registered against your brand, when your domain appears in reported phishing campaigns, and when compromised email accounts linked to your organization surface in dark web data.<\/p>\n\n\n\n<p>This kind of monitoring is especially important because <a href=\"https:\/\/getdarkscout.com\/blog\/what-is-a-stealer-log\/\">email account credentials stolen through infostealers<\/a> end up on dark web markets within hours of being harvested. An attacker who purchases access to a compromised email account does not need to spoof anything. They can send emails from the real account, which passes every authentication check. Knowing when your organization&#8217;s email credentials are exposed is the upstream defense.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">6. Enable Multi-Factor Authentication on All Email Accounts<\/h3>\n\n\n\n<p>Account takeover via stolen credentials is the most dangerous form of email compromise because it requires no spoofing at all. The attacker is using the real account, so SPF, DKIM and DMARC all pass. Enabling MFA on every email account means a stolen password alone is not enough to log in and start sending mail or reading correspondence.<\/p>\n\n\n\n<p>Be aware that push-based MFA is vulnerable to <a href=\"https:\/\/getdarkscout.com\/blog\/what-is-push-bombing\/\">push bombing attacks<\/a>, and that infostealers also take session cookies, which bypass MFA entirely until the session is revoked. For email accounts with elevated access or financial authority, use phishing-resistant MFA such as passkeys or FIDO2 hardware keys, and revoke sessions whenever a device is suspected of being compromised.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">7. 
Use Advanced Email Security Tools<\/h3>\n\n\n\n<p>Legacy secure email gateways struggle with BEC because they are built to flag known malicious URLs and attachments, not conversational messages that contain neither. Newer email security systems, many of them AI-driven, model the sender&#8217;s reputation, the usual communication pattern between the parties, the context of the thread, and unusual request types such as a first-ever payment change, and flag messages that break those patterns.<\/p>\n\n\n\n<p>Combined with DMARC enforcement, employee training, and dark web credential monitoring, this gives you layered coverage across each stage of the attack chain rather than a single control that an attacker can route around.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"what-to-do-if-you-received-or-acted-on-a-spoofed-email\"><\/span>What to Do If You Received or Acted on a Spoofed Email<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Speed matters here; the faster you act, the less damage is done. The following steps depend on what you have or have not already done.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1. If You Received a Spoofed Email and Did Not Act on It<\/h3>\n\n\n\n<p>Report it to your IT or security team, ideally as an attachment or with the full headers, so they can analyze the sending infrastructure, update filters, and check whether anyone else in the organization received it. Do not reply to the email or click anything in it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">2. If You Clicked a Link in a Spoofed Email<\/h3>\n\n\n\n<p>Disconnect from the network immediately. Change your password from a clean device and enable MFA if it is not already active. Report the incident to your security team. 
Run a <a href=\"https:\/\/getdarkscout.com\/services\/scan-email\/\">dark web scan<\/a> to check whether your credentials are already exposed.<\/p>\n\n\n\n<p>If the email may have delivered malware through a <a href=\"https:\/\/getdarkscout.com\/blog\/what-is-a-drive-by-download\/\">drive-by download<\/a>, treat the device as potentially compromised and have it forensically assessed before reconnecting to corporate systems.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">3. If You Transferred Money or Updated Payment Details<\/h3>\n\n\n\n<p>Contact your bank immediately and request a recall of the transfer. Banks can sometimes halt or reverse wire transfers if they are notified quickly, but the window is very short. Then file a complaint with the FBI&#8217;s Internet Crime Complaint Center (IC3) at ic3.gov; for domestic wires reported promptly, IC3&#8217;s Recovery Asset Team works with banks to try to freeze the funds.<\/p>\n\n\n\n<p>Do not attempt to resolve the situation by replying to the spoofed email. The attacker is still monitoring that conversation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">4. If Your Email Account Was Used to Send Spoofed Emails<\/h3>\n\n\n\n<p>First establish which of two things happened. If messages you did not write appear in your Sent folder, or the recipients&#8217; copies show they left through your provider&#8217;s servers, the account itself is compromised. If you only see bounce messages for mail you never sent and nothing in Sent, your address was most likely forged from elsewhere; that is a spoofing problem your domain&#8217;s DMARC policy should stop, not an account breach. For a compromised account: change your password immediately, revoke all active sessions, check your sent mail for unauthorized messages, review any inbox rules or forwarding settings the attacker may have set up, and notify your contacts that your account may have been compromised. 
