If you looked at this email fast, you’d swear it came from Microsoft. Same logo, layout, tone - everything checks out. Except for one thing: The sender’s domain was rnicrosoft(.)com instead of microsoft(.)com That tiny swap of “rn” instead of “m” is what’s called typosquatting. Attackers register near-identical domains to catch people who skim their inbox too fast. What makes this effective is how subtle it is. On mobile, you barely see the full address. On desktop, your brain autocorrects it. It feels right and that’s all they need. These kinds of tricks are showing up more often in credential phishing, vendor invoice scams, even internal HR impersonations. How to handle these cleanly (real, practical steps): - Expand the full sender address every time before you click. - Hover the link to view the real href, or long-press the link on mobile to reveal the URL. - Check the Reply-To header -- scammers often route replies elsewhere. - If it’s a password reset you didn’t request, open a new tab and log in from the official site rather than clicking the email. - Forward the phish to your security team or report it (company phishing inbox / your provider’s report feature). Examples of look-alikes to watch for: swapped letters (rn → m), zero for o (micros0ft), added hyphens or extra subdomains (microsoft-support[.]com). Small habit change, big payoff. Teams that rehearse these scenarios stop reflexively clicking.
Email Security Features
Explore top LinkedIn content from expert professionals.
-
-
The CFO was furious. He had just wired $65,000 to a scammer because he thought he was paying a trusted vendor. It wasn’t a hack. No one broke a firewall. No one cracked a password. It was a classic Business Email Compromise (BEC). The attackers simply asked for the money, and because they looked legitimate, he sent it. His first reaction? "We need better software to stop this." I had to tell him the hard truth: Software can't fix a broken process. Technology alone cannot stop a human from being manipulated. If you rely solely on tools, you are bringing a firewall to a confidence game. We didn't solve this problem by buying an expensive new security appliance. We solved it by rewriting the company's Standard Operating Procedure (SOP). We implemented a simple, non-technical rule: Any request for a wire transfer received via email or text must be verbally verified by a second authorized signer. That one process change (which cost $0 in software licensing) did more to secure their finances than any tool on the market could have. 👇 I've attached the exact SOP template we use. Swipe through to see the specific language you can add to your finance policies today. In my book, Fire Doesn't Innovate, I share tools like this because cyber resilience is about People, Process, and Technology; not just Technology. #BusinessEmailCompromise #CFO #RiskManagement #FireDoesntInnovate #SOP
-
Attackers can send emails that look like they’re from your company without ever touching your systems. They spoof your domain, impersonate your executives, and target your customers. This can turn into real financial loss. Customers pay fake invoices. Vendors update payment details based on a fraudulent message. Employees get pulled into credential or payment scams that look legitimate. For a small business, that can mean lost revenue, recovery costs, and operational disruption. Email authentication helps reduce this risk. SPF and DKIM verify sending systems. DMARC ties it together and tells receiving servers how to handle messages that fail checks. When configured and enforced, many spoofed emails can be filtered or blocked before they reach inboxes. It also gives you visibility into who is trying to use your domain. It’s worth checking where you stand: Ask your MSP or IT team if SPF, DKIM, and DMARC are configured and actively monitored. Confirm your DMARC policy is enforced, not just set to monitor. Make sure you can review and act on DMARC reports. This is basic protection that’s easy to put in place, inexpensive to maintain, and can make a meaningful difference, especially given how much business communication and payments still rely on email. Learn more here: ➢ FTC: "How to Stop a Would-Be Business Impersonator" https://lnkd.in/gfjq6eEu ➢ FTC: "Email Authentication" https://lnkd.in/gmZuyxFj #Cybersecurity #EmailSecurity #EmailAuthentication #SmallBusiness #BusinessRisk
-
Bob just gave $70,000 to a complete stranger who provided zero value. Actually, it wasn’t just a stranger, it was a thief posing as a vendor. They sent an email saying, “Pay now, get a 5% discount.” Bob was busy, running a million miles an hour, and thought he’d snag a quick win for the bottom line. He sent the wire. By the time he realized it was a scam, the money was gone. Most contractors think cybercriminals are only targeting the big guys. They aren't. They’re targeting mid-sized construction shops because you move high-dollar amounts for materials every day, and your internal controls usually aren't as tight as a tech giant's. Unfortunately, Bob is screwed. You don't have to be. Unless you have the right coverage, you’re eating that loss. When you’re looking at your cyber or crime policy, look specifically for Social Engineering or Funds Transfer Fraud. You need to ensure it covers "Voluntary Parting." Most people think of "hacking" as someone breaking into a vault. In this case, the thief didn’t break in, they tricked you into opening the door and handing them the bag. But look, a policy is just a safety net. The goal is to never fall off the tightrope in the first place. If a vendor sends an email with new wire instructions, a "special discount," or a sudden sense of urgency, stop. Pick up the phone. Don’t call the number in the signature of that email, call the number you’ve had in your system for five years. Verification takes seven minutes. Replacing $70,000 of net profit takes a heckuva lot longer. Implement an SOP where no wire goes out without a voice on the other end of the line. Share this with your office manager today. It’s a lot cheaper than the alternative.
