The MSP Security Gap

Turn security gaps into sales opportunities with weekly attack scenarios

The email that looked like yours

The scenario:

  • The invoice came from billing@acme-consulting.com - and your client didn't send it.

  • Email spoofing remains trivially easy against domains that have not deployed sender authentication. SPF, DKIM, and DMARC are well understood and supported by every major mail provider, yet a large share of small businesses still publish no DMARC policy, or publish one set to p=none, which reports spoofing but blocks nothing. SPF and DKIM on their own do not protect the address the recipient sees: SPF checks the envelope sender and DKIM the signing domain, and only DMARC requires one of them to align with the header From. Attackers exploit this daily, sending mail that appears to come from a legitimate domain to its customers, vendors, and employees.

  • The consequences are expensive. Fake invoices get paid into attacker-controlled accounts. Credential-harvesting emails gain credibility. Business email compromise succeeds because the From address looks right. And the spoofed domain's reputation suffers when recipients report the messages as spam.

  • Lock down email authentication by taking DMARC to an enforcing policy (p=quarantine, then p=reject), not just monitoring with p=none. Ensure the SPF record covers every legitimate sending source (including marketing, ticketing, and billing platforms), ends in -all, and stays within the ten-DNS-lookup limit, beyond which receivers return a permanent error and the record protects nothing. Deploy DKIM signing for all outbound mail so the signing domain aligns with the From domain. Monitor DMARC aggregate (rua) reports for spoofing attempts, and for legitimate senders that fail alignment, before tightening the policy; cover subdomains with sp= so an attacker cannot simply send from a subdomain instead. Treat email authentication as client security hygiene, not optional configuration.

  • Email authentication is basic security that many businesses still get wrong. Fixing it is low-effort, high-impact, and a concrete deliverable you can add to security reviews.
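
As an added example (not part of the original newsletter), the following Python audit takes a domain's DMARC and SPF record strings and classifies them the way the step above asks: is DMARC actually enforcing (p=quarantine or p=reject at pct=100, subdomains covered, reports going somewhere), and does SPF end in a hard fail while staying within the ten-lookup limit. The acme-consulting.com records, the _spf.google.com and sendgrid.net includes, and the report mailbox are constructed sample data, not live DNS lookups.

```python
"""Offline audit of DMARC and SPF record strings for enforcement strength."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# SPF terms that each cost one DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed sample records for the scenario domain on this page (not real DNS data).
SAMPLE_RECORDS = {
    "weak": {
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@acme-consulting.com",
        "spf": "v=spf1 include:_spf.google.com include:sendgrid.net ~all",
    },
    "hardened": {
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@acme-consulting.com",
        "spf": "v=spf1 include:_spf.google.com include:sendgrid.net -all",
    },
}


@dataclass
class DmarcAudit:
    policy: Optional[str]
    subdomain_policy: Optional[str]
    pct: int
    has_rua: bool
    findings: List[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        # Only quarantine/reject applied to 100% of failing mail actually blocks spoofing.
        return self.policy in ("quarantine", "reject") and self.pct == 100


@dataclass
class SpfAudit:
    all_qualifier: Optional[str]  # '-', '~', '?', '+' or None if no 'all' term
    lookup_count: int
    findings: List[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        return self.all_qualifier == "-" and self.lookup_count <= 10


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k2=v2' DMARC record into a dict with lowercased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str) -> DmarcAudit:
    tags, findings = parse_tags(record), []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("not a DMARC record (missing v=DMARC1)")
    policy = tags.get("p", "").lower() or None
    sub_policy = tags.get("sp", "").lower() or policy  # subdomains inherit p when sp is absent
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when omitted
    except ValueError:
        pct = 100
        findings.append("pct= is not a number; treating it as 100")
    has_rua = "rua" in tags
    if policy is None:
        findings.append("no p= tag: the record is invalid and receivers ignore it")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the {policy} policy")
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected")
    if not has_rua:
        findings.append("no rua= address: nobody will ever see the spoofing reports")
    return DmarcAudit(policy, sub_policy, pct, has_rua, findings)


def audit_spf(record: str) -> SpfAudit:
    terms, findings = record.split(), []
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("not an SPF record (missing v=spf1)")
    all_qualifier, lookups = None, 0
    for term in terms[1:]:
        qualifier, body = ("+", term) if term[0] not in "+-~?" else (term[0], term[1:])
        name = re.split(r"[:/=]", body, maxsplit=1)[0].lower()  # 'include:x' -> 'include'
        if name == "all":
            all_qualifier = qualifier
        elif name in SPF_LOOKUP_TERMS:
            lookups += 1  # counts this record only; resolving includes adds more
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result, not a fail")
    elif all_qualifier == "+":
        findings.append("+all authorizes the entire internet to send as this domain")
    elif all_qualifier in ("~", "?"):
        findings.append(f"{all_qualifier}all is not a hard fail; it relies on DMARC to enforce")
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10: SPF returns permerror")
    return SpfAudit(all_qualifier, lookups, findings)


def qbr_summary(dmarc_record: str, spf_record: str) -> dict:
    """Roll both audits into the answer a QBR slide needs: enforcing or not, and why not."""
    dmarc, spf = audit_dmarc(dmarc_record), audit_spf(spf_record)
    return {
        "dmarc_policy": dmarc.policy,
        "dmarc_enforcing": dmarc.enforcing,
        "spf_enforcing": spf.enforcing,
        "findings": dmarc.findings + spf.findings,
    }


if __name__ == "__main__":
    for label, records in SAMPLE_RECORDS.items():
        print(label, qbr_summary(records["dmarc"], records["spf"]))
```

To run it against a real client, paste in the output of `dig +short TXT _dmarc.example.com` and `dig +short TXT example.com`. The lookup count covers only the terms visible in the pasted record, so it is a lower bound: each include: expands to further lookups when a receiver resolves it, which is exactly how domains drift past the limit after adding a few SaaS senders.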

Do this:

Check one client's DMARC record using MXToolbox. Is the policy p=reject, p=quarantine, or just p=none? Quarantine counts as enforcing, but reject is the goal. If it's not enforcing, add it to their next QBR.