SteelVerify
High risk

Email Domain Spoofing & Business Email Compromise

Fraudsters register a near-identical domain (one changed character) or hijack a mailbox, monitor the thread for weeks, then inject fraudulent instructions.

How the scam works

  1. 1.Attacker compromises or imitates the supplier's (or buyer's) email.
  2. 2.They quietly monitor genuine correspondence for weeks, learning the deal.
  3. 3.At the payment moment they send instructions from a look-alike domain.
  4. 4.Funds are routed to the fraudster before anyone notices the swap.

Red flags to watch for

  • Sender domain differs by a single character (rn vs m, .co vs .com).
  • Sudden switch to a free email account or a new contact name.
  • Subtle changes in tone, signature, or reply-to address.
  • Any payment-instruction change delivered only by email.

How to protect yourself

  • Verify every payment instruction by voice on a pre-agreed number.
  • Check the full sender address, not just the display name.
  • Adopt a multi-channel confirmation policy for all transfers.
  • Use a shared, secured deal portal instead of loose email where possible.

In depth

Email domain spoofing is the delivery mechanism behind most payment redirection. The attacker registers a look-alike domain that differs from the genuine one by a single character — a swapped letter, an added hyphen, a .co for a .com — and inserts themselves into the conversation so convincingly that the buyer never notices they are now talking to a different party.

Because the human eye skims domains, build a mechanical check into your process. Confirm sensitive instructions — especially anything about money — by voice on a pre-verified number, scrutinize the full email address rather than the display name, and treat any change of contact address or banking detail as a trigger to verify out-of-band before acting.

Related reading

Frequently asked questions

How does business email compromise work in steel trade?
Fraudsters compromise or imitate the supplier's email, monitor genuine correspondence for weeks to learn the deal, then send fraudulent payment instructions from a look-alike domain at the moment of payment.
How do I stop email-based payment fraud?
Verify every payment instruction by voice on a pre-agreed number, check the full sender address rather than the display name, and adopt a strict multi-channel confirmation policy for all transfers.

Real cases

Buyer in the Middle EastCold-rolled coil, 800 MTLoss: Six figures (USD)

The near-identical domain

A fraudulent email inserted itself into the genuine thread and sent revised banking instructions from a one-character-different domain. A large sum was wired to a third-country account.

Buyer in South AsiaHRC & galvanized coils, 1,200 MTLoss: Six figures, unrecovered

Three weeks of watching the inbox

Fraudsters monitored email for three weeks, then sent 'revised payment instructions' from a near-identical domain directing funds to a third-country account. The full amount went before detection.

Worried this is happening to you?

Run your supplier through the structured verification checklist.

Verify a supplier