-
The silent killer of outbound campaigns isn't bad copy—it's poor inbox deliverability with no fall-back. Most SaaS companies operate with a single sending domain, creating a single point of failure for their entire pipeline. Here's what the top 10% of outbound teams implement: 1. Primary domain (used for most company communications) 2. Secondary domains (warmed 2-6 weeks before campaign use) - Different IP and domains than primary - SPF/DKIM/DMARC records - Routine inbox placement + blacklist monitoring 3. Tertiary backup domains (fully warmed but unused) - Complete isolation from domains 1 & 2 - Ready for immediate deployment if needed This three-domain architecture creates redundancy. It'll protect against deliverability disasters when algorithms change. It takes about a month to fully prepare—but it's insurance against the most common outbound failure: sudden email reputation collapse. The companies that use this architecture survive even in the roughest of times.
-
70% of staff at this £18Bn IT giant were clicking on phishing links. 12 months later, we cut it down to 20%. I led the transformation as CISO. Here's exactly how we did it step by step: We had a workforce of 300,000 people across 150+ countries in 2021. Different cultures, different languages, different inbox habits, but one common problem: Inbox fatigue. Hundreds of emails a day meant people stopped thinking. If it hit their inbox, they opened it. And when it looked remotely legitimate? They clicked. Even the most senior execs — the ones with the most sensitive data — were falling for the bait. As CISO, I wanted to help fix this laissez-faire view without humiliating anyone. Here's how: Step 1: Awareness Training We launched 5-10 minute micro-learning modules that dove into • why phishing exists • what criminals get out of it • the tell-tale signs (bad grammar, lookalike domains, letter swaps in emails, etc.) The lessons were practical and related to life at business and at home. People finished the module knowing exactly what to check before clicking. Step 2: Realistic & Layered Phishing Simulations Now it was time to test everyone. We started with easy simulations and built complexity over time: → Simple: obvious scams like “Nigerian prince” emails → Intermediate: fake brand offers from Apple or similar → Advanced: MS login pages so convincing they fooled seasoned IT staff Every “fail” on the simulation triggered an instant education page showing exactly what they missed. We sent them in waves over 14 hours, with multiple variations so colleagues couldn’t tip each other off. We used the local language in each country and avoided dirty tricks like fake bonus announcements. Step 3: Tracking the Data We built in features in each email that helped us track: • link clicks • email opens • data entered (and whether it was real or spoof) • reports (via a “report phishing” button) This helped us see where someone stopped in the chain and reward them for correct reporting. Step 4: Analyzing & Reporting Findings We analysed the data above by country, seniority, and cultural trends. Key Findings: • Colleagues in some cultures were more likely to open emails 'just in case' it was from a boss. • Some countries will not allow phishing simulations at all. • Execs were the WORST offenders. With this info, we moved onto: Step 5: Education & Implementing Solutions On top of the built-in education pages, we hosted workshops with repeat offenders to • dissect the email together • point out red flags they missed For the top-level execs who were still clicking after a year, we held direct coaching sessions — explaining that with their access came the highest stakes. –– By the end of the programme: • Click rate: 70% → 20% • Dramatic increase in phishing reports • A cultural shift where questioning suspicious emails became the norm (post continued in the comments below)
-
🚫 Stop Fraud Before It Starts Fraudsters thrive on urgency and fear — but you can outsmart them with one simple habit: pause and verify. 🔑 Key Reminders: • Fraud preys on haste. Pause and think. • Stop. Verify. Don’t be a victim. • If it feels rushed, it’s probably a scam. • Never share your OTP. Ever. • Protect your password like your wallet. 💰 Money Safety Alerts: • No bank asks for passwords by phone — hang up. • Gift cards as payment? 🚩 That’s fraud. • Wire transfers are final — double‑check first. • Crypto requests? Stop and verify. • Don’t send money to strangers online. 📧 Email & Link Safety: • Hover before you click — check the URL. • Real companies don’t ask for credentials by email. • Links can lie. Type the site yourself. • Attachments from strangers? Delete them. 👥 Social Engineering Defense: • Caller ID can be faked — confirm independently. • Romance scams ask for money — don’t fall for it. • Never give personal info to unsolicited callers. ⚡ Your Action Plan: • Pause. Verify. Report. • Lock it down: strong passwords + MFA. • Update. Backup. Protect. ✅ Remember: Scammers create urgency to cloud your judgment. Slow down, verify, and protect yourself. Share this post to help others stay safe.
