Email Domain Spoofing & Business Email Compromise
Fraudsters register a near-identical domain (one changed character) or hijack a mailbox, monitor the thread for weeks, then inject fraudulent instructions.
How the scam works
- 1.Attacker compromises or imitates the supplier's (or buyer's) email.
- 2.They quietly monitor genuine correspondence for weeks, learning the deal.
- 3.At the payment moment they send instructions from a look-alike domain.
- 4.Funds are routed to the fraudster before anyone notices the swap.
Red flags to watch for
- Sender domain differs by a single character (rn vs m, .co vs .com).
- Sudden switch to a free email account or a new contact name.
- Subtle changes in tone, signature, or reply-to address.
- Any payment-instruction change delivered only by email.
How to protect yourself
- Verify every payment instruction by voice on a pre-agreed number.
- Check the full sender address, not just the display name.
- Adopt a multi-channel confirmation policy for all transfers.
- Use a shared, secured deal portal instead of loose email where possible.
In depth
Email domain spoofing is the delivery mechanism behind most payment redirection. The attacker registers a look-alike domain that differs from the genuine one by a single character — a swapped letter, an added hyphen, a .co for a .com — and inserts themselves into the conversation so convincingly that the buyer never notices they are now talking to a different party.
Because the human eye skims domains, build a mechanical check into your process. Confirm sensitive instructions — especially anything about money — by voice on a pre-verified number, scrutinize the full email address rather than the display name, and treat any change of contact address or banking detail as a trigger to verify out-of-band before acting.
Related reading
Frequently asked questions
- How does business email compromise work in steel trade?
- Fraudsters compromise or imitate the supplier's email, monitor genuine correspondence for weeks to learn the deal, then send fraudulent payment instructions from a look-alike domain at the moment of payment.
- How do I stop email-based payment fraud?
- Verify every payment instruction by voice on a pre-agreed number, check the full sender address rather than the display name, and adopt a strict multi-channel confirmation policy for all transfers.
Real cases
The near-identical domain
A fraudulent email inserted itself into the genuine thread and sent revised banking instructions from a one-character-different domain. A large sum was wired to a third-country account.
Three weeks of watching the inbox
Fraudsters monitored email for three weeks, then sent 'revised payment instructions' from a near-identical domain directing funds to a third-country account. The full amount went before detection.
Worried this is happening to you?
Run your supplier through the structured verification checklist.