CEO fraud and fake invoices: is your domain being imitated?
A fraudster impersonating you or a supplier can cost your business thousands of dollars. Here's how these scams work — and how to check whether your domain is already being imitated.
In short: CEO fraud and fake invoices often rely on a lookalike domain — an imitation of your domain name. Your email protections (DMARC) don't apply to that fake domain: it has to be detected separately.
What is CEO fraud (business email compromise)?
A fraudster impersonates the company's executive (or a known supplier) and writes to your accounting team demanding an urgent wire transfer or payment of a fake invoice. It's one of the costliest scams for small businesses, because it targets people, not machines.
The role of lookalike domains (typosquatting)
To look credible, the fraudster registers a domain that resembles yours: a changed letter, an added hyphen, a different extension (.co instead of .com). They then create an email address on that fake domain and write to your customers or staff. Our lookalike detector checks for free whether such imitations already exist for your domain.
Direct spoofing vs. lookalike domain: two different problems
Direct spoofing — the fraudster uses your real address. This is blocked with DMARC at reject.
Lookalike domain — the fraudster uses a fake domain that resembles yours. DMARC doesn't block it (it's not your domain): it must be monitored.