-
I almost gave hackers access to millions in client Google Ads accounts yesterday. Here's the phishing attack that nearly destroyed my agency: Contact form submission: "$120k/month spend, need audit ASAP, want to hire immediately." This was Red flag #1. (But I missed it because we all love fast-moving prospects.) Two hours later: "Google Ads invitation" hits my inbox. Perfect Google logo. Official formatting. Real customer ID. Looked completely legitimate. I clicked "Accept." Then I saw the sender: adssolutionnoreply@googlemail.com Not @google.com. @googlemail.com. I'd already entered my credentials on their fake login page. Emergency response: ✔Changed password twice ✔Forced logout on all devices ✔Removed email from MCC immediately ✔Audited access logs on client accounts ✔Reviewed all recent account changes This could have been catastrophic. Client budgets, campaign data, payment methods - everything was at risk. The contact came from someone using the name "Lewis Ingall" (found on LinkedIn: Lewis Ingall). I'm sharing this publicly so other agencies can avoid this scammer. 🚨 Red flags I should have caught: ✔Sender domain not @google.com ✔High-spend prospect demanding immediate action ✔Fake invite requiring password re-entry ✔No actual account access after clicking Accept I've attached screenshots of the fake email and phishing page so you can see exactly what this looks like. Study these images - this scam is incredibly convincing. Critical reminder: Google will NEVER ask you to re-enter your password through an email link. If you manage Google Ads, you're a target. These attacks are getting more sophisticated every week. Have you encountered similar phishing attempts? What's your security protocol for protecting client accounts?
-
I was invited to an interview by a big company… for a role I never applied for. At first I was like, okay maybe it’s from one of those applications I sprinkled everywhere months ago 😁. So I confirmed my availability. Then the next email landed... Flexible working hours… a mini home office will be set up for you… completely remote… Ok...That’s when my brain said, something is off. I checked the company – it existed. But the email? The promises? The tone? Too good to be true. So I copied the email address and pasted it into ChatGPT to verify. And boom, it showed me that the email domain wasn’t linked to the company at all. It even pulled up Facebook posts from people who received the exact same scam email. I’m so glad I checked before sending the personal details they requested. But someone just starting out… someone desperate for a job… someone hopeful… can easily fall for this and give away information that can cost them a lot. Truth is: Scammers now impersonate real companies. The branding looks legit. The roles sound perfect. The process feels smooth. And that’s exactly why people fall for it. So please, if you get an email that looks too good to be true, pause and verify. Here’s what to do: 📌Look up the company – check their official website, not just what they send you. 📌Visit their Careers page – if the role isn’t listed there, red flag. 📌Check the email domain – is it the same as the company’s official domain? 📌Use ChatGPT or Google – paste the email and ask if it’s associated with the company. These tools can pick up patterns you may not notice. 📌Search the exact email address online – scammers reuse them. While searching for a job, please ensure you Stay sharp. Stay alert. The job you’re waiting for will not require you to lose your peace please or your personal data. Are scammers getting smarter, or are the platforms getting weaker?