DocVerdict

Spotting payment-redirect emails

The most expensive email in business doesn't look dangerous. It looks like your vendor, your title company, or your contractor, writing in a familiar thread, with one quiet update: we've changed banks, please use the new account for the next payment. Business email compromise losses run into the billions every year, and the redirect email is its workhorse, because nothing about it looks like an attack. The defense is mechanical, not intuitive, and it has two layers: the email's own records, and one phone call.

Where redirect emails come from

Three origins, in rising order of difficulty to detect. A lookalike domain: the sender registered a domain one character off from your counterparty's and writes from it, often passing every authentication check for its own fraudulent domain. A spoofed thread: the attacker fakes the familiar address without controlling it, which authentication usually exposes. Worst, a compromised account: the email really does come from the counterparty's mailbox, passing every check, often replying inside a genuine thread the attacker has been reading for weeks, waiting for an invoice moment.

The mechanical checks

Read the exact From domain character by character; "vendorco-billing.com" is not "vendorco.com." Check Reply-To against From; redirect attackers often route replies to a third address. On anything changing payment details, look at the authentication results and routing for the message: failures or misalignment on a familiar domain are a stop sign. If an invoice is attached, check the file too; redirect campaigns frequently pair the email with an edited or regenerated invoice carrying the new account, and the document's own records betray the swap. And weigh the ask against the pattern: banking changes announced by email, urgency about an imminent payment, and small changes to long-standing instructions are the signature trio.

Then the layer that beats even the compromised account, because it has to: verify any change in payment details by phone, using a number you already had, with a person you know. Never the number in the email. This single procedural rule defeats every variant, including the perfect one, and costs ninety seconds.
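The mechanical header checks above, written out as a small script so the comparisons are explicit. This is an added example, not DocVerdict's own code; the .eml it reads is a constructed sample, the counterparty domain "vendorco.com" is assumed to be the one on file, and the lookalike heuristic is deliberately crude (one swapped character, or the counterparty's name embedded in another domain). It uses only the Python standard library.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample .eml (not a real message): a lookalike-domain redirect that passes
# authentication for its own fraudulent domain and routes replies to a third address.
SAMPLE_EML = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=vendorco-billing.com;
 dkim=pass header.d=vendorco-billing.com; dmarc=pass header.from=vendorco-billing.com
From: Accounts <ar@vendorco-billing.com>
Reply-To: ar.vendorco@mail-relay.example
Subject: Re: Invoice 4471 - updated bank details

We have changed banks, please use the new account for the next payment.
"""

def domain_of(header_value):
    """Lowercase domain of an address header, or '' when the header is absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def looks_like(candidate, known):
    """Crude lookalike test: one character swapped, or the counterparty's name inside another domain."""
    one_off = len(candidate) == len(known) and sum(a != b for a, b in zip(candidate, known)) == 1
    return one_off or known.split(".")[0] in candidate

def review_redirect_email(raw, known_domain):
    """Apply the mechanical header checks to a raw .eml; returns findings ([] means none)."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    # 1. The exact From domain, character by character, against the domain on file.
    if from_dom != known_domain:
        kind = "lookalike" if looks_like(from_dom, known_domain) else "unrelated"
        findings.append(f"From domain {from_dom!r} is not {known_domain!r} ({kind})")
    # 2. Reply-To routing replies to a third address.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    # 3. Authentication results: any non-pass, or a DKIM signer not aligned with From.
    auth = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m or m.group(1).lower() != "pass":
            findings.append(f"{mech} result: {m.group(1) if m else 'missing'}")
    signer = re.search(r"header\.d=([\w.-]+)", auth)
    if signer and signer.group(1).lower() != from_dom:
        findings.append(f"DKIM signing domain {signer.group(1)!r} not aligned with From")
    return findings
```

Calling review_redirect_email(SAMPLE_EML, "vendorco.com") flags the lookalike From domain and the third-party Reply-To while every authentication result passes, which is exactly the case where the checks identify the attack type and the phone call does the verifying.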

FAQ

The email passed SPF, DKIM, and DMARC. Safe to pay?

No. Authentication proves the sending domain, which is exactly what a compromised account or a lookalike domain with proper setup also has. For payment changes, the callback is the verification; the checks just tell you which attack you might be facing.

What should we do after catching one?

Don't reply. Preserve the email as a .eml, warn the real counterparty by phone (their mailbox may be compromised), and alert your bank if anything was sent. Speed matters most in the first hours.

How do companies prevent this structurally?

A standing rule that payment-detail changes are never accepted by email alone, verified callbacks on file, and dual approval on first payments to any new account. Process beats vigilance.

Check a suspicious email now

Save it as .eml and drop it on DocVerdict's email check: sender alignment, routing, authentication results, and attachment fingerprints in seconds. Free check, no account, files never stored.