Check <a href=\"https:\/\/getdarkscout.com\/blog\/signs-your-email-has-been-breached\/\">signs your email has been breached<\/a> for a full checklist of what to look for and do.<\/p>\n\n\n\n<p>For a complete incident response framework, follow your organization&#8217;s <a href=\"https:\/\/getdarkscout.com\/blog\/data-breach-response-plan\/\">data breach response plan<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"final-thoughts\"><\/span>Final Thoughts<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Email spoofing is the disguise that makes most other email-based attacks believable. It is what turns a phishing link into something your employee believes is from their bank. It is what turns a fake invoice into something your finance team processes without question. It is what turned a spoofed contractor email into a $793,000 loss for a church and a $100 million theft from two of the world&#8217;s largest technology companies.<\/p>\n\n\n\n<p>The technical defenses exist. SPF, DKIM, and DMARC have measurably reduced email spoofing where they are properly deployed. The problem is that most organizations have not deployed them fully. And even where they have, lookalike domains, display name spoofing, and compromised email accounts create gaps that training and dark web monitoring must fill.<\/p>\n\n\n\n<p>Protecting your organization means closing every gap in the chain, not just the most obvious ones.<\/p>\n","protected":false}}
That is the gap that email spoofing exploits. 2. What Attackers Manipulate Attackers manipulate several fields within an email&#8217;s header to create a convincing spoof. The From field is the most commonly forged element. This is the sender name and address that appears in your email client. It can be set to anything without any verification. Reply-To: This is another field that is sometimes set to a different address than the one that is listed in the From field. So while the From address may appear to be trustworthy, the reply will go to a different address, which is controlled by the attacker and will not be noticed by the victim. Display Name: This field is what allows the sender name to appear alongside the sender&#8217;s email address; attackers often leave the real address of the email sender visible but disguise the sender name as someone whom the recipient trusts. It might appear that &#8220;John Smith, CEO&#8221; has emailed you when actually his address could be &#8220;ceo-secure@randomdomain.com&#8221; (if you hover your mouse over the sender&#8217;s name, this will give you the real email address.) Return-Path: This is an email header that determines where failed emails will be returned to; an attacker will send an email with the From address of an unknown recipient but have the return path directed to a domain they themselves own. 3. Lookalike Domains and Typosquatting A more advanced method of spoofing includes the purchase of a domain name that is very similar to the target company. Such domains are commonly known as lookalike or typosquatting domains. An attacker may purchase examp1e.com instead of example.com or examp1e-secure.com or even exarnple.com where &#8216;r&#8217; and &#8216;n&#8217; look similar. 
Emails sent from such<\/p>\n","protected":false},"author":9,"featured_media":3068,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[22],"tags":[21],"class_list":["post-3026","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/getdarkscout.com\/blog\/wp-json\/wp\/v2\/posts\/3026","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/getdarkscout.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/getdarkscout.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/getdarkscout.com\/blog\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/getdarkscout.com\/blog\/wp-json\/wp\/v2\/comments?post=3026"}],"version-history":[{"count":1,"href":"https:\/\/getdarkscout.com\/blog\/wp-json\/wp\/v2\/posts\/3026\/revisions"}],"predecessor-version":[{"id":3030,"href":"https:\/\/getdarkscout.com\/blog\/wp-json\/wp\/v2\/posts\/3026\/revisions\/3030"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/getdarkscout.com\/blog\/wp-json\/wp\/v2\/media\/3068"}],"wp:attachment":[{"href":"https:\/\/getdarkscout.com\/blog\/wp-json\/wp\/v2\/media?parent=3026"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/getdarkscout.com\/blog\/wp-json\/wp\/v2\/categories?post=3026"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/getdarkscout.com\/blog\/wp-json\/wp\/v2\/tags?post=3026"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}